Slashdot Mirror
Telco Networks Open to Attack?
Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.
Did you all know that all power transactions on public power systems travel over the internet? Wanna hear something a little better? The backup plan in case of internet breakage is by E-Mail and then finally defaulting to the old fax machine. With the increasing complexity of transactions, increasing dependance on automation of power delivery, and an upcoming rollout of the ETag 1.7 transaction updgrade in April, who's to say the light switches will work in the future?
In light of this article and the probability that the public phone system is very susceptible to a terrorist or otherwise dangerous attack, shouldn't there be a dedicated messaging medium for the power grid? Say, Satellite or Microwave? I realize how daunting a project would be, as well as how cost prohibitive, but look at it this way: A foreign or national threat doesn't attack the power generation facilities, instead, they DDoS a server responsible for scheduling the power delivery. Thus preventing or decreasing the reliability of this power grid. Statewide or even interstate power blackouts are just one of a million effects of such an attack.
I'm not proclaiming a doomsday here, but with the current plight of Enron, shouldn't there be a little more scrutiny?
Related links:
FERC - Federal Energy Regulatory Commission
NERC - North American Electric Reliability Coucil
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
The policy wonks when they get it right manage to tune into the right people. They don't always make it up as they go along, so there's no need to be so contemptuous. Alarm bells like this have been sounding for ages and some of the right people have clearly been listening. Despite this yet the /. story dismisses their opinions with casual contempt. They deserve more credit than that for their efforts in the vanguard.
"When an experienced engineer uses such language, it's more worrying".
Yep, sure is... those engineering degrees ain't what they used to be...
This appears to be just another indication that the formerly monolithic telecommunications system in the USA is continuing its slow collapse into anarchy. The system has been jettisoning its research, engineering and operations expertise for decades. The former Bell companies are following the example of American rail and steel companies, milk the system for cash and let the infrastructure rot in place.
Mea navis aericumbens anguillis abundat
Maybe slightly off topic... but I do recall reading that upon Alexander Graham Bells death, all the telephone networks went silent for a period of 1min (?) as a mark of respect.
If that happend today the world would panic
Would stock markets crash and water/rail etc networks to go tits-up because of a major 1min phone outage?
We dont realise how dependent we are on the telephone! :-)
(Also... try subsetuteing telephones for oil in the above post
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
3rd generation mobile phone networks are only just around the corner (relatively speaking); these networks use IPv6 as the transport for the call data. Billing is likely to be based on your source IP address, so if you can spoof someone's address (and probably circumvent a whole load of encryption and authentication) you can probably end up with free phone calls. Voice and data traffic will be going down the same backbone, with intelligent switches that decide what traffic is Internet data and what traffic is voice data. SkRiPt KiDdIeS will have easy access to all the 3G networks the moment they dial up to the internet. I don't know about you lot, but this idea scares the hell outta me given the current state of worldwide network security. I don't know how many IP-based attacks have been solved with IPv6, but I know it's gonna get messy sooner or later.
For those that are interested, there's various IPv4-IPv6 tunnels around that are open for use. If you have a dual-stack machine (Linux can, and there's a MS IPv6 stack available for 'doze) you can set up a VPN into various IPv6 networks. Can't remember the URL, but I know there's one from BT. If people start using / attacking these networks now, then perhaps the problems will be fixed before IPv6 and 3G become mainstream...
I helped build one of the world's largest VoIP companies & i know a few things about the telephony networks as a result. And from what i read in the article is mostly wrong.. You can't just interconnect with out a carrier knowing who you are, Even with ss7. You need to have work orders generated, physical connections involved.. even in VoIP you need set up CICs and point codes, testing of the connection..
Also if anything the decentralization of the telephone networks have made absolutely stronger as a reliable means of transport in times of failure now. It works on the same principle in effect as the internet. Where you can reach a destination via many differnt hops.
For example.. in the old days if you wanted to call London, your call went across AT&T and that was that. Now with 5-10 serious International carriers if even 3 or 4 of the carriers have a facility outage for whatever reason(rare as it is) they can re-route calls to alternate carries where as before they would not be able to do that.
What he seems to fail to mention is that with in 10-15 years traditional telephone networks will be thing of the past and phone service will be regulated to just being another service provided through one of a number of broadband pipes(fiber to your house, g3,g4,gwhatever wireless networks that come next) and the whole concept of a telco will change to the point where companies will server merely as giant switching operation and "enhanced services" with almost zero physical infrastructure, which will also result in the fast drop of telephone pricing as the infrastructure costs dramatically.
Some 7am blurred tired thoughts.. hope that was coherent enough.
This guy has been following that story since it first hit, and if you follow all the links in that article you'll find out a lot more than might be good for your sanity.
