Slashdot Mirror


Telco Networks Open to Attack?

Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.

6 of 118 comments

  1. If the 'phones did go down... by SomethingOrOther · · Score: 3, Interesting

    Maybe slightly off topic... but I do recall reading that upon Alexander Graham Bell's death, all the telephone networks went silent for a period of 1min (?) as a mark of respect.

    If that happened today the world would panic.
    Would stock markets crash and water/rail etc networks go tits-up because of a major 1min phone outage?

    We don't realise how dependent we are on the telephone!
    (Also... try substituting telephones for oil in the above post :-)

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  2. It's only gonna get worse by ChrisPaget · · Score: 3, Interesting

    3rd generation mobile phone networks are only just around the corner (relatively speaking); these networks use IPv6 as the transport for the call data. Billing is likely to be based on your source IP address, so if you can spoof someone's address (and probably circumvent a whole load of encryption and authentication) you can probably end up with free phone calls. Voice and data traffic will be going down the same backbone, with intelligent switches that decide what traffic is Internet data and what traffic is voice data. SkRiPt KiDdIeS will have easy access to all the 3G networks the moment they dial up to the internet. I don't know about you lot, but this idea scares the hell outta me given the current state of worldwide network security. I don't know how many IP-based attacks have been solved with IPv6, but I know it's gonna get messy sooner or later.

    For those that are interested, there's various IPv4-IPv6 tunnels around that are open for use. If you have a dual-stack machine (Linux can, and there's a MS IPv6 stack available for 'doze) you can set up a VPN into various IPv6 networks. Can't remember the URL, but I know there's one from BT. If people start using / attacking these networks now, then perhaps the problems will be fixed before IPv6 and 3G become mainstream...

    1. Re:It's only gonna get worse by lars_stefan_axelsson · · Score: 2, Interesting
      This is true, but after you have gotten an IP to your device, this IP is what you look after to charge you. If you can change it (and the router back to you of course) you wouldn't be charged, would you?

      Actually, yes you would be charged. It's not the IP-address per se that the network looks at in a 3G network to decide who sent (or received) how many bytes to whom (or was active for a certain period of time, 3G allows both), but the tunnel ID.

      You see, all end user traffic in a 3G core network (which does the charging part) is tunneled over a protocol called GTP, each user (i.e. active PDP-context of each user and QoS level) has its own tunnel. The network never really looks at the end user traffic, it just switches tunnels. So in effect, changing your IP address would only prevent your IP stack at the mobile/laptop from accepting the packets, not the network from actually delivering and charging you for them. (Assuming PDP-type-IP).

      This is the way it must work if the operator is to be able to correctly isolate corporate customers, without any overlap with other customers. Corporates, that is, that may use private addresses and NAT to connect to the Internet per se. So, in effect your phone may not be the only one in the network with that very IP address.

      Now, IPv6 complicates matters some, but not much, the basic IPv4 3G infrastructure is still there.

      If you want to know more about these matters, it's no longer a secret. All the 3G specs can be found at 3GPP. Start with the 23.060 specification, it's the overview. From there on you can delve deeper into the charging and the GTP specs, though they are not for the faint of heart (and heavy to carry around too).

      --
      Stefan Axelsson
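
The comment above describes charging keyed on the GTP tunnel rather than on the subscriber's IP address. The following is an added example, not part of the original thread or of any operator's code: it assumes the GTPv1 user-plane header layout (the comment names only GTP), and the function names, tunnel IDs, subscriber labels and frames are all constructed for illustration.

```python
import struct
from collections import Counter

GTP_G_PDU = 0xFF  # GTPv1 message type for a tunnelled user packet

def parse_gtpu(frame):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU; raise ValueError otherwise."""
    if len(frame) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTP_G_PDU:
        raise ValueError("not a GTPv1 G-PDU")
    if length != len(frame) - 8:
        raise ValueError("length field does not match frame")
    offset = 8
    if flags & 0x07:  # E, S or PN set: 4 optional octets follow the TEID
        offset = 12
        if len(frame) < 12:
            raise ValueError("truncated optional fields")
        next_type = frame[11] if flags & 0x04 else 0
        while next_type:  # walk the extension header chain
            ext_len = frame[offset] * 4 if offset < len(frame) else 0
            if ext_len == 0 or offset + ext_len > len(frame):
                raise ValueError("bad extension header")
            next_type = frame[offset + ext_len - 1]
            offset += ext_len
    return teid, frame[offset:]

def charge(frames, tunnel_owner):
    """Sum user bytes per subscriber, keyed on tunnel ID; inner headers are never read."""
    usage = Counter()
    for frame in frames:
        try:
            teid, inner = parse_gtpu(frame)
        except ValueError:
            continue  # malformed or non-user-plane frame: nothing to bill
        if teid in tunnel_owner:
            usage[tunnel_owner[teid]] += len(inner)
    return usage

def gtpu(teid, src, n):
    """Constructed sample frame: IPv4 header (zero checksum) plus n payload bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + n, 0, 0, 64, 17, 0,
                     bytes(src), bytes((192, 0, 2, 1))) + bytes(n)
    return struct.pack("!BBHI", 0x30, GTP_G_PDU, len(ip), teid) + ip

TUNNELS = {0x1001: "subscriber-A", 0x2002: "corporate-B"}  # constructed mapping
FRAMES = [gtpu(0x1001, (10, 0, 0, 5), 100),   # A's assigned address
          gtpu(0x1001, (10, 9, 9, 9), 100),   # changed source, same tunnel
          gtpu(0x2002, (10, 0, 0, 5), 40)]    # same private address, other tunnel
```

`charge(FRAMES, TUNNELS)` bills both frames on tunnel 0x1001 to subscriber-A regardless of the inner source address, and keeps corporate-B's traffic separate even though it reuses the same private address.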
    2. Re:It's only gonna get worse by BrookHarty · · Score: 3, Interesting

      Not true. 3G networks are built from the ground up with security and operability. There isn't the 100+ legacy issues to deal with. Our 3G network is an overlay network, it sits on top of the 2G network, and is deployed where the demand is, then rolled out on schedule. We have more firewalls, command and control networks, backup networks, and intrusion detection on these networks than on the 2G. This is the future of the company, we want to make sure it's damn secure and unbreakable, we get to build it right this time, perfect.

      Currently we don't use IPv6, Our phone IP space is nat'ed. But we don't even care about your IP, we bill on your IMSI which is programmed in your SIM Card. But yes, we have these neat sniffers that will show your phone from the (gb) base station link to the (gi) Internet connection. Nice real time ping pong charts that show your every move. Oh yes, and we have location based services, we know where you are. (For E911 etc..)

      Interesting fact, most of us read /. and attend the black hat security conferences. This is the place that hires the hackers. Hell I even have a copy of 2600 on my desk, nobody said a damn word. lol..
      -
      All comments are my own, not of my employer.

  3. Really though... by SkyLeach · · Score: 3, Interesting

    I don't want to cause a scare and I really don't want the FBI, CIA or anyone else coming to grill me but this information needs to be added...

    I used to work for a very large telecomm company and part of my job was to write software which helped to design networks for some of the largest companies in the US. I throw out the name AOL not because I worked on their network, but because they were one of the mid-sized networks, not the "big ones".

    My points are these.

    1.) It is very easy to get a map of ALL the major telecomm switching locations and backup generators.

    2.) Security is pretty lax, so most dedicated hackers and any mailroom worker could get the information.

    3.) Most POP locations are not even manned, much less guarded. A half-dozen backhoes and some cell phones would be enough to coordinate the destruction of about 90% of our telecomm system.

    4.) The weak point of every single network is the location of the equipment, not the pipe itself. Some people may argue that there is backup equipment. BS. There is NO backup equipment to replace those locations. The demand to keep up with new technology (DWDM, WLCS, and other cramming technologies) always exceeds the networks' staff, time, and budget. If the equipment was taken out in even a small percentage of the major backbone locations the entire network would fail, and it would be down for a very long time.

    --
    My $0.02 will always be worth more than your €0.02, so :-p
  4. Reality check by Anonymous Coward · · Score: 1, Interesting

    Yes, the management plane is separate. However, it's horribly insecure: You can simply ring the doorbell and walk into the COs in my area, tour around and leave. I've done it a few times, covering three offices. Face it, the only security is the wall of jargon and the priesthood of odd procedures that goes with the public phone network.

    [I type this as I latch-up the console on a local ADM and hop around a ring which has a couple of SLICs and a cosmos console on it]