
The insecurity of telecom stacks in the wake of Salt Typhoon

312 points, by zdw, 2 months ago

23 comments

0xbadc0de5 2 months ago
The author admits to having zero experience with carrier-level infrastructure, but their suspicions are essentially correct. I actually have done a fair bit of 4G and 5G specific pentesting and security research for a number of major carriers. While it varies between carriers and between product vendors, it's still an absolute horror show. Until very recently, the security was entirely achieved through obscurity. The 4G and 5G standards have started to address this, but there are still gaps big enough to be deeply concerning. I don't think it's overly hyperbolic to assume that any moderately sophisticated threat actor who wants a beachhead on a carrier can achieve it. I've demonstrated this multiple times, professionally. IMHO the hardware vendors from a certain East Asian state have such poorly written software stacks that they could almost be classified as APTs - security is non-existent. There are valid reasons Western countries have banned them. Western hardware vendors have significantly more mature software, but are still many years behind what most of us would consider modern security best practices.
miki123211 2 months ago
One thing I absolutely don't understand about telecom security is how, in 2025, we're still using pre-shared keys in our mobile phone standards.

RSA and Diffie-Hellman[1] have existed for decades, so have CA systems, yet SIM cards are still provisioned with a pre-shared key that only the card and the operator know, and all further authentication and encryption is based on that key[2]. If the operator is ever hacked and the keys are stolen, there's nothing you can do.

To make things even worse, those keys have to be sent to the operator by the SIM card manufacturer (often a company based in a different country and hence subject to demands of foreign governments), so there are certainly opportunities to hack these companies and/or steal the keys in transit.

To me, this absolutely feels like a NOBUS vulnerability: if the SIM manufacturers and/or core network equipment vendors are in cahoots with the NSA and let the NSA take those keys, they can potentially listen in on all mobile phone traffic in the world.

[1] I'm aware that those algorithms are not considered best practices any more and that elliptic curves would be a better idea, but better RSA than what we have now.

[2] https://nickvsnetworking.com/hss-usim-authentication-in-lte-nr-4g-5g/
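The property the comment describes, as an added illustration that is not part of the thread or of the linked page: in 3GPP AKA both the network and the USIM derive the challenge response and the session keys CK/IK from the long-term key K and a nonce RAND that travels in the clear, so a copy of K is all that is needed to reproduce every session key. The real derivation functions are MILENAGE or TUAK; the HMAC-SHA256 stand-in below is an assumption made for readability, not the standard.

```python
"""Simplified AKA-style derivation (added example; f2..f4 modelled with HMAC,
not the real MILENAGE/TUAK functions) showing that everything hangs off K."""
import hmac
import hashlib
import os


def f(key: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """Stand-in for one AKA function: keyed PRF over RAND, truncated to n bytes."""
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:n]


def derive(k: bytes, rand: bytes) -> dict:
    """Shared derivation run identically by the HSS/AuC and by the USIM."""
    return {"res": f(k, b"f2", rand, 8),    # (X)RES, the challenge response
            "ck":  f(k, b"f3", rand, 16),   # cipher key for the session
            "ik":  f(k, b"f4", rand, 16)}   # integrity key for the session


def run_aka(k_network: bytes, k_card: bytes, rand: bytes = None) -> tuple:
    """One authentication round; returns (accepted, network CK, card CK, RAND)."""
    if rand is None:
        rand = os.urandom(16)               # sent to the phone unencrypted
    av = derive(k_network, rand)            # authentication vector at the core
    card = derive(k_card, rand)             # what the USIM computes
    accepted = hmac.compare_digest(av["res"], card["res"])
    return accepted, av["ck"], card["ck"], rand


def leaked_key_exposes_session(k_copy: bytes, rand: bytes, ck: bytes) -> bool:
    """Whoever holds a copy of K plus the public RAND derives the same CK.
    There is no per-session secret, so a leaked K is not recoverable from
    except by physically replacing the SIM (the comment's point)."""
    return derive(k_copy, rand)["ck"] == ck


if __name__ == "__main__":
    K = os.urandom(16)                      # constructed sample subscriber key
    ok, ck_net, ck_card, rand = run_aka(K, K)
    print("auth accepted:", ok, "session keys agree:", ck_net == ck_card)
    print("copy of K reproduces CK:", leaked_key_exposes_session(K, rand, ck_net))
    bad, *_ = run_aka(K, os.urandom(16))    # a card with the wrong K is rejected
    print("wrong card key accepted:", bad)
```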
traceroute66 2 months ago
To be honest, the conclusion of the blog post that Freeswitch are not budging from their community release schedule does not surprise me one iota.

Freeswitch used to have a strong community spirit.

Things all changed since they took a more aggressive commercial turn, a couple of years ago IIRC.

Since that point you now have to jump through the "register" hoop to gain access to stuff that should be open (I can't remember what it is, IIRC something like the APT repos being hidden behind a "register" wall, something like that).

I don't want to "register" with a commercial company to gain access to the FOSS community content. Because we all know what happens in the tech world if you give your details to a commercial company: the salesdroids start pestering you for an upsell/cross-sell, you get put in mailing lists you never asked to be put on, etc.
lenerdenator 2 months ago
I think it's fair to assume that between foreign threat actors, the Five Eyes/other Western pacts, and the demand to make the line go up, there's no real anonymity online. If they want you, they've got the means to get you.

In reality that's really no different than the pre-internet age. If you don't want your stuff intercepted, you need to encrypt it by means that aren't trivial to access electronically for a major security apparatus. Physical notes, word-of-mouth, hand signals, etc.

Also, you need to be ready for the consequences of what you say and do online should a state actor decide to allocate the resources to actually act upon the data they have.
ofrzeta 2 months ago
From the article I am not totally convinced that "Telecom security sucks today", given they just randomly picked Freeswitch to find a buffer overflow. "Telecom stacks" might or might not be insecure, but what's done here is very weak evidence. The Salt Typhoon attacks allegedly exploited a Cisco vulnerability, although the analysts suggest the attackers have been using proper credentials (https://cyberscoop.com/cisco-talos-salt-typhoon-initial-access/). So nothing to do with Freeswitch or anything.
lsnd-95 2 months ago
One area where freeswitch is probably used quite often (and without support contract) are BigBlueButton installations (virtual classroom system) in schools and universities. I am more worried about them than about telcos.
dqv 2 months ago
I wonder how many people are even using the XML RPC module. It doesn't get loaded by default.

Edit: 468 according to Shodan. I'm wondering if senddirectorydocument gets used at all by the XML RPC module.
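A quick self-check for operators wondering whether they are among those installs, added here and not taken from the thread or from the FreeSWITCH project: parse the stock module list and the XML-RPC settings file and flag the module being loaded, stock credentials, or an HTTP listener that still needs firewalling. The two XML samples are constructed, and the file names and param names (http-port, auth-user, auth-pass) are my recollection of the shipped defaults; verify them against your own install.

```python
"""Added example: audit whether a FreeSWITCH config loads mod_xml_rpc and, if so,
whether xml_rpc.conf.xml still carries the stock settings (names assumed)."""
import xml.etree.ElementTree as ET

# Constructed sample of conf/autoload_configs/modules.conf.xml
MODULES_CONF = """<configuration name="modules.conf" description="Modules">
  <modules>
    <load module="mod_sofia"/>
    <load module="mod_xml_rpc"/>
  </modules>
</configuration>"""

# Constructed sample of conf/autoload_configs/xml_rpc.conf.xml
XML_RPC_CONF = """<configuration name="xml_rpc.conf" description="XML RPC">
  <settings>
    <param name="http-port" value="8080"/>
    <param name="auth-realm" value="freeswitch"/>
    <param name="auth-user" value="freeswitch"/>
    <param name="auth-pass" value="works"/>
  </settings>
</configuration>"""

STOCK_CREDS = {("freeswitch", "works")}   # assumed shipped default user/pass


def loaded_modules(modules_xml: str) -> set:
    """Names of every <load module="..."/> entry in modules.conf.xml."""
    root = ET.fromstring(modules_xml)
    return {e.get("module", "") for e in root.iter("load")}


def xml_rpc_settings(conf_xml: str) -> dict:
    """The <param name= value=> pairs from xml_rpc.conf.xml as a dict."""
    root = ET.fromstring(conf_xml)
    return {p.get("name"): p.get("value") for p in root.iter("param")}


def audit(modules_xml: str, conf_xml: str) -> list:
    """Return human-readable findings; an empty list means the module is off."""
    findings = []
    if "mod_xml_rpc" not in loaded_modules(modules_xml):
        return findings                     # not loaded: nothing is exposed
    findings.append("mod_xml_rpc is loaded")
    s = xml_rpc_settings(conf_xml)
    if (s.get("auth-user"), s.get("auth-pass")) in STOCK_CREDS:
        findings.append("xml_rpc.conf.xml still uses the stock credentials")
    if s.get("http-port"):
        findings.append("XML-RPC HTTP listener on port %s; confirm it is not "
                        "reachable from the internet" % s["http-port"])
    return findings


if __name__ == "__main__":
    for line in audit(MODULES_CONF, XML_RPC_CONF):
        print("-", line)
```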
ta20240528 2 months ago
The really good hacks happen with CAMEL MAP injection. Controls all sorts of goodness like SMS, USSD, and the crown jewel: location services.

Many a "bulk SMS" provider in places like the richer Caribbean islands, and Indonesia, that do a lot more than send spam.
richardwhiuk 2 months ago
No major carrier is running FreeSwitch or Asterisk at the core.
Nextgrid 2 months ago
I highly recommend checking out P1 Security's presentations around mobile telco security: https://www.slideshare.net/slideshow/day1-hacking-telcoequipmentthehlrhsslaurentghigonisp1sec/34291135.

It's old but there's no reason to believe things have improved, as there are zero incentives to. Also, software security vulnerabilities are only part of the problem - the other part is that telcos willingly outsource control and critical access to the lowest bidder: https://berthub.eu/articles/posts/5g-elephant-in-the-room/
capitainenemo 2 months ago
From the article: "This is not typically a problem, since most browsers don't support URLs longer than 2048 characters, but the relevant RFCs support up to about 8 KB in most cases. (CloudFlare supports up to 32KB.)"

So obviously relying on browsers is not enough, but a nitpick: the article links to a stackoverflow which actually notes browsers support a lot more.

    Browser    Address bar   document.location or anchor tag
    -------------------------------------------------------
    Chrome     32779         >64k
    Android    8192          >64k
    Firefox    >300k         >300k
    Safari     >64k          >64k
    IE11       2047          5120
    Edge 16    2047          10240
johann8384 2 months ago
I imagine most of the people running Freeswitch have their own patches on top of the community releases anyway, so we're compiling those security fixes into our own builds. That's what we did anyway when I worked for a place using Asterisk, Freeswitch, and OpenSER/Kamailio, whatever it is called this decade.

"potentially thousands of telecom stacks around the world that SignalWire has decided to keep vulnerable until the Summer, even after they published the patches on GitHub."
asimpleusecase 2 months ago
I would dare to whisper that the lack of security suits the NSA just fine. However, you can add just about every technically competent nation state, organised crime, major corporations, and a collection of non-state actors. About the only group besides us normies who I think might really care about this are the payment rails folks, as this insecurity facilitates more fraud.
gregw2 2 months ago
Three thoughts.

1) To be slightly annoyingly contrarian, there is money to be made in secure telecom; Skype founders made a bundle, no?

2) This article conflates freeswitch with major telecom carrier infrastructure. My impression is that 30+% of the problem with security is not technical but economic. Carriers outsource a ton of their operations, effectively outsourcing most efforts to care about security... which never helps security posture unless the outsourcer considers their core value proposition, which they generally don't, instead pushing themselves as a cost/capitalization play.

3) No discussion of Matrix here as where things are headed, security-wise? https://matrix.org/blog/2024/10/29/matrix-2.0-is-here/
eadmund 2 months ago
Why was FreeSWITCH written in C? Even in 2006 there were more secure alternatives.

We as an industry keep poking ourselves in our collective eye with a sharp stick, wondering why it hurts.
protocolture 2 months ago
I have gone on about this before, but most carriers have a psychological aversion to security, and most of their vendors adopt the same.

They see themselves as the wire, and thus completely incapable of being targeted by hostile third parties.

Non-exhaustive list of problems I have seen:

- Credit cards stored in plaintext on the carrier's WordPress website.
- ESXi and DRAC ports publicly available to the internet, not patched.
- Inbound authentication not dropped by core infrastructure, log files just filling up with brute force attempts (often successful).
- Software vendors not implementing carrier network standards and telling everyone they know better.
- Tech support opening SOCKS proxy ports for technical support reasons and then leaving them open, where they get abused for Netflix traffic.
- Field techs running around with core infrastructure passwords written on their paperwork.
- Vulnerable hardware remaining unpatched and available to the internet for years, particularly Fortigate stuff.
- Technicians building unencrypted PPTP VPNs on client infrastructure and leaving them open for years.

It doesn't surprise me that freepbx/asterisk etc. are full of issues. They only get yelled at when they push a change that knocks some eccentric SIP config offline; no one cares if they maintain vulnerable code as long as it works. Doubly so because there's a cottage industry in locating and using vulnerable SIP credentials for fraudulent phone calls.
CursedSilicon 2 months ago
In a past life I worked at AWS as a support engineer.

I once got a ticket from T-Mobile (US) asking what "AWS's best practices were around security patching. How long should we wait?"

A week later they admitted to an enormous data breach.

I'd say I switched phone carriers after that, but after working in the ISP market I already knew they were all absolute clown shows where all the money only went to C-levels and not infrastructure or security.
xvilka 2 months ago
Time to rewrite telecom software in Rust?
knowitnone 2 months ago
The paid version is probably not much better.
heraldgeezer 2 months ago
SS7 again... ofc. Kinda tiresome now.

Yes, insecure, but needed. Unless you want to shut down 2G and 3G worldwide. It is happening, slowly.

The FreeSwitch stuff? Telcos buy from vendors like Nokia, Cisco, Ericsson, Huawei, where they can't see src anyway.
kamma4434 2 months ago
I wonder who in practice runs XMLRPC today. My feeling is that nobody looked at that code in decades, because nobody cares.
tmaly 2 months ago
This made me think, how many people have tried feeding some of this critical code to the best LLM models and asking it to point out any bugs?
sakras 2 months ago
I've been beating the drum about this to everyone who will listen lately, but I'll beat it here too! Why don't we use seL4 for everything? People are talking about moving to a smart grid, having IoT devices everywhere, putting chips inside of people's brains (!!!), cars connected to the internet, etc.

Anyway, it's insane that we have a mathematically-proven secure kernel; we should use it! Surely there's a startup in this somewhere..