Schneier on Security
A blog covering security and security technology.
« Phishing |
| Automatic License Plate Scanners »
October 7, 2005
SMS Denial-of-Service Attack
This is a clever piece of research. Turns out you can jam cell phones with SMS messages. Text messages are transmitted on the same channel that is used to set up voice calls, so if you flood the network with one, then the other can't happen. The researchers believe that sending 165 text messages a second is enough to disrupt all the cell phones in Manhattan.
From the paper:
ABSTRACT: Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized. In this paper, we evaluate the security impact of the SMS interface on the availability of the cellular phone network. Specifically, we demonstrate the ability to deny voice service to cities the size of Washington D.C. and Manhattan with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks. This analysis begins with an exploration of the structure of cellular networks. We then characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We conclude by discussing countermeasures that mitigate or eliminate the threats introduced by these attacks.
There's a New York Times article and a thread on Slashdot.
Posted on October 7, 2005 at 7:43 AM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Here's what would happen if the mobile phone network went down in London:
1) People would arrive 5 mins late at the pub without letting anybody know that they were going to be late. Nobody would care.
2) Schoolgirls would be unable to text each other that "JAMES FINKS UR FIT!".
3) Stockbrokers on the train would allow their fellow passengers a little peace and quiet for once.
4) People secretly looking for a new job would have to make hushed phonecalls to recruiters from their desk rather than sneaking out to the street.
In short, life would go on just fine, thank you very much.
SMS spam could be real problem. I wrote post on my blog recently on this issue at: http://www.conwex.info/blog/?p=19
It says among other things that:
"According to joint study conducted by Intrado, Switzerland’s University of St. Gallen and the International Telecommunication Union, more than 80 percent of Europe’s mobile-phone users received at least one unwanted spam message cloaked as a short messaging service (SMS) transmission during 2004. Moreover, the results indicate that 83 percent of all mobile users responding to the survey expect mobile spam to become a critical issue for them within the next one to two years.��?
Best comment on this blog. Ever.
I know how to get people to take this seriously! Terrorists could use this to attack first responders' highly integrated communication systems in a hurricane!
Sending the messages is the easy part. The hard part is what the message would say. What kind of interesting terrorist propoganda would you put in the message?
Funny, I had to disable SMS about four years ago after my carrier confessed to me that they had no security on the system (spam, DDoS, etc) and no immediate plans for any. Each time I upgrade my phone, someone always re-enables SMS. I find this out when spam starts to flow (generating revenue for them, I suppose, but just annoying me) and I call to find out that they still have not immediate security plans.
Yes, SMS is carried on the same radio channel as call set-up, but behind the scenes the signaling path is somewhat different. My guess is that the network delivery path would overload long before the radio channels were saturated. The worst you would do is prevent message waiting indicators from being displayed or removed, and disrupt certain other handset updates.
Oh, and people wouldn't be able to download new ringtones.
ALL YOUR SMS ARE BELONG TO US!!!
Here's a little more data on the existing problems with SMS security:
"The number of unwanted text messages and phone calls via mobile phone surpasses that of desktop spam mail by a big margin, according to the Korea Information Security Agency (KISA)."
And I remember reading something about 80% of European SMS users have received spam.
Any critical cell device should have the SMS service disabled, just like any other system without controls, and that seems to be the easy fix to avoid the obvious spam/DoS issues.
To bad that the researchers for this paper were unable to suppliment their results with sufficient back-end details.
I like their third proposal. Their first proposal seems like they're trusting insiders; I'm unclear as to why they feel that orgination from that specific network is more or less likely to be an attacker than origination outside of a network. I think their second proposal is implausible; it merely scales up the needed magnitude of attack.
"Any critical cell device should have the SMS service disabled, just like any other system without controls, and that seems to be the easy fix to avoid the obvious spam/DoS issues"
I don't think that disabling this feature would affect the DoS issue. The problem is that the network (not the particular cell device) is saturated in their scenario.
@ Fred Page
Yes, you're right as the paper is presented as an infrastructure issue. But from personal experience I am guessing that cell systems that are already have SMS disabled would be far less impacted from an SMS-based saturation of the infrastructure.
Here's a funny version of this topic:
"In what can be described as the techie equivalent of asking everyone in China to jump up and down at the same time to see whether it starts an earthquake, two teenage lads from Nottingham want to be bombarded with as many SMS messages as possible to "stress-test the UK's mobile phone network"."
Niel's response misses a subtlety - allow me to fill in a bit more detail. Let's say there are two mobile phone services in UK, S1 and S2. S1 is subjected to several DOS attacks over a period of 1 month. S2 is not.
