A security industry veteran has criticised telecommunications equipment vendors for suppressing knowledge of vulnerabilities that could result in hundreds of millions of dollars worth of network outages.
In a presentation to Hack In The Box Malaysia (pdf), P1 Security director Philippe Langlois described how a single malformed network packet could disable a carrier's GSM subscriber database.
Hackers could send malformed packets from any network, or femtocells, to crash carriers' Home Location Register server clusters, which store GSM subscriber details as part of the global SS7 network, he explained.
Eighty-three percent of telco operators did not apply traffic filtering over the SS7 network, he said.
"We were able to remotely crash an HLR frontend for two minutes each by sending one malformed packet," Langlois said, citing a 2010 test.
"That means with 20 packets a minute, you would crash the world's HLR. This means there is no communication possible for a country."
Langlois said security flaws persisted in telecommunications infrastructure due to inaction by telco equipment manufacturers, the complexity of networks, and a lack of security oversight.
Telcos the world over were running networks tantamount to "technology sandwiches" where layers of legacy kit had created such high complexity that operators were unaware of glaring holes which Langlois regularly revealed in penetration tests.
One Eastern Europe telco was recently accused of routing half its traffic through a rival's network, forcing the company to fund a significant bandwidth burden. The telcos have yet to settle the case.
"It is troubling to see very talented, expert people [at telcos] who are shielded from the reality of their network by the vendor who has no interest in educating them about the telecom security and exposure of their own networks," Langlois said.
"It feels like the 1980s in terms of security."
As a penetration tester, Langlois said he often accessed telco networks using services that administrators were unaware were active.
"We accessed [an operator's] systems through their X.25 network which they never knew was running because the network vendor never disclosed it -- it was just underlying technology."
"All of these change management, configuration management and monitoring systems are specific to one kind of equipment, and you need to access several of these to get a clear vision of what is on your systems."