Exploiting Open Functionality in SMS-Capable Cellular Networks
Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta
Publication: 12th ACM Conference on Computer and Communications Security, November 2005
Presenter: Brad Mundt for CAP6133, Spring '08
Motivation
SMS Ingrained into modern culture
69 million messages per day in UK
10 cents per message
Popular with telecom
Voice traffic is fixed revenue, unlike SMS
Opened up the system - web, email, IM…
Motivation…
Internet-originated text messages
Deny voice service to a city
Zombies
Hit lists
Similar to traffic from Slammer worm
BoA ATMs, 911 services
Presentation Flow
Cellular Network Overview
Vulnerability Analysis
Research
Discovery
Attack vectors and implements
Scenario
Other stuff
SMS/Cellular Network
Sending
Mobile device or ESME
External Short Messaging Entities (ESME)
Delivering
Short Messaging Service Center (SMSC)
SMS formatting
Queued for forwarding
Query Home Location Register (HLR) for directions
SMS/Cellular Network
Delivering (Continued)
HLR
Subscriber info, call waiting, text messaging
If user is busy, store SMS for later
Otherwise give address for MSC
Mobile Switching Center
SMS/Cellular Network
Delivering (Continued)
MSC
Service, Authentication
Location management for BS, no not that BS!
Base Stations
Hand offs / gateway to PSTN
Public Switched Telephone Network
Query Visitor Location Register (VLR)
Returns info when device is away from HLR
Forwards to correct BS for delivery
Vulnerability Analysis
Bottlenecks
System is a composite of multiple queuing points
Injection rate versus delivery rate
Targeting Queues
SMSC
Finite number in queue, SMS age, policy
Messages remain in SMSC buffer when device is full
Device
500 messages drained a battery
Plan
Messages exceeding saturation levels are lost
Successful DoS needs
Multiple subscribers
Multiple interfaces
Hit-lists and Zombies
Hit-list Creation
Internet search for NPA/NXX DB
Target wireless numbers by domain owner name
Web Scraping
Worm
Device recent call lists
Computers that sync with device
Attack profile attributes
GSM gray-box testing
900 SMS per hour on each dedicated channel
1 dedicated channel per 4 voice
2 dedicated channels per carrier
Protocol sharing
Number of dedicated channels per area
Number of carriers per area
Cellular device channels
Two Channels
Control Channel (CCH)
Common CCH
BS uses for voice and SMS connection establishment
All connected mobiles are listening on this for signaling
Dedicated CCH
Data
Traffic Channel (TCH)
Voice
Attack Scenario
2500 numbers in hit list
Average 50 message device buffer
8 dedicated channels, (D.C.)
1 message per phone every 10.4 sec
8.68 min to fill buffers
Targeted Attacks
Fill the buffers, users lose messages
Data loss on some devices from overflowing
Read messages overwritten when new ones arrive (Nokia 3560)
Message delays due to overflowing
Campus alert messages - blocking?
Deleting junk SMS, accidentally delete good ones
Battery depletion
Tomorrow's email
SPAM
Phishing
Viruses
Cabir and Skulls
Both were Bluetooth
SMS Spam
Summary
Cellular networks are a critical part of social and economic infrastructures
Potential misuse from external services
DoS
InfoWar
Economic
Contributions
Security impact of SMS on cellular network
Demonstrate ability to deny service to city-sized area
Techniques for targeting these systems
How to avoid
Weaknesses
Gray-box testing
Documentation
Experimentation without EULA violations
Time of Day / Day of Week
Payload size variations
Estimations
How to Improve
Traffic analysis for Time of Day / Day of Week
Vary payload size
If white hats, work with the telecoms
Validate for more facts
The End
Thank you…