The insecurity of telecom stacks in the wake of Salt Typhoon

Towards the end of last year, we learned that a group (allegedly affiliated with the Chinese government, referred to as “Salt Typhoon”) breached T-Mobile and other telecommunications companies and caused all sorts of havoc. This isn’t really a blog post about that incident, but it was the catalyst that inspired a bit of curiosity within me. I can’t (legally) access most mobile phone companies’ networks to see what vulnerabilities I can find, but there are plenty of open source software projects related to telecommunications on GitHub. So when I heard about the Salt Typhoon hacks, I wondered, “Is any of this open source telecom software any good?” In a previous life, I worked with companies that used Asterisk and FreeSWITCH, but I’d never really looked into them beyond the surface-level familiarity congruent to “this uses a similar protocol as RedPhone, somewhere” (this was when Signal was still called TextSecure). I don’t know much about PBX systems, SIP, or even audio encoding. Fu ... Read full article.