3/26/081 Exploiting Open Functionality in SMS- Capable Networks William Enck, Patrick Traynor,...
-
Upload
shana-payne -
Category
Documents
-
view
213 -
download
0
Transcript of 3/26/081 Exploiting Open Functionality in SMS- Capable Networks William Enck, Patrick Traynor,...
3/26/083/26/08 11
Exploiting Open Functionality in SMS-
CapableNetworks
William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La PortaSystems and Internet Infrastructure Security Laboratory
Department of Computer Science and EngineeringThe Pennsylvania State University
2005
Your host today: Stuart SaltzmanYour host today: Stuart Saltzman
3/26/083/26/08 22
AgendaAgenda
Overview of research paperOverview of research paper SMS/Cellular Network overviewSMS/Cellular Network overview
Submitting a messageSubmitting a message RoutingRouting DeliveryDelivery
SMS/Cellular Vulnerability AnalysisSMS/Cellular Vulnerability Analysis Modeling DOS AttacksModeling DOS Attacks Solution(s)Solution(s)
3/26/083/26/08 33
Overview & Overview & IntroductionIntroduction
3/26/083/26/08 44
Cellular OverviewCellular Overview
Cellular networks are critical component to Cellular networks are critical component to economic and social infrastructureseconomic and social infrastructures
Cellular networks deliver alphanumeric text Cellular networks deliver alphanumeric text messages via messages via Short Messaging ServiceShort Messaging Service (SMS) (SMS)
Telecommunication companies offer Telecommunication companies offer connections between their networks and the connections between their networks and the internetinternet Open functionality creates negative consequencesOpen functionality creates negative consequences
3/26/083/26/08 55
Goal of PaperGoal of Paper
To evaluate the security impact of SMS To evaluate the security impact of SMS interface on the availability of the cellular interface on the availability of the cellular phonephone network network
Demonstrate the ability to deny voice Demonstrate the ability to deny voice service to cities the size of Washington, service to cities the size of Washington, D.C. and ManhattanD.C. and Manhattan
Provide countermeasures that mitigate or Provide countermeasures that mitigate or eliminate DoS threatseliminate DoS threats
3/26/083/26/08 66
SMS/Cellular Network SMS/Cellular Network (GSM)(GSM)
Two methods to send a text messageTwo methods to send a text message 1) via another mobile device1) via another mobile device 2) through an External Short Messaging 2) through an External Short Messaging
Entities (ESME)Entities (ESME) EmailEmail Web-bases messaging portalsWeb-bases messaging portals Paging systemsPaging systems SoftwareSoftware
3/26/083/26/08 77
Submitting a MessageSubmitting a Message
All messages delivered to a server that All messages delivered to a server that handles SMS traffic known as the handles SMS traffic known as the Short Short Messaging Service Center Messaging Service Center (SMSC)(SMSC) Provider (Verizon, AT&T, etc.) MUST provide at Provider (Verizon, AT&T, etc.) MUST provide at
least SMSCleast SMSC If necessary, the message is converted to SMS If necessary, the message is converted to SMS
formatformat Example: internet originated message. Once Example: internet originated message. Once
formatted, the message becomes indistinguishable formatted, the message becomes indistinguishable from there original originatorfrom there original originator
Queued in SMSC for forwardingQueued in SMSC for forwarding
3/26/083/26/08 88
RoutingRouting
Home Location RegisterHome Location Register (HLR) (HLR) Queried by the SMSC for message routingQueried by the SMSC for message routing Permanent repository of user dataPermanent repository of user data
Subscriber information (call waiting, text Subscriber information (call waiting, text messaging)messaging)
Billing dataBilling data AvailabilityAvailability of targeted user of targeted user
Determines routing information for the Determines routing information for the destination devicedestination device
3/26/083/26/08 99
Routing Routing (cont.)(cont.)
