Slashdot Mirror


Newer Diameter Telephony Protocol Just As Vulnerable As SS7 (bleepingcomputer.com)

An anonymous reader writes: Security researchers say the Diameter protocol used with today's 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier. The vulnerabilities are happening because 4G operators are misconfiguring the Diameter protocol (a SS7 replacement) and using it in the same way as SS7.

The incorrect use of Diameter leads to the presence of several vulnerabilities in 4G networks that resemble the ones found in older networks that use SS7, and which Diameter was supposed to prevent. Researchers say that the Diameter misconfigurations they've spotted inside 4G networks are in many cases unique to each network, but they usually repeat themselves, so they can be organized into five classes of attacks: (1) subscriber information disclosure, (2) network information disclosure, (3) subscriber traffic interception, (4) fraud, and (5) denial of service. Researchers warn that not fixing these vulnerabilities "could lead to sudden failure of ATMs, payment terminals, utility meters, car alarms, and video surveillance." This is because these types of devices often use 4G SIM card modules to connect to their servers when located in a remote area where classic Internet connections are not possible. Old SS7 attacks such as tracking users' location and intercepting SMS and phone calls are also possible via Diameter.

31 comments

  1. Why not just use HTTPS? by Anonymous Coward · · Score: 1

    Why don't they just use a tried and true protocol like HTTPS instead of rolling their own protocol?

    1. Re:Why not just use HTTPS? by Anonymous Coward · · Score: 0

      Diameter is an AAA protocol like its predecessor, RADIUS. HTTPS has nothing to do with this.

    2. Re:Why not just use HTTPS? by WaffleMonster · · Score: 3, Informative

      Why don't they just use a tried and true protocol like HTTPS instead of rolling their own protocol?

      This is in fact what Diameter does; for security it uses TLS, just like HTTPS.

    3. Re: Why not just use HTTPS? by buchanmilne · · Score: 3, Informative

      The summary says:
      "The incorrect use of Diameter leads to the presence of several vulnerabilities in 4G networks"

      That's like saying:
      "The incorrect use of HTTP (such as not requiring HTTPS, or permitting weak ciphers, or not protecting sensitive APIs from the internet with a firewall) leads to the presence of several vulnerabilities in corporate networks".

      In other words, it's not that the protocol itself is vulnerable, but that misconfiguration and poorly architected deployments can result in installations that are vulnerable.

      Just like HTTP(S).

    4. Re:Why not just use HTTPS? by Anonymous Coward · · Score: 0

      ... and just like HTTPS, everybody misconfigures it.

    5. Re: Why not just use HTTPS? by kenh · · Score: 1

      Exactly. I love it when the summary refutes the /. headline, it lets me know the editors at /. are hard at work...

      --
      Ken
    6. Re:Why not just use HTTPS? by kenh · · Score: 1

      Uh, because routing and billing for phone calls is just a wee-bit different than serving up webpages...

      Do you have any earthly idea what SS7 or Diameter actually do or did you just see the word "protocol" and say to yourself, "a protocol is a protocol, they are all interchangeable, so why not use HTTP?"

      Computers somehow did useful work before Tim Berners-Lee "invented" HTTP and Linus Torvalds got frustrated with the software available to fully utilize his then-new 80386-based desktop computer and "invented" Linux, and every computing problem can't be solved by a heap of x86-based web servers.

      --
      Ken
  2. NSA and GCHQ by AHuxley · · Score: 1

    Keep that telco collecting real time.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:NSA and GCHQ by currently_awake · · Score: 2

      If we have to choose between letting the NSA spy on us, as well as China and Russia and Organized Crime, or locking the door and not letting anyone spy on us, I think our National Security is better served by choosing Nobody spies.

  3. Let me know... by Obfuscant · · Score: 1

    Just let me know when I can have fun with my old blue box again, and that whistle I keep in the junk drawer.

    1. Re:Let me know... by kenh · · Score: 1

      Uh, you understand the difference between in-band call routing and out-of-band call routing, right? SS7 is an out-of-band call routing system, sending tones over the voice network is an example of in-band signaling.

      --
      Ken
    2. Re:Let me know... by Obfuscant · · Score: 1

      Uh, you understand the difference between in-band call routing and out-of-band call routing, right?

      Yes, sweetheart, I understand the difference. That's why what I said is a joke. Or, in the common vernacular: whoosh.

  4. uh SS7 replacement by Anonymous Coward · · Score: 0

    "a SS7 replacement"
    an! an! an!

  5. Security is an illusion by Anonymous Coward · · Score: 0

    They can blow you up in broad daylight and blame guys in a cave on the other side of the planet. But as long as you sheeple feel safe I guess everything is OK. Duh!

    If you want a 100% secure computer you'll need to encase it in concrete and deep six it to the bottom of the sea.

    ae911truth dot org

  6. it only works if you do it properly by adfraggs · · Score: 3

    Diameter is just a protocol i.e. it's a guideline, there is no enforcement. Network operators are typically going to do whatever they need to do in order to just get stuff working. Apart from straight out abusing the protocol by making up their own session rules they can also simply neglect to make basic security considerations. In this ultra-competitive world where everyone is scrambling to build their next gen networks many will happily forgo extra testing or security design in order to just get something running so that customers can start paying for the service. That's not to mention even having the expertise in the first instance to be able to make those security considerations. Diameter is complicated and hard. If a provider gets it working and customers can use the service and be billed for that usage then that's often the end of the story.

  7. Diameter and SS7 are diametrically opposed by Anonymous Coward · · Score: 3, Informative

    Diameter replaces SS7? In what universe? SS7 is a control signalling protocol used for setting up calls. Diameter is an AAA (Authentication, Authorization & Accounting) protocol that's just a supercharged RADIUS (Diameter = twice the Radius, get it? ha ha). No doubt you can royally screw up the AAA setup and leak like a sieve, but it's got nothing to do with SS7.

