Exploiting Open Functionality in SMS-Capable CellularNetworksWilliam Enck, Patrick Traynor, Patrick McDaniel, and Thomas La PortaSystems and Internet Infrastructure Security LaboratoryDepartment of Computer Science and EngineeringThe Pennsylvania State UniversityUniversity Park, PA 16802{enck, traynor, mcdaniel, tlp}@cse.psu.eduABSTRACTCellular networks are a critical component of the economic andsocial infrastructures in which we live. In addition to voice ser-vices, these networks deliver alphanumeric text messages to thevast majority of wireless subscribers. To encourage the expansionof this new service, telecommunications companies offer connec-tions between their networks and the Internet. The ramificationsof such connections, however, have not been fully recognized. Inthis paper, we evaluate the security impact of the SMS interfaceon the availability of the cellular phone network. Specifically, wedemonstrate the ability to deny voice service to cities the size ofWashington D.C. and Manhattan with little more than a cable mo-dem. Moreover, attacks targeting the entire United States are fea-sible with resources available to medium-sized zombie networks.This analysis begins with an exploration of the structure of cellu-lar networks. We then characterize network behavior and explorea number of reconnaissance techniques aimed at effectively target-ing attacks on these systems. We conclude by discussing counter-measures that mitigate or eliminate the threats introduced by theseattacks.Categories and Subject DescriptorsC.2.0 [Computers-Communication Networks]: General—Secu-rity and protectionGeneral TermsSecurityKeywordstelecommunications, sms, denial-of-service, open-functionality1. INTRODUCTIONThe majority of mobile phone subscribers are able to receiveboth voice and alphanumeric text via Short Messaging Service (SMS)transmissions. Text messaging allows users to interact with eachPermission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.CCS’05, November 7–11, 2005, Alexandria, Virginia, USA.Copyright 2005 ACM 1-59593-226-7/05/0011 ...$5.00.other in situations where voice calls are not appropriate or possi-ble. With countries such as the UK experiencing volumes of 69million messages per day [16], this service is rapidly becoming asingrained into modern culture as its voice counterpart [13, 11].Text messaging services are extremely popular with the telecom-munications industry. Whereas voice traffic typically yields a fixedamount of revenue per user, service providers earn up to US$0.10per text message sent or received by a mobile device [45, 60, 19].Seeing this tremendous potential for revenue, cellular providershave opened their networks to a number of additional services de-signed to increase SMS messaging volume. Through service provi-der website interfaces, email, and a wide variety of applicationsincluding instant messaging, users across the Internet can contactmobile subscribers without the use of a cell phone. Such open func-tionality, however, has serious negative consequences for these net-works.This paper evaluates the security impact of Internet-originatedtext messages on cellular voice and SMS services. The connectionsbetween the Internet and phone networks introduce open function-ality that detrimentally affects the fidelity of a cellular provider’sservice. Through the generation and use of large, highly accuratephone hit-lists, we demonstrate the ability to deny voice service tocities the size of Washington D.C. and Manhattan with little morethan a cable modem. Moreover, attacks targeting the entire UnitedStates are feasible with resources available to medium-sized zom-bie networks. Even with small hit-lists, we show that these cyber-warfare attacks are sustainable for tens of minutes. These attacksare especially threatening when compared to traditional signal jam-ming in that they can be invoked from anywhere in the world, oftenwithout physical involvement of the adversary.There are many dangers of connecting digital and physical do-mains. For example, a wide array of systems with varying degreesof connectivity to the Internet were indirectly affected by the Slam-mer worm. The traffic generated by this worm was enough to ren-der systems including Bank of America’s ATMs and emergency911 services in Bellevue, Washington unresponsive [40].There is nothing fundamentally different about the ways in whichthese victimized systems and cellular networks are connected to theInternet; all of the above systems were at one time both logicallyand physically isolated from external networks, but have now at-tached themselves to the largest open system on the planet. Ac-cordingly, we show that mobile phone networks are equally as vul-nerable to the influence of the Internet.In evaluating Internet-originated SMS attacks on cellular net-works, we make the following contributions:• System Characterization: Through analysis of publicly avail-able cellular standards and gray-box testing, we character-ize the resilience of cellular networks to elevated messagingloads.• Refining Target Search Space: We discuss a variety of tech-niques that, when used in combination, result in an accuratedatabase of targets (“hit-lists”) for directed attacks on cellu-lar networks. These lists are absolutely essential to mountingeffective attacks against these networks.• SMS/Cellular Network Vulnerability Analysis: We illu-minate the fragility of cellular phone networks in the pres-ence of even low-bandwidth attacks. We demonstrate andquantify the ability to incapacitate voice and SMS serviceto neighborhoods, major metropolitan areas and entire conti-nents.The remainder of this paper is organized as follows: Section 2gives a high-level overview of GSM network architecture and de-scribes text message delivery; Section 3 investigates cellular net-works from an attacker’s perspective and identifies the mechanismsnecessary to launch Denial of Service (DoS) attacks; Section 4models and quantifies DoS attacks in multiple environments; Sec-tion 5 discusses a number of attacks inherent to attaching generalpurpose computing platforms to the Internet;