Welcome to Scribd. Sign in or start your free trial to enjoy unlimited e-books, audiobooks & documents.Find out more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Exploiting Open Functionality in SMSCapable Cellular Networks (2005)

Exploiting Open Functionality in SMSCapable Cellular Networks (2005)

Ratings: (0)|Views: 20|Likes:
Published by Dhruv Jain
Uploaded by Hack Archives - http://undergroundlegacy.co.cc -
Uploaded by Hack Archives - http://undergroundlegacy.co.cc -

More info:

Published by: Dhruv Jain on Mar 19, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Exploiting Open Functionality in SMS-Capable CellularNetworks
William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta
Systems and Internet Infrastructure Security LaboratoryDepartment of Computer Science and EngineeringThe Pennsylvania State UniversityUniversity Park, PA 16802
enck, traynor, mcdaniel, tlp
Cellular networks are a critical component of the economic andsocial infrastructures in which we live. In addition to voice ser-vices, these networks deliver alphanumeric text messages to thevast majority of wireless subscribers. To encourage the expansionof this new service, telecommunications companies offer connec-tions between their networks and the Internet. The ramificationsof such connections, however, have not been fully recognized. Inthis paper, we evaluate the security impact of the SMS interfaceon the availability of the cellular phone network. Specifically, wedemonstrate the ability to deny voice service to cities the size of Washington D.C. and Manhattan with little more than a cable mo-dem. Moreover, attacks targeting the entire United States are fea-sible with resources available to medium-sized zombie networks.This analysis begins with an exploration of the structure of cellu-lar networks. We then characterize network behavior and explorea number of reconnaissance techniques aimed at effectively target-ing attacks on these systems. We conclude by discussing counter-measures that mitigate or eliminate the threats introduced by theseattacks.
Categories and Subject Descriptors
C.2.0 [
Computers-Communication Networks
]: General—
Secu-rity and protection
General Terms
telecommunications, sms, denial-of-service, open-functionality
The majority of mobile phone subscribers are able to receivebothvoiceandalphanumerictextvia
(SMS)transmissions. Text messaging allows users to interact with each
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.
November 7–11, 2005, Alexandria, Virginia, USA.Copyright 2005 ACM 1595932267/05/0011 ...
other in situations where voice calls are not appropriate or possi-ble. With countries such as the UK experiencing volumes of 69million messages per day [16], this service is rapidly becoming asingrained into modern culture as its voice counterpart [13, 11].Text messaging services are extremely popular with the telecom-munications industry. Whereas voice traffic typically yields a fixedamount of revenue per user, service providers earn up to US$0.10per text message sent or received by a mobile device [45, 60, 19].Seeing this tremendous potential for revenue, cellular providershave opened their networks to a number of additional services de-signed to increase SMS messaging volume. Through service provi-der website interfaces, email, and a wide variety of applicationsincluding instant messaging, users across the Internet can contactmobile subscribers without the use of a cell phone. Such
open func-tionality
, however, has serious negative consequences for these net-works.This paper evaluates the security impact of Internet-originatedtext messages on cellular voice and SMS services. The connectionsbetween the Internet and phone networks introduce open function-ality that detrimentally affects the fidelity of a cellular provider’sservice. Through the generation and use of large, highly accuratephone hit-lists, we demonstrate the ability to
deny voice service
tocities the size of Washington D.C. and Manhattan with little morethan a cable modem. Moreover, attacks targeting the entire UnitedStates are feasible with resources available to medium-sized zom-bie networks. Even with small hit-lists, we show that these cyber-warfare attacks are sustainable for tens of minutes. These attacksare especially threatening when compared to traditional signal jam-ming in that they can be invoked from anywhere in the world, oftenwithout physical involvement of the adversary.There are many dangers of connecting digital and physical do-mains. For example, a wide array of systems with varying degreesof connectivity to the Internet were indirectly affected by the Slam-mer worm. The traffic generated by this worm was enough to ren-der systems including Bank of America’s ATMs and emergency911 services in Bellevue, Washington unresponsive [40].Thereisnothingfundamentallydifferentaboutthewaysinwhichthese victimized systems and cellular networks are connected to theInternet; all of the above systems were at one time both logicallyand physically isolated from external networks, but have now at-tached themselves to the largest open system on the planet. Ac-cordingly, we show that mobile phone networks are equally as vul-nerable to the influence of the Internet.In evaluating Internet-originated SMS attacks on cellular net-works, we make the following contributions:
Throughanalysisofpubliclyavail-able cellular standards and gray-box testing, we character-
ize the resilience of cellular networks to elevated messagingloads.
Wediscussavarietyoftech-niques that, when used in combination, result in an accuratedatabase of targets (“hit-lists”) for directed attacks on cellu-lar networks. These lists are absolutely essential to mountingeffective attacks against these networks.
