Exploiting Open Functionality in SMS-Capable Cellular Networks

Slides: 23
Provided by: Ent65
Learn more at: http://www.eecs.ucf.edu
Transcript and Presenter's Notes

1
Exploiting Open Functionality in SMS-Capable
Cellular Networks
  • Authors: William Enck, Patrick Traynor, Patrick
    McDaniel, and Thomas La Porta
  • Publication: 12th ACM Conference on Computer and
    Communications Security, November 2005
  • Presenter: Brad Mundt for CAP6133 Spring 08

2
Motivation
  • SMS
  • Ingrained into modern culture
  • 69 million messages per day in UK
  • 10 cents per message
  • Popular with telecom
  • Voice traffic is fixed revenue, unlike SMS
  • Opened up the system: web, email, IM

3
Motivation
  • Internet-originated text messages
  • Deny voice service to a city
  • Zombies
  • Hit lists
  • Similar to traffic from Slammer worm
  • BoA ATMs, 911 services

4
Presentation Flow
  • Cellular Network Overview
  • Vulnerability Analysis
  • Research
  • Discovery
  • Attack vectors and implements
  • Scenario
  • Other stuff

5
SMS/Cellular Network
  • Sending
  • Mobile device or ESME
  • External Short Messaging Entities (ESME)
  • Delivering
  • Short Messaging Service Center (SMSC)
  • SMS formatting
  • Queued for forwarding
  • Query Home Location Register (HLR) for directions

6
SMS/Cellular Network
  • Delivering (Continued)
  • HLR
  • Subscriber Info, call waiting, text messaging
  • If user is busy, store SMS for later
  • Otherwise give address for MSC
  • Mobile Switching Center

7
SMS/Cellular Network
  • Delivering (Continued)
  • MSC
  • Service, Authentication
  • Location management for BS, no not that BS!
  • Base Stations
  • Hand offs / gateway to PSTN
  • Public Switched Telephone Network
  • Query Visitor Location Register (VLR)
  • Returns Info when device is away from HLR
  • Forwards to correct BS for delivery

8
SMS/Cellular Network

9
Vulnerability Analysis
  • Bottlenecks
  • System is a composite of multiple Queuing Points
  • Injection rate versus delivery rate
  • Targeting Queues
  • SMSC
  • Finite number in queue, SMS age, policy
  • Messages remain in SMSC buffer when device is
    full
  • Device
  • 500 messages drained a battery

10
Plan
  • Messages exceeding saturation levels are lost
  • Successful DoS needs
  • Multiple subscribers
  • Multiple interfaces
  • Hit-lists and Zombies

11
Hit-list Creation
  • Internet search for NPA/NXX DB
  • Target wireless numbers by domain owner name
  • Web Scraping
  • Worm
  • Device recent call lists
  • Computers that sync with device

12
Attack profile attributes
  • GSM gray-box testing
  • 900 SMS per hour on each dedicated channel
  • 1 dedicated channel per 4 voice
  • 2 dedicated channels per carrier
  • Protocol sharing
  • Number of dedicated channels per area
  • Number of carriers per area

13
Cellular device channels
  • Two Channels
  • Control Channel (CCH)
  • Common CCH
  • BS uses for voice and SMS connection
    establishment
  • All connected mobiles are listening on this for
    signaling
  • Dedicated CCH
  • Data
  • Traffic Channel (TCH)
  • Voice

14
Attack Scenario
  • 2500 numbers in hit list
  • Average 50 message device buffer
  • 8 dedicated channels (D.C.)
  • 1 message per phone every 10.4 sec
  • 8.68 min to fill buffers

15
Targeted Attacks
  • Fill the buffers, users lose messages
  • Data loss on some devices from overflowing
  • Read messages overwritten when new ones arrive
    (Nokia 3560)
  • Message delays due to overflowing
  • Campus alert messages: blocking?
  • Deleting junk SMS, accidentally delete good ones
  • Battery depletion

16
Tomorrow's email
  • SPAM
  • Phishing
  • Viruses
  • Cabir and Skulls
  • Both were Bluetooth

17
SMS Spam

18
Summary
  • Cellular networks are a critical part of
  • Social and economic infrastructures
  • Potential misuse from external services
  • DoS
  • InfoWar
  • Economic

19
Contributions
  • Security impact of SMS on Cellular network
  • Demonstrate ability to deny service to city-sized
    area
  • Techniques for targeting these systems
  • How to avoid

20
Weaknesses
  • Gray-box testing
  • Documentation
  • Experimentation without EULA violations
  • Time of Day / Day of Week
  • Payload size variations
  • Estimations

21
How to Improve
  • Traffic analysis for
  • Time of Day / Day of Week
  • Vary payload size
  • If White hats, work with the telecoms
  • Validate for more facts

22
The End
  • Thank you