Exploiting Open Functionality in SMSCapable Networks

William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta Systems and Internet Infrastructure Security Laboratory Department of Computer Science and Engineering The Pennsylvania State University 2005

Your host today: Stuart Saltzman 3/26/08 1

Agenda
Overview of research paper SMS/Cellular Network overview
Submitting a message Routing Delivery

SMS/Cellular Vulnerability Analysis Modeling DOS Attacks Solution(s)

3/26/08 2

Overview & Introduction

3/26/08

Cellular Overview
Cellular networks are critical component to economic and social infrastructures Cellular networks deliver alphanumeric text messages via Short Messaging Service (SMS) Telecommunication companies offer connections between their networks and the internet
Open functionality creates negative consequences

3/26/08

Goal of Paper
To evaluate the security impact of SMS interface on the availability of the cellular phone network Demonstrate the ability to deny voice service to cities the size of Washington, D.C. and Manhattan Provide countermeasures that mitigate or eliminate DoS threats
3/26/08 5

SMS/Cellular Network (GSM)

Two methods to send a text message
1) via another mobile device 2) through an External Short Messaging Entities (ESME)
Email Web-bases messaging portals Paging systems Software
3/26/08 6

Submitting a Message
All messages delivered to a server that handles SMS traffic known as the Short Messaging Service Center (SMSC)
Provider (Verizon, AT&T, etc.) MUST provide at least SMSC

If necessary, the message is converted to SMS format

Example: internet originated message. Once formatted, the message becomes indistinguishable from there original originator

Queued in SMSC for forwarding

3/26/08 7

Routing
Home Location Register (HLR)
Queried by the SMSC for message routing Permanent repository of user data
Subscriber information (call waiting, text messaging) Billing data Availability of targeted user

Determines routing information for the destination device

3/26/08 8

Routing

(cont.)

If SMSC receives a reply stating that the current user is unavailable, it stores the text message for later delivery
It is queued

Otherwise, HLR responds with address of Mobile Switching Center (MSC) providing service to user/device
3/26/08 9

Routing Mobile Switching Center

MSC Responsible for mobile device authentication Location management for attached Base Stations (BS) Act as gateways to Public Switched Telephone Network (PSTN) Queries Visitor Location Register (VLR)
Local copy of the targeted devices information when away from its HLR

Forwards text message on to the appropriate base station for transmission over the air interface

3/26/08

10

Routing Figure

3/26/08

11

Delivery
Air Interface
1) Control Channels (CCH)
A) Common CCH
Logical channels: 1) Paging Channel (PCH) 2) Random Access Channel (RACH) Used by base station (BS) to initiate the delivery of voice and SMS data All connected mobile devices are constantly listening to the Common CCH for voice and SMS signaling

B) Dedicated CCHs

2) Traffic Channels (TCH)

3/26/08 12

SMS Delivery Diagram

1) Base Station (BS) sends message on the Paging channel (PCH) containing the Temporary Mobile Subscriber ID (TMSI) 2) Network uses the TMSI instead of the targeted devices phone number in order to thwart eavesdroppers

MH1 = Mobile Host 1

3/26/08 13

SMS Delivery Diagram

(cont.)

3) Devices contacts BS over the Random Access Channel (RACH) and alerts the network of its availability to receive incoming call or text data 4) Response (from above) arrives at BS, the BS instructs targeted device to listen to a specific Standalone Dedicated Control Channel (SDCCH) SDCCH
Authentication Encryption

3/26/08

14

SMS/Cellular Network Vulnerability

3/26/08

15

Delivery Discipline - Analysis

Goal: find delivery discipline for each provider Study the flow of the message Standards documentation provides the framework from which the system is built, but it lacks implementation specific details SMSC are the locus of all SMS message flow SMSC queues only a finite number of messages per a user
Message is held until:
target device successfully receives it It is dropped (buffer capacity, eviction policy)
3/26/08 16

Delivery Discipline
Overall system response is a composite of multiple queuing points (SMSC & target device) Experiment:
AT&T, Verizon & Sprint Slowly inject messages while device is powered off (400 messages, 1 every 60 seconds) Turn device back on The range of sequence number indicated both buffer size and queue eviction policy
3/26/08 17

Delivery Discipline Results

AT&Ts:
buffered the entire 400 messages (160 bytes each = 62.4KB)

Verizon
Last 100 messages received (first 300 missing) Buffer of 100, FIFO eviction policy

Sprint
First 30 messages received Buffer of 30, LIFO eviction policy
3/26/08 18

Delivery Rate - Analysis

3/26/08

19

Delivery Rate - Analysis

Definition: the speed at which a collection of nodes can process and forward a message Goal: Find bottlenecks - compare injection rates with delivery rates Exact number of SMSCs in a network is not publicly known or discoverable
3/26/08 20

Delivery Rate

(cont.)

