The insecurity of telecom stacks in the wake of Salt Typhoon

Original Article ↗ Hacker News Discussion ↗

Article’s Evidence and Scope

  • Several commenters argue the post overgeneralizes from a single FreeSWITCH buffer overflow and maintainer interaction to “telecom security sucks,” without tying it concretely to Salt Typhoon or carrier‑grade systems.
  • Others reply that while FreeSWITCH isn’t used in major cores, its age, C code, and attitudes around security are representative of broader telecom software culture.

Real‑World Telecom Security Posture

  • Practitioners in mobile and carrier security describe 4G/5G stacks and core infrastructure as “horror shows,” historically secured by obscurity and still far behind modern best practices.
  • Telecom gear often parses complex, legacy protocols in C/C++, with large technical debt and minimal security attention.
  • Many carriers still run unencrypted SIP trunks over UDP with IP‑based auth; some cable providers even disable DOCSIS link encryption.

Legacy Protocols and Architecture Issues

  • SS7, MAP, CAMEL, and related signaling protocols were designed for trusted, monopoly environments; many “vulnerabilities” are effectively features now dangerous on an open, interconnected world.
  • Firewalls and wrappers exist but are costly and can break functionality. Legacy 2G/3G/SS7 infrastructure persists because shutting it down globally is slow and politically/economically hard.

SIM, Mobile Crypto, and Lawful Intercept

  • Commenters criticize pre‑shared keys on SIMs and the key‑distribution chain (SIM vendor → operator), noting past SIM‑vendor compromises.
  • Debate: asymmetric schemes could limit blast radius vs. “once the telco is compromised, any scheme fails.”
  • Lawful intercept requirements are seen as a major structural barrier to end‑to‑end encryption in telco‑native services.

Role of Open Source Stacks (FreeSWITCH/Asterisk)

  • Major carrier cores don’t run FreeSWITCH/Asterisk, but many business PBXs, contact centers, 911 systems, and educational platforms do, so bugs there still affect sensitive traffic.
  • Dispute over FreeSWITCH’s handling of the reported bug: some see treating it as a normal bug (no security advisory, no accelerated release) as reasonable; others find sprintf-style flaws in 2025 inexcusable in telecom software.

Economics, Incentives, and Governance

  • Telcos are portrayed as culturally hostile to security: uptime and billing trump hardening; large outsourcing erodes in‑house expertise; scammers are lucrative customers.
  • Governments are seen both as potential funders of better open‑source stacks and as entities that benefit from weak encryption, reducing incentive to improve.

Vendors and Geopolitics

  • Western vendors (Cisco, Oracle, etc.) are described as insecure but “audit‑able.”
  • Some carriers’ experiences with certain East Asian vendors report code so low‑quality it’s effectively unreviewable and phones home unexpectedly, feeding support for bans—though some commenters suspect economic motives and note limited public technical detail.

Proposed Technical Fixes

  • Rewriting in Rust or on seL4 would solve memory‑safety/kernel issues but not protocol design flaws, legacy interoperability, or legal mandates.
  • Commenters emphasize that real improvement would require architectural redesign plus changed incentives, not just language or microkernel swaps.