exploiting open functionality in sms-capable cellular networks
Post on 19-Jan-2016
18 Views
Preview:
DESCRIPTION
TRANSCRIPT
Exploiting Open Functionality in SMS-Capable Cellular Networks
Authors: William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta
Publication:12th ACM conference on Computer and communications security, November 2005
Presenter: Brad Mundt for CAP6133 Spring ‘08
Motivation
SMS Ingrained into modern culture
69 million messages per day in UK
10 cents per message
Popular with telecom Voice traffic is fixed revenue, unlike SMS Opened up the system- web, email, IM…
Motivation…
Internet-originated text messages
Deny voice service to a city Zombies Hit lists
Similar to traffic from Slammer worm BoA ATMs, 911 services
Presentation Flow
Cellular Network Overview
Vulnerability Analysis Research Discovery
Attack vectors and implements Scenario Other stuff
SMS/Cellular Network
Sending Mobile device or ESME
External Short Messaging Entities (ESME)
Delivering Short Messaging Service Center (SMSC)
SMS formatting Queued for forwarding Query Home Location Register (HLR) for directions
SMS/Cellular Network
Delivering (Continued) HLR
Subscriber Info, call waiting, text messaging If user is busy, store SMS for later Otherwise give address for MSC
Mobile Switching Center
SMS/Cellular Network
Delivering (Continued) MSC
Service, Authentication
Location management for BS, no not that BS! Base Stations
Hand offs / gateway to PSTN Public Switched Telephone Network
Query Visitor Location Register (VLR) Returns Info when device is away from HLR Forwards to correct BS for delivery
SMS/Cellular Network
Vulnerability Analysis
Bottlenecks System is a composite of multiple Queuing Points Injection rate versus delivery rate
Targeting Queues SMSC
Finite number in queue, SMS age, policy Messages remain in SMSC buffer when device is full
Device 500 messages drained a battery
Plan
Messages exceeding saturation levels are lost
Successful DoS needs Multiple subscribers Multiple interfaces
Hit-lists and Zombies
Hit-list Creation
Internet search for NPA/NXX DB Target wireless numbers by domain owner name
Web Scraping
Worm Device recently call lists Computers that sync with device
Attack profile attributes
GSM gray-box testing 900 SMS per hour on each dedicated channel 1 dedicated channel per 4 voice 2 dedicated channels per carrier
Protocol sharing Number of dedicated channels per area Number of carriers per area
Cellular device channels
Two Channels Control Channel (CCH)
Common CCH BS uses for voice and SMS connections establishment All connected mobiles are listening on this for signaling
Dedicated CCH Data
Traffic Channel (TCH) Voice
Attack Scenario
2500 numbers in hit list
Average 50 message device buffer
8 dedicated channels, (D.C.)
1 message per phone every 10.4 sec
8.68 min to fill buffers
Targeted Attacks
Fill the buffers, users loose messages
Data loss on some devices from overflowing Read messages overwritten when new ones arrive (Nokia
3560)
Message delays due to overflowing Campus alert messages- blocking?
Deleting junk SMS, accidentally delete good ones
Battery depletion
Tomorrows email
SPAM
Phishing
Viruses Cabir and Skulls
Both were bluetooth
SMS Spam
Summary
Cellular networks are critical part of Social and economic infrastructures
Potential misuse from external services DoS InfoWar Economic
Contributions
Security impact of SMS on Cellular network
Demonstrate ability to deny serivce to city sized area
Techniques for targeting these systems
How to avoid
Weaknesses
Gray-box testing Documentation Experimentation without EULA violations
Time of Day / Day of Week
Payload size variations
Estimations
How to Improve
Traffic analysis for Time of Day / Day of Week
Vary payload size
If White hats, work with the telecoms
Validate for more facts
The End
Thank you…
top related