December 11, 2025 • 14 mins
An extensive overview of security in telecommunications networks, particularly focusing on cellular systems and their convergence with the Internet. The text first establishes core security concepts and cryptographic principles before thoroughly examining vulnerabilities in both traditional voice networks and modern cellular data services like GSM and GPRS. A significant portion is dedicated to analyzing the impact and mitigation of Denial of Service (DoS) attacks via Short Messaging Service (SMS) and cellular data teardown mechanisms, demonstrating how network rigidities create exploitable weaknesses. Finally, the text explores the architecture and security challenges of Voice over IP (VoIP), contrasting its open, packet-switched nature with the circuit-switched design of traditional telephony systems.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Security-Telecommunications-Networks-Advances-Information-ebook/dp/B002C73P2E?&linkCode=ll1&tag=cvthunderx-20&linkId=06f3f684c83b009971360ebb99dd2032&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the deep dive. Today, we are cracking
open the essential digital infrastructure that connects us all: telecommunications networks.

Speaker 2 (00:09):
Yeah, absolutely essential.

Speaker 1 (00:11):
We depend on them for everything, I mean really.

Speaker 2 (00:13):
Everything, which makes them, you know, incredibly attractive targets for.

Speaker 1 (00:16):
Any serious adversary, right, nation states, organized crime exactly.

Speaker 2 (00:21):
So our mission today is a deep dive into the
emerging state of security in these crucial systems. Okay, we've
pulled together analysis on vulnerabilities: cellular data, SMS, Voice over IP, and.

Speaker 1 (00:36):
We're focusing on why, right, why are these networks sometimes
so fragile?

Speaker 2 (00:39):
Precisely, the sources suggest it really comes down to this
collision old meets new.

Speaker 1 (00:45):
The old phone system architecture, yeah.

Speaker 2 (00:47):
The legacy stuff bumping right into the modern Internet.

Speaker 1 (00:49):
But maybe first let's quickly define security in this context.
Our sources put it pretty simply.

Speaker 2 (00:55):
Right, Security is just the expectation that a system will
behave like.

Speaker 1 (00:58):
You think it should, as anticipated.

Speaker 2 (01:00):
Yeah, and we're going to look at where that expectation
just gets completely, well, betrayed. We'll show how these fundamental
conflicts in the design, things inherited from frankly an era
of blind trust, don't just create gaps, they actually
create mechanisms for amplification. Amplification meaning, meaning simple, low effort
attacks can cause catastrophic denial of service, much bigger impact

(01:24):
than you'd expect.

Speaker 1 (01:25):
Okay, so let's dig into those roots. The historical side.
You mentioned blind trust.

Speaker 2 (01:30):
Yeah, the first failure point was really architectural. It was
built on trust.

Speaker 1 (01:34):
Traditional systems like the old digital backbone SS7, Signaling
System number seven, exactly.

Speaker 2 (01:40):
They were built assuming a totally controlled.

Speaker 1 (01:43):
Environment like a walled garden.

Speaker 2 (01:44):
Pretty much the phone company was a fortress. Why authenticate
signals between core machines if they're all supposedly inside your trusted.

Speaker 1 (01:52):
Walls, right, makes sense in that old context.

Speaker 2 (01:54):
But that lack of authentication between say, routers and switches
back then, that vulnerability state echoes today in parts of
our cellular infrastructure. It's foundational.

Speaker 1 (02:04):
And even before SS7 was really a big target,
you had the originals, the phone phreaks.

Speaker 2 (02:10):
The phone phreaks, yes, which is just wild when you
think about it.

Speaker 1 (02:14):
They proved you could exploit that trust with like the
simplest tools.

Speaker 2 (02:19):
It's true. Back then, the signals managing your call routing,
setup, billing traveled on the same physical line as your.

Speaker 1 (02:26):
Voice. That was in band signaling.

Speaker 2 (02:28):
In band signaling, and the phreaks figured out that if
they played a specific tone, twenty six hundred hertz, the
magic twenty six hundred hertz tone. Yeah, the network heard
that and thought, okay, hang up the trunk line, stop billing.

Speaker 1 (02:41):
But the call was already connected exactly.

Speaker 2 (02:43):
So they just kept talking free long distance.

Speaker 1 (02:45):
Using things like a blue box or, I love this,
the whistle from a Cap'n Crunch cereal box.

Speaker 2 (02:52):
Yeah, the Cap'n Crunch whistle. It's almost unbelievable. A kid's
toy defeated this massive infrastructure just.

Speaker 1 (02:58):
By speaking the network's internal old secret language.

Speaker 2 (03:01):
That vulnerability was so deep they had to completely rip
out in band signaling, move it.

Speaker 1 (03:05):
Out of band, a whole redesign.