If SMSC receives a reply stating that the If SMSC receives a reply stating that the current user is unavailable, it stores the current user is unavailable, it stores the text message for later delivery text message for later delivery It is queuedIt is queued
Otherwise, HLR responds with address Otherwise, HLR responds with address of Mobile Switching Center (MSC) of Mobile Switching Center (MSC) providing service to user/deviceproviding service to user/device
3/26/083/26/08 1010
Routing – Mobile Switching Routing – Mobile Switching
CenterCenter MSCMSC Responsible for mobile device authenticationResponsible for mobile device authentication Location management for attached Base Stations (BS)Location management for attached Base Stations (BS) Act as gateways to Public Switched Telephone Act as gateways to Public Switched Telephone
Network (PSTN)Network (PSTN) Queries Visitor Location Register (VLR) Queries Visitor Location Register (VLR)
Local copy of the targeted devices information when away Local copy of the targeted devices information when away from its HLRfrom its HLR
Forwards text message on to the appropriate base Forwards text message on to the appropriate base station for transmission over the air interfacestation for transmission over the air interface
3/26/083/26/08 1111
Routing FigureRouting Figure
3/26/083/26/08 1212
DeliveryDelivery
Air InterfaceAir Interface 1) Control Channels (CCH)1) Control Channels (CCH)
A) Common CCHA) Common CCH Logical channels:Logical channels:
1) Paging Channel (PCH)1) Paging Channel (PCH) 2) Random Access Channel (RACH)2) Random Access Channel (RACH)
Used by base station (BS) to initiate the delivery of voice and Used by base station (BS) to initiate the delivery of voice and SMS dataSMS data
All connected mobile devices are constantly listening to the All connected mobile devices are constantly listening to the Common CCH for voice and SMS signalingCommon CCH for voice and SMS signaling
B) Dedicated CCHsB) Dedicated CCHs 2) Traffic Channels (TCH)2) Traffic Channels (TCH)
3/26/083/26/08 1313
SMS Delivery DiagramSMS Delivery Diagram 1) Base Station (BS) sends message on the 1) Base Station (BS) sends message on the
Paging channel (PCH) containing the Paging channel (PCH) containing the Temporary Mobile Subscriber ID (TMSI)Temporary Mobile Subscriber ID (TMSI)
2) Network uses the TMSI instead of the 2) Network uses the TMSI instead of the targeted devices phone number in order to targeted devices phone number in order to thwart eavesdroppersthwart eavesdroppers
MH1 = Mobile Host 1
3/26/083/26/08 1414
SMS Delivery Diagram SMS Delivery Diagram (cont.)(cont.)
3) Devices contacts BS over the Random Access 3) Devices contacts BS over the Random Access Channel (RACH) and alerts the network of its Channel (RACH) and alerts the network of its availability to receive incoming call or text dataavailability to receive incoming call or text data
4) Response (from above) arrives at BS, the BS 4) Response (from above) arrives at BS, the BS instructs targeted device to listen to a specific instructs targeted device to listen to a specific Standalone Dedicated Control Channel (SDCCH)Standalone Dedicated Control Channel (SDCCH) SDCCHSDCCH
AuthenticationAuthentication EncryptionEncryption
3/26/083/26/08 1515
SMS/Cellular Network SMS/Cellular Network VulnerabilityVulnerability
3/26/083/26/08 1616
Delivery Discipline - AnalysisDelivery Discipline - Analysis
GoalGoal: find delivery discipline for each provider: find delivery discipline for each provider Study the flow of the messageStudy the flow of the message Standards documentation provides the Standards documentation provides the
framework from which the system is built, but it framework from which the system is built, but it lacks implementation specific detailslacks implementation specific details
SMSC are the locus of all SMS message flowSMSC are the locus of all SMS message flow SMSC queues only a finite number of SMSC queues only a finite number of
messages per a usermessages per a user Message is held until:Message is held until:
target device successfully receives it target device successfully receives it It is dropped (buffer capacity, eviction policy)It is dropped (buffer capacity, eviction policy)
3/26/083/26/08 1717
Delivery DisciplineDelivery Discipline
Overall system response is a composite Overall system response is a composite of multiple queuing points of multiple queuing points (SMSC & target device)(SMSC & target device)
Experiment:Experiment: AT&T, Verizon & SprintAT&T, Verizon & Sprint Slowly inject messages while device is Slowly inject messages while device is
powered off powered off (400 messages, 1 every 60 seconds)(400 messages, 1 every 60 seconds) Turn device back onTurn device back on
The range of sequence number indicated The range of sequence number indicated both buffer size and queue eviction policyboth buffer size and queue eviction policy
3/26/083/26/08 1818
Delivery Discipline – ResultsDelivery Discipline – Results
AT&T’s:AT&T’s: buffered the entire 400 messages (160 bytes each buffered the entire 400 messages (160 bytes each
= 62.4KB)= 62.4KB)
VerizonVerizon Last 100 messages received Last 100 messages received (first 300 missing)(first 300 missing)
Buffer of 100, FIFO eviction policyBuffer of 100, FIFO eviction policy
SprintSprint First 30 messages receivedFirst 30 messages received Buffer of 30, LIFO eviction policyBuffer of 30, LIFO eviction policy
3/26/083/26/08 1919
Delivery Rate - AnalysisDelivery Rate - Analysis
3/26/083/26/08 2020
Delivery Rate - AnalysisDelivery Rate - Analysis
Definition: the speed at which a collection Definition: the speed at which a collection of nodes can process and forward a of nodes can process and forward a messagemessage
GoalGoal: Find bottlenecks - compare : Find bottlenecks - compare injection rates with delivery ratesinjection rates with delivery rates
Exact number of SMSCs in a network is Exact number of SMSCs in a network is not publicly known or discoverablenot publicly known or discoverable
3/26/083/26/08 2121
Delivery Rate Delivery Rate (cont.)(cont.)
