The insecurity of telecom stacks in the wake of Salt Typhoon
213 comments
·March 12, 20250xbadc0de5
matthewdgreen
A few years back the U.K. tried a political experiment in which it purchased Huawei equipment and also set up a special government/Huawei lab where they could analyze the source code to ensure it was safe to use. GCHQ found that the code quality made it unreviewable, and that they could not even ensure that the source code provided actually ran on the equipment (because Huawei had direct update capability.) I believe that equipment has been banned since 2020. https://www.washingtonpost.com/world/national-security/brita...
gnfargbl
You're thinking of HCSEC. In the majority of their reports they repeatedly complained that they couldn't even get binary equivalence with Huawei's deployed builds (which clearly obviates the value of any code review) but in the most recent available report from 2021 [1], they do report that Huawei had finally achieved that binary equivalence for a core product set.
The government chose to stop publishing HCSEC reports after 2021. I'm unable to work out whether HCSEC itself is still operating or not.
[1] https://assets.publishing.service.gov.uk/media/60f6b6be8fa8f...
0xbadc0de5
Correct. Both the US and Canada also did similar investigations and came to similar conclusions.
gmueckl
The ban always seemed weird to me. Not even a shred of a technical argument made it into public discourse when this was an issue. Governments just said "trust us" without giving any examples. This thread is the first time I read a hint at why that decision was made. Still, I don't know how much of this was a political stunt vs. grounded in reality. Maybe I am too jaded/cynical?
urban_winter
The media coverage at the time (which I followed closely because I worked in this space) indicated that the UK was under a great deal of pressure from the US to ban Huawei. The US was allegedly concerned that the use of Huawei equipment would allow US/UK shared intelligence to be eavesdropped by the CCP. The US pressure was widely viewed in the UK as having an economic purpose disguised as security.
A quick search found: https://www.euractiv.com/section/politics/short_news/uk-bann...
gadders
>> The US pressure was widely viewed in the UK as having an economic purpose disguised as security.
I live in the UK. This may have been part of it, but to think that a communist dictatorship that (to pick a random example) harvests organs from political opponents is above backdooring their own kit is beyond naïve.
Scoundreller
That kind of analysis needs a control.
But I guess it’s like you said: a political experiment.
Etheryte
Does it really need a control when many countries across the globe have independently tried it out and reached the same conclusion? I would say the results are pretty clear.
FreebasingLLMs
I've been personally involved in evaluating the security of a certain vendor starting with the letter H. Let us just say they are "less than honest". I had pcaps of their bullshit trying to reach out to random C2 shit on the internet, which garnered a response of "there must be a mistake, that is not our software".
Let China sell their telecom bullshit to all the poor people of the world - they will learn hard lessons.
codedokode
Does it send more data to more endpoints than US-made Windows OS (I wiresharked it in a VM so I know)?
secondcoming
Was this for phones or home routers?
markus_zhang
Just curious is there write ups on certain devices? Would love to buy one from Ali express and look into this.
Is this a good starting point?
ghostpepper
How does a regular hacker get their hands on this kind of equipment to do research?
0xbadc0de5
eBay, Alibaba, various grey-market sellers. There's no shortage of availability if you know what to look for.
null
hulitu
> IMHO the hardware vendors from a certain East Asian state have such poorly written software stacks, that they could almost be classified as APTs - security is non-existent.
Thank god we have the hardware and software vendors from a certain north american state, who take security very seroisly. Oh, wait ... /s
shakna
At least those can currently pass industry level audits.
mschuster91
Given that Cisco has RCEs and hardcoded credential CVEs at least once every half year or so, the question does arise if our current level of audits is even remotely sufficient. And it's not Cisco alone - any major vendor of VPN or firewall or general network gear suffers from the same problem.
miki123211
One thing I absolutely don't understand about telecom security is how, in 2025, we're still using pre-shared keys in our mobile phone standards.
RSA and Diffie Hellman[1] have existed for decades, so have CA systems, yet SIM cards are still provisioned with a pre-shared key that only the card and the operator knows, and all further authentication and encryption is based on that key[2]. If the operator is ever hacked and the keys are stolen, there's nothing you can do.
