William Enck
Patrick Traynor
ABSTRACT
Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized. In this paper, we evaluate the security impact of the SMS interface on the availability of the cellular phone network. Specifically, we demonstrate the ability to deny voice service to cities the size of Washington D.C. and Manhattan with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks. This analysis begins with an exploration of the structure of cellular networks. We then characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We conclude by discussing countermeasures that mitigate or eliminate the threats introduced by these attacks.
- Denial of service attacks. Technical report, CERT Coordination Center, October 1997. http://www.cert.org/tech tips/denial_of_service.html.]]Google Scholar
- Mobile networks facing overload. http://www.gateway2russia.com/st/art 187902.php, December 31, 2003.]]Google Scholar
- Record calls, text again expected for nye. http://www.itnews.com.au/newsstory.aspx?CIaNID=17434, December 31, 2004.]]Google Scholar
- 3rd Generation Partnership Project. Physical layer on the radio path; general description. Technical Report 3GPP TS 05.01 v8.9.0.]]Google Scholar
- 3rd Generation Partnership Project. Technical realization of the short message service (sms). Technical Report 3GPP TS 03.40 v7.5.0.]]Google Scholar
- Anti-Phishing Working Group. Reports of email fraud and phishing attacks increase by 180% in april; up 4,000% since november. http://www. antiphishing.org/news/05-24-04_Press%20Release-PhishingApr04.html, May 24, 2004.]]Google Scholar
- A. Arpaci-Dusseau and R. Arpaci-Dusseau. Information and control in gray-box systems. In Proceedings of Symposium on Operating Systems Principles (SOSP), pages 43--56, 2001.]] Google ScholarDigital Library
- T. Aura, P. Nikander, and J. Leiwo. Dos-resistant authentication with client puzzles. In Proceedings of Cambridge Security Protocols Workshop, 2000.]] Google ScholarDigital Library
- S. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communications Review, 19(2):32--48, April 1989.]] Google ScholarDigital Library
- S. Bellovin. Inside risks: Spamming, phishing, authentication, and privacy. Communications of the ACM, 47(12):144, December 2004.]] Google ScholarDigital Library
- S. Berg, A. Taylor, and R. Harper. Mobile phones for the next generation: Device designs for teenagers. In Proceedings ACM SIGCHI Conference on Human Factors in Computing Systems, pages 433--440, 2003.]] Google ScholarDigital Library
- S. Buckingham. What is GPRS? http://www.gsmworld.com/technology/gprs/intro.shtml#5, 2000.]]Google Scholar
- J. V. D. Bulck. Text messaging as a cause of sleep interruption in adolescents, evidence from a cross-sectional study. Journal of Sleep Research, 12(3):263, September 2003.]]Google ScholarCross Ref
- N. Burnett, J. Bent, A. Arpaci-Dusseau, and R. Arpaci-Dusseau. Exploiting gray-box knowledge of buffer-cache management. In Proceedings of USENIX Annual Technical Conference, pages 29--44, 2002.]] Google ScholarDigital Library
- S. Byers, A. Rubin, and D. Kormann. Defending against an internet-based attack on the physical world. ACM Transactions on Internet Technology (TOIT), 4(3):239--254, August 2004.]] Google ScholarDigital Library
- Cellular Online. Uk sms traffic continues to rise. http://www.cellular.co.za/news 2004/may/0500404-uk sms traffic continues to rise.htm, May 2004.]]Google Scholar
- CERT. Advisory CA-1996-26 'denial-of-service attack via ping'. http://www.cert.org/advisories/CA-1996-26.html, December 1996.]]Google Scholar
- A. Choong. Wireless watch: Jammed. http://asia.cnet.com/reviews/handphones/wirelesswatch/0,39020107,39186280,00.htm, September 7, 2004.]]Google Scholar
- Cingular Wireless. Text messaging. https://www.cingular.com/media/text messaging purchase.]]Google Scholar
- Cisco Systems Whitepaper. A study in mobile messaging: The evolution of messaging in mobile networks, and how to efficiently and effectively manage the growing messaging traffic. Technical report, 2004. http://www.cisco.com/warp/public/cc/so/neso/mbwlso/mbmsg wp.pdf.]]Google Scholar