Short Messaging Peer Protocol (SMPP)Short Messaging Peer Protocol (SMPP) Dedicated connections to service provider to send messagesDedicated connections to service provider to send messages Service provider plans offer 30-35 messages per secondService provider plans offer 30-35 messages per second
Problem: when a message delivery time exceeds that Problem: when a message delivery time exceeds that of message submission, a system is subject to DoS of message submission, a system is subject to DoS attackattack
Experiment:Experiment: Compare the time it takes for serially injected messages to be Compare the time it takes for serially injected messages to be
submitted and then delivered to the targeted mobile device submitted and then delivered to the targeted mobile device via via web interfacesweb interfaces
PERL script – serially inject messages approximately once per PERL script – serially inject messages approximately once per a second into each providers web interface a second into each providers web interface (avg. send time: 0.71 (avg. send time: 0.71 seconds)seconds)
3/26/083/26/08 2222
Delivery Rate - ResultsDelivery Rate - Results
Verizon & AT&T: 7-8 seconds for deliveryVerizon & AT&T: 7-8 seconds for delivery Sprint: UnknownSprint: Unknown Conclusion: imbalance between the time to submit and the time to Conclusion: imbalance between the time to submit and the time to
receivereceive SMS message size – Maximum: 160 bytesSMS message size – Maximum: 160 bytes Using TcpDump:Using TcpDump:
HTTP Post and IP headers = approximately 700 bytes to send SMS HTTP Post and IP headers = approximately 700 bytes to send SMS message (not considering TCP overhead)message (not considering TCP overhead)
Web page upload sizes:Web page upload sizes: Verizon: 1600 bytesVerizon: 1600 bytes Spring: 1300 bytesSpring: 1300 bytes AT&T: 1100 bytesAT&T: 1100 bytes
Email submission:Email submission: All emails less then 900 bytes to sendAll emails less then 900 bytes to send
3/26/083/26/08 2323
Interfaces - AnalysisInterfaces - Analysis
3/26/083/26/08 2424
Interfaces - AnalysisInterfaces - Analysis Lost messages and negatively acknowledged submit attempts were Lost messages and negatively acknowledged submit attempts were
observedobserved Believe it was a result of web interface limitations imposed by the service Believe it was a result of web interface limitations imposed by the service
providersproviders GoalGoal: find the mechanism used to achieve rate limitation on these : find the mechanism used to achieve rate limitation on these
interfaces and the conditions necessary to activate theminterfaces and the conditions necessary to activate them ExperimentExperiment – used delivery rate analysis – used delivery rate analysis
Verizon:Verizon: After 44 messages, negative acknowledgements resultedAfter 44 messages, negative acknowledgements resulted Blocked messages by subnet valueBlocked messages by subnet value
AT&T:AT&T: Blindly acknowledged all submissions, but stopped delivering after 50 messages Blindly acknowledged all submissions, but stopped delivering after 50 messages
sent to single phonesent to single phone Subnet value didn’t matterSubnet value didn’t matter Differentiated between its inputsDifferentiated between its inputs
Conclusion:Conclusion: SMSC’s typically hold SMSC’s typically hold far far more messages than the mobile devicesmore messages than the mobile devices To launch successfully DoS attack that exploits the limitations of the cellular To launch successfully DoS attack that exploits the limitations of the cellular
air interface, an adversary must target multiple end devices (must have air interface, an adversary must target multiple end devices (must have valid valid phone numbers)phone numbers)
3/26/083/26/08 2525
Hit-List CreationHit-List Creation
NPA/NXX Web ScrapingWeb Interface