To make things even worse, those keys have to be sent to the operator by the SIM card manufacturer (often a company based in a different country and hence subject to demands of foreign governments), so there are certainly opportunities to hack these companies and/or steal the keys in transit.
To me, this absolutely feels like a NOBUS vulnerability, if the SIM manufacturers and/or core network equipment vendors are in cahoots with the NSA and let the NSA take those keys, they can potentially listen in on all mobile phone traffic in the world.
[1] I'm aware that those algorithms are not considered best practices any more and that elliptic curves would be a better idea, but better RSA than what we have now.
[2] https://nickvsnetworking.com/hss-usim-authentication-in-lte-...
johnwayne666
Gemalto was hacked 15 years ago:
> "AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden."
rightbyte
I have talked to telephone engineers and they said they could read all passing SMSs verbatim when they hooked up to a cell tower to debug stuff.
Dunno if that is still the case though. However, cell phones as secure communication did not use to be the case.
You would probably want to communicate with encrypted data traffic device to device.
ArnoVW
From what I remember from early 2000’s only the air interface was encrypted. Since anyway they have to provide lawful intercept capability there was not much benefit in providing end to end encryption. It’s not like it was a top of mind feature for consumers.
Scoundreller
> It’s not like it was a top of mind feature for consumers.
BlackBerry got some market share for promoting their encryption.
Of course the encryption was complete junk, possibly worse than junk because of the false sense of security, unless you were an enterprise customer.
https://www.theregister.com/2016/04/15/canada_blackberry_wat...
marcus0x62
In the late 90s/early 2000's, I would hear voice telephone conversations in central offices quite frequently. (Nobody was spying on purpose, or even paying much attention to what was being said. It was incidental to troubleshooting some problem report.)
zelon88
This is still the case when troubleshooting POTS lines on analog PBX systems.
All you need is the probe side of a tone generator and you can listen to analog phone conversations in progress with no additional configuration or hardware.
ethagnawl
I'll bet you've got some other great war stories, too.
jeroenhd
SMS is encrypted in transit between device and tower, but after that it's plaintext. Same with carrier-spec RCS over HTTP (although HTTPS is available, but then it's plain text at the carrier RCS server anyway).
Encryption between tower and device were particularly weak in 2G and 3G days, but since 4G things have been a lot better. 2G's continuing existence remains a security risk, which is why Google Pixels have a toggle to turn it off, and iOS disables it when you enable lockdown mode.
Do not use SMS or non-E2EE RCS for anything you wouldn't shout at a random telecom engineer or passing police officer.
miki123211
That's not what this is about.
Cell towers (BTSs and eNodeBs) do indeed have unencrypted access to the data passing through them. They're owned by the operator, this is fine.
An attack on SIM card keys would let anybody listen to traffic going over-the-air or impersonate a cell tower. All you need is the keys and some radio equipment to receive the traffic.
codedokode
Not only they can read, they probably record them because SMS don't use much space.
lxgr
Some of these algorithms have to run on the SIM card, and smart cards (at least in the past) don't support RSA or (non-elliptic-curve) DH without a coprocessor that makes them more expensive.
Also, symmetric algorithms are quantum safe :)
But yes, I also wish that in 2025 we'd at least support ECC, which most smart cards should support natively at this point.
> To make things even worse, those keys have to be sent to the operator by the SIM card manufacturer (often a company based in a different country and hence subject to demands of foreign governments), so there are certainly opportunities to hack these companies and/or steal the keys in transit.
If you can't trust your SIM card vendor, you're pretty much out of luck. The attack vector for an asymmetric scheme would look a bit different, but if you can't trust the software running on them, how would you know if they were exfiltrating plaintexts through their choice of randomness for all nondeterministic algorithms?
miki123211
There's a difference between asking / bribing / blackmailing / legally forcing the company to make a copy of some text files (or just figuring out a way to get those files yourself) versus forcing them to modify their software in deliberately insecure ways (which can also be discovered by others and used against you).
