3/26/08

William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta

Systems and Internet Infrastructure Security Laboratory
Department of Computer Science and Engineering
The Pennsylvania State University
2005

Your host today: Stuart Saltzman

- Overview of research paper
- SMS/Cellular Network overview
  - Submitting a message
  - Routing
  - Delivery
- SMS/Cellular Vulnerability Analysis
- Modeling DOS Attacks
- Solution(s)

- Cellular networks are a critical component of economic and social infrastructures
- Cellular networks deliver alphanumeric text messages via Short Messaging Service (SMS)
- Telecommunication companies offer connections between their networks and the internet
  - Open functionality creates negative consequences

- To evaluate the security impact of the SMS interface on the availability of the cellular phone network
- Demonstrate the ability to deny voice service to cities the size of Washington, D.C. and Manhattan
- Provide countermeasures that mitigate or eliminate DoS threats

- Two methods to send a text message
  - 1) via another mobile device
  - 2) through External Short Messaging Entities (ESME)
    - Email
    - Web-based messaging portals
    - Paging systems
    - Software

- All messages are delivered to a server that handles SMS traffic, known as the Short Messaging Service Center (SMSC)
  - Provider (Verizon, AT&T, etc.) MUST provide at least one SMSC
- If necessary, the message is converted to SMS format
  - Example: internet originated message. Once formatted, the message can no longer be distinguished by its original originator
- Queued in SMSC for forwarding

- Home Location Register (HLR)
  - Queried by the SMSC for message routing
  - Permanent repository of user data
    - Subscriber information (call waiting, text messaging)
    - Billing data
    - Availability of targeted user
  - Determines routing information for the destination device

(cont.)
- If SMSC receives a reply stating that the current user is unavailable, it stores the text message for later delivery
  - It is queued
- Otherwise, HLR responds with address of Mobile Switching Center (MSC) providing service to user/device

- MSC
  - Responsible for mobile device authentication
  - Location management for attached Base Stations (BS)
  - Act as gateways to Public Switched Telephone Network (PSTN)
  - Queries Visitor Location Register (VLR)
    - Local copy of the targeted device's information when away from its HLR
  - Forwards text message on to the appropriate base station for transmission over the air interface

Air Interface
- 1) Control Channels (CCH)
  - A) Common CCH
    - Logical channels:
      - 1) Paging Channel (PCH)
      - 2) Random Access Channel (RACH)
    - Used by base station (BS) to initiate the delivery of voice and SMS data
    - All connected mobile devices are constantly listening to the Common CCH for voice and SMS signaling
  - B) Dedicated CCHs
- 2) Traffic Channels (TCH)

- 1) Base Station (BS) sends message on the Paging channel (PCH) containing the Temporary Mobile Subscriber ID (TMSI)
- 2) Network uses the TMSI instead of the targeted device's phone number in order to thwart eavesdroppers

MH1 = Mobile Host 1

(cont.)
- 3) Device contacts BS over the Random Access Channel (RACH) and alerts the network of its availability to receive incoming call or text data
- 4) Response (from above) arrives at BS, the BS instructs targeted device to listen to a specific Standalone Dedicated Control Channel (SDCCH)
  - SDCCH
    - Authentication
    - Encryption

- Goal: find delivery discipline for each provider
- Study the flow of the message
- Standards documentation provides the framework from which the system is built, but it lacks implementation-specific details
- SMSCs are the locus of all SMS message flow
- SMSC queues only a finite number of messages per user
  - Message is held until:
    - target device successfully receives it
    - It is dropped (buffer capacity, eviction policy)

- Overall system response is a composite of multiple queuing points (SMSC & target device)
- Experiment:
  - AT&T, Verizon & Sprint
  - Slowly inject messages while device is powered off (400 messages, 1 every 60 seconds)
  - Turn device back on
  - The range of sequence numbers indicated both buffer size and queue eviction policy

- AT&T:
  - buffered the entire 400 messages (160 bytes each = 62.4KB)
- Verizon
  - Last 100 messages received (first 300 missing)
  - Buffer of 100, FIFO eviction policy
- Sprint
  - First 30 messages received
  - Buffer of 30, LIFO eviction policy

- Definition: the speed at which a collection of nodes can process and forward a message
- Goal: Find bottlenecks - compare injection rates with delivery rates
- Exact number of SMSCs in a network is not publicly known or discoverable

(cont.)
- Short Messaging Peer Protocol (SMPP)
  - Dedicated connections to service provider to send messages
  - Service provider plans offer 30-35 messages per second
- Problem: when a message delivery time exceeds that of message submission, a system is subject to DoS attack
- Experiment:
  - Compare the time it takes for serially injected messages to be submitted and then delivered to the targeted mobile device via web interfaces
  - PERL script: serially inject messages approximately once per second into each provider's web interface (avg. send time: 0.71 seconds)

- Verizon & AT&T: 7-8 seconds for delivery
- Sprint: Unknown
- Conclusion: imbalance between the time to submit and the time to receive
- SMS message size - Maximum: 160 bytes
- Using TcpDump:
  - HTTP POST and IP headers = approximately 700 bytes to send SMS message (not considering TCP overhead)
- Web page upload sizes:
  - Verizon: 1600 bytes
  - Sprint: 1300 bytes
  - AT&T: 1100 bytes
- Email submission:
  - All emails less than 900 bytes to send

- Lost messages and negatively acknowledged submit attempts were observed
  - Believe it was a result of web interface limitations imposed by the service providers
- Goal: find the mechanism used to achieve rate limitation on these interfaces and the conditions necessary to activate them
- Experiment: used delivery rate analysis
  - Verizon:
    - After 44 messages, negative acknowledgements resulted
    - Blocked messages by subnet value
  - AT&T:
    - Blindly acknowledged all submissions, but stopped delivering after 50 messages sent to a single phone
    - Subnet value didn't matter
    - Differentiated between its inputs
- Conclusion:
  - SMSCs typically hold far more messages than the mobile devices
  - To launch a successful DoS attack that exploits the limitations of the cellular air interface, an adversary must target multiple end devices (must have valid phone numbers)

- NPA/NXX
- Web Scraping
- Web Interface

- The ability to launch a successful assault on a mobile phone network requires the attacker to do more than simply attempt to send text messages to every possible phone number
- North American Numbering Plan (NANP) created: number formatting "NPA-NXX-XXXX"
  - Numbering plan area, exchange code, terminal number
  - Traditionally terminal numbers were administered by a single service provider
  - Example:
    - 814-876-XXXX => AT&T Wireless
    - 814-404-XXXX => Verizon Wireless
    - 814-769-XXXX => Sprint PCS
  - Numbering system is very useful for an attacker as it reduces the size of the domain
- November 24th, 2004 => number portability went into effect

Web Scraping
- Technique commonly used by spammers to collect information on potential targets through the use of search engines and scripting tools
- Individual is able to gather mobile phone numbers
  - Example:
    - Google search
    - 865 unique numbers from the greater State College, PA region
    - 7,308 from New York City
    - 6,184 from Washington D.C.
- Downside: numbers might not be active

Web Interface Interaction
- All major wireless service providers offer a website interface through which anyone can, at no charge to the sender, submit an SMS message
- Web user is given acknowledgement when submitting SMS message

Question: How many SMS messages are needed to induce saturation?

Air interface overview needed to understand SMS saturation

- Voice call establishment is very similar to SMS delivery, except a Traffic Channel (TCH) is allocated for voice traffic at the completion of control signaling
- Voice and SMS traffic do NOT compete for TCHs, which are held for significantly longer periods of time.
- BOTH voice and SMS traffic use the same channels for session establishment, thus contention for these limited resources still occurs!
- Given enough SMS messages, the channels needed for session establishment will become saturated, thus preventing voice traffic in a given area

- GSM networks (CDMA equally vulnerable to attacks)
- GSM is a timesharing system
  - Equal distribution of resources between parties
  - Each channel is divided into 8 timeslots
  - 8 timeslots = 1 frame = 4.65ms transmission
  - 1 timeslot is assigned to a user who receives full control of the channel
- User assigned to a given TCH is able to transmit voice data once per frame

- 4 carriers, each a single frame
- First time slot of the first carrier is the Common CCH
- Second time slot of the first channel is reserved for SDCCH connections
- Capacity for 8 users is allocated over the use of a multiframe
- Remaining timeslots across all carriers are designated for voice data

- Bandwidth is limited within frame, therefore data must span over multiple frames => multiframe => typically 51 frames (or 26, 51, 21 standards)
- Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel
- Within a single multiframe, up to 8 users can receive SDCCH access

- PCH is used to signal each incoming call and text message; its commitment to each session is limited to the transmission of a TMSI
- TCHs remain occupied for the duration of a call, which averages minutes
- SDCCH is occupied for a number of seconds per session establishment (typo in paper)
  - This SDCCH channel becomes the bottleneck!
  - Must find/understand the bandwidth of the bottleneck

- Each SDCCH spans four logically consecutive timeslots in a multiframe
- Bandwidth: With 184 bits per control channel unit and a multiframe cycle time of 235.36 ms => 782 bps
- Given authentication, TMSI renewal, encryption and the 160 byte text message, the SDCCH is held by an individual session for 4-5 seconds (note: testing from Delivery Discipline demonstrated the same gray-box testing results)
- Results: Service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH

Calculations

Calculation - Example A
- Study from National Communications System (NCS)
  - Washington D.C. has 40 cellular towers
  - 68.2 sq miles
  - 120 total sectors
  - Each sector 0.5 to 0.75 sq. miles
- Each sector has 8 SDCCHs
- FIND: Total number of messages per second needed to saturate the SDCCH capacity C in Washington D.C.

Calculations - Example A
- 900 msg/hr from service time translation
- 240 messages a second will saturate the SDCCH channel

Calculations - Example B
- Study from National Communications System (NCS)
  - Manhattan
  - 31.1 sq miles
  - 55 total sectors
  - Each sector 0.5 to 0.75 sq. miles
- Each sector has 12 SDCCHs
- FIND: Total number of messages per second needed to saturate the SDCCH capacity C in Manhattan

Calculations - Example B
- 900 msg/hr from service time translation (previous step)
- 165 messages a second will saturate the SDCCH channel

Calculation Results
- Use a source transmission size of 1500 bytes described in the Delivery Discipline section to submit an SMS from the internet
- Table shows the bandwidth required to saturate the control channels and thus incapacitate legitimate voice and text messaging services

Conclusion
- Due to the analysis and the results from the delivery discipline and delivery rate sections, sending that many messages to a small number of recipients would degrade the effectiveness of any attack
  - Phones' buffers would reach capacity
  - Undeliverable messages would be buffered on the network until user allocated space was exhausted
  - Accounts could possibly be disabled temporarily
- Hit-lists would keep individual phones from reaching capacity and keep traffic below possible service provider thresholds
  - Is it possible?

Attack A
- To saturate Washington DC:
  - Assumptions:
    - Washington D.C. has 572,000 people
    - 60% wireless penetration
    - 8 SDCCHs
    - All devices powered on
    - 50% of Washington D.C. use the same service provider
  - Result:
    - An even distribution of messages would be 5.04 messages to each phone per hour (1 message every 11.92 minutes)

Attack B
- Same assumptions from attack A, except:
  - Hit-list of 2500 phone numbers
  - Phone buffer size: 50
- Results:
  - An even distribution of messages would deliver a message every 10.4 seconds
  - Attack would last 8.68 minutes before buffer was exhausted
  - Previous bandwidth table shows these attacks are feasible from a standard high-speed internet connection

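The arithmetic behind Calculation Examples A and B and the per-phone rates in Attacks A and B, as an added example (not code from the slides or the paper), so an operator can substitute their own sector counts and SDCCH allocation when sizing limits. Function names are assumptions; the input figures are the ones quoted on the slides.

```python
# Added example: the slides' SDCCH capacity arithmetic as reusable functions.
# Figures marked "slides" are quoted from the deck; function names are assumptions.

SESSIONS_PER_SDCCH_PER_HOUR = 900   # slides: up to 900 SMS sessions/hour per SDCCH
SOURCE_BYTES_PER_SMS = 1500         # slides: source transmission size per submission


def saturation_rate(sectors, sdcch_per_sector,
                    sessions_per_hour=SESSIONS_PER_SDCCH_PER_HOUR):
    """Capacity C: messages/second at which every SDCCH in the area is busy."""
    return sectors * sdcch_per_sector * sessions_per_hour / 3600


def source_bandwidth_mbps(msgs_per_sec, bytes_per_msg=SOURCE_BYTES_PER_SMS):
    """Upstream bandwidth consumed by submissions arriving at msgs_per_sec."""
    return msgs_per_sec * bytes_per_msg * 8 / 1_000_000


def subscribers(population, penetration, provider_share):
    """Handsets served by one provider in the area."""
    return population * penetration * provider_share


def per_phone_interval_s(recipients, msgs_per_sec):
    """Seconds between messages to one phone when load is spread evenly."""
    return recipients / msgs_per_sec


def buffer_fill_minutes(recipients, msgs_per_sec, buffer_size):
    """Minutes until a per-phone buffer of buffer_size messages is full."""
    return buffer_size * per_phone_interval_s(recipients, msgs_per_sec) / 60


if __name__ == "__main__":
    # Sector and SDCCH counts are the slides' figures for each city.
    for city, sectors, sdcch in (("Washington D.C.", 120, 8), ("Manhattan", 55, 12)):
        c = saturation_rate(sectors, sdcch)
        print(f"{city}: C = {c:.0f} msg/s, {source_bandwidth_mbps(c):.2f} Mbit/s at source")

    c_dc = saturation_rate(120, 8)
    phones = subscribers(572_000, 0.60, 0.50)          # Attack A assumptions
    gap = per_phone_interval_s(phones, c_dc)
    print(f"Attack A: one message per phone every {gap / 60:.2f} min "
          f"({3600 / gap:.2f} per hour; the slides round this to 5.04)")

    gap_b = per_phone_interval_s(2500, c_dc)            # Attack B hit-list
    print(f"Attack B: one message per phone every {gap_b:.1f} s, "
          f"buffer of 50 full after {buffer_fill_minutes(2500, c_dc, 50):.2f} min")
```

The Mbit/s values are computed here from the slides' 1500 bytes per submission; the deck's own bandwidth table did not survive extraction.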
Prevention/Solution
- New SMSCs are each capable of processing some 20,000 SMS messages per second
- General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE) provide high-speed data connections to the internet for mobile devices
  - Complementary to SMS and will NOT replace SMS's functionality

Prevention/Solution
- Current mechanisms are NOT adequate to protect these networks
- Proven practicality of address spoofing or distributed attacks via zombie networks makes the use of authentication based upon source IP addresses an ineffective solution
- Due to service provider earnings ($) from SMS messages, they are unlikely to restrict access to SMS messaging

Prevention/Solution
- Separation of Voice and Data
  - Most effective solution would be to separate all voice and data communications
    - Insertion of data into cellular networks will no longer degrade the fidelity of voice services
  - Dedicating a carrier on the air interface for data signaling and delivery eliminates an attacker's ability to take down voice communications
    - Ineffective use of the spectrum
    - Creates bottleneck on air interface
  - Until the offloading schemes are created, origin priority should be implemented
    - Internet originated messages => low priority
    - Messages from outside network => low priority
    - Messages from within network => high priority
- Resource Provisioning
  - Temporary Solutions
    - Additional Mobile Switching Center (MSC) and Base Stations (BS)
      - Events such as the Olympics
    - Cellular-on-Wheels (COW)
      - United States
    - The increased number of 'handoff' puts more strain on the network

Solutions
- Rate Limitation
  - Within the air interface, the number of SDCCH channels allowed to deliver text messages should be restricted
    - Attack still successful, but it would only affect a small number of people
    - Slows the rate at which legitimate messages can be delivered
  - Prevent hit-lists
    - Do NOT show successfulness of internet based submission
    - Web interfaces should limit the number of recipients to which a single SMS submission is sent
      - Verizon and Cingular allow 10 recipients per submission
  - Reduce the ability to automate submission
    - Force the computer to calculate some algorithm prior to submitting
  - Close web interfaces
    - Not likely
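An added sketch (not from the slides or the paper) of the origin priority and SDCCH rate limitation ideas above, run against a constructed SMS backlog in one sector. The 8 SDCCHs and the 4 second SMS hold (900 sessions per hour) come from the slides; the 2 second voice setup hold, the cap of 4 SDCCHs for SMS, the traffic trace and all names are assumptions.

```python
# Added example: one sector's SDCCH pool under a constructed SMS backlog, with and
# without the two mitigations from the slides. Names and the trace are assumptions.
from collections import deque
from dataclasses import dataclass

SDCCH_PER_SECTOR = 8   # slides: 8 SDCCHs per sector (Washington D.C.)
SMS_HOLD_S = 4         # slides: 900 sessions/hour per SDCCH, i.e. 4 s per SMS
VOICE_HOLD_S = 2       # assumption: SDCCH hold time of one voice call setup


@dataclass
class Result:
    voice_blocked: int = 0
    in_network_delivered: int = 0
    in_network_max_delay: int = 0
    internet_delivered: int = 0


def constructed_trace(seconds):
    """Per second: 4 Internet-originated SMS, 1 voice setup, and an in-network
    SMS every fifth second. Constructed load, not measured traffic."""
    return [(["internet"] * 4 + (["in_network"] if t % 5 == 0 else []), 1)
            for t in range(seconds)]


def simulate(trace, sms_cap, origin_priority):
    """Step the sector one second at a time.

    sms_cap          max SDCCHs that may carry SMS at once (rate limitation)
    origin_priority  serve in-network SMS before Internet-originated SMS
    SMS is offered free channels before voice in both modes, so any improvement
    comes from the policy and not from the ordering inside a tick.
    """
    res = Result()
    sms_busy, voice_busy = [], []      # release times of occupied SDCCHs
    high, low = deque(), deque()       # queued SMS as (arrival_time, origin)
    for now, (sms_arrivals, voice_setups) in enumerate(trace):
        sms_busy = [r for r in sms_busy if r > now]
        voice_busy = [r for r in voice_busy if r > now]
        for origin in sms_arrivals:
            queue = high if origin_priority and origin == "in_network" else low
            queue.append((now, origin))
        while ((high or low) and len(sms_busy) < sms_cap
               and len(sms_busy) + len(voice_busy) < SDCCH_PER_SECTOR):
            arrived, origin = (high or low).popleft()
            sms_busy.append(now + SMS_HOLD_S)
            if origin == "in_network":
                res.in_network_delivered += 1
                res.in_network_max_delay = max(res.in_network_max_delay, now - arrived)
            else:
                res.internet_delivered += 1
        for _ in range(voice_setups):
            if len(sms_busy) + len(voice_busy) < SDCCH_PER_SECTOR:
                voice_busy.append(now + VOICE_HOLD_S)
            else:
                res.voice_blocked += 1   # call setup fails: no SDCCH available
    return res


if __name__ == "__main__":
    trace = constructed_trace(60)
    print("no policy :", simulate(trace, sms_cap=SDCCH_PER_SECTOR, origin_priority=False))
    print("cap + prio:", simulate(trace, sms_cap=4, origin_priority=True))
```

On the constructed trace the unprotected sector blocks 59 of 60 call setups, while the capped and prioritised one blocks none and delivers every in-network message within 3 seconds. Internet-originated throughput drops to less than half, which is the slower delivery the slide lists as the cost of rate limitation.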


Conclusion
- Cellular networks are a critical part of the economic and social infrastructures
  - Systems typically experience below 300 seconds of communication outages per year ("five nines" availability)
- The proliferation of external services on these networks introduces significant potential for misuse
  - An adversary injecting messages from the internet can cause almost twice the yearly expected network downtime using hit-lists of as few as 2,500 targets
- The service provider's potential problems outlined in this paper must be addressed in order to preserve the usability of these critical services