3/26/083/26/08 2626
Hit-List Creation – Hit-List Creation – NPA/NXXNPA/NXX
The ability to launch a successful assault on a mobile phone The ability to launch a successful assault on a mobile phone network requires the attacker to do more then simply attempt to network requires the attacker to do more then simply attempt to send text messages to every possibly phone numbersend text messages to every possibly phone number
North American Numbering Plan (NANP) created: number North American Numbering Plan (NANP) created: number formatting “NPA-NXX-XXXX”formatting “NPA-NXX-XXXX” Numbering plan area, exchange code, terminal numberNumbering plan area, exchange code, terminal number Traditionally terminal numbers were administered by a single service Traditionally terminal numbers were administered by a single service
providerprovider Example: Example:
814-876-XXXX => AT&T Wireless814-876-XXXX => AT&T Wireless 814-404-XXXX => Verizon wireless814-404-XXXX => Verizon wireless 814-769-XXXX => Sprint PCS814-769-XXXX => Sprint PCS
Numbering system is very useful for an attacker as it reduces the size Numbering system is very useful for an attacker as it reduces the size of the domainof the domain
November 24November 24thth, 2004 => number portability went into affect, 2004 => number portability went into affect
3/26/083/26/08 2727
Hit-List CreationHit-List Creation – – Web Web ScrapingScraping
Technique commonly used by spammers to Technique commonly used by spammers to collect information on potential targets through collect information on potential targets through the use of search engines and scripting toolsthe use of search engines and scripting tools
Individual is able to gather mobile phone Individual is able to gather mobile phone numbersnumbers Example: -Example: -
Google searchGoogle search 865 unique numbers from the greater State College, PA 865 unique numbers from the greater State College, PA
regionregion 7,308 from New York City7,308 from New York City 6,184 from Washington D.C.6,184 from Washington D.C.
Downside – numbers might not be activeDownside – numbers might not be active
3/26/083/26/08 2828
Hit-List CreationHit-List Creation Web Interface InteractionWeb Interface Interaction
All major wireless service providers offer a website All major wireless service providers offer a website interface through which anyone can at no charge to the interface through which anyone can at no charge to the sender submit a SMS messagesender submit a SMS message
Web user is given acknowledgement when submitting SMS Web user is given acknowledgement when submitting SMS messagemessage
3/26/083/26/08 2929
Modeling DoS AttacksModeling DoS Attacks
3/26/083/26/08 3030
Session SaturationSession Saturation
QuestionQuestion: How many SMS messages : How many SMS messages are needed to induce saturation?are needed to induce saturation?
Air interface overview needed to Air interface overview needed to understand SMS saturationunderstand SMS saturation
3/26/083/26/08 3131
Air Interface OverviewAir Interface Overview
Voice call establishment is very similar to SMS delivery, Voice call establishment is very similar to SMS delivery, except a except a Traffic ChannelTraffic Channel (TCH) is allocated for voice (TCH) is allocated for voice traffic at the completion of control signalingtraffic at the completion of control signaling Voice and SMS traffic do NOT compete for TCHs Voice and SMS traffic do NOT compete for TCHs
which are held for significantly longer periods of time.which are held for significantly longer periods of time. BOTH voice and SMS traffic use the same channels BOTH voice and SMS traffic use the same channels
for session establishment, thus for session establishment, thus contentioncontention for these for these limited resources still occur!limited resources still occur!
