exploiting open functionality in sms capable cellular
play

Exploiting Open Functionality in SMS-Capable Cellular Networks - PowerPoint PPT Presentation

May 22, 2023 •257 likes •575 views

Exploiting Open Functionality in SMS-Capable Cellular Networks William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta Lecture 2 - CSE 544 - Advanced Systems Security Presenter: William Enck January 18, 2007 URL:

  1. Exploiting Open Functionality in SMS-Capable Cellular Networks William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta Lecture 2 - CSE 544 - Advanced Systems Security Presenter: William Enck January 18, 2007 URL: http://www.cse.psu.edu/~mcdaniel/cse544 CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 1

  2. Unintended Consequences • The law of unintended consequences holds that almost all human actions have at least one unintended consequence. CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 2

  3. Large Scale Attacks • Past damaging attacks follow a pattern ... ‣ Bad (or good) guys find the vulnerability ... ‣ Somebody does some work ... ‣ Then exploit it ... • Hence, an exploit evolves in the following way: 1. Recognition 2. Reconnaissance 3. Exploit 4. Recovery/Fix CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 3

  4. Recognition: SMS Messaging • What is SMS? ‣ Allows mobile phones and other devices to send small asynchronous messages containing text. ‣ Ubiquitous internationally (Europe, Asia) ‣ Often used in environments where voice calls are not appropriate or possible. ‣ On September 11th, SMS helped many people communicate even though call channels were full ‣ Can be delivered via Internet • Web-pages (provider websites) • Email, IM, ... CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 4

  5. Reconnaissance: Understanding the System Cellular Cellular Network Network ? ? CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 5

  6. Telecommunications Vocabulary • Signaling System 7 (SS7): The phone network • POTS: Plain-old telephone service • Cellular network: Radio network and infrastructure used to support mobile communications (phones) • Base Station (BS): Cellular towers for wireless delivery • Channel: A frequency (carrier) over which cell phone communications are transmitted • Sector: A cell region covered by fixed channels CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 6

  7. Overview of SMS Delivery BS BS BS MSC Mobile Switching PSTN Center HLR VLR Network VLR BS SMSC MSC Short Message Service Center Internet BS BS ESME External Short Messaging Entity CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 7

  8. The “air interface” • Traffic Channels (TCH) ‣ Used to deliver voice traffic to cell phones • Control Channels (CCH) ‣ Used for signaling between base stations and cell phones ‣ Used to deliver SMS messages CCH TCH CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 8

  9. Wireless Delivery of SMS Paging (PCH) Response (RACH) SDCCH Assignment (AGCH) SMS Delivery (SDCCH) • Once the destination is found, it requests an Standalone Dedicated Control Channel (SDCCH) • The SDCCH is used to deliver the SMS message • The SDCCH is also used to setup voice calls CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 9

  10. GSM as TDM • GSM Analysis ‣ Each channel divided into 8 time-slots • Each call transmits during its time-slot (TCH) • Paging channel (PCH) and SDCCH are embedded in CCH ‣ BW: 762 bits/sec (96 bytes) per SDCCH ‣ Number of SDCCH is 2 * number of channels ‣ Number of channels averages 2-6 per sector (2/4/8/12/??) 4 5 Frame # 0 1 2 3 4 5 6 7 8 9 0 Multiframe SDCCH 0 SDCCH 1 Channel Time Slot # 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 10

  11. The Vulnerability • Once you fill up the SDCCH channels with SMS messages, call setup is blocked Voice X SMS SMS SMS SMS SMS SMS SMS SMS • So, the goal of the adversary is to fill the cell network with SMS traffic ‣ Not as easy as you might think ... CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 11

  12. Reconnaissance: Gray-box Testing • Standards documentation only tells half the story • Open Questions (Implementation Specific) ‣ How are messages stored? ‣ How do injection and delivery rates compare? ‣ What interface limitations currently exist? Cellular Network CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 12

  13. Phone Capacity • Methodology ‣ Determine phone capacity by slowly injecting messages while target phone is powered on ‣ Each phone in our sample set displayed the number of new messages • Result: ‣ Low end phones observed 30-50 message buffers ‣ High end phone drained power before max found (500+) • Some phones were incapable of receiving new messages without user intervention CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 13

  14. Delivery Discipline • Methodology ‣ Determine network queueing policy by slowly injecting hundreds of (enumerated) messages while target phone is powered off ‣ Set of received messages indicates both the buffer size and dropping policy for each user at the SMSC • Result: ‣ Buffer sizes varied by provider (range of 30 to a few hundred) ‣ Message dropping policy (SMSC) also varied (drop-tail and head) 4 3 2 1 1 5 Cell Internet SMSC Network • We caused messages to be lost CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 14