SMS/Cellular Network Vulnerability Analysis:
We illu-minate the fragility of cellular phone networks in the pres-ence of even low-bandwidth attacks. We demonstrate andquantify the ability to incapacitate voice and SMS serviceto neighborhoods, major metropolitan areas and entire conti-nents.The remainder of this paper is organized as follows: Section 2gives a high-level overview of GSM network architecture and de-scribes text message delivery; Section 3 investigates cellular net-works from an attacker’s perspective and identifies the mechanismsnecessary to launch
Denial of Service
(DoS) attacks; Section 4models and quantifies DoS attacks in multiple environments; Sec-tion 5 discusses a number of attacks inherent to attaching generalpurpose computing platforms to the Internet; Section 6 proposesvarious solutions to help alleviate these problems; Section 7 dis-cusses important related works; Section 8 presents concluding re-marks.
This section offers a simplified view of an SMS message travers-ing a GSM-based system from submission to delivery. These pro-cedures are similar in other cellular networks including CDMA.
2.1 Submitting a Message
There are two methods of sending a text message to a mobiledevice - via another mobile device or through a variety of 
Exter-nal Short Messaging Entities
(ESMEs). ESMEs include a largenumber of diverse devices and interfaces ranging from email andweb-based messaging portals at service provider websites to voicemail services, paging systems and software applications. Whetherthese systems connect to the mobile phone network via the Inter-net or specific dedicated channels, messages are first delivered toa server that handles SMS traffic known as the
Short MessagingService Center 
(SMSC). A service provider supporting text mes-saging must have at least one SMSC in their network. Due to therising popularity of this service, however, it is becoming increas-ingly common for service providers to support multiple SMSCs inorder to increase capacity.Upon receiving a message, the contents of incoming packets areexamined and, if necessary, converted and copied into SMS mes-sage format. At this point in the system, messages from the Internetbecome indistinguishable from those that originated from mobilephones. Messages are then placed into an SMSC queue for for-warding.
2.2 Routing a Message
The SMSC needs to determine how to route messages to theirtargeted mobile devices. The SMSC queries a
Home Location Reg-ister 
(HLR) database, which serves as the permanent repository of user data and includes subscriber information (e.g. call waiting andtext messaging), billing data, availability of the targeted user andtheir current location. Through interaction with other network el-ements, the HLR determines the routing information for the desti-nation device. If the SMSC receives a reply stating that the current
(a) SMS Network 
ESME SMSC HLR MSC VLR BS MHSubmit SMObtainRoutingInformationForward SMObtainSubscriberInformationForward SMDeliver SMACKACKACK
(b) SMS Flow
Figure 1: Simplified examples of an SMS Network and messageflow
user is unavailable, it stores the text message for later delivery. Oth-erwise, the response will contain the address of the
Mobile Switch-ing Center 
(MSC) currently providing service. In addition to callrouting, MSCs are responsible for facilitating mobile device au-thentication, location management for attached
base stations
(BS),performing handoffs and acting as gateways to the
Public Switched Telephone Network 
(PSTN).When a text message arrives from the SMSC, the MSC fetchesinformationspecifictothetargetdevice. TheMSCqueriesadatabaseknown as the
Visitor Location Register 
, which returns a local copyof the targeted device’s information when it is away from its HLR.The MSC then forwards the text message on to the appropriate basestation for transmission over the air interface. A diagram of a mo-bile phone network is depicted in Figure 1(a), followed by a sim-plified SMS message flow in Figure 1(b).
2.3 Wireless Delivery
The air interface is divided into two parts - the
Control Chan-nels
(CCH) and
Traffic Channels
(TCH). The CCH is further di-videdintotwotypesofchannels-theCommonCCHandDedicatedCCHs. The Common CCH, which consists of logical channels in-cluding the
Paging Channel
(PCH) and
Random Access Channel
(RACH), is the mechanism used by the base station to initiate thedelivery of voice and SMS data. Accordingly, all connected mobiledevices are constantly listening to the Common CCH for voice andSMS signaling.The base station sends a message on the PCH containing the
BS MH1PCH [ MH1, MH2 ]RACH [ MH1 -> BS ]SDCCH [ MH1: Auth, TMSI, SM ]
Figure 2: A simplified SMS air interface communication. Thebase station notifies two mobile hosts (MH1 and MH2) of newmessages. MH1 hears its identifier and responds. After authen-ticating and establishing an encrypted channel, the text mes-sage is delivered over a dedicated control channel.
