Exploiting open functionality in SMS-capable cellular networks.

Journal of Computer Security 01/2008; 16:713-742. DOI: 10.3233/JCS-2007-0308
Source: DBLP

ABSTRACT Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized. In this paper, we evaluate the security impact of the SMS interface on the availability of the cellular phone network. Specifically, we describe the ability to deny voice service to cities the size of Washington DC and Manhattan with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks. This analysis begins with an exploration of the structure of cellular networks. We then characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We conclude by discussing countermeasures that mitigate or eliminate the threats introduced by these attacks.

    ABSTRACT: In this paper, we study some messaging design decisions which resulted in a set of vulnerabilities in the Android operating system, and we demonstrate how a malware application can be built to abuse these vulnerabilities. The application presents itself as a regular SMS messaging application and uses its basic permissions to send/receive short messages. Since many operators worldwide provide services that allow users to transfer credits/units through SMS, the application abuses this service to transfer credits from users illegally. The "permission" subsystem, the "broadcast receiver" subsystem, and the message-sending mechanism contribute to forming a haven for SMS malware by granting them absolute control over sending, receiving, and hiding SMS messages. Accordingly, the malicious application hides any acknowledgments from the telecom operator that might appear after a credit transfer transaction. This enables malware to drain the balance of the attacked user and has the potential to cause damage to a large number of users as well as telecom operators. The application was demonstrated on a local operator and it successfully passed standard screening procedures that claim to catch malware. A set of possible solutions are also presented in order to mitigate the risks of such attacks.
    Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on; 01/2013
    ABSTRACT: Differential GPS, or DGPS, is a medium frequency (MF) radio system that is used worldwide for the broadcast of differential corrections to users to improve the accuracy and integrity of the GPS. This communications system works by digitally modulating radio signals broadcast from a network of marine radio beacons operating in the medium frequency 283.5-325 kHz radio band. The modulation scheme called Minimum Shift Keying (MSK) is used to transmit the correction data at typical data rates of between 50 and 200 bits per second (bps). The U.S. Coast Guard has pioneered the use of MSK for transmission of differential GPS corrections, and has provided over ten years of worthy service with the system. The U.S. DGPS installation is nation-wide, with over 85 transmitters providing double coverage to most of the CONUS. Today, the Coast Guard is re-examining the role of DGPS/radio beacons with the goal of optimizing service for the next ten years. Here we suggest that the DGPS system has significant capability for use beyond that of its current mandate; specifically, there exists the potential for concurrently transmitting a second information-bearing signal on the beacon signal. We believe that this simultaneous transmission of the current navigation correction information (the primary channel) and additional messaging (perhaps DHS emergency messaging or other relevant information) could be accomplished at very minimal cost, and with minimal impact on current users, using a technique we have called phase trellis overlay. This idea has been proposed in earlier work by these authors; several variations of the approach have been designed, analyzed, and tested with results presented at Institute of Navigation conferences. These previous presentations have focused on the technical details of the method; for example, design of the new communications signals, bandwidth of the resulting signal relative to the DGPS system requirements, implementation concerns at the transmitter, and its impact on legacy user performance were analyzed. Here we summarize these earlier results within the context of a potential DHS emergency messaging system. We re-examine the technical details of this approach as a simply parameterized FM (frequency modulation) overlay which yields mathematically tractable performance results. Sample results of this analysis highlight the tradeoffs between coverage expected for legacy users and coverage expected for the new DHS messaging system.
    Technologies for Homeland Security (HST), 2010 IEEE International Conference on; 01/2010
    ABSTRACT: We review the characteristics of signalling storms that have been caused by certain common apps and recently observed in cellular networks, leading to system outages. We then develop a mathematical model of a mobile user's signalling behaviour which focuses on the potential of causing such storms, and represent it by a large Markov chain. The analysis of this model allows us to determine the key parameters of mobile user device behaviour that can lead to signalling storms. We then identify the parameter values that will lead to worst case load for the network itself in the presence of such storms. This leads to explicit results regarding the manner in which individual mobile behaviour can cause overload conditions on the network and its signalling servers, and provides insight into how this may be avoided.

