Submitting a message
Routing
Delivery
Solution(s)
3/26/08

Open functionality creates negative consequences

Email
Software

Provider (Verizon, AT&T, etc.) MUST provide at least SMSC
Example: internet originated message. Once formatted, the message becomes indistinguishable from their original originator
Subscriber information (call waiting, text messaging)
It is queued

MSC
Responsible for mobile device authentication
Location management for attached Base Stations (BS)
Act as gateways to Public Switched Telephone Network (PSTN)
Queries Visitor Location Register (VLR)
  Local copy of the targeted device's information when away from its HLR
Forwards text message on to the appropriate base station for transmission over the air interface

Air Interface
Used by base station (BS) to initiate the delivery of voice and SMS data
All connected mobile devices are constantly listening to the Common CCH for voice and SMS signaling
3) Device contacts the BS over the Random Access Channel (RACH) and alerts the network of its availability to receive incoming call or text data
4) Response (from above) arrives at BS, the BS instructs targeted device to listen to a specific Standalone Dedicated Control Channel (SDCCH)
SDCCH
  Authentication
  Encryption

Goal: find delivery discipline for each provider
It is dropped (buffer capacity, eviction policy)

Experiment:
AT&T's:
  buffered the entire 400 messages (160 bytes each = 62.4KB)
Verizon
  Last 100 messages received (first 300 missing)
  Buffer of 100, FIFO eviction policy
Sprint
  Buffer of 30, LIFO eviction policy
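
A small model of the delivery-discipline experiment above, added here as an illustration and not taken from the original slides: a bounded per-subscriber buffer is fed 400 numbered messages while the handset is off, and the surviving sequence numbers are then classified. The function names are hypothetical, and LIFO eviction is modelled as dropping the newest arrival once the buffer is full, which is an assumption about what the slide means.

```python
from collections import deque

def run_buffer(capacity, policy, n_sent):
    """Queue messages 1..n_sent for a handset that is switched off and
    return the sequence numbers still held when it reconnects."""
    buf = deque()
    for seq in range(1, n_sent + 1):
        if capacity is not None and len(buf) >= capacity:
            if policy == "FIFO":
                buf.popleft()      # oldest message is evicted to make room
            elif policy == "LIFO":
                continue           # ASSUMPTION: newest arrival is the one dropped
            else:
                raise ValueError(f"unknown policy: {policy}")
        buf.append(seq)
    return list(buf)

def infer_discipline(received, n_sent):
    """Classify (buffer_size, policy) from the sequence numbers delivered."""
    got = sorted(received)
    if not got:
        return (0, "nothing delivered")
    if len(got) == n_sent:
        return (None, "no eviction observed")
    size = len(got)
    if got == list(range(n_sent - size + 1, n_sent + 1)):
        return (size, "FIFO")      # only the tail of the run survived
    if got == list(range(1, size + 1)):
        return (size, "LIFO")      # only the head of the run survived
    return (size, "unknown")       # gaps: loss is not explained by eviction alone

# Constructed inputs using the figures on the slide (400 messages sent).
N_SENT = 400
PROFILES = {
    "unbounded (AT&T result)": (None, "FIFO"),
    "100 slots, FIFO (Verizon result)": (100, "FIFO"),
    "30 slots, LIFO (Sprint result)": (30, "LIFO"),
}

if __name__ == "__main__":
    for name, (cap, policy) in PROFILES.items():
        kept = run_buffer(cap, policy, N_SENT)
        print(name, "->", len(kept), "kept,", infer_discipline(kept, N_SENT))
```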

Goal: Find bottlenecks - compare injection rates with delivery rates
Short Messaging Peer Protocol (SMPP)
  Dedicated connections to service provider to send messages
  Service provider plans offer 30-35 messages per second
Problem: when a message delivery time exceeds that of message submission, a system is subject to DoS attack
Experiment:
  Compare the time it takes for serially injected messages to be submitted and then delivered to the targeted mobile device via web interfaces
  PERL script - serially inject messages approximately once per second into each provider's web interface (avg. send time: 0.71 seconds)

Verizon & AT&T: 7-8 seconds for delivery
Conclusion: imbalance between the time to submit and the time to receive
SMS message size - Maximum: 160 bytes
HTTP Post and IP headers = approximately 700 bytes to send SMS message (not considering TCP overhead)
All emails less than 900 bytes to send

Lost messages and negatively acknowledged submit attempts were observed
  Believe it was a result of web interface limitations imposed by the service providers
Goal: find the mechanism used to achieve rate limitation on these interfaces and the conditions necessary to activate them
Experiment - used delivery rate analysis
Verizon:
  After 44 messages, negative acknowledgements resulted
AT&T:
  Blindly acknowledged all submissions, but stopped delivering after 50 messages sent to single phone
Conclusion:
  SMSCs typically hold far more messages than the mobile devices
  To successfully launch a DoS attack that exploits the limitations of the cellular air interface, an adversary must target multiple end devices (must have valid phone numbers)

NPA/NXX
Web Scraping
Web Interface

The ability to launch a successful assault on a mobile phone network requires the attacker to do more than simply attempt to send text messages to every possible phone number
North American Numbering Plan (NANP) created: number formatting "NPA-NXX-XXXX"
  Numbering plan area, exchange code, terminal number
Traditionally terminal numbers were administered by a single service provider
Example:
Numbering system is very useful for an attacker as it reduces the size of the domain
November 24th, 2004 => number portability went into effect

Web Scraping
Example:
  865 unique numbers from the greater State College, PA region
  7,308 from New York City

All major wireless service providers offer a website interface through which anyone can, at no charge to the sender, submit an SMS message
Web user is given acknowledgement when submitting SMS message

Question: How many SMS messages are needed to induce saturation?
Air interface overview needed to understand SMS saturation

Voice call establishment is very similar to SMS delivery, except a Traffic Channel (TCH) is allocated for voice traffic at the completion of control signaling
Voice and SMS traffic do NOT compete for TCHs, which are held for significantly longer periods of time.
BOTH voice and SMS traffic use the same channels for session establishment, thus contention for these limited resources still occurs!
Given enough SMS messages, the channels needed for session establishment will become saturated, thus preventing voice traffic in a given area

Equal distribution of resources between parties
Each channel is divided into 8 timeslots
1 timeslot is assigned to a user who receives full control of the channel
User assigned to a given TCH is able to transmit voice data once per frame

First time slot of the first carrier is the Common CCH
Second time slot of the first channel is reserved for SDCCH connections
  Capacity for 8 users is allocated over the use of a multiframe
Remaining timeslots across all carriers are designated for voice data

Bandwidth is limited within frame, therefore data must span over multiple frames => multiframe => typically 51 frames (or 26, 51,21 standards)
Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel
Within a single multiframe, up to 8 users can receive SDCCH access

This SDCCH channel becomes the bottleneck!
Must find/understand the bandwidth of the bottleneck

Each SDCCH spans four logically consecutive timeslots in a multiframe
Bandwidth: With 184 bits per control channel unit and a multiframe cycle time of 235.36 ms => 782 bps
Given authentication, TMSI renewal, encryption and the 160 byte text message, the SDCCH is held by an individual session for 4! seconds (note: testing from Delivery Discipline demonstrated the same gray-box testing results)
Results: Service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH

Calculations

Calculation - Example A
Washington D.C. has 40 cellular towers
Each sector 0.5 to 0.75 sq. miles
FIND: Total number of messages per second needed to saturate the SDCCH capacity C in Washington D.C.

Calculations - Example A
240 messages a second will saturate the SDCCH channel

Calculations - Example 2
Manhattan
Each sector 0.5 to 0.75 sq. miles
FIND: Total number of messages per second needed to saturate the SDCCH capacity C in Manhattan

Calculations - Example 2
165 messages a second will saturate the SDCCH channel

Calculation Results
Due to the analysis and the results from the delivery discipline and delivery rate sections, sending that many messages to a small number of recipients would degrade the effectiveness of any attack
  Phone buffers would reach capacity
  Undeliverable messages would be buffered on the network until user allocated space was exhausted
  Accounts could possibly be disabled temporarily
Hit-lists would prevent individual phones from reaching capacity and keep traffic below possible service provider thresholds
Is it possible?

Attack A
Assumptions:
  Washington D.C. has 572,000 people
  8 SDCCHs
  50% of Washington D.C. use the same service provider
Result:
  An even distribution of messages would be 5.04 messages to each phone per hour (1 message every 11.92 minutes)

Attack 2
Results:
  An even distribution of messages would deliver a message every 10.4 seconds
  Attack would last 8.68 minutes before buffer was exhausted
Previous bandwidth table shows these attacks are feasible from a standard high-speed internet connection

Prevention/Solution
Complementary to SMS and will NOT replace SMS's functionality

Prevention/Solution
Most effective solution would be to separate all voice and data communications
  Insertion of data into cellular networks will no longer degrade the fidelity of voice services
  Dedicating a carrier on the air interface for data signaling and delivery eliminates an attacker's ability to take down voice communications
Until the offloading schemes are created, origin priority should be implemented
  Internet originated messages => low priority
  Messages from outside network => low priority
  Messages from within network => high priority
Additional Mobile Switching Center (MSC) and Base Stations (BS)
  The increased number of 'handoffs' puts more strain on the network

Solutions
Within the air interface, the number of SDCCH channels allowed to deliver text messages should be restricted
  Attack still successful, but it would only affect a small number of people
  Slows the rate at which legitimate messages can be delivered
Do NOT show successfulness of internet based submission
Web interfaces should limit the number of recipients to which a single SMS submission is sent
  Verizon and Cingular allow 10 recipients per submission
Reduce the ability to automate submission
  Force the computer to calculate some algorithm prior to submitting
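
How restricting the SDCCHs available to text delivery trades SMS throughput for call set-up, shown as an added simulation that is not from the original slides. It uses the page's 8 SDCCHs and 900 sessions per hour per SDCCH (4 s per SMS session); the 2 s call set-up hold time, the offered loads and the function name are assumptions.

```python
N_SDCCH = 8        # SDCCHs in the sector (figure from the slides)
SMS_HOLD_S = 4     # 3600 s / 900 sessions per hour per SDCCH (from the slides)
VOICE_HOLD_S = 2   # ASSUMPTION: SDCCH hold time for one voice call set-up

def simulate(seconds, sms_per_s, voice_every_s, sms_cap=None):
    """Step a single sector in 1 s ticks.

    sms_cap is the maximum number of SDCCHs that text delivery may hold at
    once; None means SMS and call set-up share all channels with no limit.
    """
    cap = N_SDCCH if sms_cap is None else sms_cap
    sms_busy = []      # release times of SDCCHs held by SMS sessions
    voice_busy = []    # release times of SDCCHs held by call set-ups
    backlog = delivered = blocked = calls = 0
    for t in range(seconds):
        sms_busy = [r for r in sms_busy if r > t]
        voice_busy = [r for r in voice_busy if r > t]
        backlog += sms_per_s
        # Queued SMS are already waiting when a channel frees, so they go first.
        while (backlog and len(sms_busy) < cap
               and len(sms_busy) + len(voice_busy) < N_SDCCH):
            sms_busy.append(t + SMS_HOLD_S)
            backlog -= 1
            delivered += 1
        if t % voice_every_s == 0:
            calls += 1
            if len(sms_busy) + len(voice_busy) < N_SDCCH:
                voice_busy.append(t + VOICE_HOLD_S)
            else:
                blocked += 1   # no SDCCH free: the call cannot be set up
    return {"calls": calls, "blocked": blocked,
            "sms_delivered": delivered, "sms_backlog": backlog}

if __name__ == "__main__":
    # Constructed load: 3 SMS/s offered (the sector serves 2/s), one call per 2 s.
    print("shared channels :", simulate(600, 3, 2))
    print("SMS capped at 6 :", simulate(600, 3, 2, sms_cap=6))
```

With the cap in place no call set-up is blocked, and SMS delivery over the same ten minutes falls from 1200 to 900 messages, which is the slower legitimate delivery the slide lists as the cost.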

Cellular networks are a critical part of the economic and social infrastructures
Systems typically experience below 300 seconds of communication outages per year ("five nines" availability)
The proliferation of external services on these networks introduces significant potential for misuse
An adversary injecting messages from the internet can cause almost twice the yearly expected network downtime using hit-lists of as few as 2,500 targets
The service providers' potential problems outlined in this paper must be addressed in order to preserve the usability of these critical services