Temporary Mobile Subscriber ID
(TMSI) associated with the enddestination. The network uses the TMSI instead of the targeted de-vice’s phone number in order to thwart eavesdroppers attempting todetermine the identity of the receiving phone. When a device hearsits TMSI, it attempts to contact the base station over the RACH andalerts the network of its availability to receive incoming call or textdata
. When the response arrives, the base station instructs the tar-geted device to listen to a specific
Standalone Dedicated ControlChannel
(SDCCH). Using the SDCCH, the base station is able tofacilitateauthenticationofthedestination device(viathesubscriberinformation at the MSC), enable encryption, deliver a fresh TMSIand then deliver the SMS message itself. In order to reduce over-head, if multiple SMS messages exist on the SMSC, more than onemessage may be transmitted over an SDCCH session [5]. If a voicecall had been waiting at the base station instead of a text message,all of the above channels would have been used in the same mannerto establish a connection on a traffic channel.An illustration of this final stage of delivery over the air interfaceis shown in Figure 2.
The majority of legitimate uses for SMS can often be character-izedasnonessential, rangingfromsocialinteractionstolowprioritybusiness-related exchanges. The salient feature of these communi-cations is that they can typically be accomplished through a num-ber of other, albeit potentially less convenient channels. During theterrorist attacks of September 11, 2001, however, the nature of textmessaging proved to be far more utilitarian.With millions of people attempting to contact friends and fam-ily, telecommunications companies witnessed tremendous spikesin cellular voice service usage. Verizon Wireless, for example, re-ported voice traffic rate increases of up to 100% above typical lev-els; Cingular Wireless recorded an increase of up to 1000% on callsdestined for the Washington D.C. area [44]. While these networksare engineered to handle elevated amounts of traffic, the sheer num-ber of calls was far greater than capacity for voice communicationsintheaffectedareas. However, withvoice-basedphoneservicesbe-ing almost entirely unavailable due to TCH saturation, SMS mes-sages were still successfully received in even the most congestedregions because the control channels responsible for their deliveryremained available.Text messaging allowed the lines of communication to remainopen for many individuals in need in spite of their inability to com-plete voice calls. Accordingly, SMS messaging is now viewed bymany as a reliable method of communication when all other meansappear unavailable.
A high number of call initiations at a given base station slowsthis response as the RACH is a shared access channel running theSlotted Aloha protocolDue to this proliferation of text messaging, we analyze Internet-originated, SMS attacks and their effects on voice and other ser-vices in cellular networks. We first characterize these systems thro-ugh an extensive study of the available standards documentationand gray-box testing. From this data, we discuss a number of attacks and the susceptibility of mobile phone networks to each.Lastly, from gray-box testing, we assess the resilience of these net-works to these attacks.Before discussing the specifics of any attack on cellular net-works, it is necessary to examine these systems from an adversary’sperspective. In this section, we present simple methods of discov-ering the most fragile portions of these networks by determiningsystem bottlenecks. We then investigate the creation of effectivetargeting systems designed to exploit these choke points.
3.1 Determining Bottlenecks in CellularNetworks
There is an inherent cost imbalance between injecting SMS mes-sages into the phone network and delivering messages to a mobileuser. Such imbalances are the root of DoS attacks.Recognizing these bottlenecks requires a thorough understand-ing of the system. The cellular network standards documentationprovides the framework from which the system is built, but it lacksimplementation specific details. In an effort to bridge this gap, weperformed gray-box testing [7, 14].We characterize these systems by delivery disciplines, deliveryrates, andinterfaces. Alltestswereperformedusingourownphones.At no time did we inject a damaging volume of packets into the sys-tem or violate any service agreement.
3.1.1 Delivery Discipline
The delivery discipline of a network dictates the way messagesmove through the system. By studying this flow, we determinesystem response to an influx of text messages. The overall systemresponse is a composite of multiple queuing points. The standardsdocumentation indicates two points of interest - the SMSC and thetarget device.SMSCs are the locus of SMS message flow; all messages passthroughthem. Duetopracticallimitations, eachSMSConlyqueuesa finite number of messages per user. As SMSCs route messagesaccording to a store and forward mechanism, each message is helduntil either the target device successfully receives it or it is droppeddue to age. The buffer capacity and eviction policy therefore deter-mine which messages reach the recipient.The SMSC buffer and eviction policy were evaluated by slowlyinjecting messages while the target device was powered off. Threeof the most prominent service providers were evaluated: AT&T(now part of Cingular), Verizon, and Sprint. For each provider, 400messages were serially injected at a rate of approximately one per60 seconds. When the device was reconnected to the network, therange of the attached sequence numbers indicated both buffer sizeand queue eviction policy.We found that AT&T’s SMSC buffered the entire 400 messages.While seemingly large, 400 160-byte messages is only 62.5KB.Tests of Verizon’s SMSC yielded different results. When the de-vice was turned on, the first message downloaded was not sequencenumber one; instead the first 300 messages were missing. Thisdemonstrates that Verizon’s SMSC has a buffer capacity of 100messages and a FIFO eviction policy. Sprint’s SMSC proved dif-ferent than both AT&T and Verizon. Upon reconnecting the deviceto the network, we found only 30 messages starting with messagenumber one. Therefore, Sprint’s SMSC has a message capacity of 30 messages and a LIFO eviction policy.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->