Short Messaging Peer Protocol (SMPP)

Dedicated connections to service provider to send messages Service provider plans offer 30-35 messages per second

Problem: when a message delivery time exceeds that of message submission, a system is subject to DoS attack Experiment:
Compare the time it takes for serially injected messages to be submitted and then delivered to the targeted mobile device via web interfaces PERL script serially inject messages approximately once per a second into each providers web interface (avg. send time: 0.71
seconds)
3/26/08 21

Delivery Rate - Results

Verizon & AT&T: 7-8 seconds for delivery Sprint: Unknown Conclusion: imbalance between the time to submit and the time to receive SMS message size Maximum: 160 bytes Using TcpDump:
HTTP Post and IP headers = approximately 700 bytes to send SMS message (not considering TCP overhead) Web page upload sizes: Verizon: 1600 bytes Spring: 1300 bytes AT&T: 1100 bytes Email submission: All emails less then 900 bytes to send

3/26/08

22

Interfaces - Analysis

3/26/08

23

Interfaces - Analysis

Lost messages and negatively acknowledged submit attempts were observed Believe it was a result of web interface limitations imposed by the service providers Goal: find the mechanism used to achieve rate limitation on these interfaces and the conditions necessary to activate them Experiment used delivery rate analysis
Verizon:
After 44 messages, negative acknowledgements resulted Blocked messages by subnet value

AT&T:
Blindly acknowledged all submissions, but stopped delivering after 50 messages sent to single phone Subnet value didnt matter Differentiated between its inputs

Conclusion:
SMSCs typically hold far more messages than the mobile devices To launch successfully DoS attack that exploits the limitations of the cellular air interface, an adversary must target multiple end devices (must have valid phone numbers)

3/26/08

24

Hit-List Creation
NPA/NXX Web Scraping Web Interface

3/26/08

25

Hit-List Creation NPA/NXX

The ability to launch a successful assault on a mobile phone network requires the attacker to do more then simply attempt to send text messages to every possibly phone number North American Numbering Plan (NANP) created: number formatting NPA-NXX-XXXX
Numbering plan area, exchange code, terminal number Traditionally terminal numbers were administered by a single service provider
Example:
814-876-XXXX => AT&T Wireless 814-404-XXXX => Verizon wireless 814-769-XXXX => Sprint PCS

Numbering system is very useful for an attacker as it reduces the size of the domain November 24th, 2004 => number portability went into affect

3/26/08

26

Hit-List Creation

Web Scraping

Technique commonly used by spammers to collect information on potential targets through the use of search engines and scripting tools Individual is able to gather mobile phone numbers
Example: Google search 865 unique numbers from the greater State College, PA region 7,308 from New York City 6,184 from Washington D.C.

Downside numbers might not be active

3/26/08 27

Web Interface Interaction

All major wireless service providers offer a website interface through which anyone can at no charge to the sender submit a SMS message Web user is given acknowledgement when submitting SMS message

Hit-List Creation

3/26/08

28

Modeling DoS Attacks

3/26/08

29

Session Saturation

Question: How many SMS messages are needed to induce saturation? Air interface overview needed to understand SMS saturation

3/26/08

30

Air Interface Overview

Voice call establishment is very similar to SMS delivery, except a Traffic Channel (TCH) is allocated for voice traffic at the completion of control signaling Voice and SMS traffic do NOT compete for TCHs which are held for significantly longer periods of time. BOTH voice and SMS traffic use the same channels for session establishment, thus contention for these limited resources still occur! Given enough SMS messages, the channels needed for session establishment will become saturated, thus preventing voice traffic in a given area

3/26/08

31

Air Interface Overview

GSM networks (CDMA equally vulnerable to attacks) GSM is a timesharing system
Equal distribution of resources between parties Each channel is divided into 8 timeslots
8 timeslots = 1 frame = 4.65ms transmission 1 timeslot is assigned to a user who receives full control of the channel

User assigned to a given TCH is able to transmit voice data once per a frame
3/26/08 32

Air Interface Overview

4 carriers, each a single frame First time slot of the first carrier is the Common CCH Second time slot of the first channel is reserved for SDCCH connections Capacity for 8 users is allocated over the use of a multiframe Remaining timeslots across all carriers are designated for voice data

3/26/08

33

Air Interface Overview

Bandwidth is limited within frame, therefore data must span over multiple frames => multiframe => typically 51 frames (or 26, 51,21 standards) Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel Within a single multiframe, up to 8 users can receive SDCCH access

3/26/08

34

Air Interface Overview

PCH is used to signal each incoming call and text message, its commitment to each session is limited to the transmission of a TMSI TCHs remain occupied for the duration of a call which averages minutes SDCCH is occupied for a number of seconds per session establishment (typo in paper)
This SDCCH channel becomes the bottleneck! Must find/understand the bandwidth of the bottleneck
3/26/08 35

Air Interface - Bottleneck

Each SDCCH spans four logically consecutive timeslots in a multiframe Bandwidth: With 184 bits per a control channel unit and a multiframe cycle time of 235.36 ms => 782 bps Given authentication, TMSI renewal, encryption and the 160 byte text message, the SDCCH is held by an individual session for 4-5 seconds (note: testing form Delivery Discipline
demonstrated the same gray-box testing results)