- Computer Associates. Carko. http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075555.]]Google Scholar
- COSMOTE Whitepaper. COSMOTE and the 'Athens 2004' olympic sponsorship. Technical report, 2003. http://www.cosmote.gr/content/en/attachedfiles/investorrelations/COSMOTE Annual Report 2003 77--84.pdf.]]Google Scholar
- L. Cranor and B. LaMacchia. Spam! Communications of the ACM, 41(8):74--83, August 1998.]] Google ScholarDigital Library
- F-Secure Corporation. F-Secure mobile anti-virus. http://www.f-secure.com/products/fsmavs60/.]]Google Scholar
- F-Secure Corporation. F-Secure virus descriptions: Cabir.h. http://www.f-secure.com/v-descs/cabir h.shtml, December 2004.]]Google Scholar
- F-Secure Corporation. F-Secure virus descriptions: Mabir.a. http://www.f-secure.com/v-descs/mabir.shtml, April 2005.]]Google Scholar
- F-Secure Corporation. F-Secure virus descriptions: Skulls.a. http://www.f-secure.com/v-descs/skulls.shtml, January 2005.]]Google Scholar
- E. Felten, D. Balfanz, D. Dean, and D. Wallach. Web spoofing: An internet con game. Software World, 28(2):6-9, March 1997.]]Google Scholar
- G. Goth. Phishing attacks rising, but dollars losses down. IEEE Security and Privacy Magazine, 3(1):8, January 2005.]] Google ScholarDigital Library
- M. Grenville. Operators: Celebration messages overload sms network. http://www.160characters.org/news.php?action=view&nid=819, November 2003.]]Google Scholar
- K. Houle and G. Weaver. Trends in denial of service attack technology. Technical report, CERT Coordination Center, October 2001. http://www.cert.org/archive/pdf/DoS trends.pdf.]]Google Scholar
- Intel Whitepaper. SMS messaging in SS7 networks: Optimizing revenue with modular components. Technical report, 2003. http://www.intel.com/network/csp/pdf/8706wp.pdf.]]Google Scholar
- J. Ioannidis and S. Bellovin. Implementing pushback: Router-based defense against DDoS attacks. In Proceedings of Network and Distributed System Security Symposium, February 2002.]]Google Scholar
- S. Kasera, J. Pinheiro, C. L. M. Karaul, A. Hari, and T. L. Porta. Fast and robust signaling overload control. In Proceedings IEEE Conference on Network Protocols (ICNP), pages 323--331, November 2001.]] Google ScholarDigital Library
- E. Levy. Interface illusions. IEEE Security & Privacy Magazine, 2(6):66--69, December 2004.]] Google ScholarDigital Library
- G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing ss7 telecommunications networks. In Proceedings of the IEEE Workshop on Information Assurance and Security, 2001.]]Google Scholar
- S. Makris. Athens 2004 games: The "extreme makeover" olympics!, April 2005. Slides presented at CQR 2005 Workshop, St. Petersburg Beach, Florida USA.]]Google Scholar
- S. Marwaha. Will success spoil sms? http://wirelessreview.com/mag/wireless success spoil sms/, March 15, 2001.]]Google Scholar
- J. Mirkovic and P. Reiher. A taxonomy of DDoS attacks and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2):39--53, 2004.]] Google ScholarDigital Library
- D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the slammer worm. IEEE Security and Privacy, 1(4), July 2003.]] Google ScholarDigital Library
- T. Moore, T. Kosloff, J. Keller, G. Manes, and S. Shenoi. Signalling system 7 network security. In Proceedings of the IEEE 45th Midwest Symposium on Circuits and Systems, August 4-7, 2002.]]Google ScholarCross Ref
- G. Mori and J. Malik. Recognizing objects in adversarial clutter: Breaking a visual captcha. In Proc. of Computer Vision and Pattern Recognition, 2003.]]Google ScholarCross Ref
- M. Naor. Verification of human in the loop or identification via the turing test. http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps, 1996.]]Google Scholar
- National Communications System. SMS over SS7. Technical Report Technical Information Bulletin 03-2 (NCS TIB 03-2), December 2003. http://www.ncs.gov/library/tech bulletins/2003/tib 03-2.pdf.]]Google Scholar
