Australia’s Second Largest Telco Went Dark, And Chaos Reigned

Engineers tend to worry about uptime, whether it’s at a corporate server farm or just our own little hobby servers at home. Every now and then, something will go wrong and take a box offline, which requires a little human intervention to fix. Ideally, you’ll still have a command link that stays up so you can fix the problem. Lose that, though, and you’re in a whole lick of trouble.

That’s precisely what happened to Australia’s second largest telecommunications provider earlier this month. Systems went down, millions lost connectivity, and company techs were left scrambling to put the pieces back together. Let’s dive in and explore what happened on Optus’s most embarrassing day in recent memory.

Continue reading “Australia’s Second Largest Telco Went Dark, And Chaos Reigned”

1700 Regulatory Approvals Revoked In South Korea

For the first time since its inception, the Korea Communications Commission this week revoked the regulatory approvals of 1,696 telecommunications devices from 378 companies, both foreign and domestic. Those companies must recall unsold inventory from the shelves, and prove conformity of existing products already sold. In addition, the companies may not submit new applications for these items for one year. It’s not clear what would happen to already-sold equipment if the manufacturer is unable to prove conformity as requested — perhaps a recall? Caught up in this are CCTV products, networking equipment, Bluetooth speakers, and drones from companies like Huawei, DJI, and even Samsung.

The heart of the issue are what’s known as Mutual Recognition Agreements (MRAs) between countries to officially recognize of each other’s certification testing laboratories (or Conformity Assessment Bodies, CAB, in the lingo of the industry). Currently ten countries (USA, Canada, Mexico, UK, Israel, Japan, Korea, Singapore, Vietnam, and Australia), the 27 member states of the EU, Taiwan and Hong Kong all have MRAs with each other. Based on these MRAs, a Korean manufacturer could have a product tested by a laboratory in Israel, for example, and all would be kosher with the KCC.

At the center of attention is the Bay Area Compliance Laboratories (BACL), established in 1996 and headquartered in Sunnyvale, California. BACL has laboratories all over the world (USA, Taiwan, Hong Kong, Vietnam, and mainland China). Except for those in mainland China, all BACL laboratories are acceptable per the MRAs. The KCC received a tip last year that some compliance test reports for some products might be defective.

A six-month investigation in cooperation with the US National Institute of Standards and Technology (NIST) resulted in the announcement this week. Korean companies, 378 of them to be exact, had submitted test reports from BACL Sunnyvale which appeared to be appropriate. But on further investigation, it was learned that the actual testing was done by BACL laboratories in mainland China and only the reports were prepared in Sunnyvale.

It’s not clear whether these companies were knowingly playing fast and loose with the rules, whether BACL was complicit, if it was just a misunderstanding of the intricacies of the regulations and MRAs, or a combination of all three. Regardless, the KCC said that intent doesn’t matter according the their rules. It also has not been suggested that the products themselves are problematic, nor has anyone suggested that BACL’s Chinese laboratories performed slipshod work — rather, the KCC says it has no choice but to proceed with the revocation based on the applicable laws.

Impersonate The President With Consumer-Grade SDR

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Mechanisms: The Reed Switch

Just about everywhere you go, there’s a reed switch nearby that’s quietly going about its work. Reed switches are so ubiquitous that you’re probably never more than a few feet away from one at any given time, especially at home or in the car. You might have them on your doors and windows as part of a burglar alarm system. They keep your washing machine from running when the lid is open, and they put your laptop to sleep when you close the lid. They know if the car has enough brake fluid and whether or not your seat belt is fastened.

Reed switches are interesting devices with a ton of domestic and industrial applications. We call them switches, but they’re also sensors. In fact, they only do the work of a switch while they can sense a magnetic field. They are capable of switching AC or DC at low and high voltages, but they don’t need electricity to work. Since they’re sealed in glass, they are impervious to dirt, dust, corrosion, temperature swings, and explosive environments. They’re cheap, they’re durable, and in low-current applications they can last for about a billion actuations.

Continue reading “Mechanisms: The Reed Switch”