Lone Packet Crashes Telco Networks

← Back to Stories (view on slashdot.org)

Lone Packet Crashes Telco Networks

Posted by Soulskill on Friday October 12, 2012 @02:10AM from the sharpshooting-with-information dept.

mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."

21 of 57 comments (clear)

Min score:

Reason:

Sort:

Hardly surprising... by jonwil · 2012-10-12 02:15 · Score: 3, Informative

Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.
1. Re:Hardly surprising... by Another,+completely · 2012-10-12 02:23 · Score: 3, Informative
  
  They do have security designed in, but it's the hard-outer-shell variety. Doesn't GSM authenticate handsets by having the home register send a challenge along with the appropriate response in a plain-text packet to the cell? The first GSM "attack" I heard about involved connecting your fake phone to a cell, and listening to the microwave channel to hear what response you should send when it sends a challenge. It doesn't sound like a clever design, but I suppose it was trying to reduce communication and memory requirements at the home register?
2. Re:Hardly surprising... by Severus+Snape · 2012-10-12 02:26 · Score: 5, Insightful
  
  You surely can't be that naive and must be trolling. GSM masts are critical pieces of infrastructure in mobile telecoms and it's in every stakeholders that they are secure and reliable. It's security researchers jobs to find these holes, if they were so poorly designed we'd see stories like this every day.
3. Re:Hardly surprising... by queazocotal · 2012-10-12 02:39 · Score: 4, Informative
  
  Well, no.
  The barrier to entry for a firefox security hole is really, really low.
  Typically anyone with a computer can do it, with no external equipment.
  In addition, it's typically legal to do. (though that may not stop some).
  Knowledge of how tcp/ip and similar standards work is widespread, and lots of people know this.
  For hacking cell networks, it's a bit different.
  It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it.
  You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
  You are doing something that is often illegal, or of dubious legality at best.
  All of these combine to make the pool of attackers orders of magnitude smaller.
4. Re:Hardly surprising... by Gerald · 2012-10-12 02:48 · Score: 4, Interesting
  
  The barrier for GSM is getting lower every day so it wouldn't surprise me if bugs like this start showing up more often.
5. Re:Hardly surprising... by Megane · 2012-10-12 02:52 · Score: 4, Insightful
  
  It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it. You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack. You are doing something that is often illegal, or of dubious legality at best.
  What you are talking about is security through obscurity, which is of dubious security at best.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
6. Re:Hardly surprising... by geekoid · 2012-10-12 03:03 · Score: 2, Informative
  
  Security through obscurity is a perfectly fine layer of security.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
7. Re:Hardly surprising... by grcumb · 2012-10-12 03:23 · Score: 4, Insightful
  
  "Security through obscurity is a perfectly fine extra layer of security."
  FTFY
  In other words: If you're relying on obscurity, you're doing it wrong.
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
8. Re:Hardly surprising... by scamper_22 · 2012-10-12 03:25 · Score: 3, Insightful
  
  Or there's a much simpler explanation... people who design protocols make tradeoffs or don't care about security.
  Most of the Internet protocols were designed in a relatively open way. Are they secure?
  Have you perhaps taken a look at SMTP, HTTP... heck even TCP isn't really secure. There's no authentication.
  Now yes, things have been built on top of things and security added on and more focused on... but really...
  In any case, just looking at history in the internet space, I think the lack of security has more to do with tradeoffs and trying to get things out quickly than any grand plan for patents.
9. Re:Hardly surprising... by camperdave · 2012-10-12 03:52 · Score: 4, Interesting
  
  Security is a presentation layer issue. SMTP, HTTP and TCP are not session layer protocols, and have no business worrying about security.
  
  --
  When our name is on the back of your car, we're behind you all the way!
10. Re:Hardly surprising... by camperdave · 2012-10-12 03:54 · Score: 2, Interesting
  
  You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
  Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.
  
  --
  When our name is on the back of your car, we're behind you all the way!
11. Re:Hardly surprising... by DarkOx · 2012-10-12 05:02 · Score: 2
  
  No its not fine as a layer, and yes if you rely on it you are most certainly doing it wrong. While I'll agree it might be best not publish you network diagrams and similar as that might just be inviting trouble your components should not be secret.
  It can take way less time than you might be inclined to think for skilled cracker to develop a vulnerability. If they get their foot in the door anywhere, that obscure device or software component might well be their easiest path to escalated privileges. Since few use it and few have access the weakness have not been exposed, patches and mitigation strategies not developed. It ends up in many cases being easy prey for a 0-day.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
12. Re:Hardly surprising... by queazocotal · 2012-10-12 05:10 · Score: 4, Interesting
  
  In essentially all android and other phones, the 'modem' runs on a seperate processor, running its own OS, signed.
  'owning' the base android phone does nothing.
  You need to separately crack the modem. (unlocking is not cracking).
  The modem in most phones is basically a hayes-compatible modem, with a wierd interface soldered onto the board.
  The only interfaces the android side has to it is 'AT' commands.
  It can't inject raw packets, or ...
13. Re:Hardly surprising... by DarkOx · 2012-10-12 05:10 · Score: 4, Insightful
  
  Well yes and know. Authentication, Confidentiality, and forms of integrity are session or higher layer problems. Availability is also a key component of security. You can't tell me issues like ye'old LAND attack, tear drop, ping of death, negative sequence numbers etc don't cause Availability problems and they are decidedly network and transport layer. If I can cut your wire to jam your airwaves thats a physical layer issue.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
A missing break statement by Anonymous Coward · 2012-10-12 02:24 · Score: 2, Informative

A missing break statement was what brought down the eastern phone network in North America about 20 years ago. And the same simple problem seems to happen again.
The Lone Packet Crashed My Network by Anonymous Coward · 2012-10-12 02:25 · Score: 3, Funny

I was wondering why my router was playing the William Tell Overture.
What was in this packet? by Anonymous Coward · 2012-10-12 02:26 · Score: 3, Funny

Taco Bell Fire Sauce?
The RF portion of the standards is well designed by exabrial · 2012-10-12 02:35 · Score: 4, Interesting

The RF portion of the standards is well designed (take LTE with orthogonal multiplexing for example). However, the systems and switching part is waaay to complex. Telco providers are buried under mountains of technical debt... Even the systems part of LTE is complex: the American implementations from Sprint and Verizon are not be compatible because they cherry picked what parts they felt like implementing.
Re:The RF portion of the standards is well designe by fuzzyfuzzyfungus · 2012-10-12 03:13 · Score: 2, Funny

Thankfully there are no examples of 'inter-networking' actually working in the wild, much less crazy stuff like hardware that can connect easily to almost any of those 'inter-networked' networks through standardized interfaces and protocols, so we can cut them some slack for failing to achieve such an absurdly difficult task...
Sometimes you don't even need a malformed packet by Anonymous Coward · 2012-10-12 03:24 · Score: 4, Interesting

When I was testing a broadband access server at my first job, I've seen a case ping with explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developper's face. It was priceless. =)
Someone else had also found a TFTP packet of death, when broadcasted all boxes under test crashed.
Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.
Remember the Ping-O-Death by xmas2003 · 2012-10-12 04:46 · Score: 3, Interesting

Us old farts will remember something similar called the Ping-O-Death! ;-)

--
Hulk SMASH Celiac Disease