Slashdot Mirror


Telco Networks Open to Attack?

Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.

4 of 118 comments

  1. I work for a VoIP Telephony Company... by phunhippy · Score: 5, Informative


    I helped build one of the world's largest VoIP companies & I know a few things about the telephony networks as a result. And what I read in the article is mostly wrong.. You can't just interconnect without a carrier knowing who you are, even with SS7. You need to have work orders generated, physical connections involved.. even in VoIP you need to set up CICs and point codes, testing of the connection..

    Also, if anything, the decentralization of the telephone networks has made them absolutely stronger as a reliable means of transport in times of failure now. It works on the same principle in effect as the internet, where you can reach a destination via many different hops.

    For example.. in the old days if you wanted to call London, your call went across AT&T and that was that. Now with 5-10 serious international carriers, if even 3 or 4 of the carriers have a facility outage for whatever reason (rare as it is), they can re-route calls to alternate carriers, whereas before they would not be able to do that.

    What he seems to fail to mention is that within 10-15 years traditional telephone networks will be a thing of the past and phone service will be relegated to just being another service provided through one of a number of broadband pipes (fiber to your house, g3, g4, gwhatever wireless networks that come next) and the whole concept of a telco will change to the point where companies will serve merely as giant switching operations and "enhanced services" with almost zero physical infrastructure, which will also result in the fast drop of telephone pricing as the infrastructure costs dramatically.

    Some 7am blurred tired thoughts.. hope that was coherent enough.

  2. Why you're clueless. by Myself · Score: 5, Insightful

    Point 1: When a telco person says "switch", it means something totally different than what a data person means when they say "switch". This is a persistent annoyance.

    You can't simply packet an ESS out of existence, because it doesn't know what a packet is. It's not connected to the internet. There are SS7 signaling links and X.25 control links, and maybe a few IP control links if you're lucky. None of them are connected to the internet. Your phone line is payload, not control.

    Exactly how do you propose to access the switch in order to DoS it? There are switch dialins, but most are pretty secure, and good luck finding them. You're planning to do a lot of wardialing first?

    Point 2: Telcos lie about bandwidth. When someone says they have a 10 Gigabit backbone, it means they own a couple OC192 circuits. Most of the channels in those circuits are probably not filled.

    That's like saying I can move a thousand shipping containers a day, because there's a large river between me and my destination, and seaports at each end. Never mind that I don't own any ships!

    An OC192 circuit, for instance, can carry four OC48 signals, or 16 OC12 signals, or a mix thereof. Anything that adds up to 192 STS-1 payload envelopes, or equivalent concatenated payloads. You get the idea. Chances are, they're carrying one or two OC48s on the thing, and the rest is for future expansion. Each of those OC48s in turn is probably only 70% full.

  3. Wanna bet? The vulnerability is synchronization. by Myself · Score: 5, Informative

    The entire infrastructure is carried on SONET equipment. (That's Synchronous Optical Network, and if you didn't know that, you should read up on it, it's neat stuff.) Being synchronous, this stuff royally shits if there's something wrong with the timing.

    Way back when T-carrier was first deployed, Bell realized this and set up a nationwide synchronization distribution. I think the master clock was in Kansas City. Anyway, the sync signal was distributed over wireline circuits to every central office in the country. Maybe Canada too?

    However, most interoffice links are fiber now, the same SONET rings that depend on such precise synchronization. Ring-timing is awkward, and without very careful planning, sync loops can form. (Long story, look it up. The short version is that when a SONET system loses sync, it doesn't carry traffic.)

    The modern concept is called BITS, or Building Integrated Timing Supply. Each office has a sync signal source, driven by an LPR (local primary reference) oscillator, which is in turn frequency-locked to a reference signal derived from GPS satellite signals.

    Yes, that's right, the whole telephone network will fall apart if the Global Positioning System stops transmitting. Depending on the stratum class of the LPR, it might be able to "hold over" for a couple days, maintaining an accurate timing signal in the absence of an upstream reference. They will eventually drift, and most offices only have stratum-3 units anyway.

    The network is so poorly planned in the first place, most transport engineers haven't got a clue about ring timing and such. They just hook each terminal to the BITS clock and hope it works, which it does, until something happens to the BITS clock. If all the BITSes in the network started drifting from one another, the system would slowly fail over a few days, as timing slips exceeded the tolerances of the various systems.

    If such a thing were to happen, don't bet on the ability to patch things up quickly. Recordkeeping is horrible, and even if it weren't, it would be a daunting task to spontaneously set up a new sync distribution network independent of GPS.

    I've heard on good authority that you wouldn't even need to take out the satellites themselves. A couple properly placed nuclear detonations could screw up the somethingsphere such that GPS signal propagation would suffer. Any physicists care to clarify?

  4. Re:Wanna bet? The vulnerability is synchronization by Orangedog_on_crack · Score: 5, Insightful

    You are correct about the vulnerability due to telecom's dependence on the GPS system. If the GPS network over the US were to go down, it would cause a lot of problems, but it would not crash the entire phone system nationwide. Many central offices, at least the larger ones, have a cesium clock for timing purposes (I'm an engineer at one of the big 4 telecoms and I'm very familiar with our BITS standards). These can go weeks without a slip but eventually they will start to lose sync. Sites that have only stratum 3 backups are few and far between. Almost all sites that rely on GPS timing have at least a stratum 1 backup.

    From what I know of my company's and the others' SOPs, the industry operates on the belief that if the GPS network goes, we expect it to be back up before the cesium clocks would begin to slip. Stratum 1 can go for a few days, so it would be my estimate that we would encounter problems with the phone networks, major disruptions would be avoided if GPS can be restored within a week. I believe that this theory follows the line of thought that if the GPS network is down for longer than that, something nearly catastrophic would have to have happened... something so bad that having the phones screwed up would be the least of the country's problems.

    If something were to happen that takes out GPS sats, it would almost certainly take out a lot of other satellites. Now THAT would really screw us. If you remember what happened in the summer of 1998 when just one communication satellite went down, then you know what I mean. Almost all ATM and credit card transactions, as well as a lot of pagers (mine included), came to a screeching halt. Take out GPS and a dozen other satellites and things get really scary.