Results: Service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH

3/26/08

36

Air Interface Bottleneck

Calculations

3/26/08

37

Air Interface Bottleneck

Calculation Example A

Study from National Communications System (NCS)

Washington D.C. has 40 cellular towers 68.2 sq miles 120 total sectors
Each sector 0.5 to 0.75 sq. miles

Each sector has 8 SDCCHs

FIND: Total number of messages per a second needed to saturate the SDCCH capacity C in Washington D.C.
3/26/08 38

Air Interface Bottleneck

Calculations Example A

900 msg/hr from service time translation

240 messages a second will saturate the SDCCH channel

3/26/08 39

Air Interface Bottleneck

Calculations Example B

Study from National Communications System (NCS)

Manhattan 31.1 sq miles 55 total sectors
Each sector 0.5 to 0.75 sq. miles

Each sector has 12 SDCCHs

FIND: Total number of messages per a second needed to saturate the SDCCH capacity C in Manhattan
3/26/08 40

Air Interface Bottleneck

Calculations Example B

900 msg/hr from service time translation (previous step)

165 messages a second will saturate the SDCCH channel

3/26/08 41

Air Interface Bottleneck

Calculation Results

Use a source transmission size of 1500 bytes described in the Delivery Discipline section to submit an SMS from the internet Table shows the bandwidth required to saturate the control channels and thus incapacitate legitimate voice and text messaging services

3/26/08

42

Air Interface Bottleneck

Conclusion
Due to the analysis and the results from the delivery discipline and delivery rate sections, sending that many messages to a small number of recipients would degrade the effectiveness of any attack
Phones buffers would reach capacity Undeliverable messages would be buffered on the network until user allocated space was exhausted Accounts could possibly be disabled temporarily

Hit-lists would prevent individual phones from reaching capacity and below possible service provider thresholds Is it possible?
3/26/08 43

Air Interface DoS Attack

Attack A

To saturate Washington DC:

Assumptions:
Washington D.C. has 572,000 people 60% wireless penetration 8 SDCCHs All devices powered on 50% of Washington D.C. use the same service provider

Result:
An even distribution of messages would be 5.04 messages to each phone per an hour (1 message every 11.92 minutes)

3/26/08

44

Air Interface DoS Attack

Attack B

Same assumptions from attack A, except:

Hit-list of 2500 phone numbers Phone buffer size: 50

Results:
An even distribution of messages would delivery a message every 10.4 seconds Attack would last 8.68 minutes before buffer was exhausted Previous bandwidth table shows these attacks are feasible from a standard high-speed internet connection
3/26/08 45

Air Interface DoS Attack

Prevention/Solution
New SMSCs are each capable of processing some 20,000 SMS messages per a second General Packet Radio Service (GPRS) and Enhance Data rates for GSM Evolution (EDGE) provide high-speed data connections to the internet for mobile devices
Complimentary to SMS and will NOT replace SMSs functionality

3/26/08

46

Air Interface DoS Attack

Prevention/Solution
Current mechanism are NOT adequate to protect these networks Proven practicality of address spoofing or distributed attacks via zombie networks makes the use of authentication based upon source IP addresses an ineffective solution Due to service provider earnings ($) from SMS messages, they are unlikely to restrict access to SMS messaging
3/26/08 47

Air Interface DoS Attack

Prevention/Solution
Separation of Voice and Data
Most effective solution would be to separate all voice and data communications
Insertion of data into cellular networks will no longer degrade the fidelity of voice services

Dedicating a carrier on the air interface for data signaling and delivery eliminates an attackers ability to take down voice communications
Ineffective use of the spectrum Creates bottleneck on air interface

Until the offloading schemes are created, origin priority should be implemented
Internet originated messages => low priority Messages from outside network => low priority Messages from within network => high priority

Resource Provisioning
Temporary Solutions
Additional Mobile Switching Center (MSC) and Base Stations (BS)
Events such as the Olympics United States

Cellular-on-Wheels (COW) The increased number of handoff puts more strain on the network 3/26/08 48

Air Interface DoS Attack

Solutions
Rate Limitation
Within the air interface, the number of SDCCS channels allowed to deliver text messages should be restricted
Attack still successful, but it would only affect a small number of people Slows the rate of legitimate messages can be delivered

Prevent hit-lists
Do NOT show successfulness of internet based submission

Web interfaces should limit the number of recipients to which a single SMS submission is sent
Verizon and Cingular allow 10 recipients per a submission Reduce the ability to automate submission
Force the computer to calculate some algorithm prior to submitting

Close web interfaces

Not likely

3/26/08

49

Conclusion
Cellular networks are a critical part of the economic and social infrastructures Systems typically experience below 300 seconds of communication outages per year (five nines availability) The proliferation of external services on these networks introduces significant potential for misuse An adversary injecting messages from the internet can cause almost twice the yearly expected network downtime using hit-lists as few as 2,500 targets The service providers potential problems outlined in this paper must be addressed in order to preserve the usability of these critical services
3/26/08 50