Lone Packet Crashes Telco Networks
mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."
Hardly surprising... (Score:3, Informative)
Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.
Re:Hardly surprising... (Score:4, Informative)
Re: (Score:2)
They do have security designed in, but it's the hard-outer-shell variety.
Isn't that the M&M security method with a hard outer shell and a soft creamy center?
Re:Hardly surprising... (Score:5, Insightful)
Re:Hardly surprising... (Score:5, Informative)
Well, no.
The barrier to entry for a firefox security hole is really, really low.
Typically anyone with a computer can do it, with no external equipment.
In addition, it's typically legal to do. (though that may not stop some).
Knowledge of how tcp/ip and similar standards work is widespread, and lots of people know this.
For hacking cell networks, it's a bit different.
It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it.
You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
You are doing something that is often illegal, or of dubious legality at best.
All of these combine to make the pool of attackers orders of magnitude smaller.
Re:Hardly surprising... (Score:5, Interesting)
The barrier for GSM is getting lower every day [osmocom.org] so it wouldn't surprise me if bugs like this start showing up more often.
Re:Hardly surprising... (Score:4, Insightful)
It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it. You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack. You are doing something that is often illegal, or of dubious legality at best.
What you are talking about is security through obscurity, [wikipedia.org] which is of dubious security at best.
Re: (Score:3, Informative)
Security through obscurity is a perfectly fine layer of security.
Re:Hardly surprising... (Score:5, Insightful)
"Security through obscurity is a perfectly fine extra layer of security."
FTFY
In other words: If you're relying on obscurity, you're doing it wrong.
Re: (Score:3)
No, it's not fine as a layer, and yes, if you rely on it you are most certainly doing it wrong. While I'll agree it might be best not to publish your network diagrams and similar, as that might just be inviting trouble, your components should not be secret.
It can take way less time than you might be inclined to think for a skilled cracker to develop a vulnerability. If they get their foot in the door anywhere, that obscure device or software component might well be their easiest path to escalated privileges. Since
Re: (Score:2)
Actually I thought he was talking about how bad the mobile networks are. The comment to which he was replying said that there are a lot of people trying to find these holes, so we'd find them all, but really there aren't that many people in a position to look for the holes, thus many will go unfound.
Re: (Score:3, Interesting)
You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.
Re:Hardly surprising... (Score:5, Interesting)
In essentially all Android and other phones, the 'modem' runs on a separate processor, running its own OS, signed. ...
'owning' the base android phone does nothing.
You need to separately crack the modem. (unlocking is not cracking).
The modem in most phones is basically a Hayes-compatible modem, with a weird interface soldered onto the board.
The only interface the Android side has to it is 'AT' commands.
It can't inject raw packets, or
Re: (Score:2)
Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.
Not to mention they were designed in 1990, and anything above only a minimal level of security is "optional". The world (or the parts of it that still use GSM) needs to move on.
Re:Hardly surprising... (Score:4, Insightful)
Or there's a much simpler explanation... people who design protocols make tradeoffs or don't care about security.
Most of the Internet protocols were designed in a relatively open way. Are they secure?
Have you perhaps taken a look at SMTP, HTTP... heck even TCP isn't really secure. There's no authentication.
Now yes, things have been built on top of things and security added on and more focused on... but really...
In any case, just looking at history in the internet space, I think the lack of security has more to do with tradeoffs and trying to get things out quickly than any grand plan for patents.
Re:Hardly surprising... (Score:5, Interesting)
Re:Hardly surprising... (Score:5, Insightful)
Well, yes and no. Authentication, Confidentiality, and forms of integrity are session or higher layer problems. Availability is also a key component of security. You can't tell me issues like ye olde LAND attack, teardrop, ping of death, negative sequence numbers etc. don't cause Availability problems, and they are decidedly network and transport layer. If I can cut your wire to jam your airwaves, that's a physical layer issue.
Not quite.... (Score:1)
Security probably needs to exist at all layers of the OSI model.
It is true that some forms of security, relating to user data or user transactions, apply at the higher level and thus belong up in the topmost OSI network model layers.
On the other hand, if your lower layers are compromised, channel availability is lost or data is compromised. You can't exactly ignore that sort of security at the lower layers.
Every layer needs enough security so as to not be easily compromised.
Also note that the Internet was a
Re: (Score:2)
A missing break statement (Score:2, Informative)
A missing break statement was what brought down the eastern phone network in North America about 20 years ago. And the same simple problem seems to happen again.
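As an added illustration of the bug class this comment names (this is not the commenter's code and not a reproduction of the telephone switch software; the link state machine and its event names are constructed for the example), the block below shows how a single missing `break` in a C `switch` silently runs the next case's code, beside the corrected handler:

```c
#include <stdio.h>

/* Constructed link state machine (an assumption for this example only). */
enum link_state { LINK_IDLE, LINK_UP, LINK_RESETTING, LINK_DOWN };
enum link_event { EV_CONNECT, EV_RESET, EV_FAIL };

/* Buggy handler: the EV_RESET arm has no break, so control falls into the
 * EV_FAIL arm and every reset is recorded as a link failure. */
enum link_state step_buggy(enum link_state s, enum link_event e)
{
    switch (e) {
    case EV_CONNECT:
        s = LINK_UP;
        break;
    case EV_RESET:
        s = LINK_RESETTING;
        /* missing break here: execution continues into the next arm */
    case EV_FAIL:
        s = LINK_DOWN;
        break;
    }
    return s;
}

/* Corrected handler: each arm ends in its own break. */
enum link_state step_fixed(enum link_state s, enum link_event e)
{
    switch (e) {
    case EV_CONNECT:
        s = LINK_UP;
        break;
    case EV_RESET:
        s = LINK_RESETTING;
        break;
    case EV_FAIL:
        s = LINK_DOWN;
        break;
    }
    return s;
}

int main(void)
{
    printf("buggy: reset from UP -> state %d (expected %d)\n",
           step_buggy(LINK_UP, EV_RESET), LINK_RESETTING);
    printf("fixed: reset from UP -> state %d\n",
           step_fixed(LINK_UP, EV_RESET));
    return 0;
}
```

Both GCC and Clang flag the buggy arm when compiled with `-Wimplicit-fallthrough`, which is the cheap check worth turning on for any packet or call-state handler written as a `switch`.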
The Lone Packet Crashed My Network (Score:3, Funny)
I was wondering why my router was playing the William Tell Overture.
What was in this packet? (Score:3, Funny)
Taco Bell Fire Sauce?
Re: (Score:1)
+++ATH0
The RF portion of the standards is well designed (Score:5, Interesting)
Re: (Score:3, Funny)
Thankfully there are no examples of 'inter-networking' actually working in the wild, much less crazy stuff like hardware that can connect easily to almost any of those 'inter-networked' networks through standardized interfaces and protocols, so we can cut them some slack for failing to achieve such an absurdly difficult task...
Re: (Score:2, Troll)
GSM, UMTS and LTE are not complex because they need to be, they are complex because a lot of entities with massive patent portfolios spent billions of dollars ensuring that they are complex (by finding ways to get as many of their patents as possible into the standards).
Re: (Score:2)
I suspect that the telco desire to resist moving intelligence to the edges of the network has something to do with it. Ye olde intertubes are not so dumb as they seem; but they are rather closer to just carrying packets and leaving the rest to consenting adults than the cell networks are.
Re: (Score:2)
I usually... (Score:1, Funny)
Re: (Score:1)
Your hand accommodates about anything, doesn't it?
Sometimes you don't even need a malformed packet (Score:4, Interesting)
When I was testing a broadband access server at my first job, I saw a case where a ping with an explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developer's face. It was priceless. =)
Someone else had also found a TFTP packet of death; when broadcast, all boxes under test crashed.
Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.
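The size-of-zero case above is the check a receiver should make before any arithmetic sees a length taken off the wire. The block below is an added example, not the commenter's code and not any real ping implementation: the wire format, the 64-byte reply budget and the `parse_echo` function are constructed for the illustration. It keeps the unchecked computation beside the hardened parser so the guard is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed wire format (an assumption for this example, not a real protocol):
 *   byte 0    : type, 1 = echo request
 *   byte 1    : reserved
 *   bytes 2-3 : payload length, big-endian
 *   bytes 4.. : payload bytes */
#define ECHO_HDR_LEN      4
#define ECHO_TYPE_REQUEST 1
#define ECHO_REPLY_BYTES  64   /* constructed: the reply repeats the payload to fill 64 bytes */

enum echo_status {
    ECHO_OK = 0,
    ECHO_ERR_SHORT_HEADER, /* fewer than ECHO_HDR_LEN bytes received */
    ECHO_ERR_BAD_TYPE,
    ECHO_ERR_ZERO_LEN,     /* declared length 0: it is used as a divisor below */
    ECHO_ERR_TRUNCATED     /* declared length exceeds the bytes actually received */
};

struct echo_req {
    uint16_t payload_len;
    const uint8_t *payload;
    unsigned reply_reps;   /* how many times the payload fits in the reply */
};

/* The pattern the post describes: a size read from the packet used directly
 * as a divisor. With payload_len == 0 this is undefined behaviour in C and
 * raises SIGFPE on x86, taking the receiving process down. It is kept here
 * only to show what the validation below guards. */
static unsigned reply_reps_unchecked(uint16_t payload_len)
{
    return ECHO_REPLY_BYTES / payload_len;
}

/* Hardened parse: every field is bounds-checked before it is used, and the
 * zero-length case is rejected before any arithmetic sees it. */
enum echo_status parse_echo(const uint8_t *buf, size_t n, struct echo_req *out)
{
    if (n < ECHO_HDR_LEN)
        return ECHO_ERR_SHORT_HEADER;
    if (buf[0] != ECHO_TYPE_REQUEST)
        return ECHO_ERR_BAD_TYPE;
    uint16_t len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (len == 0)
        return ECHO_ERR_ZERO_LEN;
    if ((size_t)len > n - ECHO_HDR_LEN)
        return ECHO_ERR_TRUNCATED;
    out->payload_len = len;
    out->payload = buf + ECHO_HDR_LEN;
    out->reply_reps = reply_reps_unchecked(len); /* safe: len != 0 here */
    return ECHO_OK;
}

int main(void)
{
    /* Constructed sample packets: a valid request, a zero-length one, and a
     * truncated one that declares 10 payload bytes but carries only 2. */
    const uint8_t good[]  = {1, 0, 0, 4, 'p', 'i', 'n', 'g'};
    const uint8_t zero[]  = {1, 0, 0, 0};
    const uint8_t trunc[] = {1, 0, 0, 10, 'a', 'b'};
    struct echo_req r;
    enum echo_status st;

    st = parse_echo(good, sizeof good, &r);
    printf("good:  status %d, reply repetitions %u\n", st, r.reply_reps);
    st = parse_echo(zero, sizeof zero, &r);
    printf("zero:  status %d (rejected before the division)\n", st);
    st = parse_echo(trunc, sizeof trunc, &r);
    printf("trunc: status %d (declared length exceeds buffer)\n", st);
    return 0;
}
```

The ordering matters: the header length check comes before any header field is read, and the length-versus-buffer check comes before the payload pointer is handed out, so a single short or lying packet returns an error code instead of a fault.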
Kinda reminds me of this (Score:2)
```c
#include
#include
#include
#include
#include
#include
#include
#define dport 139 /* Attack port: 139 is what we want */
int x, s; /* Makes no diff */
char *str = "Bye";
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;
int open_sock(int sock, char *server, int port) {
struct sockaddr_in blah;
struct hostent *he;
```
I'm sorry (Score:1)
But this sounds more like a feature...
Remember the Ping-O-Death (Score:4, Interesting)
Re: (Score:2)
That was always fun to do in the labs, so much fun.
Authorities deny second packet, let truth prevail! (Score:2)
Check the Zapruder trace man, there was clearly a second packet on the grassy knoll! If you trace the first one, it came in via the ethernet port, out the USB, then back in via an SD card - which I say is impossible. Had to be a second packet.
The reason for this is (Score:2)
Kind of how the Bell System used audio tones to control network functions until finally moving to out of band signalling.
Their thinking at the time was that it offered a solution for sending information across the voice ne
Meh (Score:1)