1 / 22

Exploiting Open Functionality in SMS-Capable Cellular Networks

Exploiting Open Functionality in SMS-Capable Cellular Networks. Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta Publication: 12th ACM conference on Computer and communications security, November 2005 Presenter: Brad Mundt for CAP6133 Spring ‘08. Motivation.

willa
Download Presentation

Exploiting Open Functionality in SMS-Capable Cellular Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Exploiting Open Functionality in SMS-Capable Cellular Networks Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta Publication:12th ACM conference on Computer and communications security, November 2005 Presenter: Brad Mundt for CAP6133 Spring ‘08

  2. Motivation • SMS • Ingrained into modern culture • 69 million messages per day in UK • 10 cents per message • Popular with telecom • Voice traffic is fixed revenue, unlike SMS • Opened up the system- web, email, IM…

  3. Motivation… • Internet-originated text messages • Deny voice service to a city • Zombies • Hit lists • Similar to traffic from Slammer worm • BoA ATMs, 911 services

  4. Presentation Flow • Cellular Network Overview • Vulnerability Analysis • Research • Discovery • Attack vectors and implements • Scenario • Other stuff

  5. SMS/Cellular Network • Sending • Mobile device or ESME • External Short Messaging Entities (ESME) • Delivering • Short Messaging Service Center (SMSC) • SMS formatting • Queued for forwarding • Query Home Location Register (HLR) for directions

  6. SMS/Cellular Network • Delivering (Continued) • HLR • Subscriber Info, call waiting, text messaging • If user is busy, store SMS for later • Otherwise give address for MSC • Mobile Switching Center

  7. SMS/Cellular Network • Delivering (Continued) • MSC • Service, Authentication • Location management for BS, no not that BS! • Base Stations • Hand offs / gateway to PSTN • Public Switched Telephone Network • Query Visitor Location Register (VLR) • Returns Info when device is away from HLR • Forwards to correct BS for delivery

  8. SMS/Cellular Network

  9. Vulnerability Analysis • Bottlenecks • System is a composite of multiple Queuing Points • Injection rate versus delivery rate • Targeting Queues • SMSC • Finite number in queue, SMS age, policy • Messages remain in SMSC buffer when device is full • Device • 500 messages drained a battery

  10. Plan • Messages exceeding saturation levels are lost • Successful DoS needs • Multiple subscribers • Multiple interfaces • Hit-lists and Zombies

  11. Hit-list Creation • Internet search for NPA/NXX DB • Target wireless numbers by domain owner name • Web Scraping • Worm • Device recently call lists • Computers that sync with device

  12. Attack profile attributes • GSM gray-box testing • 900 SMS per hour on each dedicated channel • 1 dedicated channel per 4 voice • 2 dedicated channels per carrier • Protocol sharing • Number of dedicated channels per area • Number of carriers per area

  13. Cellular device channels • Two Channels • Control Channel (CCH) • Common CCH • BS uses for voice and SMS connections establishment • All connected mobiles are listening on this for signaling • Dedicated CCH • Data • Traffic Channel (TCH) • Voice

  14. Attack Scenario • 2500 numbers in hit list • Average 50 message device buffer • 8 dedicated channels, (D.C.) • 1 message per phone every 10.4 sec • 8.68 min to fill buffers

  15. Targeted Attacks • Fill the buffers, users loose messages • Data loss on some devices from overflowing • Read messages overwritten when new ones arrive (Nokia 3560) • Message delays due to overflowing • Campus alert messages- blocking? • Deleting junk SMS, accidentally delete good ones • Battery depletion

  16. Tomorrows email • SPAM • Phishing • Viruses • Cabir and Skulls • Both were bluetooth

  17. SMS Spam

  18. Summary • Cellular networks are critical part of • Social and economic infrastructures • Potential misuse from external services • DoS • InfoWar • Economic

  19. Contributions • Security impact of SMS on Cellular network • Demonstrate ability to deny serivce to city sized area • Techniques for targeting these systems • How to avoid

  20. Weaknesses • Gray-box testing • Documentation • Experimentation without EULA violations • Time of Day / Day of Week • Payload size variations • Estimations

  21. How to Improve • Traffic analysis for • Time of Day / Day of Week • Vary payload size • If White hats, work with the telecoms • Validate for more facts

  22. The End Thank you…

More Related