Here's what would happen if the S1 mobile phone network were brought down in London a few times amonth (with S2 denying any involvement, of course).
1) People using S1 would arrive 5 mins late at the pub without letting anybody know that they were going to be late. Nobody would care (except people using S1).
2) Schoolgirls using S1 would be unable to text each other that "JAMES FINKS UR FIT!". Parents of schoolgirls using S1 would hear about this.
3) Stockbrokers using S1 wouldn't be able to pester their clients.
4) People using S1 secretly looking for a new job would have to make hushed phonecalls to recruiters from their desk rather than sneaking out to the street.
In short, life would go on just fine, thank you very much, as soon as everyone switched from S1 to S2.
Another aspect of this occurred to me. The paper only addresses GSM, though it points out that other services will act in a similar way. UMTS won't have this vulnerability at all, since all traffic will be carried essentially as IP packets.
That's a good thing, right?
5) My house would have burned down because I couldn't call the fire brigade after I ran out of the smoke filled house.
That's a fact, not a hypothetical. About 8 years ago my house caught fire at around 2am. That's too late for neighbours to notice and also too late to easily rouse them to call the fire brigade. While running out of the house I had the presence of mind to grab my cellphone. Three minutes later the london fire brigade was there and the fire was still confined to one room. Another five minutes and it would have probably gutted the place (fires spread MUCH faster than most people realise).
In fact it took about three minutes to rouse my upstairs neighbour and get him out of the house after I'd got the fire brigade on the way. I spent five days in hospital thanks to smoke inhalation. Due to the same, I wasn't up to running up and down the road shouting and hammering on doors for help. One cellphone call saved the house and possibly some lives.
I think currently an outage would have a smaller effect than the loss of other utilities. However there is a trend in the SMS/cell space to start using the insecure, but super convenient transport method for more than just messages. Companies are looking at SMS for banking, for payments, and for commerce in general. This means that in a few years, there will be a non-trivial monetary impact to the DOS'ing of a this infrastructure.
This seems to be the classic trend. Build a technology that is insecure because the original intent doesn't require security. Then because of the convenience of the system, companies tack on all source of use cases that were never meant to be on the system. But never thinking to upgrade the security of the system.
Definitely true. Security is still sometimes seen as a barrier to entry/spread, rather than a facilitator. If SMS had never taken off, the designers might have said "whew, good thing we didn't waste time trying to figure out system availability, message integrity, confidentiality, etc."
Yet this low cost of entry is also known as "vulnerability" in a risk calculation, which comes right before "threat", amplified by clever folks who release tools such as SMSsend:
The ubiquity of SMS-capable devices would have been great if there had been some incremental security added along the way. But now we seem to be on the verge of meltdown at the same time that banks think they've found a reliable way to send authentication info:
Well, this is why Amateur Radio is vital, isn't it?
Beautiful paper, but in the practice this doesn't happen.
TV SHows in latin america and spain, that I personally know, receives near 150.000 sms per hour (~40 sms/sec).
With a modem gprs/gsm we can send 30 sms/second. In fact, i my former job we sent periodically over 50 sms/sec without DOS effect over GSM networks.
Are you telling that with 4 modems we can disrupt the all the cell phones in Manhattan?
No, is not possible. Even without modems, using SMPP directly, the protocol is so slow that we can't reach a throghput big enough to make this possible.
In practice, Cell Phones Companies doesn't allow more than 40-50 sms/sec.
Personally, I wrote a ESME application server server with a throughput of 600 sms/sec, using SMPP, but no company ever acepted more than 50 sms/sec, because of contention.
There is a lot of contention in SMSC and all ESMEs must be aware of this, and manage their own queues because of this.
In the paper the investigator forgot some important bussines step before the SMSC query the HLR. The SMSC must consult de Subscribers Database and check billing systems, for example. This is the main reason of contention of sms messages. I don't know how cell phones billing is in USA, but in many countries there is a limit based on the plan subscripted.
Yes, in GSM, you can in theory jam the SDCCH channel by flooding it with SMS's. There are easier ways of doing it, for example a few mobiles doing long USSD transactions (e.g. prepaid purchasing). The SDCCH (Stand-alone Dedicated Control CHannel) channel is responsible for call setup, among other services. Such attack would only affect the "cell" in question. The network, I'm afraid, will be quite fine, independent of equipment vendor.
In UMTS, a similar attack will lead to the "cell-breathing" phenomenon. Effectively this will reduce the serving area of the cell. Mobiles with good RF reception close to the centre of the cell will not be affected at all.
The "research" is classic piece of pseudo-science.