Speaker 2 (03:07):
But then history repeats. We moved to digital cellular, GSM.

Speaker 1 (03:11):
Networks and made a similar mistake.

Speaker 2 (03:13):
Basically, yes, this time with weak cryptography.

Speaker 1 (03:15):
Okay, crypto. We hear about strong crypto, and there's this
core idea, Kerckhoffs's principle, right.

Speaker 2 (03:21):
Kerckhoffs's principle says a strong system assumes the bad guy
knows how it works. The only secret should be.

Speaker 1 (03:27):
The key, the algorithm itself should be public.

Speaker 2 (03:30):
And strong, precisely. But early GSM ciphers like A5/1,
and especially the deliberately weakened export version.

Speaker 1 (03:38):
A5/2, they weren't strong.

Speaker 2 (03:40):
Not even close, and they relied on keeping the algorithms secret,
which is the opposite of Kerckhoffs's. Why weakened? Well, the
sources point to political pressure. Back then, governments didn't want
strong encryption getting out, especially overseas.

Speaker 1 (03:53):
Ah, export controls.

Speaker 2 (03:54):
Yeah, but that political choice led directly to a massive
security failure. How bad was it? Researchers like Biryukov later
showed A5/1, the main cipher, you could get
the key on a standard PC.

Speaker 1 (04:05):
Yeah, how long did it take?

Speaker 2 (04:06):
Under a second?

Speaker 1 (04:07):
Wow?

Speaker 2 (04:07):
And A5/2, the weakened one, ten milliseconds, basically instantaneous.

Speaker 1 (04:12):
So real time decryption of calls was.

Speaker 2 (04:14):
Possible, absolutely, and it wasn't just eavesdropping. The authentication algorithm, COMP.

Speaker 1 (04:20):
128, the one that checks if your phone is legit.

Speaker 2 (04:23):
Yeah, it was so flawed attackers could potentially clone SIM
cards or, worse, craft messages to lock legitimate users out
completely. Denial of service.

Speaker 1 (04:33):
Again, that sounds like a nightmare to fix. It was.

Speaker 2 (04:35):
Took years replacing millions of SIM cards worldwide to patch
those fundamental digital holes.

Speaker 1 (04:41):
Okay, so we had trust issues, crypto issues. Let's talk
architecture now. Yeah, where's the design conflict causing these new problems?

Speaker 2 (04:49):
Right? The core conflict now is really rigidity versus flexibility.
Meaning? Well, think about how old phone networks were built
for voice calls. Right, that's rigid.

Speaker 1 (05:00):
Circuit switched traffic, like reserving a dedicated pipe for.

Speaker 2 (05:02):
The whole call exactly, a guaranteed connection, no sharing, no interruptions, ideally,
very predictable, very rigid.

Speaker 1 (05:09):
But now everything runs on packet switched data, the Internet model.

Speaker 2 (05:13):
Right, data chopped into little packets, routed flexibly, sharing the
network efficiently. Total opposite philosophy, and this clashes massively. It
leads to violations of a key Internet principle, the end
to end argument.

Speaker 1 (05:26):
Okay, what's that argument?

Speaker 2 (05:27):
It basically says the network itself should be dumb, just
forward packets, keep it simple.

Speaker 1 (05:32):
All the complexity, like making sure data arrives reliably
or managing a session, should happen.

Speaker 2 (05:37):
At the ends on your phone, on the server, not
in the middle of the network.

Speaker 1 (05:41):
But cellular networks do put intelligence in the middle, don't they.

Speaker 2 (05:44):
They absolutely do. They have to. Think about it. They
need to know where your phone is, manage battery life
by putting it to sleep.

Speaker 1 (05:51):
Stuff the basic Internet doesn't worry.

Speaker 2 (05:53):
About exactly, but building that intelligence, that state management into
the network core that creates rigidity.

Speaker 1 (06:00):
And that rigidity that's the weakness.

Speaker 2 (06:03):
It creates the opportunity for weakness, especially amplification. Here's why.
In the packet world, the basic unit is one small packet. Okay,
in the cellular world, especially older standards, receiving even one
packet can trigger this expensive, complex sequence of actions. To
do what? To set up a much larger virtual resource

(06:23):
for your phone, a channel. It allocates resources based on
that old voice model.

Speaker 1 (06:28):
So a tiny input triggers a big, heavyweight response from
the network.

Speaker 2 (06:32):
Precisely. It's like you knock lightly on a bank vault door,
and instead of just checking who's there, they swing the
whole massive door open, call in extra guards, block off
the hallway.

Speaker 1 (06:42):
Okay, I get the analogy.

Speaker 2 (06:43):
When an attacker sends thousands of those little knocks, the
network exhausts itself doing these heavyweight setups over and over.

Speaker 1 (06:50):
It overreacts based on its rigid design.

