Exploiting Open Functionality in SMS-Capable Cellular Networks

Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta
Publication: 12th ACM conference on Computer and communications security, November 2005
Presenter: Brad Mundt for CAP6133 Spring '08


Post on 19-Jan-2016


Page 1: Exploiting Open Functionality in SMS-Capable Cellular Networks

Exploiting Open Functionality in SMS-Capable Cellular Networks

Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta

Publication: 12th ACM conference on Computer and communications security, November 2005

Presenter: Brad Mundt for CAP6133 Spring ‘08

Page 2: Exploiting Open Functionality in SMS-Capable Cellular Networks

Motivation

SMS ingrained into modern culture

69 million messages per day in UK

10 cents per message

Popular with telecom
- Voice traffic is fixed revenue, unlike SMS
- Opened up the system: web, email, IM…

Page 3: Exploiting Open Functionality in SMS-Capable Cellular Networks

Motivation…

Internet-originated text messages

Deny voice service to a city
- Zombies
- Hit lists

Similar to traffic from Slammer worm
- BoA ATMs, 911 services

Page 4: Exploiting Open Functionality in SMS-Capable Cellular Networks

Presentation Flow

Cellular Network Overview

Vulnerability Analysis
- Research
- Discovery

Attack vectors and implements
- Scenario
- Other stuff

Page 5: Exploiting Open Functionality in SMS-Capable Cellular Networks

SMS/Cellular Network

Sending
- Mobile device or ESME
  - External Short Messaging Entities (ESME)

Delivering
- Short Messaging Service Center (SMSC)
  - SMS formatting
  - Queued for forwarding
  - Query Home Location Register (HLR) for directions

Page 6: Exploiting Open Functionality in SMS-Capable Cellular Networks

SMS/Cellular Network

Delivering (Continued)
- HLR
  - Subscriber info, call waiting, text messaging
  - If user is busy, store SMS for later
  - Otherwise give address for MSC
    - Mobile Switching Center

Page 7: Exploiting Open Functionality in SMS-Capable Cellular Networks

SMS/Cellular Network

Delivering (Continued)
- MSC
  - Service, authentication
  - Location management for BS, no not that BS!
    - Base Stations
  - Hand offs / gateway to PSTN
    - Public Switched Telephone Network
  - Query Visitor Location Register (VLR)
    - Returns info when device is away from HLR
    - Forwards to correct BS for delivery

Page 8: Exploiting Open Functionality in SMS-Capable Cellular Networks

SMS/Cellular Network

Page 9: Exploiting Open Functionality in SMS-Capable Cellular Networks

Vulnerability Analysis

Bottlenecks
- System is a composite of multiple queuing points
- Injection rate versus delivery rate

Targeting Queues
- SMSC
  - Finite number in queue, SMS age, policy
  - Messages remain in SMSC buffer when device is full
- Device
  - 500 messages drained a battery

Page 10: Exploiting Open Functionality in SMS-Capable Cellular Networks

Plan

Messages exceeding saturation levels are lost

Successful DoS needs
- Multiple subscribers
- Multiple interfaces

Hit-lists and Zombies

Page 11: Exploiting Open Functionality in SMS-Capable Cellular Networks

Hit-list Creation

Internet search for NPA/NXX DB
- Target wireless numbers by domain owner name

Web Scraping

Worm
- Device recent call lists
- Computers that sync with device

Page 12: Exploiting Open Functionality in SMS-Capable Cellular Networks

Attack profile attributes

GSM gray-box testing
- 900 SMS per hour on each dedicated channel
- 1 dedicated channel per 4 voice
- 2 dedicated channels per carrier

Protocol sharing
- Number of dedicated channels per area
- Number of carriers per area

Page 13: Exploiting Open Functionality in SMS-Capable Cellular Networks

Cellular device channels

Two Channels
- Control Channel (CCH)
  - Common CCH
    - BS uses for voice and SMS connection establishment
    - All connected mobiles are listening on this for signaling
  - Dedicated CCH
    - Data
- Traffic Channel (TCH)
  - Voice

Page 14: Exploiting Open Functionality in SMS-Capable Cellular Networks

Attack Scenario

2500 numbers in hit list

Average 50 message device buffer

8 dedicated channels, (D.C.)

1 message per phone every 10.4 sec

8.68 min to fill buffers
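
An added example, not from the slides or the paper: a defender's capacity model of the "injection rate versus delivery rate" bottleneck, using the slides' figures of 900 SMS per hour per dedicated channel and 8 dedicated channels. The queue limit, traffic rates and gateway cap are constructed values, and `delivery_rate` and `simulate` are hypothetical helper names.

```python
"""Model of one SMS delivery queue: injection rate versus delivery rate."""

SMS_PER_CHANNEL_HOUR = 900  # slide figure: gray-box estimate per dedicated channel


def delivery_rate(channels):
    """Messages per second the dedicated control channels can carry."""
    return channels * SMS_PER_CHANNEL_HOUR / 3600


def simulate(seconds, channels, queue_limit, subscriber_rate, internet_rate,
             gateway_cap=None):
    """Step a finite tail-drop queue one second at a time.

    gateway_cap (assumed mitigation): maximum Internet-originated messages per
    second admitted at the web/email interface; the rest are refused there
    instead of competing with subscriber traffic for the air interface.
    """
    mu = delivery_rate(channels)
    queue = dropped = refused = delivered = peak = 0
    credit = 0.0
    for _ in range(seconds):
        admitted = internet_rate if gateway_cap is None else min(internet_rate, gateway_cap)
        refused += internet_rate - admitted
        arriving = subscriber_rate + admitted
        accepted = min(arriving, queue_limit - queue)
        dropped += arriving - accepted   # lost: queue is already saturated
        queue += accepted
        peak = max(peak, queue)
        credit += mu                     # fractional service carries over
        whole = int(credit)
        served = min(queue, whole)
        credit -= whole                  # unused delivery slots do not accumulate
        queue -= served
        delivered += served
    return {"delivered": delivered, "dropped": dropped,
            "refused_at_gateway": refused, "peak_wait_s": peak / mu}


# Constructed scenario: 8 dedicated channels, 100-message queue, 60 seconds,
# 1 subscriber message/s plus 5 Internet-originated messages/s.
OPEN = simulate(60, 8, 100, 1, 5)
CAPPED = simulate(60, 8, 100, 1, 5, gateway_cap=1)

if __name__ == "__main__":
    print("no cap :", OPEN)
    print("capped :", CAPPED)
```

With the cap, total arrivals match the delivery rate, so nothing is dropped downstream and queueing delay stays at one second; without it, the shared queue saturates and drops fall on subscriber and Internet-originated messages alike.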

Page 15: Exploiting Open Functionality in SMS-Capable Cellular Networks

Targeted Attacks

Fill the buffers, users lose messages

Data loss on some devices from overflowing
- Read messages overwritten when new ones arrive (Nokia 3560)

Message delays due to overflowing
- Campus alert messages: blocking?

Deleting junk SMS, accidentally delete good ones

Battery depletion

Page 16: Exploiting Open Functionality in SMS-Capable Cellular Networks

Tomorrow's email

SPAM

Phishing

Viruses
- Cabir and Skulls
  - Both were Bluetooth

Page 17: Exploiting Open Functionality in SMS-Capable Cellular Networks

SMS Spam

Page 18: Exploiting Open Functionality in SMS-Capable Cellular Networks

Summary

Cellular networks are a critical part of social and economic infrastructures

Potential misuse from external services
- DoS
- InfoWar
- Economic

Page 19: Exploiting Open Functionality in SMS-Capable Cellular Networks

Contributions

Security impact of SMS on Cellular network

Demonstrate ability to deny service to a city-sized area

Techniques for targeting these systems

How to avoid

Page 20: Exploiting Open Functionality in SMS-Capable Cellular Networks

Weaknesses

Gray-box testing
- Documentation
- Experimentation without EULA violations

Time of Day / Day of Week

Payload size variations

Estimations

Page 21: Exploiting Open Functionality in SMS-Capable Cellular Networks

How to Improve

Traffic analysis for Time of Day / Day of Week

Vary payload size

If white hats, work with the telecoms

Validate for more facts

Page 22: Exploiting Open Functionality in SMS-Capable Cellular Networks

The End

Thank you…