The former is a true NOBUS, the second one is not (though you're right that governments would probably treat this as one).
tptacek
If you have the ability to distribute keys directly, asymmetric cryptography adds complexity without much payoff. Certainly the idea that introducing RSA to a symmetrical system makes it more sound isn't well supported; the opposite is true.
The "NOBUS vulnerability" thing is especially silly, since the root of trust of all these systems are telecom providers. You don't have to ask if your American telecom provider is "in cahoots" with the US intelligence community; they are.
miki123211
> American telecom provider
Who said anything about American telecom providers specifically?
> If you have the ability to distribute keys directly, asymmetric cryptography adds complexity without much payoff.
It's hard for me to believe that a symmetric key, touched by at least three systems (SIM card, operator HSS, SIM manufacturer), the former two of which can't be completely airgapped for obvious reasons, with no ability to rekey, is more secure than a key that is physically unable to leave a single device.
With a TLS-like system, you'd have to somehow hack every single SIM card to get anywhere. Hacking the manufacturer wouldn't help unless you could make them flash custom software that would exfiltrate the keys, and the consequences of an operator hack could be contained by revoking an immediate certificate and generating a new one, presumably from the operator's root cert, sitting somewhere safe in a completely airgapped HSM.
newsclues
I worked for a major telco in technical support/customer service.
I saw numerous security issues, and when I brought them up, with solutions to improve the service for customers, I was informed the the company would lose money.
Scammers are big customers for telcos, and when they get caught, and banned, they come back again and pay a new connection fee and start the cycle again. Scammers also enable feature upselling, another way to profit from not solving the problem.
whyever
Are you suggesting end-to-end encryption? Telecom providers have to implement "lawful intercept" interfaces to comply with the law in many jurisdictions.
toast0
I think they're just suggesting improvements on device-to-network encryption. Requiring the sim card secret to live on the sim card and the network means it needs to be transmitted from manufacturing to the network, which increases exposure.
If it were a public/private key pair, and you could generate it on the sim card during manufacturing, the private key would never need to be anywhere but the sim card. Maybe that's infeasible because of seeding, but even if the private key was generated on the manufacturing/programming equipment and stored on the sim card, it wouldn't need to be stored or transmitted and could only be intercepted while the equipment was actively compromised.
lxgr
This really is the least concern in the entire mess that is phone network security. (Credit and debit card issuers have the same key distribution and derivation problem, but it's ~fine, and there are robust standard solutions, such as deriving per-card keys at the personalization site using tamper-proof HSMs.)
Even if SIM cards were to feature an asymmetric private key: What would you do with it? How would you look it up, and what would you use it for? There is simply no provision for end-to-end encryption in the phone network at the moment.
If there were, it would be a different story, of course, but I doubt that will ever happen.
dylan604
That's fine. Let them have lawful intercept into my encrypted communications. Let them eat static
immibis
As part of lawful intercept, they can't encrypt the traffic and then send the NSA the encrypted traffic. They have to send the unencrypted traffic. Or they go to jail.
secondcoming
If it's all encrypted you wouldn't be able to call land lines.
ngneer
You appear to be neglecting the need for symmetric stream ciphers to achieve realtime communications (needed for performance reasons). No matter what you do, you are going to have a symmetric key in there somewhere for adversaries to extract. Once the adversary owns the telco, it is over (i.e., calls can be decrypted), no matter how strong the cryptography is. Your strongest cryptography cannot withstand a key leak.
andrewflnr
Do you know how TLS works? The asymmetric keys are used to negotiate temporary symmetric keys, which are used for the actual data. That's exactly what the mentioned Diffie-Hellman algorithm does. Also check out "perfect forward secrecy".
ngneer
Of course I know how TLS works, as well as PFS. I recommend Kaufman on the subject. The general scheme you refer to is known as hybrid cryptography, and the key material that is derived is used to generate symmetric keys for the TLS session (several keys, in fact, separately for confidentiality and integrity, and for duplex communications). You missed my point completely, though. Unlike TLS sessions, which rely on packets, calls are multiplexed with TDMA or CDMA, for example. Unlike TCP, these channels have realtime requirements that necessitate stream ciphers be employed. I could ask you if you know how telecom works, but that would be childish and demeaning. As ephemeral as you wish to make it, the telco must know the secret key, for imagine if the call is being relayed to Timbuktu and must be passed in plaintext.