Given enough SMS messages, the channels needed Given enough SMS messages, the channels needed for session establishment will become saturated, thus for session establishment will become saturated, thus preventing voice traffic in a given areapreventing voice traffic in a given area
3/26/083/26/08 3232
Air Interface OverviewAir Interface Overview
GSM networks (CDMA equally vulnerable to GSM networks (CDMA equally vulnerable to attacks)attacks)
GSM is a timesharing systemGSM is a timesharing system Equal distribution of resources between partiesEqual distribution of resources between parties Each channel is divided into 8 timeslotsEach channel is divided into 8 timeslots
8 timeslots = 1 frame = 4.65ms transmission8 timeslots = 1 frame = 4.65ms transmission 1 timeslot is assigned to a user who receives full control of 1 timeslot is assigned to a user who receives full control of
the channelthe channel
User assigned to a given TCH is able to transmit User assigned to a given TCH is able to transmit voice data once per a framevoice data once per a frame
3/26/083/26/08 3333
Air Interface OverviewAir Interface Overview 4 carriers, each a single frame 4 carriers, each a single frame First time slot of the first carrier is the Common CCHFirst time slot of the first carrier is the Common CCH Second time slot of the first channel is reserved for SDCCH Second time slot of the first channel is reserved for SDCCH
connectionsconnections Capacity for 8 users is allocated over the use of a multiframeCapacity for 8 users is allocated over the use of a multiframe Remaining timeslots across all carriers are designated for voice dataRemaining timeslots across all carriers are designated for voice data
3/26/083/26/08 3434
Air Interface OverviewAir Interface Overview Bandwidth is limited within frame, therefore data must span over multiple Bandwidth is limited within frame, therefore data must span over multiple
frames => multiframe => typically 51 frames frames => multiframe => typically 51 frames (or 26, 51,21 standards)(or 26, 51,21 standards)
Timeslot 1 from each frame in a multiframe creates the logical SDCCH Timeslot 1 from each frame in a multiframe creates the logical SDCCH channelchannel
Within a single multiframe, up to 8 users can receive SDCCH accessWithin a single multiframe, up to 8 users can receive SDCCH access
3/26/083/26/08 3535
Air Interface OverviewAir Interface Overview
PCH is used to signal each incoming call and PCH is used to signal each incoming call and text message, its commitment to each session text message, its commitment to each session is limited to the transmission of a TMSIis limited to the transmission of a TMSI
TCHs remain occupied for the duration of a call TCHs remain occupied for the duration of a call which averages minuteswhich averages minutes
SDCCH is occupied for a SDCCH is occupied for a number of secondsnumber of seconds per session establishment per session establishment (typo in paper)(typo in paper)
This SDCCH channel becomes the This SDCCH channel becomes the bottleneckbottleneck!! Must find/understand the bandwidth of the Must find/understand the bandwidth of the
bottleneckbottleneck
3/26/083/26/08 3636
Air Interface - BottleneckAir Interface - Bottleneck Each SDCCH spans four logically consecutive timeslots Each SDCCH spans four logically consecutive timeslots
in a multiframein a multiframe Bandwidth: With 184 bits per a control channel unit and a Bandwidth: With 184 bits per a control channel unit and a
multiframe cycle time of 235.36 ms => multiframe cycle time of 235.36 ms => 782 bps782 bps Given authentication, TMSI renewal, encryption and the Given authentication, TMSI renewal, encryption and the
160 byte text message, the 160 byte text message, the SDCCH is held by an SDCCH is held by an individual session for 4-5 secondsindividual session for 4-5 seconds (note: testing form Delivery Discipline (note: testing form Delivery Discipline demonstrated the demonstrated the samesame gray-box testing results) gray-box testing results)
Results: Service time translates into the ability to handle Results: Service time translates into the ability to handle up to up to 900900 SMS sessions per hour on each SDCCH SMS sessions per hour on each SDCCH
3/26/083/26/08 3737
Air Interface – BottleneckAir Interface – Bottleneck CalculationsCalculations
3/26/083/26/08 3838
Air Interface – BottleneckAir Interface – Bottleneck Calculation – Example ACalculation – Example A
Study from National Communications System Study from National Communications System (NCS) (NCS) Washington D.C. has 40 cellular towersWashington D.C. has 40 cellular towers 68.2 sq miles68.2 sq miles 120 total sectors120 total sectors
Each sector 0.5 to 0.75 sq. milesEach sector 0.5 to 0.75 sq. miles Each sector has 8 SDCCHsEach sector has 8 SDCCHs
FINDFIND: Total number of messages per a : Total number of messages per a second needed to saturate the SDCCH second needed to saturate the SDCCH capacity capacity CC in Washington D.C. in Washington D.C.