Speaker 2 (06:52):
That's the amplification exploiting the network's mandatory, expensive procedures.

Speaker 1 (06:57):
Okay, let's see this amplification play out the SMS bottleneck attack.
It sounds counterintuitive, it really does.

Speaker 2 (07:04):
But yeah, you can weaponize text messages to block voice calls.

Speaker 1 (07:07):
How on earth does that work? It seems like such
a basic function.

Speaker 2 (07:11):
It works because of a shared resource conflict deep in
the architecture. Both voice calls and incoming SMS messages need
the same thing to get started, which is these things
called standalone dedicated control channels, SDCCHs. Okay, SDCCHs, think of
them as the on ramps or the setup coordinators for
the cell tower. Very limited capacity. How limited? The sources

(07:33):
give examples like maybe only nine hundred SMS sessions per
hour per channel.

Speaker 1 (07:37):
That sounds tiny, especially for a busy city.

Speaker 2 (07:40):
It is incredibly low, so the exploit is painfully simple.
An attacker uses just a little bit of bandwidth, like
a home internet connection, yeah, comparable to a cable modem.
They just pump enough bogus SMS setup requests into
the network to keep those SDCCHs constantly busy.

Speaker 1 (07:57):
Like creating a traffic jam on those critical on.

Speaker 2 (07:59):
Ramps, exactly, gridlock. And here's the aha moment. As you said, yeah,
once those SDCCHs are saturated with fake SMS traffic, they
can't be used to set up voice calls either.

Speaker 1 (08:12):
Oh wow, So blocking texts also blocks calls because they
share that initial choke point.

Speaker 2 (08:17):
That's it. Legitimate calls, legitimate texts, nothing can get established.

Speaker 1 (08:20):
What's the impact In reality?

Speaker 2 (08:22):
The researchers modeled this for a major city like Manhattan,
minimal attack resources could block seventy one percent of call and.

Speaker 1 (08:28):
Text attempts seventy one percent. That's basically taking the network.

Speaker 2 (08:31):
Down, pretty much, near total denial of service with almost
no attacker bandwidth, just by exhausting those rigid setup
resources.

Speaker 1 (08:38):
And this extends to data too. GPRS, EDGE, the older
data standards.

Speaker 2 (08:44):
Directly. Similar principle, different mechanism. Remember the network managing device
states: idle, standby, ready, to save battery.

Speaker 1 (08:52):
Right.

Speaker 2 (08:53):
Getting a device into that ready state where it can
actually send and receive data involves paging it, locating it,
setting up this packet data protocol context. It's expensive for.

Speaker 1 (09:03):
The network, lots of overhead each time, right.

Speaker 2 (09:06):
So to avoid doing that constantly, the network uses delayed teardown,
meaning it keeps your phone in that costly ready state
for a few seconds after the last data packet goes through,
just in case more data is coming.

Speaker 1 (09:16):
Okay, seems sensible, but exploitable? Highly.

Speaker 2 (09:20):
The attacker just needs to send tiny, infrequent data packets to.

Speaker 1 (09:23):
Your phone, just enough to reset that timer. Exactly.

Speaker 2 (09:26):
Each tiny packet makes the network think, oh, still active,
and it keeps that expensive ready state, along with associated
resources like TBFs and TFIs, the traffic channels, allocated indefinitely.

Speaker 1 (09:38):
Like keeping the bank vault door open with a toothpick.

Speaker 2 (09:40):
That's a good way to put it, and the impact
is huge. The analysis showed just one hundred and sixty
kilobits per second of attack traffic, that's minuscule, tiny, it
was enough to block over ninety six percent of legitimate
data requests across Manhattan.

Speaker 1 (09:55):
Ninety six percent. Yeah.

Speaker 2 (09:57):
Again, the attack isn't flooding the data pipes. It's exhausting
the network's administrative resources, the virtual channels and setup
processes dictated by that rigid state management.

Speaker 1 (10:07):
So as we move more towards Voice over IP, VoIP, and
this IMS architecture, that's supposed to fix the old rigidity.

Speaker 2 (10:14):
Right.

Speaker 1 (10:15):
Yeah, moving voice onto packet networks, it.

Speaker 2 (10:17):
Solves some old problems, definitely gets rid of some of
that circuit switched baggage, but it inherits a whole new set.

Speaker 1 (10:24):
Of problems, problems from the Internet side of things.

Speaker 2 (10:26):
Exactly, all the lovely security risks we know from the
open Internet now applied directly to voice. Okay, like what? Well,
take call setup. We use protocols like SIP, Session Initiation Protocol,
and there's an encrypted version, SIPS, using TLS.

Speaker 1 (10:39):
Like HTTPS for websites.

Speaker 2 (10:41):
Sounds secure. It is, but only hop by hop. Your
phone connects securely to the first server, that server connects
securely to the next.