xen2xen1
Phase 1 and Phase 2.
bcrl
Nortel DMS100 switches are still running code written for Motorola 680x0 CPUs. There is not enough CPU power to validate an RSA key in a timely manner for any control message sent over a T1 or ISDN PRI.
traceroute66
To be honest, the conclusion of the blog post that Freeswitch are not budging from their community release schedule does not surpise me one iota.
Freeswitch used to have a strong community spirit.
Things all changed since they took a more agressive commercial turn, a couple of years ago IIRC.
Since that point you now have to jump through the "register" hoop to gain access to stuff that should be open (I can't remember what it is, IIRC something like the APT repos being hidden behind a "register" wall, something like that).
I don't want to "register" with a commercial company to gain access to the foss community content. Because we all know what happens in the tech world if you give your details to a commercial company, the salesdroids start pestering you for an upsell/cross-sell, you get put in mailing lists you never asked to be put on, etc.
BEBAA7
In Signalwire’s defence, reading through the old mailing list, I got the feeling they drove the development of Freeswitch for years without being properly compensated by downstream projects. Sadly I’ve also seen other parts of the Voip community recalibrate their generosity when it comes to open source and I honestly can’t blame them.
The team behind Matrix.org talked about a similar problem in one of their FOSDEM’25 talks: commercial vendors free loading on development.
knowitnone
It's MPL licensed. Perhaps they should have chosen a different license if they want to be compensated.
traceroute66
> It's MPL licensed. Perhaps they should have chosen a different license if they want to be compensated.
Or indeed if they wanted to be compensated, they could have moved to an open-core model.
It was their decision for many years to keep the majority of the project as foss. IIRC there were only ever two commercial optional licenses, one for the G.729 codec and one for something else. Everything elee was foss.
They could have sold licenses for this that and everything else, but it was their decision and theirs alone not to.
jeroenhd
Correct me if I'm wrong, but isn't the patched source code available? It'd be awfully nice of them to update their APT repos for free, but that's nothing more than that: awfully nice. If you rely on their code and don't wish to pay for their support, you could always build the APT packages yourself.
I don't know what kind of community spirit you should expect for a project maintained by a single company like this.
traceroute66
> It'd be awfully nice of them to update their APT repos for free, but that's nothing more than that: awfully nice.
It doesn't cost them anything metophorically or physically.
Updating the APT repo is a CI/CD script away. No doubt they do it for the commercial side anyway, so the tweak in the CI/CD is probably no more than a couple of variables.
And open-source projects can usually get freebies from everything they need. So there's unlikely to be much if anything in terms of actual hard-dollars expense for running the repos.
lenerdenator
I think it's fair to assume that between foreign threat actors, the Five Eyes/other Western pacts, and the demand to make the line go up, there's no real anonymity online. If they want you, they've got the means to get you.
In reality that's really no different than the pre-internet age. If you don't want your stuff intercepted, you need to encrypt it by means that aren't trivial to access electronically for a major security apparatus. Physical notes, word-of-mouth, hand signals, etc.
Also, you need to be ready for the consequences of what you say and do online should a state actor decide to allocate the resources to actually act upon the data they have.
ofrzeta
From the article I am not totally convinced that "Telecom security sucks today", given they just randomly picked Freeswitch to find a buffer overflow. "Telecom stacks" might or might be not insecure but what's done here is very weak evidence. The Salt Typhoon attacks allegedly exploited a Cisco vulnerability, although the analysts suggest the attackers have been using proper credentials (https://cyberscoop.com/cisco-talos-salt-typhoon-initial-acce...) So nothing to do with Freeswitch or anything.
posperson
Cisco Unified Call Manager almost certainly has vulnerabilities, as does Metaswitch which has shambled along in network cores after Microsoft publicly murdered it, Oracle SBC is often wonky just doing the basics, whatever shambling mess Teams is shipping this week for their TRouter implementation definitely has Denial of Service bugs that I can't properly isolate.