An interesting bulletin from 2003 regarding SMS security by the "National Communications System"
"SMS security and vulnerabilities were also investigated. While there may be some potential for security-related abuses, no new and alarming issues were revealed, and the impression is that wireless operators are aware of the risks and rewards of offering these services. Some vulnerabilities exist on the air interface side; for example, a coordinated Radio Frequency (RF) jamming attack could render wireless networks inoperable in certain areas. However, this is not a new vulnerability, and most RF systems are susceptible to it."
I've worked in the wireless telcom sector I can say that this is probably impossible on a lot (if not most) networks. Most intelligent network (IN) systems in the wireless telecom utilize SMS spam detection. If you exceed some threshold of SMPP messages, the network blocks transmission of messages. This is at least implemented in the Bell Canada network.
I can personally tell you that it works, because I've accidentally sent tens of thousands of messages through the network and the spam filter successfully blocked the messages.
Eduardo and Victor have basically summed it all up.
The carriers do have mechanisms to throttle unwanted messages. Now, whether they employ them intelligently or not is quite a different matter. Further, few organizations have open SMPP gateways, they want money for that. This forces the potential spammer (or cyber extortionist) to deal with an email gateway (SMTP->SMPP) which also adds another level of spam control.
That said, a well researched distributed botnet based flood could "theoretically" generate enough SMS's to temporarily interrupt service. As long as the volume per bot were small (to avoid simple throttling) and they were widely dispersed (so they couldn't be blocked by netblock) and the content of the messages were varied (so that a pattern match wouldn't stop it) and the target phone MIN's were tightly grouped (more likely to be on a handful of MSC's) you might be able to temporarily generate enough traffic to congest the SS7 network (most likely at the edge links for the MSC).
All kinds of alarms are going to be going off though, which will get attention quickly and in the worst case scenario, the carrier would likely opt to just turn off the email gateways. SMS origination and direct SMPP would work just fine.
If terrorists were seeking to take out communications for a given area, it'd be simpler to take an axe to the entrance facility at the switch. Unless it's copper ;-)
Nice summary, which took me me back to my earlier (non-expert) point that SMS is not secure and therefore a bane to any cell user that needs data integrity, etc.
"carriers do have mechanisms to throttle unwanted messages. Now, whether they employ them intelligently or not is quite a different matter"
I assume they maintain a significantly different risk model than that of the cell user. When I run through the simple exercise of calculating Risk = (Asset)/countermeasure1 x (Vuln)/countermeasure2 x (Threat)countermeasure3, I think it reasonable to expect carriers to continue to beef up resiliance at the infrastructure level, but virtually nothing at the device level.
"volume per bot were small (to avoid simple throttling) and they were widely dispersed (so they couldn't be blocked by netblock) and the content of the messages were varied (so that a pattern match wouldn't stop it) and the target phone MIN's were tightly grouped"
Exactly, since that type of threat might not only approximate regular traffic (insufficient delta to detect), but also because the targets have no way to reduce their vulnerabilities.
Anyone who lives in a country with heavy SMS usage wouldn't be as gullible as the US media has been in believing the claims of this paper. While it is understandable that the media wants to amplify sensationalist claims, someone like Bruce whose words carry immense weight should check carefully before publicising work like this.
Security researchers in the US seem to need sensationalist papers. The latest fad seems to be to reserve a new domain name every time there is new sensationalist paper to publicise, and then call NYT. Perhaps this is needed for getting NSF and homeland security funding. But the tendency does not serve science well. We have seen similar sensationlist papers about Bluetooth security, RFID security etc. The fact that these papers are peer reviewed does not imply that they are sound. Most security researchers who populate program committees do not know the application areas (e.g., GSM, Bluetooth) very well and cannot judge the real impact of the claims.
Next time someone has a sensationalist paper about security in some vertical domain (and reserve a domain name to advertise the paper!), I hope Bruce and other respected experts will double check before giving the papers a forum.
By the way, on the face of it, GSM security is a textbook example of how not to do security: security-by-obscurity, weak algorithms, etc. etc. Yet, GSM security is one of the examples of "good enough " security: In spite of all the nice papers showing how to break GSM security, it is still used widely and no one has been able to exploit the breaks to cause any noticeable impact. Some security researchers are in fact starting to realize this (see http://www.list.gmu.edu/journals/ic/... for example).
"GSM security is one of the examples of 'good enough' security"
I think you mean "good enough for now" or "good enough for users", etc.
Even the article you cite says that there are no absolutes and security is about "trade-offs". It concludes with a suggestion for "the automobile as a more appropriate role model for the security industry".
Interesting that this should come up just as Ford has asked that car safety standards be lowered:
"Ford told colleagues in an industry work group that the process of jointly reducing the risks trucks pose to cars in crashes is too costly."
