Exploiting Open Functionality in SMS-Capable Cellular Networks Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta Publication: 12th ACM conference on Computer and communications security, November 2005 Presenter: Brad Mundt for CAP6133 Spring ‘08

Motivation SMS  Ingrained into modern culture  69 million messages per day in UK  10 cents per message  Popular with telecom Voice traffic is fixed revenue, unlike SMS Opened up the system- web, , IM…

Motivation… Internet-originated text messages Deny voice service to a city  Zombies  Hit lists Similar to traffic from Slammer worm  BoA ATMs, 911 services

Presentation Flow Cellular Network Overview Vulnerability Analysis  Research  Discovery Attack vectors and implements Scenario Other stuff

SMS/Cellular Network Sending  Mobile device or ESME External Short Messaging Entities (ESME) Delivering  Short Messaging Service Center (SMSC) SMS formatting Queued for forwarding Query Home Location Register (HLR) for directions

SMS/Cellular Network Delivering (Continued)  HLR Subscriber Info, call waiting, text messaging If user is busy, store SMS for later Otherwise give address for MSC  Mobile Switching Center

SMS/Cellular Network Delivering (Continued)  MSC Service, Authentication Location management for BS, no not that BS!  Base Stations Hand offs / gateway to PSTN  Public Switched Telephone Network Query Visitor Location Register (VLR)  Returns Info when device is away from HLR  Forwards to correct BS for delivery

SMS/Cellular Network

Vulnerability Analysis Bottlenecks  System is a composite of multiple Queuing Points  Injection rate versus delivery rate Targeting Queues  SMSC Finite number in queue, SMS age, policy Messages remain in SMSC buffer when device is full  Device 500 messages drained a battery

Plan Messages exceeding saturation levels are lost  Successful DoS needs Multiple subscribers Multiple interfaces Hit-lists and Zombies

Hit-list Creation Internet search for NPA/NXX DB  Target wireless numbers by domain owner name Web Scraping Worm  Device recently call lists  Computers that sync with device

Attack profile attributes GSM gray-box testing  900 SMS per hour on each dedicated channel  1 dedicated channel per 4 voice  2 dedicated channels per carrier Protocol sharing Number of dedicated channels per area Number of carriers per area

Cellular device channels Two Channels  Control Channel (CCH) Common CCH  BS uses for voice and SMS connections establishment  All connected mobiles are listening on this for signaling Dedicated CCH  Data  Traffic Channel (TCH) Voice

Attack Scenario 2500 numbers in hit list Average 50 message device buffer 8 dedicated channels, (D.C.) 1 message per phone every 10.4 sec 8.68 min to fill buffers

Targeted Attacks Fill the buffers, users loose messages Data loss on some devices from overflowing  Read messages overwritten when new ones arrive (Nokia 3560) Message delays due to overflowing  Campus alert messages- blocking? Deleting junk SMS, accidentally delete good ones Battery depletion

Tomorrows SPAM Phishing Viruses  Cabir and Skulls Both were bluetooth

SMS Spam

Summary Cellular networks are critical part of  Social and economic infrastructures Potential misuse from external services  DoS  InfoWar  Economic

Contributions Security impact of SMS on Cellular network Demonstrate ability to deny serivce to city sized area Techniques for targeting these systems How to avoid

Weaknesses Gray-box testing  Documentation  Experimentation without EULA violations Time of Day / Day of Week Payload size variations Estimations

How to Improve Traffic analysis for  Time of Day / Day of Week Vary payload size If White hats, work with the telecoms Validate for more facts

The End Thank you…