Lets not even talk about the mess of MF Tandems or almost every carrier barebacking the web by slinging raw unencrypted UDP SIP traffic over the internet...
It is possible to build secure systems in this space, but instead we have almost every major telecom carrier running proprietary unmodifiable platforms from long dead companies or projects (Nortel, Metaswitch,etc) and piles of technical debt that are generally worse than the horribly dated and unpatched equipment that comprises their networks.
tjohns
I find it absolutely insane that the industry standard for SIP trunks is unencrypted UDP, usually using IP-based authentication.
When I asked a popular VoIP carrier about this a while back, they argued that unencrypted connections were fine because the PSTN doesn't offer any encryption and they didn't want to give their customers a false sense of security. While technically true, this doesn't mean we shouldn't at least try to implement basic security where we can - especially for traffic sent over the public Internet.
jvdvegt
PSTN starts at the home router these days, I don't think I can get an actual analog line in my house.
jauntywundrkind
Painting a dire picture here!
It'd be lovely to see some nations of the world pour some serious money into the various Linux Foundation (or other open source) telco & cellular projects.
surajrmal
Pouring money is not how you get good quality software. You need a company driving product quality. Most Linux foundation projects have companies heavily invested in productionizing the projects and that leads to them contributing to them to ensure high quality code. Code without a driving product tends to wander aimlessly.
1oooqooq
Linux foundation is the thing financing backdoors. do not confuse it with Linux. the only money from the foundation that goes to actual Linux are a couple build servers. and one event sponsorship. absolutely nothing else.
heraldgeezer
>Cisco Unified Call Manager
Is that not a kind of business/enterprise thing?
"Telecom" to me is like a network core equipment and radio towers - https://www.cisco.com/c/en/us/products/wireless/pgw-packet-d...
foobiekr
Call Manager etc have zero to do with SP networks.
some_furry
I've had a few conversations with [security nerds more familiar with telecom] since SignalWire broke embargo.
The "everything sucks and there's no motive to fix it" was a synopsis because, frankly, those conversations get really hard to follow if you don't know the jargon. And I didn't feel like trying to explain it poorly (since I don't understand the space that well, myself), so I left it at what I wrote.
(I didn't expect Hacker News to notice my blog at all.)
sunbum
As security nerd working within telecom agreed. Nobody really cares about security issues. And when people already struggle to care about the issues it gets even worse when fixing some of the issues (such as SS7 vulns) requires coordination with telcos around the world. cape[1] at least seems like its a breath of fresh air within the space.
[1] - cape.co
ikiris
Can confirm. It’s not even nonchalance, but outright hostility to security because that sounds like work and change. And if there’s anyone who hates change, it’s telcom. They still resent having to learn voip and it could have kids in college at this point.
johndoyle
Hi, CEO of Cape here. Great insights. Salt Typhoon is just the latest example of how fragile these systems are. Vulnerabilities in protocols like SS7 are just the tip of the iceberg, and the incentives to fix them are weak. Telcos prioritize uptime and revenue collection over security, and addressing these attack surfaces requires coordination between multiple entities—something that is slow and complicated. The industry tends to accept these risks rather than truly mitigate them.
1oooqooq
cape.co marketing sounds suspiciously like the cia front in Switzerland in the late 90s.
"hey you who needs privacy, here's something that somehow costs even less than the ones selling your data"
ethagnawl
I'll have to try to find a video of the HOPE presentation where I first heard about SS7 and how riddled it was with known vulnerabilities, my jaw hit the floor.
Semaphor
> (I didn't expect Hacker News to notice my blog at all.)
Your blog actually gets posted somewhat regularly [0]. I actually remembered it, because it’s one of the rare cases where I like the "cute" illustrations.
cyberax
I worked with telecom code. It's code that parses complicated network protocols with several generations of legacy, often written in secrecy (security by obscurity), and often in C/C++.