3/26/083/26/08 3939
Air Interface – BottleneckAir Interface – Bottleneck Calculations – Example ACalculations – Example A
900 msg/hr from service time translation 900 msg/hr from service time translation
240240 messages a second will saturate the messages a second will saturate the SDCCH channelSDCCH channel
3/26/083/26/08 4040
Air Interface – BottleneckAir Interface – Bottleneck Calculations – Example BCalculations – Example B
Study from National Communications System Study from National Communications System (NCS) (NCS) Manhattan Manhattan 31.1 sq miles31.1 sq miles 55 total sectors55 total sectors
Each sector 0.5 to 0.75 sq. milesEach sector 0.5 to 0.75 sq. miles Each sector has 12 SDCCHsEach sector has 12 SDCCHs
FINDFIND: Total number of messages per a : Total number of messages per a second needed to saturate the SDCCH second needed to saturate the SDCCH capacity capacity CC in Manhattan in Manhattan
3/26/083/26/08 4141
Air Interface – BottleneckAir Interface – Bottleneck Calculations – Example BCalculations – Example B
900 msg/hr from service time translation 900 msg/hr from service time translation (previous step)(previous step)
165165 messages a second will saturate the SDCCH messages a second will saturate the SDCCH channelchannel
3/26/083/26/08 4242
Air Interface – BottleneckAir Interface – Bottleneck Calculation ResultsCalculation Results
Use a source transmission size of 1500 bytes Use a source transmission size of 1500 bytes described in the Delivery Discipline section to described in the Delivery Discipline section to submit an SMS from the internetsubmit an SMS from the internet
Table shows the bandwidth required to saturate Table shows the bandwidth required to saturate the control channels and thus incapacitate the control channels and thus incapacitate legitimate voice and text messaging serviceslegitimate voice and text messaging services
3/26/083/26/08 4343
Air Interface – BottleneckAir Interface – Bottleneck ConclusionConclusion
Due to the analysis and the results from the delivery Due to the analysis and the results from the delivery discipline and delivery rate sections, sending that many discipline and delivery rate sections, sending that many messages to a small number of recipients would messages to a small number of recipients would degrade the effectiveness of any attackdegrade the effectiveness of any attack Phones buffers would reach capacityPhones buffers would reach capacity Undeliverable messages would be buffered on the network Undeliverable messages would be buffered on the network
until user allocated space was exhausteduntil user allocated space was exhausted Accounts could possibly be disabled temporarilyAccounts could possibly be disabled temporarily
Hit-lists would prevent individual phones from reaching Hit-lists would prevent individual phones from reaching capacity and below possible service provider capacity and below possible service provider thresholdsthresholds
Is it possible?Is it possible?
3/26/083/26/08 4444
Air Interface DoS Attack Air Interface DoS Attack Attack AAttack A
To saturate Washington DC:To saturate Washington DC: Assumptions:Assumptions:
Washington D.C. has 572,000 peopleWashington D.C. has 572,000 people 60% wireless penetration 60% wireless penetration 8 SDCCHs8 SDCCHs All devices powered onAll devices powered on 50% of Washington D.C. use the same service provider50% of Washington D.C. use the same service provider
Result:Result: An even distribution of messages would be 5.04 messages An even distribution of messages would be 5.04 messages
to each phone per an hour (1 message every 11.92 to each phone per an hour (1 message every 11.92 minutes)minutes)
3/26/083/26/08 4545
Air Interface DoS Attack Air Interface DoS Attack Attack BAttack B
Same assumptions from attack A, except:Same assumptions from attack A, except: Hit-list of 2500 phone numbersHit-list of 2500 phone numbers Phone buffer size: 50Phone buffer size: 50
Results:Results: An even distribution of messages would delivery a An even distribution of messages would delivery a
message every 10.4 secondsmessage every 10.4 seconds Attack would last 8.68 minutes before buffer was Attack would last 8.68 minutes before buffer was
exhaustedexhausted Previous bandwidth table shows these attacks are feasible Previous bandwidth table shows these attacks are feasible
from a standard high-speed internet connectionfrom a standard high-speed internet connection
3/26/083/26/08 4646
Air Interface DoS Attack Air Interface DoS Attack Prevention/SolutionPrevention/Solution
New SMSCs are each capable of processing New SMSCs are each capable of processing some 20,000 SMS messages per a secondsome 20,000 SMS messages per a second
General Packet Radio ServiceGeneral Packet Radio Service (GPRS) and (GPRS) and Enhance Data rates for GSMEnhance Data rates for GSM Evolution (EDGE) Evolution (EDGE) provide high-speed data connections to the provide high-speed data connections to the internet for mobile devicesinternet for mobile devices Complimentary to SMS and will NOT replace SMS’s Complimentary to SMS and will NOT replace SMS’s
functionalityfunctionality
