Page 1: Exploiting Open Functionality in SMS-Capable Networks
William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta
Systems and Internet Infrastructure Security Laboratory
Department of Computer Science and Engineering, The Pennsylvania State University
2005

Transcript of a slide presentation given 3/26/08. Your host today: Stuart Saltzman

Page 2: Agenda
- Overview of research paper
- SMS/Cellular Network overview
  - Submitting a message
  - Routing
  - Delivery
- SMS/Cellular Vulnerability Analysis
- Modeling DoS Attacks
- Solution(s)

Page 3: Overview & Introduction

Page 4: Cellular Overview
- Cellular networks are a critical component of economic and social infrastructures
- Cellular networks deliver alphanumeric text messages via the Short Messaging Service (SMS)
- Telecommunication companies offer connections between their networks and the Internet
  - This open functionality creates negative consequences

Page 5: Goal of Paper
- To evaluate the security impact of the SMS interface on the availability of the cellular phone network
- Demonstrate the ability to deny voice service to cities the size of Washington, D.C. and Manhattan
- Provide countermeasures that mitigate or eliminate DoS threats

Page 6: SMS/Cellular Network (GSM)
- Two methods to send a text message:
  1) via another mobile device
  2) through an External Short Messaging Entity (ESME)
    - Email
    - Web-based messaging portals
    - Paging systems
    - Software

Page 7: Submitting a Message
- All messages are delivered to a server that handles SMS traffic, known as the Short Messaging Service Center (SMSC)
  - A provider (Verizon, AT&T, etc.) MUST provide at least one SMSC
- If necessary, the message is converted to SMS format
  - Example: an Internet-originated message. Once formatted, the message becomes indistinguishable from one sent by any other originator
- Queued in the SMSC for forwarding

Page 8: Routing
- Home Location Register (HLR)
  - Queried by the SMSC for message routing
  - Permanent repository of user data
    - Subscriber information (call waiting, text messaging)
    - Billing data
    - Availability of the targeted user
  - Determines routing information for the destination device

Page 9: Routing (cont.)
- If the SMSC receives a reply stating that the current user is unavailable, it stores the text message for later delivery (it is queued)
- Otherwise, the HLR responds with the address of the Mobile Switching Center (MSC) providing service to the user/device

Page 10: Routing – Mobile Switching Center
- MSC
  - Responsible for mobile device authentication
  - Location management for attached Base Stations (BS)
  - Acts as a gateway to the Public Switched Telephone Network (PSTN)
  - Queries the Visitor Location Register (VLR)
    - Local copy of the targeted device's information when it is away from its HLR
  - Forwards the text message on to the appropriate base station for transmission over the air interface

Page 11: Routing Figure (figure not reproduced in the transcript)

Page 12: Delivery
- Air Interface
  1) Control Channels (CCH)
    A) Common CCH
      - Logical channels:
        1) Paging Channel (PCH)
        2) Random Access Channel (RACH)
      - Used by the base station (BS) to initiate the delivery of voice and SMS data
      - All connected mobile devices constantly listen to the Common CCH for voice and SMS signaling
    B) Dedicated CCHs
  2) Traffic Channels (TCH)

Page 13: SMS Delivery Diagram
1) The Base Station (BS) sends a message on the Paging Channel (PCH) containing the Temporary Mobile Subscriber ID (TMSI)
2) The network uses the TMSI instead of the targeted device's phone number in order to thwart eavesdroppers
MH1 = Mobile Host 1

Page 14: SMS Delivery Diagram (cont.)
3) The device contacts the BS over the Random Access Channel (RACH) and alerts the network of its availability to receive an incoming call or text data
4) When the response (from above) arrives at the BS, the BS instructs the targeted device to listen to a specific Standalone Dedicated Control Channel (SDCCH)
- SDCCH
  - Authentication
  - Encryption

Page 15: SMS/Cellular Network Vulnerability

Page 16: Delivery Discipline - Analysis
- Goal: find the delivery discipline for each provider
  - Study the flow of the message
  - Standards documentation provides the framework from which the system is built, but it lacks implementation-specific details
- SMSCs are the locus of all SMS message flow
  - An SMSC queues only a finite number of messages per user
  - A message is held until:
    - the target device successfully receives it, or
    - it is dropped (buffer capacity, eviction policy)

Page 17: Delivery Discipline
- Overall system response is a composite of multiple queuing points (SMSC & target device)
- Experiment: AT&T, Verizon & Sprint
  - Slowly inject messages while the device is powered off (400 messages, 1 every 60 seconds)
  - Turn the device back on
  - The range of sequence numbers received indicates both buffer size and queue eviction policy

Page 18: Delivery Discipline – Results
- AT&T: buffered the entire 400 messages (160 bytes each = 62.4KB)
- Verizon: last 100 messages received (first 300 missing)
  - Buffer of 100, FIFO eviction policy
- Sprint: first 30 messages received
  - Buffer of 30, LIFO eviction policy
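The inference on slides 16-18 (send 400 numbered messages to a powered-off phone, then read the buffer size and eviction policy off the range of sequence numbers that arrive) can be modelled directly. The following is an added example, not code from the presentation or the paper: it simulates an SMSC per-user buffer under the two eviction behaviours the slide labels FIFO (oldest evicted) and LIFO (newest dropped), and infers the discipline from the observed sequence range. The function names are assumptions; the three observed ranges are the slide's results, restated here as constructed input.

```python
"""SMSC per-user queue-discipline model for the 400-message power-off experiment."""
from collections import deque
from typing import Deque, List, Optional, Tuple


def smsc_buffer(n_sent: int, capacity: Optional[int], policy: str) -> List[int]:
    """Return the 1-based sequence numbers still buffered after n_sent messages
    arrive for a phone that is powered off.

    capacity=None  : everything is buffered (what the slide reports for AT&T).
    policy="FIFO"  : when full, the oldest queued message is evicted to make
                     room for the new arrival (Verizon: last 100 of 400 kept).
    policy="LIFO"  : when full, the newest arrival is dropped and the queue is
                     left unchanged (Sprint: first 30 of 400 kept).
    FIFO/LIFO are the slide's labels for these two behaviours.
    """
    q: Deque[int] = deque()
    for seq in range(1, n_sent + 1):
        if capacity is None or len(q) < capacity:
            q.append(seq)
        elif policy == "FIFO":
            q.popleft()
            q.append(seq)
        elif policy == "LIFO":
            continue  # buffer full: new message is discarded
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return list(q)


def infer_discipline(received: List[int], n_sent: int) -> Tuple[Optional[int], str]:
    """Infer (buffer size, policy) from the contiguous range of sequence
    numbers the phone received, the way the experiment on the slides does."""
    if not received:
        return 0, "none"
    lo, hi = min(received), max(received)
    size = hi - lo + 1
    if size >= n_sent:
        return None, "unbounded"   # every message survived
    if hi == n_sent:
        return size, "FIFO"        # tail of the sequence survived: oldest evicted
    if lo == 1:
        return size, "LIFO"        # head of the sequence survived: newest dropped
    return size, "unknown"


if __name__ == "__main__":
    # Constructed observations matching the results slide (sequence ranges only).
    observed = {
        "AT&T": list(range(1, 401)),
        "Verizon": list(range(301, 401)),
        "Sprint": list(range(1, 31)),
    }
    for provider, seqs in observed.items():
        print(provider, infer_discipline(seqs, 400))
```

The point for a defender is the one the slides build toward: the per-user buffer, not the SMSC as a whole, is what caps how much traffic a single destination can absorb, which is why later slides conclude that saturating a region requires spreading messages over many recipients.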

Page 19: Delivery Rate - Analysis

Page 20: Delivery Rate - Analysis
- Definition: the speed at which a collection of nodes can process and forward a message
- Goal: find bottlenecks by comparing injection rates with delivery rates
- The exact number of SMSCs in a network is not publicly known or discoverable

Page 21: Delivery Rate (cont.)
- Short Messaging Peer Protocol (SMPP)
  - Dedicated connections to the service provider to send messages
  - Service provider plans offer 30-35 messages per second
- Problem: when message delivery time exceeds message submission time, a system is subject to DoS attack
- Experiment: compare the time it takes for serially injected messages to be submitted and then delivered to the targeted mobile device via web interfaces
  - PERL script: serially inject messages approximately once per second into each provider's web interface (avg. send time: 0.71 seconds)

Page 22: Delivery Rate - Results
- Verizon & AT&T: 7-8 seconds for delivery
- Sprint: unknown
- Conclusion: imbalance between the time to submit and the time to receive
- SMS message size – maximum: 160 bytes
- Using tcpdump:
  - HTTP POST and IP headers = approximately 700 bytes to send an SMS message (not considering TCP overhead)
  - Web page upload sizes: Verizon: 1600 bytes; Sprint: 1300 bytes; AT&T: 1100 bytes
  - Email submission: all emails less than 900 bytes to send

Page 23: Interfaces - Analysis

Page 24: Interfaces - Analysis
- Lost messages and negatively acknowledged submit attempts were observed
  - Believed to be a result of web interface limitations imposed by the service providers
- Goal: find the mechanism used to achieve rate limitation on these interfaces and the conditions necessary to activate it
- Experiment: used the delivery rate analysis
  - Verizon: after 44 messages, negative acknowledgements resulted; messages were blocked by subnet value
  - AT&T: blindly acknowledged all submissions, but stopped delivering after 50 messages sent to a single phone; the subnet value didn't matter; it differentiated between its inputs
- Conclusion: SMSCs typically hold far more messages than the mobile devices
  - To launch a successful DoS attack that exploits the limitations of the cellular air interface, an adversary must target multiple end devices (must have valid phone numbers)
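The slide infers two different gateway-side controls: a per-source-subnet cap that answers with a negative acknowledgement (Verizon), and a per-destination cap that keeps acknowledging but silently stops delivering (AT&T). The following added example, which is not code from the presentation or from any provider, implements both as a sliding-window limiter on a hypothetical SMS web gateway so the two behaviours can be compared side by side. The class name, the /24 subnet key, the one-hour window and the caps of 44 and 50 are assumptions chosen to mirror the slide's numbers; the IP addresses and phone numbers are constructed documentation values.

```python
"""Per-source-subnet and per-destination rate limiting for an SMS web gateway (illustrative)."""
from collections import defaultdict, deque
from ipaddress import ip_network
from typing import Deque, Dict, Tuple


class GatewayLimiter:
    """Sliding-window limiter keyed on the sender's /24 and on the destination number.

    explicit_reject=True  -> over-limit submissions get a NACK (the Verizon-style behaviour)
    explicit_reject=False -> over-limit submissions are ACKed but never delivered
                             (the AT&T-style behaviour the slide describes)
    """

    def __init__(self, per_subnet: int, per_dest: int, window_s: float,
                 explicit_reject: bool) -> None:
        self.per_subnet = per_subnet
        self.per_dest = per_dest
        self.window_s = window_s
        self.explicit_reject = explicit_reject
        self._subnet_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._dest_hits: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def subnet_key(src_ip: str) -> str:
        # Assumption: sources are grouped by /24, as the slide's "subnet value" suggests.
        return str(ip_network(f"{src_ip}/24", strict=False))

    def _count(self, hits: Deque[float], now: float) -> int:
        # Drop timestamps that have aged out of the window, then count what remains.
        while hits and now - hits[0] > self.window_s:
            hits.popleft()
        return len(hits)

    def submit(self, src_ip: str, dest: str, now: float) -> Tuple[str, bool]:
        """Return (response sent to the submitter, whether the message is delivered)."""
        sub = self._subnet_hits[self.subnet_key(src_ip)]
        dst = self._dest_hits[dest]
        over = (self._count(sub, now) >= self.per_subnet
                or self._count(dst, now) >= self.per_dest)
        if over:
            if self.explicit_reject:
                return "NACK", False
            return "ACK", False       # accepted on the wire, quietly dropped
        sub.append(now)
        dst.append(now)
        return "ACK", True


def run_burst(limiter: GatewayLimiter, n: int, src_ip: str, dest: str,
              interval: float = 1.0) -> Tuple[int, int]:
    """Submit n messages once per `interval` seconds; return (acks seen, messages delivered)."""
    acks = delivered = 0
    for i in range(n):
        resp, ok = limiter.submit(src_ip, dest, now=i * interval)
        acks += 1 if resp == "ACK" else 0
        delivered += 1 if ok else 0
    return acks, delivered


if __name__ == "__main__":
    nack_style = GatewayLimiter(per_subnet=44, per_dest=10**9, window_s=3600, explicit_reject=True)
    silent_style = GatewayLimiter(per_subnet=10**9, per_dest=50, window_s=3600, explicit_reject=False)
    print("subnet cap, explicit NACK :", run_burst(nack_style, 60, "198.51.100.10", "+15555550100"))
    print("per-phone cap, silent drop:", run_burst(silent_style, 60, "198.51.100.10", "+15555550100"))
```

Two design points follow from the slide's conclusion. A per-destination cap alone does not protect the air interface, because the limit is reached only by a sender who keeps hitting one phone; a sender spreading traffic across many numbers never trips it, so the source-side (subnet or account) budget is the one that matters. And the choice between NACK and silent drop is a visibility trade-off: the explicit reply tells the submitter exactly where the limit sits, while the silent drop hides it but also hides real delivery failures from legitimate users.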

Page 25: Hit-List Creation
- NPA/NXX
- Web Scraping
- Web Interface

Page 26: Hit-List Creation – NPA/NXX
- The ability to launch a successful assault on a mobile phone network requires the attacker to do more than simply attempt to send text messages to every possible phone number
- The North American Numbering Plan (NANP) created the number formatting "NPA-NXX-XXXX": numbering plan area, exchange code, terminal number
  - Traditionally terminal numbers were administered by a single service provider
  - Example:
    - 814-876-XXXX => AT&T Wireless
    - 814-404-XXXX => Verizon Wireless
    - 814-769-XXXX => Sprint PCS
- The numbering system is very useful for an attacker as it reduces the size of the domain
- November 24th, 2004 => number portability went into effect

Page 27: Hit-List Creation – Web Scraping
- Technique commonly used by spammers to collect information on potential targets through the use of search engines and scripting tools
- An individual is able to gather mobile phone numbers
  - Example: Google search
    - 865 unique numbers from the greater State College, PA region
    - 7,308 from New York City
    - 6,184 from Washington D.C.
- Downside: numbers might not be active

Page 28: Hit-List Creation – Web Interface Interaction
- All major wireless service providers offer a website interface through which anyone can, at no charge to the sender, submit an SMS message
- The web user is given an acknowledgement when submitting an SMS message

Page 29: Modeling DoS Attacks

Page 30: Session Saturation
- Question: how many SMS messages are needed to induce saturation?
- An air interface overview is needed to understand SMS saturation

Page 31: Air Interface Overview
- Voice call establishment is very similar to SMS delivery, except that a Traffic Channel (TCH) is allocated for voice traffic at the completion of control signaling
- Voice and SMS traffic do NOT compete for TCHs, which are held for significantly longer periods of time
- BOTH voice and SMS traffic use the same channels for session establishment, thus contention for these limited resources still occurs!
- Given enough SMS messages, the channels needed for session establishment will become saturated, thus preventing voice traffic in a given area

Page 32: Air Interface Overview
- GSM networks (CDMA is equally vulnerable to attacks)
- GSM is a timesharing system
  - Equal distribution of resources between parties
  - Each channel is divided into 8 timeslots
  - 8 timeslots = 1 frame = 4.65ms transmission
  - 1 timeslot is assigned to a user, who receives full control of the channel
- A user assigned to a given TCH is able to transmit voice data once per frame

Page 33: Air Interface Overview
- 4 carriers, each a single frame
- First timeslot of the first carrier is the Common CCH
- Second timeslot of the first channel is reserved for SDCCH connections
  - Capacity for 8 users is allocated over the use of a multiframe
- Remaining timeslots across all carriers are designated for voice data

Page 34: Air Interface Overview
- Bandwidth is limited within a frame, therefore data must span multiple frames => multiframe => typically 51 frames (26, 51 or 21 in the standards)
- Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel
- Within a single multiframe, up to 8 users can receive SDCCH access

Page 35: Air Interface Overview
- The PCH is used to signal each incoming call and text message; its commitment to each session is limited to the transmission of a TMSI
- TCHs remain occupied for the duration of a call, which averages minutes
- The SDCCH is occupied for a number of seconds per session establishment (typo in paper)
- This SDCCH channel becomes the bottleneck!
  - Must find/understand the bandwidth of the bottleneck

Page 36: Air Interface - Bottleneck
- Each SDCCH spans four logically consecutive timeslots in a multiframe
- Bandwidth: with 184 bits per control channel unit and a multiframe cycle time of 235.36 ms => 782 bps
- Given authentication, TMSI renewal, encryption and the 160-byte text message, the SDCCH is held by an individual session for 4-5 seconds (note: testing from Delivery Discipline demonstrated the same gray-box testing results)
- Results: the service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH

Page 37: Air Interface – Bottleneck Calculations

Page 38: Air Interface – Bottleneck Calculation – Example A
- Study from National Communications System (NCS)
  - Washington D.C. has 40 cellular towers
  - 68.2 sq miles
  - 120 total sectors
  - Each sector 0.5 to 0.75 sq. miles
  - Each sector has 8 SDCCHs
- FIND: the total number of messages per second needed to saturate the SDCCH capacity C in Washington D.C.

Page 39: Air Interface – Bottleneck Calculations – Example A
- 900 msg/hr from the service time translation
- 240 messages a second will saturate the SDCCH channel

Page 40: Air Interface – Bottleneck Calculations – Example B
- Study from National Communications System (NCS)
  - Manhattan
  - 31.1 sq miles
  - 55 total sectors
  - Each sector 0.5 to 0.75 sq. miles
  - Each sector has 12 SDCCHs
- FIND: the total number of messages per second needed to saturate the SDCCH capacity C in Manhattan

Page 41: Air Interface – Bottleneck Calculations – Example B
- 900 msg/hr from the service time translation (previous step)
- 165 messages a second will saturate the SDCCH channel

Page 42: Air Interface – Bottleneck Calculation Results
- Use a source transmission size of 1500 bytes, described in the Delivery Discipline section, to submit an SMS from the Internet
- The table shows the bandwidth required to saturate the control channels and thus incapacitate legitimate voice and text messaging services
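The arithmetic on slides 36 through 42 is short enough to carry through end to end, and an operator doing capacity planning wants exactly these numbers as alerting thresholds: the per-SDCCH throughput, the sessions each SDCCH can serve per hour, and the aggregate session rate at which a region's SDCCH pool is fully occupied. The following is an added example, not the paper's code; the constants are the slides' figures (184-bit units, 235.36 ms multiframe, 4 s hold, 120 x 8 and 55 x 12 SDCCHs, 1500 bytes per Internet submission), while the `Region` dataclass, the function names and the use of the 4-second end of the 4-5 s hold range are assumptions.

```python
"""SDCCH capacity arithmetic from the bottleneck slides (worked end to end)."""
from dataclasses import dataclass

CONTROL_UNIT_BITS = 184        # bits per control channel unit (slide 36)
MULTIFRAME_CYCLE_S = 0.23536   # multiframe cycle time, 235.36 ms (slide 36)
SMS_SESSION_HOLD_S = 4.0       # assumption: lower end of the 4-5 s SDCCH hold (slide 36)
SUBMISSION_BYTES = 1500        # Internet submission size used on slide 42


@dataclass(frozen=True)
class Region:
    name: str
    sectors: int
    sdcch_per_sector: int


def sdcch_bps() -> float:
    """Raw SDCCH throughput: one 184-bit control unit per multiframe cycle."""
    return CONTROL_UNIT_BITS / MULTIFRAME_CYCLE_S


def sessions_per_hour_per_sdcch(hold_s: float = SMS_SESSION_HOLD_S) -> float:
    """Sessions one SDCCH can serve per hour when each holds it for hold_s seconds."""
    return 3600.0 / hold_s


def saturation_rate(region: Region, hold_s: float = SMS_SESSION_HOLD_S) -> float:
    """Aggregate SMS sessions per second that keep every SDCCH in the region busy:
    the saturation threshold the slides compute as C for each city."""
    total_sdcch = region.sectors * region.sdcch_per_sector
    return total_sdcch * sessions_per_hour_per_sdcch(hold_s) / 3600.0


def saturation_bandwidth_mbps(region: Region, bytes_per_msg: int = SUBMISSION_BYTES) -> float:
    """Source-side bandwidth corresponding to the saturation rate (the slide 42 table)."""
    return saturation_rate(region) * bytes_per_msg * 8 / 1e6


WASHINGTON_DC = Region("Washington D.C.", sectors=120, sdcch_per_sector=8)
MANHATTAN = Region("Manhattan", sectors=55, sdcch_per_sector=12)

if __name__ == "__main__":
    print(f"SDCCH throughput       : {sdcch_bps():.0f} bps")
    print(f"Sessions/hour per SDCCH: {sessions_per_hour_per_sdcch():.0f}")
    for r in (WASHINGTON_DC, MANHATTAN):
        print(f"{r.name:15}: {saturation_rate(r):.0f} sessions/s, "
              f"{saturation_bandwidth_mbps(r):.2f} Mbps at {SUBMISSION_BYTES} B/msg")
```

Running it reproduces the slides' 782 bps, 900 sessions/hour, 240 sessions/s for Washington D.C. and 165 sessions/s for Manhattan. Because the hold time is a parameter, the same functions show how the threshold moves if the SDCCH hold per SMS were shortened or if additional SDCCHs were provisioned per sector, which is the lever the paper's countermeasures act on.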

Page 43: Air Interface – Bottleneck Conclusion

- From the delivery discipline and delivery rate results, sending that many messages to a small number of recipients would degrade the effectiveness of any attack:
  - Phone buffers would reach capacity
  - Undeliverable messages would be buffered on the network until the user's allocated space was exhausted
  - Accounts could possibly be disabled temporarily
- Hit-lists spread the load so that individual phones do not reach capacity and per-recipient volume stays below possible service-provider thresholds
- Is it possible?

Page 44: Air Interface DoS Attack – Attack A

- To saturate Washington D.C.:
- Assumptions:
  - Washington D.C. has 572,000 people
  - 60% wireless penetration
  - 8 SDCCHs per sector
  - All devices powered on
  - 50% of Washington D.C. use the same service provider (572,000 × 0.6 × 0.5 = 171,600 targetable phones)
- Result: an even distribution of messages would be 5.04 messages to each phone per hour (1 message every 11.92 minutes)

Page 45: Air Interface DoS Attack – Attack B

- Same assumptions as Attack A, except:
  - Hit-list of 2,500 phone numbers
  - Phone buffer size: 50 messages
- Results:
  - An even distribution of messages would deliver a message to each listed phone every 10.4 seconds
  - The attack would last 8.68 minutes (50 × 10.4 s) before every buffer was exhausted
  - The previous bandwidth table shows these attacks are feasible from a standard high-speed Internet connection
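The Manhattan (Example B) and Washington D.C. (Attack A / Attack B) arithmetic above, as an added example that is not code from the paper or the slides. It reproduces the slide figures to within their rounding and adds one generalisation: the smallest hit-list that sustains a saturating attack for a chosen duration. The 900 msg/hr per SDCCH, the 1500-byte submission size, the Manhattan sector figures and the D.C. population figures are taken from the slides; the D.C. network-wide saturation rate of about 240 msg/s is derived here from the slides' per-phone figures, since the slides give no sector count for D.C.

```python
"""SDCCH saturation and hit-list sizing model.

Added example for this transcript; not code from the Enck et al. paper or from
the slides. It turns the Manhattan and Washington D.C. slide arithmetic into
reusable functions so the model can be rerun with another city, SDCCH count,
buffer size or attack duration. Values marked "slide" come from the slides;
"derived" values are computed from them here.
"""
import math
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
BYTES_PER_SUBMISSION = 1500      # slide: source traffic for one Internet-submitted SMS
MSGS_PER_SDCCH_PER_HOUR = 900    # slide: one SDCCH carries about 900 messages per hour


@dataclass(frozen=True)
class Region:
    name: str
    sectors: int
    sdcch_per_sector: int

    @property
    def sdcch_total(self) -> int:
        return self.sectors * self.sdcch_per_sector


def sdcch_hold_time_sec(msgs_per_hour: float = MSGS_PER_SDCCH_PER_HOUR) -> float:
    """Average SDCCH hold time per message implied by an hourly throughput (900/hr -> 4 s)."""
    return SECONDS_PER_HOUR / msgs_per_hour


def saturation_rate(region: Region,
                    msgs_per_sdcch_per_hour: float = MSGS_PER_SDCCH_PER_HOUR) -> float:
    """Messages per second that keep every SDCCH in the region continuously busy."""
    return region.sdcch_total * msgs_per_sdcch_per_hour / SECONDS_PER_HOUR


def attacker_bandwidth_bps(msgs_per_sec: float,
                           bytes_per_msg: int = BYTES_PER_SUBMISSION) -> float:
    """Upstream bit rate needed to submit msgs_per_sec messages through web interfaces."""
    return msgs_per_sec * bytes_per_msg * 8


def targetable_phones(population: int, penetration: float, provider_share: float) -> int:
    """Phones reachable on one provider's network: population x penetration x provider share."""
    return round(population * penetration * provider_share)


def per_target_interval_sec(rate_msgs_per_sec: float, targets: int) -> float:
    """Seconds between consecutive messages to one target when the load is spread evenly."""
    return targets / rate_msgs_per_sec


def hit_list_attack(rate_msgs_per_sec: float, hit_list_size: int,
                    buffer_size: int) -> tuple[float, float]:
    """Attack B: (seconds between messages to one phone, seconds until every phone's
    buffer is full and the flood stops being delivered)."""
    interval = per_target_interval_sec(rate_msgs_per_sec, hit_list_size)
    return interval, interval * buffer_size


def minimum_hit_list(rate_msgs_per_sec: float, buffer_size: int,
                     duration_sec: float) -> int:
    """Generalisation of Attack B: the smallest hit-list that sustains a saturating
    attack for duration_sec. Each phone absorbs buffer_size messages before it stops
    accepting more, so the list must absorb rate x duration messages in total."""
    return math.ceil(rate_msgs_per_sec * duration_sec / buffer_size)


# Slide (Example B): Manhattan, 55 sectors, 12 SDCCHs per sector.
MANHATTAN = Region("Manhattan", sectors=55, sdcch_per_sector=12)

# Slide (Attack A): 572,000 people, 60% penetration, 50% on one provider.
DC_PHONES = targetable_phones(572_000, 0.60, 0.50)          # derived: 171,600
# The D.C. slides give per-phone rates, not a sector count. The network-wide rate
# consistent with them (5.04 msg/phone/hr x 171,600 phones ~ 865k msg/hr) is about
# 240 msg/s, which is used here as the D.C. saturation rate (derived, not a slide figure).
DC_SATURATION_MSGS_PER_SEC = 240.0


def summary() -> dict:
    """Reproduce the slide numbers and add the hit-list needed for a one-hour attack."""
    manhattan_rate = saturation_rate(MANHATTAN)
    interval, duration = hit_list_attack(DC_SATURATION_MSGS_PER_SEC, 2500, 50)
    return {
        "manhattan_sdcch": MANHATTAN.sdcch_total,
        "manhattan_msgs_per_sec": manhattan_rate,
        "manhattan_attacker_mbps": attacker_bandwidth_bps(manhattan_rate) / 1e6,
        "dc_phones": DC_PHONES,
        "dc_msgs_per_phone_per_hour": DC_SATURATION_MSGS_PER_SEC * SECONDS_PER_HOUR / DC_PHONES,
        "dc_even_spread_interval_min": per_target_interval_sec(DC_SATURATION_MSGS_PER_SEC, DC_PHONES) / 60,
        "dc_hit_list_interval_sec": interval,
        "dc_hit_list_duration_min": duration / 60,
        "dc_hit_list_for_one_hour": minimum_hit_list(DC_SATURATION_MSGS_PER_SEC, 50, 3600),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:32s} {value:,.2f}" if isinstance(value, float) else f"{key:32s} {value:,}")
```

The last entry is the point of the generalisation: with 50-message buffers, a 2,500-number hit-list keeps D.C. saturated for under nine minutes, but keeping it saturated for a full hour takes roughly 17,000 numbers, so the size of the harvested hit-list, not the attacker's bandwidth, bounds the attack's duration.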

Page 46: Air Interface DoS Attack – Prevention/Solution

- New SMSCs are each capable of processing some 20,000 SMS messages per second
- General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE) provide high-speed data connections to the Internet for mobile devices
  - Complementary to SMS; they will NOT replace SMS's functionality

Page 47: Air Interface DoS Attack – Prevention/Solution

- Current mechanisms are NOT adequate to protect these networks
- The proven practicality of address spoofing and of distributed attacks via zombie networks makes authentication based on source IP addresses an ineffective solution
- Because service providers earn revenue from SMS messages, they are unlikely to restrict access to SMS messaging

Page 48: Air Interface DoS Attack – Prevention/Solution

- Separation of Voice and Data
  - The most effective solution would be to separate all voice and data communications
  - Insertion of data into cellular networks would then no longer degrade the fidelity of voice services
  - Dedicating a carrier on the air interface to data signaling and delivery eliminates an attacker's ability to take down voice communications
  - Drawbacks: inefficient use of the spectrum; creates a bottleneck on the air interface
  - Until such offloading schemes are created, origin priority should be implemented:
    - Internet-originated messages => low priority
    - Messages from outside the network => low priority
    - Messages from within the network => high priority
- Resource Provisioning (temporary solutions)
  - Additional Mobile Switching Centers (MSCs) and Base Stations (BSs), e.g. for events such as the Olympics
  - Cellular-on-Wheels (COW), used in the United States
  - The increased number of handoffs puts more strain on the network

Page 49: Air Interface DoS Attack – Solutions

- Rate Limitation
  - Within the air interface, the number of SDCCHs allowed to deliver text messages should be restricted
  - An attack would still succeed, but it would only affect a small number of people
  - Slows the rate at which legitimate messages can be delivered
- Prevent hit-lists
  - Do NOT reveal whether an Internet-based submission succeeded
  - Web interfaces should limit the number of recipients to which a single SMS submission is sent (Verizon and Cingular allow 10 recipients per submission)
- Reduce the ability to automate submission
  - Force the submitting computer to solve some computational puzzle prior to submitting
- Close web interfaces
  - Not likely
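The two air-interface mitigations on the preceding slides, restricting the SDCCHs that may carry text messages and serving in-network messages before Internet-originated ones, are easiest to weigh against each other with a small simulation. The following is an added example, not code from the paper or the slides: one cell's SDCCH pool under an Internet-originated SMS flood, run under four policies, counting blocked call setups and in-network messages delivered. The cell size (8 SDCCHs, the D.C. slide's per-sector figure), the hold times, the arrival pattern and the 60-second horizon are constructed assumptions chosen to keep the runs deterministic; they are not measurements from any network.

```python
"""Cell-level SDCCH admission simulator: SMS channel cap and origin priority.

Added example for this transcript; not code from the paper or the slides. It
models a single cell's SDCCH pool under an Internet-originated SMS flood and
compares the two mitigations from the Prevention/Solution slides: a cap on the
number of SDCCHs that may carry SMS (rate limitation) and origin priority
(in-network messages before Internet-originated ones). Every figure below is a
constructed assumption, not a measurement.
"""
from dataclasses import dataclass, field

N_SDCCH = 8                   # assumed SDCCHs in the cell
VOICE_HOLD = 2                # assumed seconds an SDCCH is held for a call setup
SMS_HOLD = 4                  # seconds per SMS, consistent with ~900 messages/hour per SDCCH
TICKS = 60                    # one-second ticks simulated
INTERNET_FLOOD_PER_TICK = 6   # assumed Internet-originated SMS arriving each second

# Slide: in-network messages high priority; outside-network and Internet low.
PRIORITY = {"sms_in_network": 0, "sms_external": 1, "sms_internet": 2}


@dataclass(frozen=True)
class Request:
    origin: str      # "voice", "sms_in_network", "sms_external" or "sms_internet"
    arrival: int     # tick at which the request reached the cell


@dataclass(frozen=True)
class Policy:
    sms_channel_cap: int      # max SDCCHs carrying SMS at once (N_SDCCH means no cap)
    origin_priority: bool     # serve pending SMS by origin class before arrival order


@dataclass
class Result:
    voice_blocked: int = 0
    delivered: dict = field(default_factory=dict)   # origin -> list of queueing delays (s)

    def count(self, origin: str) -> int:
        return len(self.delivered.get(origin, []))

    def max_delay(self, origin: str) -> int:
        return max(self.delivered.get(origin, [0]))


def arrivals(t: int) -> list[Request]:
    """Constructed traffic: one call setup every second, one in-network SMS every
    two seconds, and a steady Internet-originated flood."""
    reqs = [Request("voice", t)]
    if t % 2 == 0:
        reqs.append(Request("sms_in_network", t))
    reqs += [Request("sms_internet", t) for _ in range(INTERNET_FLOOD_PER_TICK)]
    return reqs


def simulate(policy: Policy, ticks: int = TICKS) -> Result:
    busy_until = [0] * N_SDCCH       # tick at which each SDCCH becomes free again
    carries_sms = [False] * N_SDCCH  # whether the SDCCH is currently assigned to an SMS
    pending: list[Request] = []      # SMS waiting at the SMSC/BS for an SDCCH
    result = Result()

    for t in range(ticks):
        free = [ch for ch in range(N_SDCCH) if busy_until[ch] <= t]

        # Simplification: call setups are admitted before queued SMS within a tick.
        for req in arrivals(t):
            if req.origin != "voice":
                pending.append(req)          # SMS is store-and-forward: it can wait
            elif free:                       # a call setup cannot wait: channel or failure
                ch = free.pop(0)
                busy_until[ch], carries_sms[ch] = t + VOICE_HOLD, False
            else:
                result.voice_blocked += 1

        # Rate limitation: SDCCHs already carrying SMS count against the cap.
        sms_in_use = sum(1 for ch in range(N_SDCCH) if carries_sms[ch] and busy_until[ch] > t)
        # Origin priority: stable sort, so messages of one class stay in arrival order.
        if policy.origin_priority:
            pending.sort(key=lambda r: (PRIORITY[r.origin], r.arrival))

        while pending and free and sms_in_use < policy.sms_channel_cap:
            req, ch = pending.pop(0), free.pop(0)
            busy_until[ch], carries_sms[ch] = t + SMS_HOLD, True
            sms_in_use += 1
            result.delivered.setdefault(req.origin, []).append(t - req.arrival)
    return result


POLICIES = {
    "baseline":         Policy(sms_channel_cap=N_SDCCH, origin_priority=False),
    "cap_only":         Policy(sms_channel_cap=6,       origin_priority=False),
    "priority_only":    Policy(sms_channel_cap=N_SDCCH, origin_priority=True),
    "cap_and_priority": Policy(sms_channel_cap=6,       origin_priority=True),
}


def compare() -> dict[str, Result]:
    return {name: simulate(policy) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18s} voice blocked {r.voice_blocked:2d}/{TICKS}  "
              f"in-network SMS delivered {r.count('sms_in_network'):2d}/30 "
              f"(max wait {r.max_delay('sms_in_network')} s)  "
              f"internet SMS delivered {r.count('sms_internet')}")
```

Running it shows the trade-off the slides point at. Without a cap the flood takes every SDCCH and half the call setups fail. The cap alone keeps two channels free for voice, so no setup fails, but it delivers fewer legitimate messages than no cap at all, because it shrinks the pool the in-network messages must share with the flood. Cap plus origin priority protects voice and gets every in-network message through within two seconds; the flood absorbs all of the remaining delay, which is where the slides say it belongs.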

Page 50: Conclusion

- Cellular networks are a critical part of the economic and social infrastructure
- Systems typically experience below 300 seconds of communication outage per year ("five nines" availability)
- The proliferation of external services on these networks introduces significant potential for misuse
- An adversary injecting messages from the Internet can cause almost twice the expected yearly network downtime using hit-lists of as few as 2,500 targets
- The potential problems outlined in this paper must be addressed by service providers in order to preserve the usability of these critical services