
SMS Attacks and Defenses






Presentation Transcript


  1. SMS Attacks and Defenses

  2. SMS
  • A major source of revenue for cellphone companies
    • 0.10 per text message vs. fixed rate
    • UK experiences 69 million messages per day
  • Open functionality
    • Cell phones
    • Web interfaces
    • Email
    • Instant messaging

  3. SMS/Cellular Network Overview
  • Submitting a message
    • Via another mobile device
    • Through External Short Messaging Entities (ESMEs): email, web portals, voice mail, paging systems, software applications
  • Short Messaging Service Center (SMSC)
    • Examines incoming packets
    • Converts them into SMS message format if needed
    • Places the message into the SMSC queue for forwarding

  4. SMS/Cellular Network Overview (Cont.)
  • Routing a message
    • The SMSC queries the Home Location Register (HLR) database
    • If the destination is found, the response contains the Mobile Switching Center (MSC) serving it; otherwise, the SMSC stores the message for later delivery

  5. SMS/Cellular Network Overview (Cont.)
  • Wireless delivery
    • Control Channels (CCH)
      • Common CCH
        • Paging Channel (PCH)
        • Random Access Channel (RACH)
      • Standalone Dedicated CCH (SDCCH): authentication, encryption, TMSI delivery, SMS message delivery
    • Traffic Channels (TCH)

  6. Vulnerability Analysis: Bottlenecks in Cellular Networks
  • Delivery discipline
    • Not publicly available
    • Use grey-box analysis to infer delivery disciplines
  • SMSC capacity
    • Sent 400 messages, one every 60 seconds, to a powered-off target device
      • AT&T: all 400 messages were delivered
      • Verizon: only the last 100 messages were delivered (FIFO)
      • Sprint: only the first 30 messages were delivered (LIFO)
  • Mobile device SMS capacity
    • Nokia 3560: 30 messages
    • LG 4400: 50 messages
    • Treo 650: 500 (because its battery depletes)
  • Due to this limit, a successful DoS attack must be distributed over a number of subscribers

  7. Vulnerability Analysis: Bottlenecks in Cellular Networks (Cont.)
  • Root cause of the DoS attack
    • Inherent cost imbalance between injecting SMS messages and delivering them to mobiles
  • Imbalance between injection rate and service rate
    • Injection rate
      • SMS providers offer plans with 30-35 msgs/sec per SMPP connection
      • Much higher when sent over a web portal
    • Service rate
      • Measured send time: 0.71 seconds
      • Measured inter-arrival time: 7-8 seconds for Verizon and AT&T; a few seconds and up to a few minutes for Sprint
  • Imbalance in message sizes
    • 700 bytes are required to send a 160-byte SMS message
    • Including ACKs and the required web page download, the upload size can be up to 1600 bytes
    • Web portals allow multicasting messages

  8. DoS Attacks
  • Attacking metropolitan area service
  • Attacking regional service
  • Targeted attacks

  9. Creating a Hit List
  • Motivation
    • Sending to every possible phone number is not effective
    • Many messages sent to dark address space are a strong indicator that an attack is in progress
  • Goal: identify a list of phone numbers and their service providers

  10. Creating a Hit List
  • Web search of NPA/NXX
    • Responses contain the name of the service provider administering the NPA/NXX block, its location, and the subdivision
    • E.g., 814-876-XXXX is owned by AT&T Wireless in the greater State College area
    • Does not reveal which phone numbers within the NPA/NXX block are activated
  • Web scraping
    • Using search engines and scripting tools to crawl the web for phone numbers
    • They collected 865 unique numbers this way
  • Web interface interaction
    • Send SMS via a web interface and watch for positive/negative ACKs
    • A positive ACK indicates a hit
    • Negative ACK: try another service provider's web site
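Slide 9 states that a burst of messages to dark address space is a strong indicator that an attack is in progress, and slide 17 later notes that per-source rate limiting at the gateway is defeated once submissions are spread over many sources. The following Python is an added example, not code from the presentation or from the paper it summarizes: it parses a constructed SMS-gateway submission log (the line format, the set of activated numbers, the source names and every threshold are assumptions), applies a per-source rate limit, and aggregates the dark-address ratio across all sources, so that a distributed sweep in which every source stays under its individual limit is still flagged.

```python
import re
from collections import defaultdict

# Hypothetical gateway log: one line per SMPP submit_sm (timestamp in seconds,
# submitting ESME connection, destination number, SMSC response). Assumed format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) src=(?P<src>\S+) dst=(?P<dst>\d{10}) resp=(?P<resp>\w+)$"
)

# Constructed: the numbers the HLR currently has activated in one NPA/NXX block
# (814-876-XXXX). Every other number in the block is dark address space.
ACTIVE_NUMBERS = {"8148760101", "8148760102", "8148760103"}

# Thresholds are assumptions for this example. The per-source limit reuses the
# 30-35 msgs/sec SMPP plan rate quoted on slide 7.
PER_SOURCE_RATE_LIMIT = 35    # submissions per one-second window, per source
DARK_RATIO_ALERT = 0.5        # fraction of all submissions hitting dark numbers
MIN_SAMPLES = 20              # do not alert on a handful of mistyped numbers


def build_sample_log():
    """Constructed traffic (all values made up): one well-behaved ESME, one ESME
    bursting 50 messages within a second, and ten low-rate sources that between
    them sweep dark numbers in the block."""
    active = sorted(ACTIVE_NUMBERS)
    lines = []
    for i in range(5):                                  # esme-01: one msg every 2 s
        lines.append(f"{1000 + 2 * i:.2f} src=esme-01 dst={active[i % 3]} resp=OK")
    for i in range(50):                                 # esme-02: 50 msgs in 0.5 s
        lines.append(f"{1010 + i / 100:.2f} src=esme-02 dst={active[i % 3]} resp=OK")
    for b in range(10):                                 # bot-00..bot-09: 8 msgs each,
        for i in range(8):                              # all to dark numbers
            dark = f"814876{9000 + 8 * b + i:04d}"
            lines.append(f"{1020 + i / 10:.2f} src=bot-{b:02d} dst={dark} resp=OK")
    return "\n".join(lines)


def peak_rate(timestamps, window=1.0):
    """Largest number of submissions that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(log_text, active=ACTIVE_NUMBERS):
    """Per-source rate-limit verdicts plus an aggregate dark-address alert."""
    per_src = defaultdict(lambda: {"total": 0, "dark": 0, "ts": []})
    total = dark = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                    # skip malformed lines, don't crash
        rec = per_src[m["src"]]
        rec["total"] += 1
        rec["ts"].append(float(m["ts"]))
        total += 1
        if m["dst"] not in active:
            rec["dark"] += 1
            dark += 1
    verdicts = {}
    for src, rec in per_src.items():
        rate = peak_rate(rec["ts"])
        verdicts[src] = "rate-limit" if rate > PER_SOURCE_RATE_LIMIT else "ok"
    dark_ratio = dark / total if total else 0.0
    attack_alert = total >= MIN_SAMPLES and dark_ratio > DARK_RATIO_ALERT
    return {"verdicts": verdicts, "total": total, "dark": dark,
            "dark_ratio": dark_ratio, "attack_alert": attack_alert}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for src, verdict in sorted(result["verdicts"].items()):
        print(f"{src:8} {verdict}")
    print(f"dark ratio {result['dark_ratio']:.2f}, attack alert: {result['attack_alert']}")
```

On the constructed log only esme-02 trips the per-source limit; each bot-NN source sends well under 35 messages per second and gets an "ok" verdict, yet the aggregate dark-address ratio (80 of 135 submissions) raises the alert. In a real deployment the active-number set would come from the HLR and the thresholds would be tuned against the operator's baseline traffic.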

  11. Attacking Metropolitan Area Service
  • Observation
    • Traffic channel (TCH): SMS and voice traffic do not compete with each other
    • Control channel (CCH): voice and SMS share it
  • Attack
    • Send enough SMS messages to saturate the control channel (e.g., paging channel, random access channel or SDCCH)

  12. Attacking Regional Service
  • Speeding up SMS delivery
    • Offload SMS traffic from SS7 onto IP
    • New SMS: all aspects of processing speed up, except the SDCCH bottleneck
  • An attack requires 3.8 Gbps and a nation-wide hit list to DoS nation-wide cellular networks
    • Only 370 Mbps if ten different recipients can be included in a single SMS

  13. How to DoS a specific mobile phone?

  14. Targeted Attacks
  • Postal mail
    • In 2002, anonymous individuals inundated spammer Alan Ralsky with thousands of mail-order catalogs on a daily basis → DoS
  • The same attack can be applied to SMS
    • The attacker wishes to stop a victim from receiving useful messages
    • A stock trader may want to delay/drop updates received by competitors
  • Flood the specified user with superfluous messages
    • Buffer overflows and message loss
    • Delay message delivery beyond its shelf-life
    • Deplete the battery
    • The user cannot notice a message among overwhelming meaningless messages
  • Most mobile phones hold up to 50 messages, and the remaining messages are buffered in the provider's network up to a certain limit
  • When the buffer is full, any messages with content assumed to be known (outbox and read messages in the inbox) were automatically deleted (e.g., Nokia 3560)
  • Use of the "Clear Inbox" function increases the possibility of a user accidentally deleting a legitimate text message arriving among the attack messages

  15. Other Attacks
  • Spam
  • Viruses

  16. Solutions?

  17. Solutions
  • Rate limiting
    • Per-source volume restriction at the SMS gateway
    • Ineffective
      • IP addresses can be spoofed
      • The existence of zombie networks makes rate limiting not useful
  • Separation of voice and data
    • SMS sent from mobiles receives higher priority than SMS sent from the Internet
  • Resource provisioning
    • Weighted fair queueing
    • Weighted random early detection
    • Strict/dynamic resource provisioning
    • Direct channel allocation
  • Education
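The "separation of voice and data" and "weighted fair queueing" items on the slide above can be made concrete with a small scheduler simulation. This Python is an added example, not code from the presentation: it models the bottleneck channel as one link that carries one message per slot and compares FIFO against self-clocked fair queueing (a WFQ approximation) on a constructed scenario in which an Internet-originated flood competes with a trickle of mobile-originated messages. The class names, the 4:1 weights, the slot model and the scenario itself are assumptions.

```python
import heapq
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    seq: int        # unique id, also the FIFO tie-breaker
    arrival: int    # slot in which the message reaches the bottleneck queue
    cls: str        # "mobile" (mobile-originated) or "internet" (ESME/web-originated)


def schedule(msgs, policy, weights=None, size=1):
    """Simulate one bottleneck channel that occupies `size` slots per message.
    policy="fifo": serve strictly in arrival order.
    policy="scfq": self-clocked fair queueing, a WFQ approximation: each message
    gets tag = max(last tag of its class, tag of the message in service) + size/weight,
    and the smallest tag is served next.
    Returns (msg, start_slot) pairs in service order."""
    if policy not in ("fifo", "scfq"):
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "scfq" and not weights:
        raise ValueError("scfq needs a weight per class")
    pending = sorted(msgs, key=lambda m: (m.arrival, m.seq))
    heap, served = [], []
    last_tag = defaultdict(float)
    v_now, slot, i = 0.0, 0, 0
    while i < len(pending) or heap:
        while i < len(pending) and pending[i].arrival <= slot:
            m = pending[i]
            i += 1
            if policy == "fifo":
                key = (m.arrival, m.seq)
            else:
                tag = max(last_tag[m.cls], v_now) + size / weights[m.cls]
                last_tag[m.cls] = tag
                key = (tag, m.seq)
            heapq.heappush(heap, (key, m))
        if not heap:                      # channel idle: jump to the next arrival
            slot = pending[i].arrival
            continue
        key, m = heapq.heappop(heap)
        if policy == "scfq":
            v_now = key[0]                # virtual time = tag of message in service
        served.append((m, slot))
        slot += size
    return served


def mean_wait(served):
    """Mean queueing delay (start slot minus arrival slot) per class."""
    totals = defaultdict(lambda: [0, 0])
    for m, start in served:
        totals[m.cls][0] += start - m.arrival
        totals[m.cls][1] += 1
    return {c: s / n for c, (s, n) in totals.items()}


def flood_scenario():
    """Constructed: 200 Internet-originated messages dumped into the queue at
    slot 0, plus 20 mobile-originated messages arriving one every 5 slots."""
    msgs = [Msg(seq=k, arrival=0, cls="internet") for k in range(200)]
    msgs += [Msg(seq=200 + k, arrival=5 * k, cls="mobile") for k in range(20)]
    return msgs


WEIGHTS = {"mobile": 4, "internet": 1}    # assumption: favour mobile-originated 4:1


def compare():
    msgs = flood_scenario()
    return {
        "fifo": mean_wait(schedule(msgs, "fifo")),
        "scfq": mean_wait(schedule(msgs, "scfq", WEIGHTS)),
    }


if __name__ == "__main__":
    for policy, waits in compare().items():
        print(policy, {c: round(w, 1) for c, w in waits.items()})
```

Under FIFO every mobile-originated message queues behind the whole flood, so its mean wait is 162 slots; under the weighted scheduler each one is served in the slot it arrives, while the flood's own mean wait grows only from 99.5 to 115.7 slots. The point of the slide's "separation" item is exactly this asymmetry: the scheduler protects the class the operator values without needing to identify or block the flood's sources.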

  18. Audio

  19. Smartphone Attacks
  • Over 100 mobile threats during 2004-05
  • Major target: Symbian
    • Skulls: disables functionality such as SMS and MMS messaging, web browsing, and the built-in camera
    • Cabir: worm using Bluetooth to copy itself onto devices up to 30 feet away
    • Cardtrap: disables system applications and copies Windows worms to the phone's memory card
    • Locknut: drops a binary that crashes a critical system component, which results in locking the phone
    • Doomboot: the phone cannot start after it is rebooted
  • Check out http://www.f-secure.com/wireless/threats/

  20. Challenges of Securing Smartphones
  • Open OS
  • Increasing number of smartphones
    • In the near future, smartphones >> PCs
  • General user population
  • Phones are mobile → increases infection rate
  • How to infect phones?

  21. Challenges of Securing Smartphones
  • Open OS
  • Increasing number of smartphones
    • In the near future, smartphones >> PCs
  • General user population
  • Phones are mobile → increases infection rate
  • Multiple ways to infect phones
    • Synchronization
    • Removable memory cards
    • Bluetooth and infrared connections
    • WiFi
    • Cellular networks

  22. What types of attacks?

  23. Possible Smartphone Attacks
  • DoS to base stations
  • DDoS to call centers and switches
  • Remote wiretapping
  • Phone blocking
  • SMS spamming
  • Identity theft and spoofing
  • Physical attack
  • National crisis

  24. How to defend?

  25. Defenses
  • Internet-side protection
    • NIDS, firewalls, patching, shielding, …
    • Enforced quarantining from the base station
      • Makes seamless handoff challenging
      • Difficult to change deployed 802.11 APs
  • Telecom-side protection
    • Abnormal behavior detection
    • Reactions (rate limiting, call filtering, blacklist)
    • Advantage to leverage: the behavior of telecom users is highly predictable, and most of the reaction building blocks already exist
  • Smartphone-side protection
    • Feature reduction
      • E.g., turn off Bluetooth when not active
    • OS hardening
      • E.g., always display the callee number when making a phone call
      • Light up the LCD display when dialing
    • Hardware hardening
      • SIM card to authenticate the OS and applications
  • Cooperation among the three parties

  26. Cooperation among the Three Parties
  • The cellular carriers enforce smartphone patching and shielding, and OS authentication
  • When smartphone attacks are detected from the Internet
    • The Internet side can inform the telecom to prepare in advance
  • When the telecom detects smartphone attacks
    • Inform the Internet side to reject zombies on the blacklist
    • Need to judge whether a device is a smartphone
      • IP address to SIM ID or telephone number mapping

  27. Course Review

  28. Course Overview
  • Part I: Introduction to wireless networks
    • Physical layer
    • MAC
      • Introduction to MAC and IEEE 802.11
      • Channel assignment and channel hopping
      • Power control
      • Rate control
      • Multi-radio
    • Routing
      • Mobile IP
      • DSR and AODV
    • TCP over wireless
      • Problems with TCP over wireless
      • Other proposals

  29. Course Overview (Cont.)
  • Part II: Different types of wireless networks
    • Wireless LANs
    • Wireless mesh networks
    • Sensor networks
    • Cellular networks
    • Delay tolerant networks
    • Vehicular networks
    • Cognitive networks
    • Emergent networks

  30. Course Overview (Cont.)
  • Part III: Wireless network management and security
    • Localization
    • Wireless network diagnosis
    • Wireless network security

  31. Fundamental Principle 1: Interference-aware
  • Interference is shown to have a significant impact on wireless network performance
  • Lots of wireless research centers around reducing interference
    • Measuring interference
    • Modeling interference
    • Mitigating interference
      • Interference cancellation
      • Power control
      • Channel assignment
      • Scheduling
      • Routing
    • Embracing interference

  32. Fundamental Principle 2: Leverage diversity
  • Antenna diversity
    • MIMO, MUP, MRD
  • Topology diversity
    • Power control, channel assignment, SSCH
  • Path diversity
    • Routing metrics, opportunistic routing
  • Application diversity
    • Delay-tolerant vs. delay-intolerant

  33. Fundamental Principle 3: Cross-layer optimization
  (Figure: the protocol stack, application / transport / network / link / physical, mapped to the optimization points App / TCP / Routing / MAC / Channel, Antenna, Power)

  34. Fundamental Principle 4
  • Integration with the Internet
    • Wireless networks are not isolated → wireless networks impact future Internet design
    • Past Internet: adapt wireless nodes to the existing Internet architecture
      • Cannot handle mobility, intermittent connectivity, in-network processing, …
    • Future Internet: adapt the Internet architecture to make wireless nodes first-class citizens
      • Billions of cell phones compared to 500 million PCs
      • 5 – 10 billion sensors

  35. Fundamental Principle 5
  • Let real applications drive interesting research
    • Last-mile problem
    • Disaster recovery networks
    • Smartphones
    • Home networking
    • …