It's not one Israeli company, but two, Amdocs Ltd. and Comverse Infosys. Between the two of them they don't just handle all the billing but also play crucial roles in law enforcement wiretaps. The amount of damage some random joe can do with a good exploit is really pretty minor compared to the damage that can result when crucial infrastructure is under control of a foreign government - even if it's a government which is usually an ally.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
At the local level, your phone is switched by your neighboorhood central office, which is basically a small building filled with relays (or nowdays, digital switching equipment). The most striking thing about CO's is the battery room. They have racks upon racks of batteries that are constantly charged, and can provide power to run the CO at full load for roughly 12 hours. CO's also have 2 diesel generators to recharge the batteries and enough fuel onsite to run the generators continuously for 2+ days.
Think about it: how often has your phone went out? And when it has, how often was your neighboor's phone out also? Remember, the phone system keeps working even when the power is out.
The physical infrastructure is the most important layer. Everything else can be fixed relatively quickly in the event of an attack (DOS). Its trival to sever a carrier from your network, but its a major undertaking to replace physical infrastructure. As long as that is redundant, and relatively secure, your phones aren't going to stop working any time soon.
Point 1: When a telco person says "switch", it means something totally different than what a data person means when they say "switch". This is a persistent annoyance.
You can't simply packet an ESS out of existence, because it doesn't know what a packet is. It's not connected to the internet. There are SS7 signaling links and X.25 control links, and maybe a few IP control links if you're lucky. None of them are connected to the internet. Your phone line is payload, not control.
Exactly how do you propose to access the switch in order to DoS it? There are switch dialins, but most are pretty secure, and good luck finding them. You're planning to do a lot of wardialing first?
Point 2: Telcos lie about bandwidth. When someone says they have a 10 Gigabit backbone, it means they own a couple OC192 circuits. Most of the channels in those circuits are probably not filled.
That's like saying I can move a thousand shipping containers a day, because there's a large river between me and my destination, and seaports at each end. Nevermind that I don't own any ships!
An OC192 circuit, for instance, can carry four OC48 signals, or 16 OC12 signals, or a mix thereof. Anything that adds up to 192 STS-1 payload envelopes, or equivalent concatenated payloads. You get the idea. Chances are, they're carrying one or two OC48s on the thing, and the rest is for future expansion. Each of those OC48s in turn is probably only 70% full.
The entire infrastructure is carried on SONET equipment. (That's Synchronous Optical Network, and if you didn't know that, you should read up on it, it's neat stuff.) Being synchronous, this stuff royally shits if there's something wrong with the timing.
Way back when T-carrier was first deployed, Bell realized this and set up a nationwide synchronization distribution. I think the master clock was in Kansas City. Anyway, the sync signal was distributed over wireline circuits to every central office in the country. Maybe Canada too?
However, most interoffice links are fiber now, the same SONET rings that depend on such precise synchronization. Ring-timing is awkward, and without very careful planning, sync loops can form. (Long story, look it up. The short version is that when a SONET system loses sync, it doesn't carry traffic.)
The modern concept is called BITS, or Building Integrated Timing Supply. Each office has a sync signal source, driven by an LPR (local primary reference) oscillator, which is in turn frequency-locked to a reference signal derived from GPS satellite signals.
Yes, that's right, the whole telephone network will fall apart if the Global Positioning System stops transmitting. Depending on the stratum class of the LPR, it might be able to "hold over" for a couple days, maintaining an accurate timing signal in the absence of an upstream reference. They will eventually drift, and most offices only have stratum-3 units anyway.
The network is so poorly planned in the first place, most transport engineers haven't got a clue about ring timing and such. They just hook each terminal to the BITS clock and hope it works, which it does, until something happens to the BITS clock. If all the BITSes in the network started drifting from one another, the system would slowly fail over a few days, as timing slips exceeded the tolerances of the various systems.
If such a thing were to happen, don't bet on the ability to patch things up quickly. Recordkeeping is horrible, and even if it weren't, it would be a daunting task to spontaneously set up a new sync distribution network independent of GPS.
I've heard on good authority that you wouldn't even need to take out the satellites themselves. A couple properly placed nuclear detinations could screw up the somethingsphere such that GPS signal propagation would suffer. Any physicists care to clarify?
I don't want to cause a scare and I really don't want the FBI, CIA or anyone else comming to grill me but this information needs to be added...
I used to work for a very large telecomm company and part of my job was to write software which helped to design networks for some of the largest companies in the US. I throw out the name AOL not because I worked on their network, but because they were one of the mid-sized networks, not the "big ones".
My points are these.
1.) It is very easy to get a map of ALL the major telecomm switching locations and backup generators.
2.) Security is pretty lax, so most dedicated hackers and any mailroom worker could get the information.
3.) Most POP locations are not even manned, much less guarded. A half-dozen backhoes and some cell phones would be enough to coordinate the destruction of about 90% of our telecomm system.
4.) The weak point of every single network is the location of the equipment, not the pipe itself. Some people may argue that there is backup equipment. BS. There is NO backup equipment to replace those locations. The demand to keep up with new technology (DWDM, WLCS, and other cramming technologies) always exceeds the networks' staff, time, and budget. If the equipment was taken out in even a small percentage of the major backbone locations the entire network would fail, and it would be down for a very long time.
