Researchers from the Systems and Internet Infrastructure Security Lab of the Pennsylvania State University made public this week some research they have done about what it may take to shut down mobile cell phone networks using low volumes of text messaging.
SIIS Lab students William Enck, Patrick Traynor, SIIS Lab Director Patrick McDaniel and NSRC Director Thomas La Porta have written a paper on what they found out about text messaging (also called Short Messaging Service [SMS]) and the cell networks vulnerability to DoS attacks. The paper is available at www.smsanalysis.org.
The group looked at GSM (Global System for Mobile) networks in their research, but state upfront that the vulnerabilities unearthed may not be limited to only GSM systems.
First, a quick architecture review.
Cell networks use "control" channels to enable the transmission of voice information on "traffic" channels. They also use these control channels to handle SMS traffic.
There are usually far fewer control channels allocated in a system than there are traffic channels. The idea is that the control channels will be reused quickly (after they have done a handoff of the call to a traffic channel) and will not be used for extended periods of time on a single call.
What these guys did was to figure out how much bandwidth it would take to choke the control channel with lots of SMS handling requests until there would be no slots left to handle placing voice calls.
By choking the smaller bandwidth of the control channel, they leverage a DoS for the larger bandwidth of traffic channels.
It takes surprisingly few SMS messages to do this, too. They found that the 68 square miles of Washington D.C. (and its 120 cell sectors) could be taken out by 281.25K bps of multirecipient SMS messages of 1500 bytes each. That works out to about 240 messages per second.
The 31 square miles of Manhattan and its 55 cell sectors is even easier. 128.91K bps of the same kind of message will do it, and thats only 110 messages per second.
Whoa. I can do that with just lots of extra thumbs. Of course, the SMS messages have to be crafted so that they go to actual cell phones, not just a random number.
The lack of easily accessible machine-readable lists of cell phone numbers may explain why this kind of DoS (denial of service) hasnt been seen in the wild.
The researchers summarize their message this way:
"The fundamental issue at hand is that a connection exists between the Internet and cellular networks that allows adversaries to flood the phone network.
"In so doing, an attacker can use the Internet to attack cellular voice networks and prevent phone calls from connecting.
"Even if SMS is run over its own dedicated channel so as not to interfere with voice traffic, an attacker can still prevent or delay legitimate SMS messages from being delivered by injecting enough messages to fill these channels to capacity."
The cell operators may say by way of defense that the same software that blocks SMS spam would kick in here, but Im not so sure of that. It may be possible to spoof the software into thinking they are legitimate requests.
The paper has been accepted for the 12th ACM CCS 05 (Conference on Computer and Communications Security), taking place November 7-11, 2005 in Alexandria, Va. I sure would like to see what comes out of that session.
Larry Loeb was consulting editor for BYTE magazine and senior editor of WebWeek. He serves as a subject matter expert for the Department of Defenses Information Assurance Technology Analysis Center, and is on the American Dental Associations WG-1 and MD 156 electronic medical records working groups. Larrys latest book is "Hackproofing XML," published by Syngress (Rockland, Mass.). If youve got a tip for Larry, contact him at firstname.lastname@example.org.