    1. Re:Diameter and SS7 are diametrically opposed by Anonymous Coward · · Score: 0

      Agree. Diameter replaces RADIUS.

    2. Re:Diameter and SS7 are diametrically opposed by Anonymous Coward · · Score: 0

      You might want to do some more reading around - there are multiple applications built on Diameter in a 4G cellular network - whilst core AAA functions are still there (e.g. HSS interaction) there are lots of other things going on too - Policy and Charging rules, Charging/Usage information, Subscriber Profile Retrieval, Roaming, Application requests, Wi-Fi interworking (trusted and untrusted)...if I sat on a nice Diameter Router I would probably see all sorts of fun stuff in an operator network.

      I have never once had to even think about SS7 for controlling a pure 4G/LTE network.

  8. Caller-ID by Anonymous Coward · · Score: 0

    Just fix Caller-ID so that it can't be forged. Is that too much to ask?

    1. Re:Caller-ID by Bryansix · · Score: 1

      Apparently it is. So here is the deal. I worked at several small-medium size businesses that owned their own phone systems. They would set up the phone system so that whichever line called out, the caller ID would show the 800 number. This is a legitimate use of overriding the Caller ID. The problem is that Telcos don't expend any effort whatsoever to validate that the number being sent is actually a legitimate number and is associated with the business/person in question. Really, there should be some sort of verification process similar to that for obtaining an SSL Certificate for a website where you validate that you own the number you are sending. Then you can only send that number and no some other number unless you go through the verification process again.

  9. This is what happens when... by williamyf · · Score: 2

    This is what happens when the guys who were in charge of the MSCs and SS7 STPs of yore are put in charge of the newfangled Diameter Servers and Routers of 4G and 5G.

    Do not get me wrong, those guys are very smart and brilliant guys. But just as the Slashdot crowd would have a hell of a day trying to configure the 67 E1s of an STM-1 in order to set up a set of SS7 links, an old-school telco switch guy would have hell understanding the nuances of security on Diameter...

    Me, I had a foot in each camp for 5 years (1999-2004), but now I am looking from above in my (OpenStack) cloud...

    --
    *** Good luck to everyone and have a nice day!
    1. Re:This is what happens when... by Nethead · · Score: 1

      The vulnerabilities are happening because 4G operators are misconfiguring the Diameter protocol (a SS7 replacement) and using it in the same way as SS7.

      Reminds me of IPv6.

      --
      -- I have a private email server in my basement.
  10. Diameter is a RADIUS replacement, not SS7 by Anonymous Coward · · Score: 0

    Diameter is (as you might guess from the name), a replacement for RADIUS.

    Some of the Diameter applications overlap with some of the functions that parts of SS7 provided though (e.g call billing etc).

  11. I've been using Signal recently. Works well. by Anonymous Coward · · Score: 0

    Surprisingly, Signal calls work pretty well even on not perfect mobile data or wifi connections. I can use it just like a normal call. It barely uses any data by today's standards, so the data cap lasts me much longer than the call minutes I have on my measly XS-sized prepaid card.

    The audio quality is insanely better. But of course the proper real-time encryption heats the SoC quite a bit and drains the battery quicker. That audio quality though! And even video chat works.

    So with 4G, where the "real" phone calls are also just packets, there is no real point to using that crap anymore. Ergo Diameter can kiss my ass.

    1. Re: I've been using Signal recently. Works well. by nbvb · · Score: 1

      Not one of those Signal data packets would've gone anywhere without Diameter..... go study IMS.

  12. Actually, we have dotation-level backdoors now. by Anonymous Coward · · Score: 0

    They can't even be detected with a microscope. And can do whatever they want.

    Short of making your own chip, with your own machines, without anyone sneaking into your workshop, and from sources that have been thoroughly checked for underhanded backdoors *post*-routing, and *after* the mask data leaves the last chip, there is no chance in hell to avoid being snooped on, if the NSAssholes really want to.

    1. Re:Actually, we have dotation-level backdoors now. by kenh · · Score: 1

      Right, because an air-gap between the computer and the internet can be bridged by the super-secret wifi/cellular data connections inside the CPU in your system. /SMH

      Explain to me how the NSA can get into a computer that is not on the internet without physically accessing (as in "laying hands on") the computer?

      --
      Ken
    2. Re:Actually, we have dotation-level backdoors now. by suutar · · Score: 1

      Given the human tendency to plug USB sticks into things, there's a non-zero chance that dropping a stick in the parking lot will do it. And for exfiltrating info, you have seen the stories about use of audio outside human hearing range, yes?

      I'm not saying it's likely at all. But it's not impossible.

  13. "Vulnerable to vulnerabilities?" by jenningsthecat · · Score: 1

    Editor! We need help with this patient, stat!!!

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  14. Diameter? by nitehawk214 · · Score: 1

    I was trying to figure out how making the cable wider would affect security in any way? Nobody actually physically taps wires anymore.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  15. Re: Actually, we have dotation-level backdoors now by kenh · · Score: 1

    So, a user takes a usb they found on the ground and plugs it into an air-gapped, stand-alone computer - how does the three-letter government agency actually get their hands on the data? How does the data cross the still in-place airgap?

    And transmitting data via ultrasonic audio emissions? First your computer would need to have suitable transducers built into the computer, and second the three-letter agency would need to locate a suitable sensor within earshot of the computer in question.

    To the best of my knowledge, no commercially-produced computers have appropriate ultrasonic transducers built-in - but then again, maybe that's what they want you to think!

    --
    Ken