My $0.02 will always be worth more than your â0.02, so
Wow, "Myself", that's probably the most intelligent response I've read so far! And for what it's worth, I totally agree, and people need to make an effort to understand the difference between a "data switch" and a "voice switch"!
:)
Simple fact - 99.9% of basic wired telco infrastructure is completely IP "unaware". In other words, no IP address, doesn't have a clue what TCP/IP is, nor does it care. Granted, the new wireless technologies are more/heavily IP based, but that's a different matter - wireless services always have been, and likely always will be many orders of magnitude more vulnerable to abuse/attack purely because of the uncontrolled nature of the transmission medium (without wires, hence wireless). But I digress...
Of the equipment that does have an IP address, 99.9% of it is privately addresses or firewalled or simply not physically or logically connected to another network.
The only way to "DoS" a switch is to use up the DS0's on it's switching backplane (or whatever, the terminology varies). Even on a tiny switch (5ESS VCDX, etc), this can be multiple hundreds of simultaneous calls.
Then what happens you ask? Simple really, no dial tone to the customer. Your phone doesn't explode, melt down, or otherwise. Nor does the switch "crash". Would it be easily detectable? Without doubt. Would the phone company know where it was coming from or what was causing it? Sure they would.
And, to add to this, most people don't have the slightest clue that dedicated nailed-up circuits (such as PtP T1's) never see a switch. That data is split/multiplexed out of the fiber and handled independantly of switched data. It can't be "jumped" onto another circuit, or have some "magic packet" sent to it to allow it to then connect itself to another circuit or timeslot. Hence the term "nailed-up". Even frame relay is external to the switched voice network for the most part.
What is quite possibly vulnerable is the internal IP (ie computer) network of a particular phone company, or possibly dialup administration modems connected to craft interfaces on various bits of telco gear. But cracking a single telco or exchange and using it as the source of a massive nationwide DoS attack on other carriers isn't going to happen anytime soon.
What's far more likely is a very low-tech attack on the physical infrastructure. Even with redundant facility (logical, physical, and route), there always comes a point in a network that a single "failure point" can bite you. It only depends on how fine-grained your idea of "single point" is.
As far as DoS'ing a "router", how exactly is that different than what happens to routers now? Happens all the time now, so what else is new?
You are correct about the vulnerability due to telecom's dependance on the GPS system. If the GPS network over the US were to go down, it would cause a lot of problems, but it would not crash the entire phone system nationwide. Many central offices, at least the larger ones, have a cesium clock for timing purposes(I'm an engineer at one of the big 4 telecoms and I'm very familiar with our BITS standards). These can go weeks without a slip but eventually they will start to lose sync. Sites that have only stratum 3 back ups are few and far between. Almost all sites that rely on GPS timing have at least a stratum 1 backup. From what I know of my company's and the others SOP's, the industry operates on the belief that if the GPS network goes, we expect it to be back up before the cesium clocks would begin to slip. Stratum 1 can go for a few days, so it would be my estimate that we would encounter problems with the phone networks, major disruptions would be avoided if GPS can be restored within a week. I believe that this theory follows the line of thaught that if the GPS network is down for longet than that, something nearly catostrophic would have to have happened...something so bad that having the phones screwd up would be the least of the country's problems. If something were to happen that takes out GPS sats, it would almost certainly take out a lot of other satellites. Now THAT would really screw us. If you remember what happened in the summer of 1998 what just one communication satellite went down, then you know what I mean. Almost all ATM and credit card transactions, as well as a lot of pagers (mine included) came to a screatching halt. Take out GPS and a dozen other satellites and things get really scary.
Today, we can choose from a bewildering array of "services", most of which we don't need, that appear to have a lower unit price but which after fees, surcharges, fees on fees, fees on surcharges, and opportunity costs of fighting through your bill (we have a full-time person doing that now) generally turn out to be more expensive than they were in 1970. And we receive these services from organizations which are not only just as arrogant as the Bell companies of 1970, but which often don't even bother to answer their phones and which can't find a person to fix your problem even when they do bother to answer. And which also tend to disappear overnight, taking your wonderful "services" with them.
And, of course, the old Bell companies are still there (dealt with Verizon lately?), as arrogant and as profitable as ever.
Now what was that "progress" you mentioned?
sPh
You are vastly over simplyfying the concept of a timing source.
A true reference clock takes a number of inputs, GPS being a less desired form. Almost all of the major carriers also include an atomic clock as part of their reference.
The militiary pioneered the design of insane consistency when it comes to reference clock signals, with entire 1000+ page documetns describing the various levels of reliability and consistency and the proper combination of all sorts of timing sources from GPS to atomic clocks.
The phone networks will not go down if GPS does.
I dont buy that. 12 billion in fraud? no.
Maybe I would feel a little more compasionate for these companies were it not for the *many* times they have ripped me off, over charged me, pretended to offer a special deal that they would only uphold if you called them up and complained about not getting what you were promised.
I say screw the phone co's and all other companies that have similar slimy practices. Good for those that have ripped them off for 12B. VOIP anyone... there are still companies out there that, even though have shitty executives, (www.quicknet.net) are offering voip services at affordable rates.