ize the resilience of cellular networks to elevated messagingloads.
Wediscussavarietyoftech-niques that, when used in combination, result in an accuratedatabase of targets (“hit-lists”) for directed attacks on cellu-lar networks. These lists are absolutely essential to mountingeffective attacks against these networks.
SMS/Cellular Network Vulnerability Analysis:
We illu-minate the fragility of cellular phone networks in the pres-ence of even low-bandwidth attacks. We demonstrate andquantify the ability to incapacitate voice and SMS serviceto neighborhoods, major metropolitan areas and entire conti-nents.The remainder of this paper is organized as follows: Section 2gives a high-level overview of GSM network architecture and de-scribes text message delivery; Section 3 investigates cellular net-works from an attacker’s perspective and identiﬁes the mechanismsnecessary to launch
Denial of Service
(DoS) attacks; Section 4models and quantiﬁes DoS attacks in multiple environments; Sec-tion 5 discusses a number of attacks inherent to attaching generalpurpose computing platforms to the Internet; Section 6 proposesvarious solutions to help alleviate these problems; Section 7 dis-cusses important related works; Section 8 presents concluding re-marks.
This section offers a simpliﬁed view of an SMS message travers-ing a GSM-based system from submission to delivery. These pro-cedures are similar in other cellular networks including CDMA.
2.1 Submitting a Message
There are two methods of sending a text message to a mobiledevice - via another mobile device or through a variety of
Exter-nal Short Messaging Entities
(ESMEs). ESMEs include a largenumber of diverse devices and interfaces ranging from email andweb-based messaging portals at service provider websites to voicemail services, paging systems and software applications. Whetherthese systems connect to the mobile phone network via the Inter-net or speciﬁc dedicated channels, messages are ﬁrst delivered toa server that handles SMS trafﬁc known as the
Short MessagingService Center
(SMSC). A service provider supporting text mes-saging must have at least one SMSC in their network. Due to therising popularity of this service, however, it is becoming increas-ingly common for service providers to support multiple SMSCs inorder to increase capacity.Upon receiving a message, the contents of incoming packets areexamined and, if necessary, converted and copied into SMS mes-sage format. At this point in the system, messages from the Internetbecome indistinguishable from those that originated from mobilephones. Messages are then placed into an SMSC queue for for-warding.
2.2 Routing a Message
The SMSC needs to determine how to route messages to theirtargeted mobile devices. The SMSC queries a
Home Location Reg-ister
(HLR) database, which serves as the permanent repository of user data and includes subscriber information (e.g. call waiting andtext messaging), billing data, availability of the targeted user andtheir current location. Through interaction with other network el-ements, the HLR determines the routing information for the desti-nation device. If the SMSC receives a reply stating that the current
(a) SMS Network
ESME SMSC HLR MSC VLR BS MHSubmit SMObtainRoutingInformationForward SMObtainSubscriberInformationForward SMDeliver SMACKACKACK
(b) SMS Flow
Figure 1: Simpliﬁed examples of an SMS Network and messageﬂow
user is unavailable, it stores the text message for later delivery. Oth-erwise, the response will contain the address of the
Mobile Switch-ing Center
(MSC) currently providing service. In addition to callrouting, MSCs are responsible for facilitating mobile device au-thentication, location management for attached
(BS),performing handoffs and acting as gateways to the
Public Switched Telephone Network
(PSTN).When a text message arrives from the SMSC, the MSC fetchesinformationspeciﬁctothetargetdevice. TheMSCqueriesadatabaseknown as the
Visitor Location Register
, which returns a local copyof the targeted device’s information when it is away from its HLR.The MSC then forwards the text message on to the appropriate basestation for transmission over the air interface. A diagram of a mo-bile phone network is depicted in Figure 1(a), followed by a sim-pliﬁed SMS message ﬂow in Figure 1(b).
2.3 Wireless Delivery
The air interface is divided into two parts - the
(TCH). The CCH is further di-videdintotwotypesofchannels-theCommonCCHandDedicatedCCHs. The Common CCH, which consists of logical channels in-cluding the
Random Access Channel
(RACH), is the mechanism used by the base station to initiate thedelivery of voice and SMS data. Accordingly, all connected mobiledevices are constantly listening to the Common CCH for voice andSMS signaling.The base station sends a message on the PCH containing the