the dangers of in-band signalling



(1) hello!

there are two fundamental parts of a phone call: sound and signalling. sound is obvious, but what is signalling?

signalling is split into two sections, address signalling ("what phone number am i calling") and supervision signalling ("tell me when the other party answers"). now, if you've ever used a landline telephone (show of hands? yeah.) you might know that the supervision is communicated by whether your phone is on or off the hook. this gets sent to the phone company, and from there over their lines to the other person you're talking to, by a bunch of different ways.


(2) Frequencies

the simplest is dc signalling, which is what the very first phone systems used. note, telephones are backwards compatible all the way to 1900. this is a very old system. in dc signalling, the onhook/offhook state is communicated by whether current is flowing through the phone line. a little bit of current = onhook, a lot of current = offhook. so the signalling is at a very low frequency (dc is 0 hertz), and the sound is from 300 to 3000 hertz. this separates them in a way that the phone company machinery can easily distinguish them.



but this really only works when you have a physical wire per phone conversation. when you're taking hundreds of calls thousands of miles, the cost of metal adds up! so the next step in the story is to put multiple conversations on the same pair of wires, at different frequencies. this is the same fundamental principle as radio, really - you can take sound and shift it up and down in frequency, but get the same sound back by reversing the process. but where does the dc go? you still have only one wire, so only one dc "signalling channel".

from library of congress on flickr

the solution we use here in the 21st century is we have a little data link next to the sound, indicating by packets when the conversation has started and ended. but remember, this was the 1940s and 1950s: packet data communications was ... expensive at best. the solution that the phone company came up with was a tone, applied to the communications link when on-hook, and no tone when conversation was happening.



the conversation portion, 300 to 3000 hertz, is amplified and transmitted through to the far side of the network. anything outside of that is liable to be removed or mangled, because it's not considered part of the call. so if you want to make it through, you have to put it "in-band". some equipment was designed to have the tone be at 3,700 hertz, out of band. that meant it had to be detected, converted to dc signalling, and re-imposed, at every intermediate location where the circuits were rearranged. another design of equipment had the tone at 2,600 hertz, which is within the speech band.

nice! we can save a ton of money on repeater equipment! but then! some people discovered they could whistle into the phone at a particular tone, and the call would disconnect unexpectedly.



From "Classic Tandem Stacking", by Evan Doorbell

so it turns out that what's happening here is this: when nothing is happening, the two sides are singing at each other. when a conversation is happening, the two sides aren't singing. at hangup, one side sings to the other side, which sings back, and then we're back to the "nothing is happening" state. but if you whistle into the line, the remote equipment will hear that you've hung up, but your local equipment will still think the call is up! so now you have a half-set-up phone call, and you can play all kinds of games with it. because the originating equipment is in charge of billing the call, you can (for example) call a toll-free number and not create a billing record, then get rid of the tail of the circuit and use the stubby thing that remains to call the pope for free or whatever, untraceably.


(6) how does this relate to modern computers?

these are ALL due to the system designers failing to fully distinguish content from control, or data from metadata, or however you wish to call it. they're all results of mishandling in-band signalling, losing track of where your data ends and your metadata starts. at root, it's a disagreement of what means what.


(7) SQL Injection

because i've only got fifteen minutes, i'll only talk about one of these, sql injection. here's an sql example.

database_perform("SELECT * FROM users WHERE name = '$username' AND pass = '$password';") username: astrid password: Password1 database_perform("SELECT * FROM users WHERE name = 'astrid' AND pass = 'password1';") username: astrid'; -- password: nevermind database_perform("SELECT * FROM users WHERE name = 'astrid'; --' AND pass = 'nevermind';")

this gets parsed as so, and because the apostrophe is an in-band signal, you get in to my account regardless of what password you put in. the out-of-band equivalent is to use prepared statements:

database_perform("SELECT * FROM users WHERE name = ? AND pass = ?;", $username, $password)

in this example, the database is now passed the data out of band and can't get confused.


(8) thanks!

I'm Astrid, and now it's Sarah's turn. Thanks for listening!