3/26/083/26/08 4747
Air Interface DoS Attack Air Interface DoS Attack Prevention/SolutionPrevention/Solution
Current mechanism are NOT adequate to Current mechanism are NOT adequate to protect these networksprotect these networks
Proven practicality of address spoofing or Proven practicality of address spoofing or distributed attacks via zombie networks makes distributed attacks via zombie networks makes the use of authentication based upon source IP the use of authentication based upon source IP addresses an ineffective solutionaddresses an ineffective solution
Due to service provider earnings ($) from SMS Due to service provider earnings ($) from SMS messages, they are unlikely to restrict access messages, they are unlikely to restrict access to SMS messagingto SMS messaging
3/26/083/26/08 4848
Air Interface DoS Attack Air Interface DoS Attack Prevention/SolutionPrevention/Solution
Separation of Voice and DataSeparation of Voice and Data Most effective solution would be to separate all voice and data Most effective solution would be to separate all voice and data
communicationscommunications Insertion of data into cellular networks will no longer degrade the fidelity of voice Insertion of data into cellular networks will no longer degrade the fidelity of voice
servicesservices Dedicating a carrier on the air interface for data signaling and delivery Dedicating a carrier on the air interface for data signaling and delivery
eliminates an attacker’s ability to take down voice communicationseliminates an attacker’s ability to take down voice communications Ineffective use of the spectrumIneffective use of the spectrum Creates bottleneck on air interfaceCreates bottleneck on air interface
Until the offloading schemes are created, origin priority should be implementedUntil the offloading schemes are created, origin priority should be implemented Internet originated messages => low priorityInternet originated messages => low priority Messages from outside network => low priorityMessages from outside network => low priority Messages from within network => high priorityMessages from within network => high priority
Resource ProvisioningResource Provisioning Temporary SolutionsTemporary Solutions
Additional Mobile Switching Center (MSC) and Base Stations (BS)Additional Mobile Switching Center (MSC) and Base Stations (BS) Events such as the OlympicsEvents such as the Olympics
Cellular-on-Wheels (COW)Cellular-on-Wheels (COW) United States United States
The increased number of ‘handoff’ puts more strain on the networkThe increased number of ‘handoff’ puts more strain on the network
3/26/083/26/08 4949
Air Interface DoS Attack Air Interface DoS Attack SolutionsSolutions
Rate LimitationRate Limitation Within the air interface, the number of SDCCS channels allowed to Within the air interface, the number of SDCCS channels allowed to
deliver text messages should be restricteddeliver text messages should be restricted Attack still successful, but it would only affect a small number of peopleAttack still successful, but it would only affect a small number of people Slows the rate of legitimate messages can be deliveredSlows the rate of legitimate messages can be delivered
Prevent hit-listsPrevent hit-lists Do NOT show successfulness of internet based submissionDo NOT show successfulness of internet based submission
Web interfaces should limit the number of recipients to which a single Web interfaces should limit the number of recipients to which a single SMS submission is sentSMS submission is sent
Verizon and Cingular allow 10 recipients per a submissionVerizon and Cingular allow 10 recipients per a submission Reduce the ability to automate submissionReduce the ability to automate submission
Force the computer to calculate some algorithm prior to submittingForce the computer to calculate some algorithm prior to submitting Close web interfacesClose web interfaces
Not likelyNot likely
3/26/083/26/08 5050
ConclusionConclusion
Cellular networks are a critical part of the economic Cellular networks are a critical part of the economic and social infrastructuresand social infrastructures
Systems typically experience below 300 seconds of Systems typically experience below 300 seconds of communication outages per year (“five nines” communication outages per year (“five nines” availability)availability)
The proliferation of external services on these networks The proliferation of external services on these networks introduces significant potential for misuseintroduces significant potential for misuse
An adversary injecting messages from the internet can An adversary injecting messages from the internet can cause almost twice the yearly expected network cause almost twice the yearly expected network downtime using hit-lists as few as 2,500 targetsdowntime using hit-lists as few as 2,500 targets
The service providers potential problems outlined in The service providers potential problems outlined in this paper must be addressed in order to preserve the this paper must be addressed in order to preserve the usability of these critical servicesusability of these critical services