Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Open Functionality in SMS-Capable Cellular Networks 20123550 Chang-Jae Lee Some of the slides and figures were borrowed from the author’s slides.

Published byPatricia Records Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploiting Open Functionality in SMS-Capable Cellular Networks 20123550 Chang-Jae Lee Some of the slides and figures were borrowed from the author’s slides."— Presentation transcript:

1 Exploiting Open Functionality in SMS-Capable Cellular Networks 20123550 Chang-Jae Lee Some of the slides and figures were borrowed from the author’s slides

2 Intro  SMS(Short Message Service):  a short text message transmission(asynchronous)  Can be delivered via internet  Extremely popular  69 million in a day (UK)

3 More Terminologies  Cellular Network  Radio Network or infrastructure  Base Station  Cellular towers  Channel  A frequency cellphone comm. are Tx-ed  Sector  A cell region covered by fixed channels

4 SMS in Cellular Network

5 SMS in Cellolar Network(cont’d)

6

7

8

9

10

11 The “Air Interface”  Traffic Channel(TCh)  For voice traffic  Control Channel(CCh)  For signaling btw BS and phones  …and for SMS messages  CCh was not designed for SMS

12 The “Air Interface”(cont’d)  (Figures) Stand-alone Dedicated CCh

13 The “Air Interface”(cont’d)  Time Division MUXing of GSM  8 time slot/Ch  PCh, SDCCh: embedded in CCh  (2 * # of channels) of SDCCh

14 The “Air Interface”(cont’d)  Once SDC Channel is full with SMS, call setup is blocked  An adversary’s goal: fill the cell network with SMS traffic

15 Vulnerability Analysis  Profiling attributes  …by GSM Gray-box testing  About implementation specific specs  Example: How many SMS/hr per SDCCh?  How are SMS messages stored?

16 Vulnerability Analysis(cont’d)  Phone capacity  Slowly inject messages to target phone  Result  30~50 messages can be stored(old phones)  ~500 messages exhaust battery(high-end ones)

17 Vulnerability Analysis(cont’d)  Injection vs Delivery rate  Result: large imbalance between two  Many sites provides bulk SMS sending  ~1000s msgs/sec can be sent

18 Vulnerability Analysis(cont’d)  Interface regulation  Check limitations on Providers’ web interfaces  IP-based(AT&T, Verizon), session cookies(Sprint)  Spam filtering drops cannot be found  30~35 msgs/sec can be sent usually

19 Gray-box Test Summary  Some msgs injected would be lost  Msgs can be injected 100s times faster than can be delivered  Interfaces have some anti-triggers against mass injection  Conclusion: an attacked should be distributed & multi-targeted

20 Hit-List  Need a Hit-List for multi-targeted  How to get a Hit-List 1) Web scraping 2) Worms Get recent call list, etc 3) Search Internet for NPA/NXX DB

21 Hit-List(cont’d)  Web scraping  Google like 999-999-0000…9999

22 Hit-List(cont’d)  NPA/NXX DB search  Prefix can be identified via target area

23 Hit-List(cont’d)  SMS sending sites also gives info.  Provider web interfaces checks if the destination number is valid

24 Area Capacity  Capacity can be calculated:  Manhattan case is here: C = (sectors/area)*(SDCCHs/sector)*(throughput/SDCCH)

25 Area Capacity(cont’d)  1 msg = 1500 bytes(max length)  165 msgs/sec = 1933.6 kb/sec  Cable modem: ~768 kb/sec  Can be 193.36 kb/sec with multi-send interface

26 Attack Scenario  Hit-List with 2500 numbers  Average ~50 msgs for device buffer  8 dedicated channels  1 message in 10.4 sec (per phone)  About 8.7 min to fill buffers

27 Attack Scenario(cont’d)  Saturate queues  Messages exceeding saturation levels are lost  SMSC queue: ~500 msgs  Device: 30 ~ 50 msgs

28 Attack Aftermath  Messages are gone!  Also messages are delayed  Some devices lose even more data (when full, delete old read messages)  Battery depletion expected

29 Solution for the Attack  Separate queues for control & SMS  Limit rates  Next Generation Network

30 Conclusion  Cellular network is a critical resource in social or economic structures  External devices’ misuse can be fatal

Download ppt "Exploiting Open Functionality in SMS-Capable Cellular Networks 20123550 Chang-Jae Lee Some of the slides and figures were borrowed from the author’s slides."

Similar presentations

U.S. Army Research Laboratory

U.S. Army Research Laboratory
EE:450 – Computer Networks

EE:450 – Computer Networks
CprE 458/558: Real-Time Systems

CprE 458/558: Real-Time Systems
By Taylor and Ed. Uses standard voice telephone lines Uses a modem to place a telephone call to another modem at a remote site Two major disadvantages.

By Taylor and Ed. Uses standard voice telephone lines Uses a modem to place a telephone call to another modem at a remote site Two major disadvantages.
3.1 3-6 PERFORMANCE One important issue in networking is the performance of the networkhow good is it? We discuss quality of service, an overall measurement.

PERFORMANCE One important issue in networking is the performance of the networkhow good is it? We discuss quality of service, an overall measurement.
M OBILE C OMMUNICATION S OLUTIONS FOR B USINESS. SMS Cellular Services (Pty) Ltd (SCS) was established in 1999 and is one of the leading WASPs in South.

M OBILE C OMMUNICATION S OLUTIONS FOR B USINESS. SMS Cellular Services (Pty) Ltd (SCS) was established in 1999 and is one of the leading WASPs in South.
Networks & Components Discuss the components required for successful communications Explain the purpose of communications software Identify various sending.

Networks & Components Discuss the components required for successful communications Explain the purpose of communications software Identify various sending.
Ch. 10 Circuit Switching and Packet Switching

Ch. 10 Circuit Switching and Packet Switching
Tutorial 6 Mobile Communication Networks Mohamed Esam.

Tutorial 6 Mobile Communication Networks Mohamed Esam.
Scheduling in Wireless Systems. 2 CDMA2000: Overall Architecture Mobile Station.

Scheduling in Wireless Systems. 2 CDMA2000: Overall Architecture Mobile Station.
This document have the main steps to calculate the GSM traffic.

This document have the main steps to calculate the GSM traffic.
CELLULAR COMMUNICATIONS GSM/GPRS/EDGE. Groupe Speciale Mobile/Global System for Mobile.

CELLULAR COMMUNICATIONS GSM/GPRS/EDGE. Groupe Speciale Mobile/Global System for Mobile.
British Computer Society Presents Mobile Telecommunication By Nadine Mouali Technical Presentation Monday 17 June, 2002.

British Computer Society Presents Mobile Telecommunication By Nadine Mouali Technical Presentation Monday 17 June, 2002.
Traffic Shaping Why traffic shaping? Isochronous shaping

Traffic Shaping Why traffic shaping? Isochronous shaping
1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.

1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.
On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath.

On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath.
David Waitt Kate Disney 2008 April Digitizing An Analog World.

David Waitt Kate Disney 2008 April Digitizing An Analog World.
On Attack Causality in Internet- Connected Cellular Networks Presented by EunYoung Jeong.

On Attack Causality in Internet- Connected Cellular Networks Presented by EunYoung Jeong.
Mobility Management in Mobile Wireless Systems Lecture 9.

Mobility Management in Mobile Wireless Systems Lecture 9.
James 1:5 If any of you lacks wisdom, he should ask God, who gives generously to all without finding fault, and it will be given to him.

James 1:5 If any of you lacks wisdom, he should ask God, who gives generously to all without finding fault, and it will be given to him.

Similar presentations

Ads by Google