Slashdot Mirror


Lone Packet Crashes Telco Networks

mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."

7 of 57 comments

  1. The RF portion of the standards is well designed by exabrial · · Score: 4, Interesting

    The RF portion of the standards is well designed (take LTE with orthogonal multiplexing for example). However, the systems and switching part is waaay too complex. Telco providers are buried under mountains of technical debt... Even the systems part of LTE is complex: the American implementations from Sprint and Verizon are not compatible because they cherry-picked what parts they felt like implementing.

  2. Re:Hardly surprising... by Gerald · · Score: 4, Interesting

    The barrier for GSM is getting lower every day so it wouldn't surprise me if bugs like this start showing up more often.

  3. Sometimes you don't even need a malformed packet by Anonymous Coward · · Score: 4, Interesting

    When I was testing a broadband access server at my first job, I saw a case where a ping with an explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developer's face. It was priceless. =)
    Someone else had also found a TFTP packet of death; when broadcast, all boxes under test crashed.
    Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.

  4. Re:Hardly surprising... by camperdave · · Score: 4, Interesting

    Security is a presentation layer issue. SMTP, HTTP and TCP are not session layer protocols, and have no business worrying about security.

    --
    When our name is on the back of your car, we're behind you all the way!
  5. Re:Hardly surprising... by camperdave · · Score: 2, Interesting

    You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.

    Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.

    --
    When our name is on the back of your car, we're behind you all the way!
  6. Remember the Ping-O-Death by xmas2003 · · Score: 3, Interesting

    Us old farts will remember something similar called the Ping-O-Death! ;-)

    --
    Hulk SMASH Celiac Disease
  7. Re:Hardly surprising... by queazocotal · · Score: 4, Interesting

    In essentially all android and other phones, the 'modem' runs on a separate processor, running its own OS, signed.
    'owning' the base android phone does nothing.
    You need to separately crack the modem. (unlocking is not cracking).
    The modem in most phones is basically a hayes-compatible modem, with a weird interface soldered onto the board.
    The only interface the android side has to it is 'AT' commands.
    It can't inject raw packets, or ...