Exploiting Open Functionality in SMS-Capable Cellular Networks - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Exploiting Open Functionality in SMS-Capable Cellular Networks

Description:

... 1 dedicated channel per 4 voice 2 dedicated channels per carrier Protocol sharing Number of dedicated channels per area ... fill buffers Targeted ... attributes ... – PowerPoint PPT presentation

Number of Views:66
Avg rating:3.0/5.0
Slides: 23
Provided by: Ent65
Learn more at: http://www.eecs.ucf.edu
Category:

less

Transcript and Presenter's Notes

Title: Exploiting Open Functionality in SMS-Capable Cellular Networks


1
Exploiting Open Functionality in SMS-Capable
Cellular Networks
  • Authors William Enck, Patrick Traynor, Patrick
    McDaniel, and Thomas La Porta
  • Publication12th ACM conference on Computer and
    communications security, November 2005
  • Presenter Brad Mundt for CAP6133 Spring 08

2
Motivation
  • SMS
  • Ingrained into modern culture
  • 69 million messages per day in UK
  • 10 cents per message
  • Popular with telecom
  • Voice traffic is fixed revenue, unlike SMS
  • Opened up the system- web, email, IM

3
Motivation
  • Internet-originated text messages
  • Deny voice service to a city
  • Zombies
  • Hit lists
  • Similar to traffic from Slammer worm
  • BoA ATMs, 911 services

4
Presentation Flow
  • Cellular Network Overview
  • Vulnerability Analysis
  • Research
  • Discovery
  • Attack vectors and implements
  • Scenario
  • Other stuff

5
SMS/Cellular Network
  • Sending
  • Mobile device or ESME
  • External Short Messaging Entities (ESME)
  • Delivering
  • Short Messaging Service Center (SMSC)
  • SMS formatting
  • Queued for forwarding
  • Query Home Location Register (HLR) for directions

6
SMS/Cellular Network
  • Delivering (Continued)
  • HLR
  • Subscriber Info, call waiting, text messaging
  • If user is busy, store SMS for later
  • Otherwise give address for MSC
  • Mobile Switching Center

7
SMS/Cellular Network
  • Delivering (Continued)
  • MSC
  • Service, Authentication
  • Location management for BS, no not that BS!
  • Base Stations
  • Hand offs / gateway to PSTN
  • Public Switched Telephone Network
  • Query Visitor Location Register (VLR)
  • Returns Info when device is away from HLR
  • Forwards to correct BS for delivery

8
SMS/Cellular Network
9
Vulnerability Analysis
  • Bottlenecks
  • System is a composite of multiple Queuing Points
  • Injection rate versus delivery rate
  • Targeting Queues
  • SMSC
  • Finite number in queue, SMS age, policy
  • Messages remain in SMSC buffer when device is
    full
  • Device
  • 500 messages drained a battery

10
Plan
  • Messages exceeding saturation levels are lost
  • Successful DoS needs
  • Multiple subscribers
  • Multiple interfaces
  • Hit-lists and Zombies

11
Hit-list Creation
  • Internet search for NPA/NXX DB
  • Target wireless numbers by domain owner name
  • Web Scraping
  • Worm
  • Device recently call lists
  • Computers that sync with device

12
Attack profile attributes
  • GSM gray-box testing
  • 900 SMS per hour on each dedicated channel
  • 1 dedicated channel per 4 voice
  • 2 dedicated channels per carrier
  • Protocol sharing
  • Number of dedicated channels per area
  • Number of carriers per area

13
Cellular device channels
  • Two Channels
  • Control Channel (CCH)
  • Common CCH
  • BS uses for voice and SMS connections
    establishment
  • All connected mobiles are listening on this for
    signaling
  • Dedicated CCH
  • Data
  • Traffic Channel (TCH)
  • Voice

14
Attack Scenario
  • 2500 numbers in hit list
  • Average 50 message device buffer
  • 8 dedicated channels, (D.C.)
  • 1 message per phone every 10.4 sec
  • 8.68 min to fill buffers

15
Targeted Attacks
  • Fill the buffers, users loose messages
  • Data loss on some devices from overflowing
  • Read messages overwritten when new ones arrive
    (Nokia 3560)
  • Message delays due to overflowing
  • Campus alert messages- blocking?
  • Deleting junk SMS, accidentally delete good ones
  • Battery depletion

16
Tomorrows email
  • SPAM
  • Phishing
  • Viruses
  • Cabir and Skulls
  • Both were bluetooth

17
SMS Spam
18
Summary
  • Cellular networks are critical part of
  • Social and economic infrastructures
  • Potential misuse from external services
  • DoS
  • InfoWar
  • Economic

19
Contributions
  • Security impact of SMS on Cellular network
  • Demonstrate ability to deny serivce to city sized
    area
  • Techniques for targeting these systems
  • How to avoid

20
Weaknesses
  • Gray-box testing
  • Documentation
  • Experimentation without EULA violations
  • Time of Day / Day of Week
  • Payload size variations
  • Estimations

21
How to Improve
  • Traffic analysis for
  • Time of Day / Day of Week
  • Vary payload size
  • If White hats, work with the telecoms
  • Validate for more facts

22
The End
  • Thank you
Write a Comment
User Comments (0)
About PowerShow.com