- Nextel. Text messaging. http://www.nextel.com/en/services/messaging/text messaging.shtml.]]Google Scholar
- J. Pearce. Mobile firms gear up for new years text-fest. http://news.zdnet.co.uk/communications/networks/0,39020345,39118812,00.htm, December 30, 2003.]]Google Scholar
- H. Project. The honeynet project. http://project.honeynet.org, 2005.]]Google Scholar
- RedTeam. o2 germany promotes sms-phishing. http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-009.txt.]]Google Scholar
- P. Roberts. Nokia phones vulnerable to dos attack. http://www.infoworld.com/article/03/02/26/HNnokiados 1.html, February 26, 2003.]]Google Scholar
- S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Practical network support for IP traceback. In Proceedings of ACM SIGCOMM, pages 295--306, October 2000.]] Google ScholarDigital Library
- C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, and D. Zamboni. Analysis of a denial of service attack on TCP. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 208-223. IEEE Computer Society, May 1997.]] Google ScholarDigital Library
- G. Shannon. Security vulnerabilities in protocols. In Proceedings of ITU-T Workshop on Security, May 13-14, 2002.]]Google Scholar
- S. Staniford, V. Paxson, and N. Weaver. How to own the internet in your spare time. In Usenix Security Symposium, pages 149-167, 2002.]] Google ScholarDigital Library
- J. Swartz. Cellphones now richer targets for viruses, spam, scams. http://www.usatoday.com/printedition/news/20050428/1a bottomstrip28.art.htm, April 28, 2005.]]Google Scholar
- Telecommunication Industry Association/Electronic Industries Association (TIA/EIA) Standard. Short messaging service for spread spectrum systems. Technical Report ANSI/TIA/EIA-637-A-1999.]]Google Scholar
- Tom's Hardware. How to: Building a bluesniper rifle. http://www.tomsnetworking.com/Sections-article106.php, March 2005.]]Google Scholar
- United States Census Bureau. United states census 2000. http://www.census.gov/main/www/cen2000.html, 2000.]]Google Scholar
- United States Congress, Senate. Controlling the assault of non-solicited pornography and marketing act of 2003 (CAN-SPAM). Public Law 108-187, 108th Congress, December 16, 2003.]]Google Scholar
- S. van Zanen. Sms: Can networks handle the explosive growth? http://www. wirelessdevnet.com/channels/sms/features/smsnetworks.html, 2000.]]Google Scholar
- Verizon Wireless. About the service. http://www.vtext.com/customer site/jsp/ aboutservice.jsp.]]Google Scholar
- L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt, pages 294-311, 2003.]]Google ScholarDigital Library
- B. Waters, A. Juels, J. Halderman, and E. Felten. New client puzzle outsourcing techniques for DoS resistance. In Proceedings of ACM CCS'04, pages 246-256, 2004.]] Google ScholarDigital Library
- S. Wolpin. Spam comes calling. http://techworthy.com/Laptop/June2004/Spam-Comes-Calling.htm, June 2004.]]Google Scholar
Index Terms
- Exploiting open functionality in SMS-capable cellular networks
Recommendations
New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecuritySMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the ...
Mitigating attacks on open functionality in SMS-capable cellular networks
MobiCom '06: Proceedings of the 12th annual international conference on Mobile computing and networkingThe transformation of telecommunications networks from homogeneous closed systems providing only voice services to Internet-connected open networks that provide voice and data services presents significant security challenges. For example, recent ...
On cellular botnets: measuring the impact of malicious devices on a cellular network core
CCS '09: Proceedings of the 16th ACM conference on Computer and communications securityThe vast expansion of interconnectivity with the Internet and the rapid evolution of highly-capable but largely insecure mobile devices threatens cellular networks. In this paper, we characterize the impact of the large scale compromise and coordination ...
Comments