That might come across wrong. Perhaps I should say Ford was reported to be unable to help meet new auto safety standards. Or in other words, they don't like the trade-offs that are being "asked" of them.
So it seems to me that your reference says GSM security is actually a typical case where technology has been adopted with a risk model that most find acceptable today but that should not be interpreted to mean that the risk model it uses is any kind of absolute.
"My house would have burned down because I couldn't call the fire brigade after I ran out of the smoke filled house."
Hence why I always have a landline. $20 per month is insurance that this is always there, and always goes to a local emergency operator. Unless the phone or line is already melted, picking it up and dialling 911 (or I think 999 in your case) and then leaving it as one exits the building connects it to an emergency operator who, receiving no response, dispatches someone to investigate it. It can be a supplement to a cell call, or it may be the only signal that gets through.
I don't truly trust wireless of any sort, and I probably never will. Too many things to go wrong with it -- dead batteries, interception, signal spoofing, no devices in range... That's not to say I don't use it, but I am extremely cautious about what I run over it.
> 'I think you mean "good enough for now" or "good enough for users", etc.'
I meant "good enough" in the sense the level of security was sufficient for that environment even though the security was far from perfect, and the system has stood the test of time having been in widespread deployment for the last dozen or so years.
> 'So it seems to me that your reference says GSM security is actually a typical case where technology has been adopted with a risk model that most find acceptable today but that should not be interpreted to mean that the risk model it uses is any kind of absolute.'
No disagreement from me. Even the GSM folks have realized that and have adopted stronger security for 3G (and are not relying on keeping the 3G algorithms secret).
The paper looks good (==very interesting for the industry outsider), but a quick scan shows that it assumes that the SMSC bottleneck can be bypassed. I think that is seriously wrong. Most SMSCs are run at maximum delivery rate without harm to the network.
Thus, I belive that the headline is wrong. Has any substantial analysis been done of this paper?
I don't understand why people on USA feel so insecure on mobile telephony.
Like Disappointed wrote, "when you live in a country with heavy sms usage wouldn't be as gullible as the US media"
Ask to the rest of the world. Millions of SMS messages are sent everyday.
Is impossible to receive a virus via sms, is impossible to do a sms bomb, because at many levels there is contention limits, at last your device has a limited capacity to store messages. And the messages are sent i they own track.
If you are affraid of terrorist uses of SMS, then examine the M11 attack on Madrid Spain, sadly in this case the gsm network worked far too well.
Like a lot of communications technologies, they'll only build in the safeguards once it becomes a problem. If this does become a problem, expect SMS firewalls that block or rate-limit messages. Expect some messages to disappear into thin air (as if they don't already) which is a pretty reliable confirmation that some kind of spam filtering is at work. And expect most people who need reliable messaging to use something like a Blackberry which doesn't use the same channels for communication and has all the maturity of e-mail messaging to (better) protect it from such exploitation. Oh wait the USA may shortly be without Blackberry service, sorry guys:
Makes you wonder what at the emergency organizations will do, many started using Blackberries post 911 because they were the only reliable communications mechanism during the disaster.
Good point about the Blackberry. It already natively supports AES, 3DES, and S/MIME and they just announced today that they will natively support PGP "e-mail encryption, decryption, digital-signature and verification services".
On a related question:
"Is possible to receive a virus via sms?"
Yes you can using PPG, the cabir virus can be sent as a URL push via SMS.
Its possible to cause a severe QOS degregation but not total DoS if the cabir virus is modified to send SMS rather an MMS.
Theoritically it could be modified to simultaneously trigger a SMS spam on predefined date in a hope that a large number of mobile phones is already infected. This would cause high percentage of drop calls especially on areas with poor cellsite coverage.
OTA setting can also be sent such that connection settings can be altered to divert all MMS to the attacker's server.
Maybe with a little more creativity, alot more can be done...
"Internet is way older than the mobile technology..
Yet we still couldn't secure the Internet and were just starting to fully understand the consequences of mobility."
SMS Spamming has increased a lot in the past year or so. I personally have received SMS spam. Almost 10-15 messages a day. SMS viruses can corrupt you cell phone. I had to reload the software (symbian) on my cell phone because of a SMS virus. Any company coming out with a mobile anitvirus software. Mcafee or Norton?
The Pennsylvania State Uresearch paper is technically flawed in two major areas:
1. It grossly underestimates the capacity of a GSM radio channel (the rate at which a DCCH can deliver SMS messages).
2. It does not recognize the defenses (such as rate limits) commonly employed at various points in carrier networks.
Love to answer some of the other questions, but obscurity can enhance security (though we hate to depend on it).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.