Ruxcon They've been warned for years, but scores of telcos are still making bone-headed configuration mistakes in their GPRS Global Roaming Exchange (GRX) networks, leaving mail and FTP servers vulnerable.
The international phone routing system is used for passing and billing calls between providers, using encryption to funnel data over specific protocols.
It is the same network that leaker Edward Snowden revealed in 2013 was the NSA's attack vector to breach Belgian telco Belgacom.
Aussie HP Enterprise Consulting Services managing principal Stephen Kho detailed in 2014 how anyone can access reams of leaky GRX data without hacking national telcos, with simple "light weight" scans.
A year later and Kho is still finding data via some 40,000 live GRX hosts which responded to pings, although numbers of exposed services have largely fallen.
He shared his results and explained how GRX data can be obtained, including detailing the workings of the network and protocols, at the Ruxcon hacking conference in Melbourne, Australia.
Kho listed the server banner scan results, which showed user services including mail servers and Cisco routers, and showed that many were unpatched and exposed to old, dangerous exploits including remote code execution and denial of service.
"So there's some email servers here, there's a root exploit on that, 10 year-old remote code execution on that, buffer overflow on this send mail … that's not good," Kho told the giggling assembled hackers.
"We looked at some FTP servers, a whole bunch here … again remote code execution on that, denial of service on that, overflow on that from 2001."
"Clearly people are putting things on the GRX network that are running all services and filtering, not hardening," he says.
"If you think your old exploits aren't gunna work any more, well you're still good." ®