There's just no way it can be insecure. Right.
surajrmal
That's also how the majority of network appliances are handled outside of Telecom.
cyberax
Yep. And the network appliance world also tried to make that a "feature", by making things like "management VLANs" and pretending that you don't need to be secure because of it.
ofrzeta
I don't doubt that this cruft is insecure. It's just a bit of a stretch to get to that conclusion from finding a potential buffer overflow in Freeswitch. Maybe it's not a stretch but just a conclusion by analogy but then you might just say "all software is insecure".
jeroenhd
Telecom stacks are full of questionable security decisions, some stemming from the protocol level. Protocols like SS7 were designed without any concept of hackers or malicious actors. You can slap firewalls on top of them, but those interfere with desired functionality and even if they don't they require extra investment. DIAMETER is better but still full of holes.
Security in the telecom space has been a point of priority for the past couple of years and things are improving, but there are decades of legacy hardware, software, firmware, and network designs to cover for.
I doubt anyone is running standard Freeswitch in their telco networks, but the problems Freeswitch has as an aging telecom product with a history of not looking for security as much as one might expect those are all over the place.
amiga386
This blog article is a combination of "I did a thing I do for a living" plus "recipient of my report does not share my (and the rest of the Security Industry) values", and concludes that Telecom security sucks.
It's very nice that the author spent their free time looking at code, found a bug and reported it -- I don't want to discourage that at all, that's great. But the fact that one maintainer of one piece of software didn't bow and scrape to the author and follow Security Industry Best Practises, is not a strong basis for opining that "Telecom security sucks today" (even if it does)
If someone came to you with a bug in your code, and they didn't claim it was being actively exploited, and they didn't offer a PoC to confirm it could be exploited... why shouldn't you just treat it as a regular bug? Fix it now, and it'll be in the next release. What's that? People can see the changes? Well yes, they can see all the other changes too. Good luck to them finding an exploit, you didn't.
The same thing happens in Linux distros. A security bug gets reported. Sometimes, the upstream author is literally dead, not just intransigent. If you want change on your own timeline, make your own releases.
tlb
When the code is sprintf(stackbuf, "%s", attacker_supplied_input) in 2025, I expect some serious bowing and scraping.
matthewdgreen
In fairness, with that level of vulnerability in the code, fixing it is like using paper towels to mop up the ocean.
camgunz
Yeah if anyone thinks people don't just run searches for `sprintf` they're pretty naive.
lsnd-95
One area where freeswitch is probably used quite often (and without support contract) are BigBlueButton installations (virtual classroom system) in schools and universities. I am more worried about them then about telcos.
dqv
I wonder how many people are even using the XML RPC module. It doesn't get loaded by default.
Edit: 468 according to Shodan. I'm wondering if senddirectorydocument gets used at all by the XML RPC module.
dqv
Following up on this, I was unable to get it to do anything.
curl --show-error --get --request GET --user freeswitch:works "http://localhost:8080/${SIXTEEN_THOUSAND_RANDOM_CHARACTERS}"
dangerboysteve
I maybe wrong, but I think you need to enable the module for API access.
dqv
Yeah, it's enabled with `load mod_xml_rpc`. Listening on 8080.
$ ./test3 # see above
<HTML><HEAD><TITLE>Error 408</TITLE></HEAD><BODY><H1>Error 408</H1><P>Problem getting the request header</P><p><HR><b><i><a href="http://xmlrpc-c.sourceforge.net">ABYSS Web Server for XML-RPC For C/C++</a></i></b> version 1.26.0<br></p></BODY></HTML>
ta20240528
The really good hacks happen with CAMEL MAP injection. Controls all sorts of goodness like SMS, USSD, and the crown jewel: location services.
Many a "bulk SMS" provider in places like the richer carribean islands, and Indonesia that do a lot more than send spam.
heraldgeezer
To add, MAP is 2G and 3G.
So, it is old. 2G was designed in the 90s.
I don't really know what people expect? I'm just happy it works at all, lol.
ta20240528
2G GSM piggybacked its wired backed on the ISDN telecom standard (which is which your phone number is called a MSISDN).
