Networks vulnerable to text message assaults

A sustained internet-based SMS attack could bring mobile communications to a crashing halt, writes Karlin Lillington

A group of researchers say they have uncovered a way to shut down a mobile network by bombarding it with text messages.

According to Pennsylvania State University computer science professor Patrick McDaniel, co-author of a paper on the subject, as few as 165 SMS messages sent suddenly to a set of mobile phone numbers could crash New York's mobile network.

A more sustained attack, using "zombie" computers - PCs on the internet that hackers have infiltrated and can issue instructions to - could potentially jam the entire US mobile phone network.

While the research looked at how such an attack could be staged on US mobile networks, McDaniel says the study focused on vulnerabilities in GSM networks generally, such as those used across Europe.

"Our central result is that we can confirm that the ability of bad guys to inject messages into the network is a pretty clear and present danger," says McDaniel.

The attacks are possible because mobile phones use the same small slice of radio frequency, called a control channel, to set up and connect phone calls and send text messages. If the channel were flooded with SMS messages, it would block calls and jam the network.

"The mobile phone network is a lot like a six-lane highway, but the problem is, it has a one-lane on-ramp," says graduate student and co-author Patrick Traynor. Both phone calls and SMS messages have to use that single lane.

Many Irish people will have experienced the consequence of this type of system overload before, for example during text message voting in Eurovision song contest, when messages and calls will fail to go through as thousands vote.

McDaniel says SMS usage in the US is far lower than in Europe and that there are no recorded instances of similar situations happening in the US.

However, the attacks outlined in the paper, available at www.smsanalysis.org, are not based on individuals sending lots of text messages from phone to phone, but on using the internet to stage a mass text-message assault on a mobile network.

This is possible because mobile networks link into the internet, which means an SMS can be sent from the internet to a mobile phone. Many mobile operators have websites where they allow internet users to send texts.

Thus, mobile networks are susceptible to an SMS-based form of denial of service (DoS) attack, a common type of internet assault that is used to shut down a website by bombarding it with thousands of requests for the site.

The researchers conclude in their paper that a single computer using a cable modem would be adequate for staging an SMS attack on a mobile network for a large city.

While launching an attack would require a sophisticated computer user, the researchers say acquiring the needed information to launch an attack - basically, a set of mobile numbers for a geographic area - was relatively easy.

"All the information you need to target an attack is readily available on the internet itself," says graduate student and co-author William Enck. Using Google, information supplied on operator websites, and some other search techniques, the researchers were able to obtain thousands of numbers for specific areas of Manhattan and Washington, DC.

Such lists of numbers then form a "hit list" which can be set up to receive hundreds of text messages by computer, for tens of minutes at a time, jamming the network.

"Because the attack comes from the internet, it is almost totally anonymous as well," says McDaniel.

The paper suggests various ways in which such attacks could be prevented. Disconnecting the mobile network from the internet is the simplest, but is not practical given the web-based services such as games, news and music that people now want from their mobiles.

Trying to filter calls and messages is not likely to be effective either, McDaniel says. One possible solution is to limit the information available on the net so that hackers cannot obtain huge lists of phone numbers in the first place.

Irish operators say they have security in place to handle an attack of this sort. "We have a broad ranging security and continuity strategy to address these risks to services," says Bruce Hopkins, information security manager, Vodafone. Their systems will limit the number of SMS messages that can enter the system from their own website, he says.

Similarly, O2 limits text messages in this way.

However, US operators do the same thing, says McDaniel. The researchers were not able to assess the security systems, but the team found no indication such protections were capable of stopping all attacks of this kind.

But McDaniel says: "The decision to deliver SMS messages over the same channel as calls is at the heart of this matter." The only comprehensive solution is a tough one indeed - to change the architecture the entire global network.