Exploiting Open Functionality in SMS-Capable Cellular Networks

Accepted at the 12th ACM Conference on Computer and Communications Security (CCS'05)
November 7-11, 2005, Alexandria, VA, USA

September 2, 2005

Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized.

This research evaluates the security impact of the Short Messaging Service (SMS) interface on the availability of the cellular phone network. Specifically, we demonstrate the ability to deny voice service to large metropolitan areas with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks.

We characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We also discuss a number of countermeasures that mitigate or eliminate the threats introduced by these attacks that must be implemented by cellular service providers in the near future.

Cellular Networks, SMS, and the Internet

The majority of mobile phone subscribers are able to receive both voice and alphanumeric text via Short Messaging Service (SMS) transmissions. Text messaging allows users to interact with each other in situations where voice calls are not appropriate or possible. With countries such as the UK experiencing volumes of 69 million messages per day, this service is rapidly becoming as ingrained into modern culture as its voice counterpart.

Text messaging services are also extremely popular with the telecommunications industry. Whereas voice traffic typically yields a fixed amount of revenue per user, service providers earn up to US$0.10 per text message sent or received by a mobile device. Cellular providers have opened their networks to a number of additional services designed to increase SMS messaging volume. Through service provider website interfaces, email, and a wide variety of applications including instant messaging, users across the Internet can contact mobile subscribers without the use of a cell phone. Such open functionality, however, has serious negative consequences for these networks.

Our research evaluates the security impact of Internet-originated text messages on cellular voice and SMS services. The connections between the Internet and phone networks introduce open functionality that detrimentally affects the fidelity of a cellular provider's service. Through the generation and use of large, highly accurate phone hit-lists, we demonstrate the ability to deny voice service to large metropolitan areas with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks. Even with a small number of targets, we show that these cyberwarfare attacks are sustainable for tens of minutes. These attacks are especially threatening when compared to traditional signal jamming in that they can be invoked from anywhere in the world, often without physical involvement of the adversary.

There are many dangers of connecting digital and physical domains. For example, a wide array of systems with varying degrees of connectivity to the Internet were indirectly affected by the Slammer worm. The traffic generated by this worm was enough to render systems including Bank of America's ATMs and emergency 911 services in Bellevue, Washington unresponsive.

There is nothing fundamentally different about the ways in which these victimized systems and cellular networks are connected to the Internet; all of the above systems were at one time both logically and physically isolated from external networks, but have now attached themselves to the largest open system on the planet. Accordingly, we show that mobile phone networks are equally as vulnerable to the influence of the Internet.

Identifying Vulnerabilities

In this research, we analyze the Global System for Mobile communication (GSM) so as to quantify the necessary bandwidth to perform such attacks. This particular technology was selected because, with over 1 billion GSM subscribers, these networks are by far the most widespread on the planet. As we discuss later, our analysis of GSM does not preclude other technologies from similar vulnerabilities.

We encourage readers interested in the specific details of the mechanisms used in this attack to read Section II of the paper. We offer a non-technical explanation of this material below.

Cellular networks can be broken into two chief components - the radio, or "air interface" and the wired backbone. We are chiefly interested in how traffic injected from the Internet can be used to congest the air interface as it is the more constrained of the two.

We divide the air interface into two general components - Control Channels and Traffic Channels. It helps to think of control channels as a very small portion of radio frequency that allow cellular towers to send information pertaining to call setup, SMS delivery and network conditions (such as the availability of traffic channels) to mobile phones. Traffic channels are instead used to carry actual voice conversations after they have been established via the control channels. Figure 1, below, gives an intuitive representation of this setup.

Figure 1: The air interface of a cellular network, divided into control and traffic channels. Control channels (CCHs) are used for call setup and SMS delivery. Traffic channels (TCHs) are used for the duration of voice calls. Notice that control channels have far less bandwidth than traffic channels.

Because text messages and mobile-phone call setups rely on the same limited resource, namely control channels, it is possible to attack this system. If enough text messages are sent so that no more control channels are available, calls will begin blocking (i.e. will not be connected). Readers interested in the specific details of the mechanisms making this attack possible should read the paper.

Figure 2: On the left, a request to set up a voice call is sent to the control channels. Because a number of unused control channels are available, the call will be connected. On the right, the control channels have been filled by SMS messages. If the attacker sends enough SMS messages to this particular tower, they can ensure that voice calls will always be blocked with a very high probability.

Before continuing, it is important to establish that such an attack is actually possible. We encourage readers to view available articles to see reports of cellular networks in which voice service became unavailable due to elevated levels of legitimate SMS traffic. If an attacker were to flood the control channels with enough SMS messages to reach capacity, they could create the same Denial of Service (DoS) to a given area.

In order to quantify the bandwidth necessary to launch such an attack, we provide three possible scenarios for control channel allocation. The first, referred to as Urban, represents the typical number of control channels in a standard urban/metropolitan setting. Super-Urban represents an extremely densely populated city. 2x Super-Urban represents a theoretically possible, heavily over-provisioned network.

Given that these effects have already been observed naturally, how difficult would such an attack be to launch deliberately? From the standards documentation, Table 1 below shows just how much bandwidth would be required to deny voice service to cities the size of Washington D.C. and Manhattan. Notice that these values are attainable by high-end cable-modem connections (numerous providers offer cable modem/DSL connections with upload speeds up to 768 Kbps). A small collection of so-called "zombie" machines could also easily accomplish the same task.

Table 1: Required upload bandwidth to saturate an empty network

Area                         # Sectors  # Control Channels  Capacity/Sector  Required Bandwidth*  Multi-Recipient Bandwidth*
Washington D.C. (68.2 mi^2)        120  Urban               240 msgs/sec     2812.5 kbps          281.25 kbps
                                        Super-Urban         360 msgs/sec     4218.8 kbps          421.88 kbps
                                        2x Super-Urban      720 msgs/sec     8437.5 kbps          843.75 kbps
Manhattan (31.1 mi^2)               55  Urban               110 msgs/sec     1289.1 kbps          128.91 kbps
                                        Super-Urban         165 msgs/sec     1933.6 kbps          193.66 kbps
                                        2x Super-Urban      330 msgs/sec     3867.2 kbps          386.72 kbps

* assuming 1500 bytes per message

Are larger attacks possible? Certainly. While the paper gives all of the necessary specifics, it would be theoretically possible to knock out cellular service for the continent with a data rate of approximately 370 Mbps. Such bandwidth could be harnessed from a moderately sized "zombie" network. Much larger Distributed Denial of Service (DDoS) attacks have already been seen, making this attack plausible.

So why have we not seen widescale attacks on the cellular network? The answer is that simply sending SMS messages to every possible number is not effective. A successful adversary would have to collect data on the phones available in a given area. While the full details of such "hit-list" creation are given in the paper, suffice it to say that all of the necessary data can be collected through a variety of means via the Internet.

My provider does not use GSM, so this attack is not a problem, right? While our analysis is specifically of GSM, this is an issue facing all service providers. Networks running protocols such as CDMA2000 also face similar problems as control channels also deliver SMS messages (please see TIA-EIA-637-A for specific details).

The fundamental issue at hand is that a connection exists between the Internet and cellular networks that allows adversaries to flood the phone network. In so doing, an attacker can use the Internet to attack cellular voice networks and prevent phone calls from connecting.

Even if SMS is run over its own dedicated channel so as not to interfere with voice traffic, an attacker can still prevent or delay legitimate SMS messages from being delivered by injecting enough messages to fill these channels to capacity.

Are there other potential threats? In the paper, a number of additional threats are discussed. It is possible for an attacker to fill a targeted phone with enough bogus SMS messages so that future, legitimate messages are either blocked, lost or significantly delayed. Additionally, like email, mobile phones are subject to threats including spam, viruses and phishing.

Solving/Mitigating the Problem

Many of the mechanisms currently in place are not adequate to protect these networks. The proven practicality of address spoofing and of distributed attacks via zombie networks makes authentication based upon source IP addresses an ineffective solution. As demonstrated in the paper, limiting the maximum number of messages received by an individual over a time period is also ineffective. Solutions must therefore take all of these matters into consideration. The mechanisms below offer both long-term and temporary options for securing cellular networks.

Separation of Voice and Data

It would be difficult for the numerous connections between the Internet and cellular networks to be closed by service providers. In light of this, the most effective means of eliminating the above attacks is by separating all voice and data communications. In so doing, the insertion of data into cellular networks will no longer degrade the fidelity of voice services.

The separation of voice and data is not enough to completely ensure unaffected wireless communications. In situations similar to September 11th where traffic channels are naturally saturated, Internet-originated SMS messages can still be used to fill data channels such that legitimate text messaging and therefore all communication becomes impossible.

SMS traffic should therefore be subject to origin classification. Text messages originating outside of the network should be assigned low priority on data channels. Messages originating within the phone network should receive high priority.
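The following model ties the capacity figures of Table 1 to the origin-classification countermeasure just described. It is an added example written for this page, not code from the paper or its authors: the per-area message capacities and the 1500-byte message size are taken from Table 1, while the traffic mix offered to the control-channel pool and the 1 kbps = 1024 bit/s convention (the one that reproduces the table's kbps column) are assumptions of the example. It shows how a first-come, first-served pool lets Internet-originated messages crowd out call setups and handset-originated texts, and how serving by origin class keeps the legitimate traffic flowing while external messages get only the leftover capacity.

```python
"""Control-channel capacity model and origin-classification scheduler.
Added example for this page; not code from the paper.  Capacities and the
message size come from Table 1; traffic volumes and the kbps convention
are assumptions of the example."""
from dataclasses import dataclass

MESSAGE_BYTES = 1500   # Table 1 footnote: assumed bytes per message
KBPS = 1024            # assumption: Table 1's kbps figures use a 1024 bit/s kilobit

# Table 1, Washington D.C.: total control-channel capacity in msgs/sec per scenario
WASHINGTON_CAPACITY = {"Urban": 240, "Super-Urban": 360, "2x Super-Urban": 720}


def required_kbps(msgs_per_sec: float, recipients_per_submission: int = 1) -> float:
    """Upload rate that keeps a pool of the given message capacity fully busy.
    A web form that fans one submission out to N recipients divides the figure
    by N (Table 1's Multi-Recipient column), which is why the Rate Limitation
    section asks for that count to be capped."""
    return msgs_per_sec * MESSAGE_BYTES * 8 / KBPS / recipients_per_submission


@dataclass(frozen=True)
class Request:
    kind: str   # "call_setup", "internal_sms" (handset-originated) or "external_sms" (Internet)


# Lower number is served first when origin classification is enabled
PRIORITY = {"call_setup": 0, "internal_sms": 1, "external_sms": 2}


def offered_load(call_setups: int, internal_sms: int, external_sms: int) -> list:
    """Constructed one-second arrival list: the legitimate requests are spread
    evenly through the external flood (deterministic, no randomness)."""
    legit = [Request("call_setup")] * call_setups + [Request("internal_sms")] * internal_sms
    total = len(legit) + external_sms
    step = total / len(legit) if legit else float("inf")
    arrivals, next_slot, placed = [], 0.0, 0
    for i in range(total):
        if placed < len(legit) and i >= next_slot:
            arrivals.append(legit[placed])
            placed += 1
            next_slot += step
        else:
            arrivals.append(Request("external_sms"))
    return arrivals


def serve_one_second(arrivals: list, capacity: int, classify_origin: bool) -> dict:
    """Deliver up to `capacity` requests from the pool in one second.
    Without origin classification the pool is first come, first served, so an
    external flood takes most of the channels.  With it, external messages
    only receive whatever capacity the internal classes leave over (sorted()
    is stable, so arrival order is kept within each class).
    Returns the number of requests served per kind."""
    queue = sorted(arrivals, key=lambda r: PRIORITY[r.kind]) if classify_origin else list(arrivals)
    served = {kind: 0 for kind in PRIORITY}
    for req in queue[:capacity]:
        served[req.kind] += 1
    return served


def blocked_fraction(served: dict, offered_calls: int) -> float:
    """Share of offered call setups that found no control channel this second."""
    return 1 - served["call_setup"] / offered_calls if offered_calls else 0.0


if __name__ == "__main__":
    # Urban Washington D.C. pool (240 msgs/sec) under a constructed flood of
    # 1000 external messages/sec alongside 30 call setups and 20 handset texts/sec.
    load = offered_load(call_setups=30, internal_sms=20, external_sms=1000)
    for classify in (False, True):
        served = serve_one_second(load, WASHINGTON_CAPACITY["Urban"], classify)
        print(f"origin classification={classify}: served={served}, "
              f"calls blocked={blocked_fraction(served, 30):.0%}")
    print(f"Urban pool saturates at {required_kbps(240):.1f} kbps of uploads; "
          f"with 10-recipient web forms only {required_kbps(240, 10):.2f} kbps")
```

With the constructed load, the first-come, first-served pool admits 12 of 30 call setups and none of the handset texts (60% of calls blocked), whereas the classified pool admits all 50 legitimate requests and 190 external messages. The scheduler is a per-second approximation; a real SDCCH pool holds each channel for the duration of a transaction, but the ordering effect is the same.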

Resource Provisioning

Many service providers have experience dealing with temporary elevations in network traffic such as flash crowds. COSMOTE, the Greek telecommunications company responsible for providing service to the 2004 Olympic games, deployed additional resources in the area surrounding the Olympic Complex. This extra equipment allowed the system to successfully deliver over 100 million text messages during the 17-day duration of the games. Similarly, sporting events and large public gatherings in the United States regularly take advantage of so-called Cellular-on-Wheels (COW) services in order to account for location-dependent traffic spikes.

The effects of Internet-originated SMS attacks could be reduced by increasing capacity to critical areas in a similar fashion. Unfortunately, the cost of additional equipment makes this solution too expensive for widespread distribution. Even if a provider rationalized the expense, the elevated provisioning merely makes DoS attacks more difficult but not impossible. Additionally, the increased number of handoffs resulting from reduced sector size would induce significant strain on the network core.

Rate Limitation

Due to the time and money required to realize either of the above solutions, it is necessary to provide short-term means of securing cellular networks. These techniques harness well-known rate limitation mechanisms.

On the air interface, the number of channels allowed to deliver text messages could be restricted. Given the addition of normal traffic filling control channels, this attack would still be effective in denying service to all but a few individuals. Additionally, this approach slows the rate with which legitimate text messages can be delivered, potentially elevating congestion in the core of the phone network. This approach is therefore not an adequate solution on its own.

All web interfaces should limit the number of recipients to which a single SMS submission is sent. The ability to send ten messages per submission at a number of service-provider websites is particularly dangerous as flooding the system requires one-tenth of the messages and bandwidth necessary to interfere with other networks.

Reducing the ability to automate submissions is another approach that should be considered as a temporary solution for these interfaces. Having the sender's computer calculate tractable but difficult puzzles before a submission is completed limits the frequency with which any machine can inject messages into a system. The use of CAPTCHAs, or images containing embedded text that is difficult for computers to parse, is also plausible. Because CAPTCHAs are not unbreakable and puzzles only impede the submission speed for individuals, both of these countermeasures can be circumvented if an attacker employs a large enough zombie network.
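The client-puzzle gate suggested above can be implemented with a hashcash-style proof of work. The following is an added example for this page, not code from the paper or from any carrier's web interface; the construction (the submitter must find a counter whose SHA-256 hash with the challenge has a required number of leading zero bits), the stateless MAC-bound challenge, the 300-second validity window and the difficulty values are this example's own choices. The point it demonstrates is the cost asymmetry: solving costs a number of hashes that doubles with every difficulty bit, while verification is a single hash.

```python
"""Client puzzle for a web-to-SMS submission form (hashcash-style).
Added example; not code from the paper or any provider's interface.
All parameters and the challenge format are assumptions of the example."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Server-side key so challenges can be verified without storing them.
# Per-process random key for this example; a deployment would manage it properly.
SECRET = os.urandom(32)


def _mac(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]


def issue_challenge(recipient: str, difficulty: int, now: Optional[float] = None) -> str:
    """Server side: a challenge bound to the recipient, a timestamp and the
    required difficulty, authenticated so the client cannot lower it.
    Fields are '|'-separated, so the recipient must not contain '|'."""
    ts = int(now if now is not None else time.time())
    body = f"{recipient}|{ts}|{difficulty}"
    return f"{body}|{_mac(body)}"


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _puzzle_hash(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()


def solve(challenge: str) -> int:
    """Client side: brute-force the smallest counter that meets the difficulty.
    Expected work is 2**difficulty hashes, which bounds how fast one machine
    can push submissions through the form."""
    difficulty = int(challenge.split("|")[2])
    counter = 0
    while _leading_zero_bits(_puzzle_hash(challenge, counter)) < difficulty:
        counter += 1
    return counter


def verify(challenge: str, counter: int, max_age: float = 300,
           now: Optional[float] = None) -> bool:
    """Server side: check the MAC, the challenge age and the solution.
    Costs one HMAC and one SHA-256 regardless of difficulty."""
    try:
        recipient, ts, difficulty, tag = challenge.split("|")
        age = (now if now is not None else time.time()) - int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _mac(f"{recipient}|{ts}|{difficulty}")):
        return False
    if age < 0 or age > max_age:
        return False
    return _leading_zero_bits(_puzzle_hash(challenge, counter)) >= int(difficulty)


if __name__ == "__main__":
    challenge = issue_challenge("recipient-number-placeholder", difficulty=16)
    start = time.perf_counter()
    answer = solve(challenge)
    print(f"solved in {time.perf_counter() - start:.2f}s, counter={answer}, "
          f"accepted={verify(challenge, answer)}")
```

The difficulty can be raised for submissions that fan out to several recipients or that arrive from a source already sending at a high rate. As the text notes, this only slows each individual machine: an adversary with enough machines pays the puzzle cost in parallel, so the gate is a stopgap rather than a substitute for origin classification on the network side.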

The last and certainly least popular suggestion is to close the interface between the web and cellular networks. While this solution is the most complete, it is extremely unlikely to receive serious consideration due to the potential financial consequences it would cause to both service providers and third-party companies providing goods and services through this interface. Given the size of these networks and the number of connected external entities, implementing this option may actually be impossible.

Significance

Cellular networks are a critical part of the economic and social infrastructures in which we live. These systems have traditionally experienced below 300 seconds of communication outages per year (i.e., "five nines" availability). However, the proliferation of external services on these networks introduces significant potential for misuse. We have shown that an adversary injecting text messages from the Internet can cause almost twice the yearly expected network down-time in a metropolitan area using hit-lists containing as few as 2500 targets. With additional resources, cyberwarfare attacks capable of denying voice and SMS service to an entire continent are also feasible. By attacking the less protected edge components of the network, we elicit the same effects as would be seen from a successful assault on the well protected network core.

Mobile voice and text messaging have become indispensable tools in the lives of billions of people across the globe. The problems presented in our paper must therefore be addressed in order to preserve the usability of these critical services.