
Exploiting Open Functionality in SMS-Capable Cellular …pdm12/cse544/slides/cse544-sms-enck.pdf ·...

Date post: 30-Jan-2018
CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page Exploiting Open Functionality in SMS-Capable Cellular Networks Lecture 2 - CSE 544 - Advanced Systems Security Presenter: William Enck January 18, 2007 URL: http://www.cse.psu.edu/~mcdaniel/cse544 1 William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta
Transcript
Page 1: Exploiting Open Functionality in SMS-Capable Cellular …pdm12/cse544/slides/cse544-sms-enck.pdf · Exploiting Open Functionality in SMS-Capable Cellular Networks Lecture 2 ... (drop-tail

CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page

Exploiting Open Functionality in SMS-Capable Cellular Networks

Lecture 2 - CSE 544 - Advanced Systems Security

Presenter: William Enck

January 18, 2007

URL: http://www.cse.psu.edu/~mcdaniel/cse544

William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta


Unintended Consequences

• The law of unintended consequences holds that almost all human actions have at least one unintended consequence.


Large Scale Attacks

• Past damaging attacks follow a pattern ...

‣ Bad (or good) guys find the vulnerability ...

‣ Somebody does some work ...

‣ Then exploit it ...

• Hence, an exploit evolves in the following way:

1. Recognition

2. Reconnaissance

3. Exploit

4. Recovery/Fix


Recognition: SMS Messaging

• What is SMS?

‣ Allows mobile phones and other devices to send small asynchronous messages containing text.

‣ Ubiquitous internationally (Europe, Asia)

‣ Often used in environments where voice calls are not appropriate or possible.

‣ On September 11th, SMS helped many people communicate even though call channels were full

‣ Can be delivered via Internet

• Web-pages (provider websites)

• Email, IM, ...


Reconnaissance: Understanding the System

[Figure: "Cellular Network" drawn with a "?"]

Telecommunications Vocabulary

• Signaling System 7 (SS7): The phone network

• POTS: Plain-old telephone service

• Cellular network: Radio network and infrastructure used to support mobile communications (phones)

• Base Station (BS): Cellular towers for wireless delivery

• Channel: A frequency (carrier) over which cell phone communications are transmitted

• Sector: A cell region covered by fixed channels


Overview of SMS Delivery

[Figure: SMS delivery path. Components shown: Internet, ESME (External Short Messaging Entity), SMSC (Short Message Service Center), HLR, MSC (Mobile Switching Center), VLR, BS, PSTN, Network]

The “air interface”

• Traffic Channels (TCH)

‣ Used to deliver voice traffic to cell phones

• Control Channels (CCH)

‣ Used for signaling between base stations and cell phones

‣ Used to deliver SMS messages


Wireless Delivery of SMS

• Once the destination is found, it requests a Standalone Dedicated Control Channel (SDCCH)

• The SDCCH is used to deliver the SMS message

• The SDCCH is also used to set up voice calls

[Figure: delivery sequence: Paging (PCH), Response (RACH), SDCCH Assignment (AGCH), SMS Delivery (SDCCH)]

GSM as TDM

• GSM Analysis

‣ Each channel divided into 8 time-slots

• Each call transmits during its time-slot (TCH)

• Paging channel (PCH) and SDCCH are embedded in CCH

‣ BW: 762 bits/sec (96 bytes) per SDCCH

‣ Number of SDCCH is 2 * number of channels

‣ Number of channels averages 2-6 per sector (2/4/8/12/??)

[Figure: SDCCH 0 and SDCCH 1 within a multiframe; axes: Time Slot # (0-7), Frame #, Channel]

The Vulnerability

• Once you fill up the SDCCH channels with SMS messages, call setup is blocked

• So, the goal of the adversary is to fill the cell network with SMS traffic

‣ Not as easy as you might think ...

[Figure: SMS messages occupying the channel while a voice call is blocked (X)]

Reconnaissance: Gray-box Testing

• Standards documentation only tells half the story

• Open Questions (Implementation Specific)

‣ How are messages stored?

‣ How do injection and delivery rates compare?

‣ What interface limitations currently exist?


Phone Capacity

• Methodology

‣ Determine phone capacity by slowly injecting messages while target phone is powered on

‣ Each phone in our sample set displayed the number of new messages

• Result:

‣ Low end phones observed 30-50 message buffers

‣ High end phone drained power before max found (500+)

• Some phones were incapable of receiving new messages without user intervention


Delivery Discipline

• Methodology

‣ Determine network queueing policy by slowly injecting hundreds of (enumerated) messages while target phone is powered off

‣ Set of received messages indicates both the buffer size and dropping policy for each user at the SMSC

• Result:

‣ Buffer sizes varied by provider (range of 30 to a few hundred)

‣ Message dropping policy (SMSC) also varied (drop-tail and head)

• We caused messages to be lost


Injection vs. Delivery Rate

• Methodology

‣ Find a bottleneck by comparing injection and delivery rates

• 7-8 second interarrival times observed on phones

• Experimentally finding maximum injection rate is dangerous

‣ Google found many websites selling bulk SMS sending

‣ Estimate hundreds to thousands of messages can be sent per second

• Large imbalance between injection and delivery


Interface Regulation

• Methodology

‣ Determine limitations on provider web interfaces using automated scripts to inject messages at a moderate rate

‣ Record HTML response to each message sent

• Result:

‣ Rudimentary restrictions (IP-based, Session cookie)

‣ Unable to determine if messages dropped due to SPAM filtering

‣ Bulk senders advertise 30-25 messages per second

• Multiple bulk senders can be used

• All observed interface regulations are trivially circumvented


Gray-box Testing Summary

• Not all messages injected will be delivered

• Messages can be injected orders of magnitude faster than they can be delivered

‣ Delivery time is multiple seconds

• Interfaces have trivial regulations

• Result: An attack must be distributed and must target many users


Reconnaissance: Finding cell phones ...

• North American Numbering Plan (NANP)

‣ NPA/NXX prefixes are administered by a provider

‣ Phone number mobility may change this a little

‣ Mappings between providers and exchanges are publicly documented and available on the web

• Implication: An adversary can identify the prefixes used in a target area (e.g., metropolitan area)

[Figure: NPA-NXX-XXXX, where NPA = Numbering Plan Area (area code) and NXX = Numbering Plan Exchange]

Example NPA-NXX


Web Scraping

• Googling for phone numbers

‣ 865 numbers in SC

‣ 7,300 in NYC

‣ 6,184 in DC

‣ ... in less than 5 seconds


Using the SMS interface

• While Google may provide a good “hit-list”, it is advantageous to create a larger and fresher list

‣ Providers' entry points into the SMS are available, e.g., email, web, instant messaging

‣ Almost all provider web interfaces indicate whether the phone number is good or not (not just ability to deliver)

‣ Hence, web interface is an oracle for available phones


Attack Modeling: Area Capacity

• Determining the capacity of an area is simple with the above observations

C = (sectors/area)*(SDCCHs/sector)*(throughput/SDCCH)

• Note that this is the capacity of the system. An attack would be aided by normal traffic

• Model Data

‣ Channel Bandwidth: 3GPP TS 05.01 v8.9.0 (GSM Standard)

‣ City profiles and SMS channel characteristics: National Communications System (NCS) TIB 03-2

‣ City and population profiles: US Census 2000


The Exploit (Metro)

• Capacity = sectors * SDCCH/sector * msgs/hour

• 165 msgs/sec * 1500 bytes = 1933.6 kb/sec

• Comparison: cable modem ~= 768 kb/sec

• 193.36 on a multi-send interface

[Equation labels: Sectors in Manhattan; SDCCHs per sector; Messages per SDCCH per hour]

Figure 4: An example air interface with four carriers (each showing a single frame). The first time slot of the first carrier is the Common CCH. The second time slot of the first channel is reserved for SDCCH connections. Over the course of a multiframe, capacity for eight users is allotted. The remaining time slots across all carriers are designated for voice data. This setup is common in many urban areas.

is divided into eight timeslots and, when viewed as a whole, form a frame. During a given timeslot, the assigned user receives full control of the channel. From the telephony perspective, a user assigned to a given TCH is able to transmit voice data once per frame. In order to provide the illusion of continuous voice sampling, the frame length is limited to 4.615 ms. An illustration of this system is shown in Figure 4.

Because the bandwidth within a given frame is limited, data (especially relating to the CCH) must often span a number of frames, as depicted in Figure 5. This aggregation is known as a multiframe and is typically comprised of 51 frames (footnote 6). For example, over the course of a single multiframe, the base station is able to dedicate up to 34 of the 51 Common CCH slots to paging operations.

Each channel has distinct characteristics. While the PCH is used to signal each incoming call and text message, its commitment to each session is limited to the transmission of a TMSI. TCHs, on the other hand, remain occupied for the duration of a call, which on average is a number of minutes [44]. The SDCCH, which has approximately the same bandwidth as the PCH across a multiframe, is occupied for a number of seconds per session establishment. Accordingly, in many scenarios, this channel can become a bottleneck.

In order to determine the characteristics of the wireless bottleneck, it is necessary to understand the available bandwidth. As shown in Figure 5, each SDCCH spans four logically consecutive timeslots in a multiframe. With 184 bits per control channel unit and a multiframe cycle time of 235.36 ms, the effective bandwidth is 782 bps [4]. Given that authentication, TMSI renewal, the enabling of encryption, and the 160 byte text message must be transferred, a single SDCCH is commonly held by an individual session for between four and five seconds [44]. The gray-box testing in Section 3.1 reinforces the plausibility of this value by observing no messages delivered in under six seconds.

This service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH. In real systems, the total number of SDCCHs available in a sector is typically equal to twice the number of carriers (footnote 7), or one per three to four voice channels. For example, in an urban location such as the one demonstrated in Figure 4 where a total of four carriers are used, a total of eight SDCCHs are allocated. A less populated suburban or rural sector may only have two carriers per area and therefore have four allocated SDCCHs. Densely populated metropolitan sectors may have as many as six carriers and therefore support up to 12 SDCCHs per area.

Footnote 6: Multiframes can actually contain 26, 51 or 52 frames. A justification for each case is available in the standards [4].

Footnote 7: Actual allocation of SDCCH channels may vary across implementations; however, these are the generally accepted values throughout the community.

Figure 5: Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel. In a single multiframe, up to eight users can receive SDCCH access.

We now calculate the maximum capacity of the system for an area. As indicated in a study conducted by the National Communications System (NCS) [44], the city of Washington D.C. has 40 cellular towers and a total of 120 sectors. This number reflects sectors of approximately 0.5 to 0.75 mi² through the 68.2 mi² city. Assuming that each of the sectors has eight SDCCHs, the total number of messages per second needed to saturate the SDCCH capacity C is:

$$
C \simeq (120\ \text{sectors}) \left(\frac{8\ \text{SDCCH}}{1\ \text{sector}}\right) \left(\frac{900\ \text{msgs/hr}}{1\ \text{SDCCH}}\right) \simeq 864{,}000\ \text{msgs/hr} \simeq 240\ \text{msgs/sec}
$$

Manhattan is smaller in area at 31.1 mi². Assuming the same sector distribution as Washington D.C., there are 55 sectors. Due to the greater population density, we assume 12 SDCCHs are used per sector.

$$
C \simeq (55\ \text{sectors}) \left(\frac{12\ \text{SDCCH}}{1\ \text{sector}}\right) \left(\frac{900\ \text{msg/hr}}{1\ \text{SDCCH}}\right) \simeq 594{,}000\ \text{msg/hr} \simeq 165\ \text{msg/sec}
$$

Given that SMSCs in use by service providers in 2000 were capable of processing 2500 msgs/sec [59], such volumes are achievable even in the hypothetical case of a sector having twice this number of SDCCHs.

Using a source transmission size of 1500 bytes as described in Section 3.1 to submit an SMS from the Internet, Table 3 shows the bandwidth required at the source to saturate the control channels, thereby incapacitating legitimate voice and text messaging services for Washington D.C. and Manhattan. The adversary’s bandwidth requirements can be reduced by an order of magnitude when attacking providers including Verizon and Cingular Wireless due to the ability to have a single message repeated to up to ten recipients.

Due to the data gathered in Section 3.1, sending this magnitude of messages to a small number of recipients would degrade the effectiveness of such an attack. As shown in the previous section, targeted phones would quickly see their buffers reach capacity. Undeliverable messages would then be buffered in the network until the space allotted per user was also exhausted. These accounts would likely be flagged and potentially temporarily shut down for receiving a high number of messages in a short period of time, thereby


Regional Service

• How much bandwidth is needed to prevent access to all cell phones in the United States?

• About 3.8 Gbps or 2 OC-48s (5.0 Gbps)


Recovery/Fix: The solutions (today)

• Solution 1: separate Internet from cell network

‣ pros: essentially eliminates attacks (from Internet)

‣ cons: infeasible, loss of important functionality

• Solution 2: resource over-provisioning

‣ pros: allows a mitigation strategy without re-architecting

‣ cons: costly, just raises the bar on the attackers


The solutions (tomorrow)

• Solution 3: Queuing

‣ Separate queues for control vs. SMS

‣ Control messaging should preempt with priority

‣ Cons: complexity?

• Solution 4: Rate limitation

‣ Control the aggregate input into a network/sector

‣ Cons: complex to do correctly

• Solution 5: Next generation networks

‣ 3G networks will logically separate data and voice

‣ Thus, Internet-based DoS attacks will affect data only

‣ Cons: available when?
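
Added example (not part of the original slides or paper): sizing the per-sector aggregate rate limit of Solution 4 from the area-capacity model C = (sectors/area)*(SDCCHs/sector)*(throughput/SDCCH) on the Attack Modeling slide. It assumes an Erlang-B loss model (Poisson arrivals) for SDCCH contention; the call-setup hold time, the call and SMS arrival rates, and the 1% blocking target are constructed values, and all function names are hypothetical.

```python
# Added example: Erlang-B sizing of a per-sector SMS rate limit.
# The loss model, the call-setup load and the 1% target are assumptions.

SMS_HOLD_S = 4.0          # page: one SMS session holds an SDCCH for 4-5 s
CALL_SETUP_HOLD_S = 2.0   # assumption: SDCCH hold time for one voice call setup


def area_capacity_msgs_per_sec(sectors, sdcch_per_sector, hold_s=SMS_HOLD_S):
    """C = sectors * SDCCHs/sector * throughput/SDCCH, in messages per second."""
    sessions_per_hour = 3600.0 / hold_s           # 900 per SDCCH at 4 s
    return sectors * sdcch_per_sector * sessions_per_hour / 3600.0


def erlang_b(servers, offered_erlangs):
    """Blocking probability of an N-server loss system (stable recursion)."""
    b = 1.0
    for n in range(1, servers + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def setup_blocking(sdcch, sms_per_s, calls_per_s):
    """Fraction of SDCCH requests (call setups included) refused in one sector."""
    load = sms_per_s * SMS_HOLD_S + calls_per_s * CALL_SETUP_HOLD_S
    return erlang_b(sdcch, load)


def sms_rate_cap(sdcch, calls_per_s, target_blocking=0.01):
    """Largest admitted SMS rate (msgs/s per sector) keeping blocking <= target."""
    if setup_blocking(sdcch, 0.0, calls_per_s) > target_blocking:
        return 0.0  # voice signalling alone already exceeds the target
    lo, hi = 0.0, 10.0 * sdcch / SMS_HOLD_S
    for _ in range(60):  # bisection: blocking is monotonic in offered load
        mid = (lo + hi) / 2.0
        if setup_blocking(sdcch, mid, calls_per_s) <= target_blocking:
            lo = mid
        else:
            hi = mid
    return lo


def admitted_rate(offered_sms_per_s, cap):
    """Aggregate limiter in front of the sector: the excess stays queued upstream."""
    return min(offered_sms_per_s, cap)


if __name__ == "__main__":
    print("Washington D.C. C =", area_capacity_msgs_per_sec(120, 8), "msgs/s")
    print("Manhattan       C =", area_capacity_msgs_per_sec(55, 12), "msgs/s")
    calls = 0.2   # constructed: call setups per second in one 8-SDCCH sector
    cap = sms_rate_cap(8, calls)
    for offered in (0.1, 2.0, 20.0):   # constructed SMS arrival rates, msgs/s
        raw = setup_blocking(8, offered, calls)
        lim = setup_blocking(8, admitted_rate(offered, cap), calls)
        print(f"offered {offered:5.1f}/s  unlimited {raw:.4f}  capped {lim:.4f}")
    print(f"per-sector cap for 1% blocking: {cap:.2f} msgs/s")
```

The cap comes out well below the 2 msgs/sec per-sector saturation rate implied by the capacity model, because the limiter has to leave SDCCH headroom for call setup rather than merely avoid full saturation.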


The Reality

• Attacks occur accidentally

‣ “Celebration Messages Overload SMS Network” (Oman)

‣ “Mobile Networks Facing Overload” (Russia)

‣ “Will Success Spoil SMS?” (Europe and Asia)

• In-place tools may prevent trivial exploits

‣ message filtering, over-provisioning

• Sophisticated adversaries could likely exploit this vulnerability without additional counter-measures

‣ Many possible entry points into the network

• Zombie networks

‣ Little network internal control of SMS messaging

• Note: Edge solutions are unlikely to be successful


Reality check: SMS Over SS7

• The National Communications System issued a report about the use of SMS messages in times of disaster.

• In this report, everyone with a cellular phone in a major city tried to send text messages at a rate of 1/60 seconds.

• In a conservative estimate, Manhattan would need 100 times more capacity to meet such a load.


Recommendations

• Short term: reduce number of SMS gateways and regulate input flow into cell phone network

• Remove any feedback on the availability of cell phones or success of message delivery

• Implement an emergency shutdown procedure

‣ Disconnect from Internet during crisis

‣ Only allow emergency services during crisis

• Seek solutions from equipment manufacturers

‣ Separate control traffic from SMS messaging

‣ Advanced cell networks

A cautionary tale ...

• Attaching the Internet to any critical infrastructure is inherently dangerous

‣ ... because of the unintended consequences

• Will/have been felt in other areas

‣ electrical grids

‣ emergency services

‣ banking and finance

‣ and many more ...


Teaching a Lecture

• What was the arc of the Lecture?

• Teaching how to go about vulnerability analysis

‣ Recognition

‣ Reconnaissance (a lot of work, be responsible)

‣ Exploit (beat the bad guys to the punch)

‣ Recovery

• Larger picture