Today's CAMEL (MAP and CAP) signalling is an evolution of the ISDN signalling which traces it roots back into (amongst others) the SINAP signalling protocol and the SS7 network stack from even before that.
SS7 is early 1970s stuff. From a more innocent time.
richardwhiuk
No major carrier is running FreeSwitch or Asterisk at the core.
EvanAnderson
Motorola's low-end 911 phone system, Emergency CallWorks (ECW), is Asterisk with proprietary modules running on Linux under Proxmox. Granted, Motorola is killing the produce, but it's out there. The one I babysit is heavily firewalled but I'd imagine not all of them are.
shrubble
That is not the core, however; the core means the central pieces of a large telecom, the part that handles all the needed data to set up say, 10,000 or more calls per second.
EvanAnderson
For sure. The implicit trust that participants on the PSTN appear to give to each other, imparts a certain amount of undue influence to the constellation of dodgy systems interconnected to it.
cootsnuck
No, but plenty of businesses that process your call data, whether it's for call recording, transcription, IVRs, speech analytics, CRM integration, call queuing, auto dialing, or SMS/chat features, are liable to be running stuff like FreeSWITCH, Asterisk, or similar somewhere in their stack.
Any business with a PBX that wants to do more than just basic call routing and PSTN connectivity is likely using third party tools. And a significant number of those tools are built on FreeSWITCH, Asterisk, or similar.
kamma4434
Depends on your definition of ‘major’
heraldgeezer
I am in the same boat as OP and the blog's example is a PBX software for business. I was also confused.
Major carriers are like Vodafone, T-Mobile, O2, Telia etc :)
Narkov
This very much depends on your definition of major.
tonetegeatinst
Is that a Foss or GPL compliant codebase/OS?
Nextgrid
I highly recommend checking out P1 Security's presentations around mobile telco security: https://www.slideshare.net/slideshow/day1-hacking-telcoequip....
It's old but there's no reason to believe things have improved as there are zero incentives to. Also, software security vulnerabilities are only part of the problem - the other part is that telcos willingly outsource control and critical access to the lowest bidder: https://berthub.eu/articles/posts/5g-elephant-in-the-room/
capitainenemo
From the article. "This is not typically a problem, since most browsers don’t support URLs longer than 2048 characters, but the relevant RFCs support up to about 8 KB in most cases. (CloudFlare supports up to 32KB.)"
So obviously relying on browsers is not enough, but a nitpick. The article links to a stackoverflow which actually notes browsers support a lot more.
Browser Address bar document.location or anchor tag
------------------------------------------
Chrome 32779 >64k
Android 8192 >64k
Firefox >300k >300k
Safari >64k >64k
IE11 2047 5120
Edge 16 2047 10240some_furry
Ah, that's fair.
johann8384
I imagine most of the people running Freeswitch have their own patches on top of the community releases anyway so we're compiling those security fixes in to our own builds. That's what we did anyway when I worked for a place using Asterisk, Freeswitch, and OpenSER/Kamailio whatever it is called this decade.
"potentially thousands of telecom stacks around the world that SignalWire has decided to keep vulnerable until the Summer, even after they published the patches on GitHub."
The author admits to having zero experience with carrier-level infrastructure, but their suspicions are essentially correct. I actually have done a fair bit of 4G and 5G specific pentesting and security research for a number of major carriers. While it varies between carriers and between product vendors, it's still an absolute horror show. Until very recently, the security was entirely achieved through obscurity. The 4G and 5G standards have started to address this, but there are still gaps big enough to be deeply concerning. I don't think it's overly hyperbolic to assume that any moderately sophisticated threat actor who wants a beachhead on a carrier can achieve it. I've demonstrated this multiple times, professionally. IMHO the hardware vendors from a certain East Asian state have such poorly written software stacks, that they could almost be classified as APTs - security is non-existent. There are valid reasons Western countries have banned them. Western hardware vendors have significantly more mature software, but are still many years behind what most of us would consider modern security best practices.