Telco Networks Open to Attack?
Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.
The security argument is just a gimmick to win other people over to their side. But their real motive for this racist missive is their planned strike.
Say no to software patents.
Did you all know that all power transactions on public power systems travel over the internet? Wanna hear something a little better? The backup plan in case of internet breakage is by E-Mail and then finally defaulting to the old fax machine. With the increasing complexity of transactions, increasing dependence on automation of power delivery, and an upcoming rollout of the ETag 1.7 transaction upgrade in April, who's to say the light switches will work in the future?
In light of this article and the probability that the public phone system is very susceptible to a terrorist or otherwise dangerous attack, shouldn't there be a dedicated messaging medium for the power grid? Say, satellite or microwave? I realize how daunting such a project would be, as well as how cost prohibitive, but look at it this way: a foreign or national threat doesn't attack the power generation facilities; instead, they DDoS a server responsible for scheduling the power delivery, thus preventing or decreasing the reliability of this power grid. Statewide or even interstate power blackouts are just one of a million effects of such an attack.
I'm not proclaiming a doomsday here, but with the current plight of Enron, shouldn't there be a little more scrutiny?
Related links:
FERC - Federal Energy Regulatory Commission
NERC - North American Electric Reliability Council
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
The policy wonks when they get it right manage to tune into the right people. They don't always make it up as they go along, so there's no need to be so contemptuous. Alarm bells like this have been sounding for ages and some of the right people have clearly been listening. Despite this yet the /. story dismisses their opinions with casual contempt. They deserve more credit than that for their efforts in the vanguard.
With poorly implemented user rights and security: users have the right to be billed, administrators have the right to change anything, and there is (almost) nothing in between.
Any LAN administrator oversees a more balanced approach, e.g., preventing most users who have rights to clear the print queue from deleting all printer software, or deleting anything else. Until SS7's security is better implemented, abuse will be rampant.
-Nathaniel
"When an experienced engineer uses such language, it's more worrying".
Yep, sure is... those engineering degrees ain't what they used to be...
This appears to be just another indication that the formerly monolithic telecommunications system in the USA is continuing its slow collapse into anarchy. The system has been jettisoning its research, engineering and operations expertise for decades. The former Bell companies are following the example of American rail and steel companies, milk the system for cash and let the infrastructure rot in place.
Mea navis aericumbens anguillis abundat
Maybe slightly off topic... but I do recall reading that upon Alexander Graham Bell's death, all the telephone networks went silent for a period of 1min (?) as a mark of respect.
If that happened today the world would panic.
Would stock markets crash and water/rail etc. networks go tits-up because of a major 1min phone outage?
We don't realise how dependent we are on the telephone! :-)
(Also... try substituting telephones for oil in the above post.)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
http://www.atis.org/pub/iitc/ntc/ntc24.doc
This seems to contain the same information in what I found was a tad easier to read although it is in word format so it may not be for everyone.
The article url is http://www.cnn.com/2002/TECH/03/08/cebit.preview/index.html. I don't know what happened to the html in my first post. No, I did not mean "first post"!
3rd generation mobile phone networks are only just around the corner (relatively speaking); these networks use IPv6 as the transport for the call data. Billing is likely to be based on your source IP address, so if you can spoof someone's address (and probably circumvent a whole load of encryption and authentication) you can probably end up with free phone calls. Voice and data traffic will be going down the same backbone, with intelligent switches that decide what traffic is Internet data and what traffic is voice data. SkRiPt KiDdIeS will have easy access to all the 3G networks the moment they dial up to the internet. I don't know about you lot, but this idea scares the hell outta me given the current state of worldwide network security. I don't know how many IP-based attacks have been solved with IPv6, but I know it's gonna get messy sooner or later.
For those that are interested, there's various IPv4-IPv6 tunnels around that are open for use. If you have a dual-stack machine (Linux can, and there's a MS IPv6 stack available for 'doze) you can set up a VPN into various IPv6 networks. Can't remember the URL, but I know there's one from BT. If people start using / attacking these networks now, then perhaps the problems will be fixed before IPv6 and 3G become mainstream...
I helped build one of the world's largest VoIP companies & I know a few things about the telephony networks as a result. And what I read in the article is mostly wrong.. You can't just interconnect without a carrier knowing who you are, even with SS7. You need to have work orders generated, physical connections involved.. even in VoIP you need to set up CICs and point codes, testing of the connection..
Also, if anything, the decentralization of the telephone networks has made them absolutely stronger as a reliable means of transport in times of failure now. It works on the same principle in effect as the internet, where you can reach a destination via many different hops.
For example.. in the old days if you wanted to call London, your call went across AT&T and that was that. Now with 5-10 serious international carriers, if even 3 or 4 of the carriers have a facility outage for whatever reason (rare as it is) they can re-route calls to alternate carriers, whereas before they would not be able to do that.
What he seems to fail to mention is that within 10-15 years traditional telephone networks will be a thing of the past and phone service will be regulated to just being another service provided through one of a number of broadband pipes (fiber to your house, g3, g4, gwhatever wireless networks that come next) and the whole concept of a telco will change to the point where companies will serve merely as giant switching operations and "enhanced services" with almost zero physical infrastructure, which will also result in the fast drop of telephone pricing as the infrastructure costs dramatically.
Some 7am blurred tired thoughts.. hope that was coherent enough.
2001-12-05 21:23:51 MCI Worldcom networks hacked (articles,news) (rejected)
and I used to work at MCI WorldCom, they were constantly fighting this...
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
I volunteer to guard Eva Savalot.
This guy has been following that story since it first hit, and if you follow all the links in that article you'll find out a lot more than might be good for your sanity.
It's not one Israeli company, but two, Amdocs Ltd. and Comverse Infosys. Between the two of them they don't just handle all the billing but also play crucial roles in law enforcement wiretaps. The amount of damage some random joe can do with a good exploit is really pretty minor compared to the damage that can result when crucial infrastructure is under control of a foreign government - even if it's a government which is usually an ally.
Friends don't let friends enable ecmascript.
At the local level, your phone is switched by your neighborhood central office, which is basically a small building filled with relays (or nowadays, digital switching equipment). The most striking thing about CO's is the battery room. They have racks upon racks of batteries that are constantly charged, and can provide power to run the CO at full load for roughly 12 hours. CO's also have 2 diesel generators to recharge the batteries and enough fuel onsite to run the generators continuously for 2+ days.
Think about it: how often has your phone gone out? And when it has, how often was your neighbor's phone out also? Remember, the phone system keeps working even when the power is out.
The physical infrastructure is the most important layer. Everything else can be fixed relatively quickly in the event of an attack (DOS). It's trivial to sever a carrier from your network, but it's a major undertaking to replace physical infrastructure. As long as that is redundant, and relatively secure, your phones aren't going to stop working any time soon.
The Bells have been broken up for years and the only result has been the degradation of technology. We need the new small guys to step up to the plate and create something new and different and stop relying on the old outdated equipment the Bells are using to continue to dominate the markets. The only way systems will be secure is if you create new, secure systems that are designed specifically to be secure. There will never be a completely secure system, at least not any time soon, but let's innovate and put a little more effort into improving or recreating what we have. Finally the VoIP guys are starting to create bigger and better methods and systems that require less bandwidth, are more reliable, and are more secure than the current system. The innovation is coming, but I've played with Cisco's VoIP system and I can tell you that even with their CCIEs there were a few weaknesses that were prominent in the new systems, though I admit that it isn't finished yet. The point is, as long as the new companies rise up to challenge the Bells with the Bells' own equipment nothing is going to happen. There will be no improvement, no innovation, and there will be more exploits and increased knowledge of these systems that can be exploited.
Point 1: When a telco person says "switch", it means something totally different than what a data person means when they say "switch". This is a persistent annoyance.
You can't simply packet an ESS out of existence, because it doesn't know what a packet is. It's not connected to the internet. There are SS7 signaling links and X.25 control links, and maybe a few IP control links if you're lucky. None of them are connected to the internet. Your phone line is payload, not control.
Exactly how do you propose to access the switch in order to DoS it? There are switch dialins, but most are pretty secure, and good luck finding them. You're planning to do a lot of wardialing first?
Point 2: Telcos lie about bandwidth. When someone says they have a 10 Gigabit backbone, it means they own a couple OC192 circuits. Most of the channels in those circuits are probably not filled.
That's like saying I can move a thousand shipping containers a day, because there's a large river between me and my destination, and seaports at each end. Never mind that I don't own any ships!
An OC192 circuit, for instance, can carry four OC48 signals, or 16 OC12 signals, or a mix thereof. Anything that adds up to 192 STS-1 payload envelopes, or equivalent concatenated payloads. You get the idea. Chances are, they're carrying one or two OC48s on the thing, and the rest is for future expansion. Each of those OC48s in turn is probably only 70% full.
The entire infrastructure is carried on SONET equipment. (That's Synchronous Optical Network, and if you didn't know that, you should read up on it, it's neat stuff.) Being synchronous, this stuff royally shits if there's something wrong with the timing.
Way back when T-carrier was first deployed, Bell realized this and set up a nationwide synchronization distribution. I think the master clock was in Kansas City. Anyway, the sync signal was distributed over wireline circuits to every central office in the country. Maybe Canada too?
However, most interoffice links are fiber now, the same SONET rings that depend on such precise synchronization. Ring-timing is awkward, and without very careful planning, sync loops can form. (Long story, look it up. The short version is that when a SONET system loses sync, it doesn't carry traffic.)
The modern concept is called BITS, or Building Integrated Timing Supply. Each office has a sync signal source, driven by an LPR (local primary reference) oscillator, which is in turn frequency-locked to a reference signal derived from GPS satellite signals.
Yes, that's right, the whole telephone network will fall apart if the Global Positioning System stops transmitting. Depending on the stratum class of the LPR, it might be able to "hold over" for a couple days, maintaining an accurate timing signal in the absence of an upstream reference. They will eventually drift, and most offices only have stratum-3 units anyway.
The network is so poorly planned in the first place, most transport engineers haven't got a clue about ring timing and such. They just hook each terminal to the BITS clock and hope it works, which it does, until something happens to the BITS clock. If all the BITSes in the network started drifting from one another, the system would slowly fail over a few days, as timing slips exceeded the tolerances of the various systems.
If such a thing were to happen, don't bet on the ability to patch things up quickly. Recordkeeping is horrible, and even if it weren't, it would be a daunting task to spontaneously set up a new sync distribution network independent of GPS.
I've heard on good authority that you wouldn't even need to take out the satellites themselves. A couple of properly placed nuclear detonations could screw up the somethingsphere such that GPS signal propagation would suffer. Any physicists care to clarify?
I don't want to cause a scare and I really don't want the FBI, CIA or anyone else coming to grill me, but this information needs to be added...
I used to work for a very large telecomm company and part of my job was to write software which helped to design networks for some of the largest companies in the US. I throw out the name AOL not because I worked on their network, but because they were one of the mid-sized networks, not the "big ones".
My points are these.
1.) It is very easy to get a map of ALL the major telecomm switching locations and backup generators.
2.) Security is pretty lax, so most dedicated hackers and any mailroom worker could get the information.
3.) Most POP locations are not even manned, much less guarded. A half-dozen backhoes and some cell phones would be enough to coordinate the destruction of about 90% of our telecomm system.
4.) The weak point of every single network is the location of the equipment, not the pipe itself. Some people may argue that there is backup equipment. BS. There is NO backup equipment to replace those locations. The demand to keep up with new technology (DWDM, WLCS, and other cramming technologies) always exceeds the networks' staff, time, and budget. If the equipment was taken out in even a small percentage of the major backbone locations the entire network would fail, and it would be down for a very long time.
My $0.02 will always be worth more than your €0.02, so
Wow, "Myself", that's probably the most intelligent response I've read so far! And for what it's worth, I totally agree, and people need to make an effort to understand the difference between a "data switch" and a "voice switch"!
:)
Simple fact - 99.9% of basic wired telco infrastructure is completely IP "unaware". In other words, no IP address, doesn't have a clue what TCP/IP is, nor does it care. Granted, the new wireless technologies are more/heavily IP based, but that's a different matter - wireless services always have been, and likely always will be many orders of magnitude more vulnerable to abuse/attack purely because of the uncontrolled nature of the transmission medium (without wires, hence wireless). But I digress...
Of the equipment that does have an IP address, 99.9% of it is privately addressed or firewalled or simply not physically or logically connected to another network.
The only way to "DoS" a switch is to use up the DS0's on its switching backplane (or whatever, the terminology varies). Even on a tiny switch (5ESS VCDX, etc), this can be multiple hundreds of simultaneous calls.
Then what happens you ask? Simple really, no dial tone to the customer. Your phone doesn't explode, melt down, or otherwise. Nor does the switch "crash". Would it be easily detectable? Without doubt. Would the phone company know where it was coming from or what was causing it? Sure they would.
And, to add to this, most people don't have the slightest clue that dedicated nailed-up circuits (such as PtP T1's) never see a switch. That data is split/multiplexed out of the fiber and handled independently of switched data. It can't be "jumped" onto another circuit, or have some "magic packet" sent to it to allow it to then connect itself to another circuit or timeslot. Hence the term "nailed-up". Even frame relay is external to the switched voice network for the most part.
What is quite possibly vulnerable is the internal IP (ie computer) network of a particular phone company, or possibly dialup administration modems connected to craft interfaces on various bits of telco gear. But cracking a single telco or exchange and using it as the source of a massive nationwide DoS attack on other carriers isn't going to happen anytime soon.
What's far more likely is a very low-tech attack on the physical infrastructure. Even with redundant facility (logical, physical, and route), there always comes a point in a network that a single "failure point" can bite you. It only depends on how fine-grained your idea of "single point" is.
As far as DoS'ing a "router", how exactly is that different than what happens to routers now? Happens all the time now, so what else is new?
You are correct about the vulnerability due to telecom's dependence on the GPS system. If the GPS network over the US were to go down, it would cause a lot of problems, but it would not crash the entire phone system nationwide. Many central offices, at least the larger ones, have a cesium clock for timing purposes (I'm an engineer at one of the big 4 telecoms and I'm very familiar with our BITS standards). These can go weeks without a slip but eventually they will start to lose sync. Sites that have only stratum 3 backups are few and far between. Almost all sites that rely on GPS timing have at least a stratum 1 backup. From what I know of my company's and the others' SOPs, the industry operates on the belief that if the GPS network goes, we expect it to be back up before the cesium clocks would begin to slip. Stratum 1 can go for a few days, so it would be my estimate that we would encounter problems with the phone networks, but major disruptions would be avoided if GPS can be restored within a week. I believe that this theory follows the line of thought that if the GPS network is down for longer than that, something nearly catastrophic would have to have happened... something so bad that having the phones screwed up would be the least of the country's problems. If something were to happen that takes out GPS sats, it would almost certainly take out a lot of other satellites. Now THAT would really screw us. If you remember what happened in the summer of 1998 when just one communication satellite went down, then you know what I mean. Almost all ATM and credit card transactions, as well as a lot of pagers (mine included) came to a screeching halt. Take out GPS and a dozen other satellites and things get really scary.
You are vastly oversimplifying the concept of a timing source.
A true reference clock takes a number of inputs, GPS being a less desired form. Almost all of the major carriers also include an atomic clock as part of their reference.
The military pioneered the design of insane consistency when it comes to reference clock signals, with entire 1000+ page documents describing the various levels of reliability and consistency and the proper combination of all sorts of timing sources from GPS to atomic clocks.
The phone networks will not go down if GPS does.
As a person who works with energy trading systems for a living and who gets to spend time on the trading floor for IT stuff, I feel entitled to respond.
If you are referring to power brokerage, the answer is that you are mostly incorrect. A few trading systems support IP trading brokerage between similar systems, but not many. Most trades are done by telephone or (and I shit-you-not) AIM/Yahoo Messenger. We have had people actually ask us to not let people enter deals into the trading system if the deal was wrong for some reason. (Umm, sir, if the deal has already been made, what good will it do to keep it out of the system if you don't like it? cough cough enron cough)
Now, if you are referring to power generation assets in the field communicating to a central point as to their status, I wouldn't know, because IT has kept me from using my engineering degree for a while...
my 2 bits
- Sig
I don't buy that. 12 billion in fraud? No.
Maybe I would feel a little more compassionate for these companies were it not for the *many* times they have ripped me off, overcharged me, pretended to offer a special deal that they would only uphold if you called them up and complained about not getting what you were promised.
I say screw the phone co's and all other companies that have similar slimy practices. Good for those that have ripped them off for 12B. VOIP anyone... there are still companies out there that, even though have shitty executives, (www.quicknet.net) are offering voip services at affordable rates.
I'm aware that a good reference has multiple inputs, I'm simply saying that there isn't a good reference at most offices.
The CO's I've been in have a Telecom Solutions (by Symmetricom) DCD-LPR with GPS GTI cards feeding a DCD-ST2 with Stratum-2 oscillators, which drives the TOxA cards to feed the BITS-clocked network elements in the office.
In such a situation, if the GTI boards lose lock, the ST2 shelf goes into holdover, where it should be good for a few days. (I don't have the specs in front of me.) Equipment still has timing, it's just not locked to anything in particular. The switch and stuff will continue to run, but interoffice links will suffer as slip increases.
I'm sure all the major carriers had a Cesium reference in an office at one time, but nowadays I don't think that's used for anything. It's simply too awkward to push that signal out to each office. The GPS constellation is considered the primary reference.
The phone system won't go down completely, but it will break up into islands until a terrestrial sync distribution system can be established, or GPS can be restored.
Sure, the GPS satellites could be taken out by a rogue nation with too much laser power on their hands. The orbit data are public, after all. It's not a direct military strike, just a nasty thing to do, with repercussions that wouldn't be realized until after the fact.
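The holdover argument running through the last few comments (stratum-1 cesium versus the stratum-2/3 oscillators in a DCD shelf, and how many days pass before interoffice links start slipping) can be put into numbers. The model below is an added example, not code from the thread or from any vendor; the per-stratum offset and drift figures are assumed, order-of-magnitude illustrations rather than values quoted from ANSI T1.101 or GR-1244, and the 125 µs frame slip threshold is the DS1 frame period.

```python
"""Back-of-the-envelope holdover model for a BITS clock that has lost its
GPS reference. Added example; the stratum figures are assumptions chosen
to be in the right order of magnitude, not values quoted from a standard."""
import math
from dataclasses import dataclass

# A DS1/T1 frame is 125 microseconds; one full frame of accumulated phase
# error between two offices costs one frame slip on the link between them.
T1_FRAME_S = 125e-6
SECONDS_PER_DAY = 86400.0


@dataclass(frozen=True)
class HoldoverClock:
    name: str
    initial_offset: float  # fractional frequency error when holdover starts (assumed)
    drift_per_day: float   # extra fractional error accumulated per day of holdover (assumed)

    def phase_error(self, seconds: float) -> float:
        """Accumulated time error after `seconds` of holdover.

        The frequency error grows linearly with time (aging), so the time
        error is its integral: offset*t + 0.5*drift*t^2.
        """
        drift_per_sec = self.drift_per_day / SECONDS_PER_DAY
        return self.initial_offset * seconds + 0.5 * drift_per_sec * seconds ** 2

    def slips_after_days(self, days: float) -> int:
        """Whole frame slips accumulated against a still-locked neighbour."""
        return int(self.phase_error(days * SECONDS_PER_DAY) // T1_FRAME_S)

    def days_to_first_slip(self) -> float:
        """Solve offset*t + 0.5*a*t^2 = T1_FRAME_S for t (positive root)."""
        a = self.drift_per_day / SECONDS_PER_DAY
        if a == 0.0:  # no aging term: pure linear offset
            seconds = T1_FRAME_S / self.initial_offset
        else:
            seconds = (-self.initial_offset
                       + math.sqrt(self.initial_offset ** 2 + 2 * a * T1_FRAME_S)) / a
        return seconds / SECONDS_PER_DAY


# Assumed illustrative figures (order of magnitude only; check T1.101 / GR-1244).
STRATA = {
    1: HoldoverClock("stratum 1 (cesium)", initial_offset=1e-11, drift_per_day=0.0),
    2: HoldoverClock("stratum 2 (rubidium/OCXO)", initial_offset=1e-10, drift_per_day=1e-10),
    3: HoldoverClock("stratum 3 (TCXO)", initial_offset=5e-8, drift_per_day=3.7e-7),
}


def survives_outage(stratum: int, outage_days: float, max_slips: int = 0) -> bool:
    """Would an office on this stratum ride through a GPS outage of this length?"""
    return STRATA[stratum].slips_after_days(outage_days) <= max_slips


if __name__ == "__main__":
    for clock in STRATA.values():
        print(f"{clock.name}: first slip after {clock.days_to_first_slip():.2f} days, "
              f"{clock.slips_after_days(1)} slips in day 1, "
              f"{clock.slips_after_days(7)} slips in a week")
```

With these figures a stratum-3 office starts slipping within the hour and a stratum-2 shelf holds for about four and a half days, while a cesium reference would not slip for months, which is the gap the two commenters are arguing over.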