Speaker 1 (10:48):
What happens at the server?

Speaker 2 (10:49):
Ah, that's the catch. At every intermediate proxy server, the
session has to be decrypted, looked at, and then re-encrypted
to send it to the next hop. Wait, decrypted
in the middle? Yes, which means your supposedly secure call
setup information is exposed in plaintext on potentially many
machines along the.

Speaker 1 (11:09):
Path, so malicious insiders or just a compromised server.

Speaker 2 (11:13):
Can see everything about the call setup. There's no true
end to end privacy guarantee.

Speaker 1 (11:18):
There. What about encrypting the actual voice conversation itself?

Speaker 2 (11:21):
For that, we have Secure RTP, or SRTP. That can
provide true end to end encryption of the audio.

Speaker 1 (11:28):
But there's always a but.

Speaker 2 (11:29):
The but is key management. How do you and the
person you're calling securely exchange the encryption keys before the
call starts without someone intercepting them? It's a hard problem.

Speaker 1 (11:38):
And sometimes it just doesn't happen.

Speaker 2 (11:40):
Worse, the standards often allow endpoints to negotiate down to
using no encryption at all, the NULL cipher. So you
might think you're secure, but the call is going out
completely unencrypted. It seems bad. It's not ideal. But honestly,
beyond these protocol issues, the biggest modern threat is probably.

Speaker 1 (11:59):
Malware on the device itself.

Speaker 2 (12:01):
Exactly, if your smartphone or your computer gets compromised, it
doesn't matter how good the network encryption is, because.

Speaker 1 (12:07):
The malware sees the data before encryption or after decryption.

Speaker 2 (12:12):
Precisely, game over for privacy at that point.

Speaker 1 (12:14):
Okay, but let's say you avoid malware, you use strong
SRTP with good key exchange. Yeah, are you safe then?

Speaker 2 (12:22):
Still maybe not completely hidden. There's this fascinating area of traffic.

Speaker 1 (12:26):
Analysis, analyzing the encrypted traffic pattern.

Speaker 2 (12:28):
Yeah, even perfectly encrypted voice data leaks information. When you
speak different languages, the way voice codecs chop up the
sound results in different patterns of packet sizes, a distinct
packet length profile for each language.

Speaker 1 (12:40):
Seriously, you can tell the language just from packet sizes
even if you can't read the content.

Speaker 2 (12:44):
The research shows you can, with surprisingly high accuracy, up
to ninety percent in some studies. So even if the
content is secret, an observer might figure out what language
you're speaking, which could reveal who you're talking to or
what kind of conversation it is. Sensitive metadata leakage.
Okay.

Speaker 1 (13:04):
So wrapping this all up, what's the big takeaway from
this deep dive?

Speaker 2 (13:09):
I think the central lesson is pretty stark. These really
dangerous vulnerabilities, especially the denial of service ones we talked about.

Speaker 1 (13:15):
You have the SMS and data attacks.

Speaker 2 (13:17):
They're fundamentally rooted in that architectural rigidity that clash between
the old assumptions of circuit switching and the reality of
flexible packet data.

Speaker 1 (13:26):
The network trying to provide old guarantees in a new world.

Speaker 2 (13:29):
Exactly, and things like rate limiting SMS messages, that's just treating.

Speaker 1 (13:33):
A symptom. The band aid, right.

Speaker 2 (13:36):
Real fixes require systemic change, addressing that core problem of
resource amplification and the expensive, rigid session handling. Until the
architecture truly modernizes, we'll likely keep finding these kinds of
low effort, high impact vulnerabilities, which leaves.

Speaker 1 (13:51):
Us with a final thought, maybe something for you the
listener to think about.

Speaker 2 (13:54):
Yeah, the really big challenge now is this convergence: SS7,
the old stuff, IMS, the VoIP stuff, and the open Internet.
They all have to talk to each other.

Speaker 1 (14:04):
You need your cell phone VoIP call to connect to
Grandma's old landline. Precisely.

Speaker 2 (14:08):
But the security implications of stitching these vastly different systems together, honestly,
they're not fully understood yet.

Speaker 1 (14:15):
We're connecting systems with known but different.

Speaker 2 (14:17):
Flaws, and creating new connection points between them. Could an
attacker exploit a weakness in one system, say the Internet side,
to disrupt traffic in another, like the core phone network,
through these new gateways? A cross-system attack vector? Potentially. Are
we building something more interconnected but ultimately less resilient than
the sum of its parts? That's the ongoing challenge, ensuring

(14:40):
security without breaking the performance we need for real time communication.

Speaker 1 (14:44):
Constant vigilance and research needed there.

Speaker 2 (14:47):
Absolutely, the work is far from over.
© 2025 iHeartMedia, Inc.