  15. Injection vs. Delivery Rate • Methodology ‣ Find a bottleneck by comparing injection and delivery rates • 7-8 second interarrival times observed on phones • Experimentally finding maximum injection rate is dangerous ‣ Google found many websites selling bulk SMS sending ‣ Estimate hundreds to thousands of messages can be sent per second Faster Internet Slower • Large imbalance between injection and delivery CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 15

  16. Interface Regulation • Methodology ‣ Determine limitations on provider web interfaces using automated scripts to inject messages at a moderate rate ‣ Record HTML response to each message sent • Result: ‣ Rudimentary restrictions (IP-based, Session cookie) ‣ Unable to determine if messages dropped due to SPAM filtering ‣ Bulk senders advertise 30-25 messages per second • Multiple bulk senders can be used • All observed interface regulations are trivially circumvented CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 16

  17. Gray-box Testing Summary • Not all messages injected will be delivered • Messages can be injected orders of magnitude faster than they can be delivered ‣ Delivery time is multiple seconds • Interfaces have trivial regulations • Result : An attack must be distributed and must target many users CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 17

  18. Reconnaissance: Finding cell phones ... • North American Numbering Plan (NANP) NPA-NXX-XXXX Numbering Plan Exchange Numbering Plan Area (Area code) ‣ NPA/NXX prefixes are administered by a provider ‣ Phone number mobility may change this a little ‣ Mappings between providers and exchanges publicly documented an available on the web • Implication : An adversary can identify the prefixes used in a target area (e.g., metropolitan area) CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 18

  19. Example NPA-NXX CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 19

  20. Web Scraping • Googling for phone numbers ‣ 865 numbers in SC ‣ 7,300 in NYC ‣ 6,184 in DC ‣ ... in less than 5 seconds CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 20

  21. Using the SMS interface • While google may provide a good “hit-list” it is advantageous to create a larger and fresher list ‣ Providers entry points into the SMS are available, e.g., email, web, instant messaging ‣ Almost all provider web interfaces indicate whether the phone number is good or not (not just ability to deliver) ‣ Hence, web interface is an oracle for available phones CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 21

  22. Attack Modeling: Area Capacity • Determining the capacity of an area is simple with the above observations C = (sectors/area)*(SDCCHs/sector)*(throughput/SDCCH) • Note that this is the capacity of the system. An attack would be aided by normal traffic • Model Data ‣ Channel Bandwidth: 3GPP TS 05.01 v8.9.0 (GSM Standard) ‣ City profiles and SMS channel characteristics: National Communications System (NCS) TIB 03-2 ‣ City and population profiles: US Census 2000 CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 22

  23. The Exploit (Metro) • Capacity = sectors * SDCCH/sector * msgs/hour Sectors in SDCCHs per Messages per Manhattan sector SDCCH per hour „ 12 SDCCH « „ 900 msg/hr « (55 sectors ) C ≃ 1 sector 1 SDCCH 594 , 000 msg/hr ≃ 165 msg/sec ≃ • 165 msgs/sec * 1500 bytes = 1933.6 kb/sec • Comparison: cable modem ~= 768 kb/sec • 193.36 on a multi-send interface CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 23

  24. Regional Service • How much bandwidth is needed to prevent access to all cell phones in the United States? • About 3.8 Gbps or 2 OC-48s (5.0 Gbps) CSE 544 Advanced Systems Security - Spring 2007 - Prof. McDaniel Page 24

Recommend

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen,

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen,

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen, Xin Liu University of California, Davis 1 3G Cellular Networks Provide high speed downlink data access Examples HSDPA (High Speed

641 views • 23 slides
Exploiting Heterogeneous Open Data for Pharmacovigilance Vassilis Koutkias 1 , Agns

Exploiting Heterogeneous Open Data for Pharmacovigilance Vassilis Koutkias 1 , Agns

Exploiting Heterogeneous Open Data for Pharmacovigilance Vassilis Koutkias 1 , Agns Lillo-Le Lout 2 and Marie-Chris<ne Jaulent 1 1 INSERM, U1142, LIMICS, F-75006, Paris,

208 views • 17 slides
Stream Chaining: Exploiting Multiple Levels of Correlation in Data Prefetching Pedro Daz and

Stream Chaining: Exploiting Multiple Levels of Correlation in Data Prefetching Pedro Daz and

Stream Chaining: Exploiting Multiple Levels of Correlation in Data Prefetching Pedro Daz and Marcelo Cintra University of Edinburgh http://www.homepages.inf.ed.ac.uk/mc/Projects/CELLULAR Outline Motivation Correlation and Localization

642 views • 43 slides
GOMACTech-2019 BlackParrot An Open-Source, Industrial-Strength, RISC-V, Linux Capable, Multicore

GOMACTech-2019 BlackParrot An Open-Source, Industrial-Strength, RISC-V, Linux Capable, Multicore

GOMACTech-2019 BlackParrot An Open-Source, Industrial-Strength, RISC-V, Linux Capable, Multicore Processor 28 MAR 2019 Mark Wyse University of Washington DISTRIBUTION STATEMENT A. Approved for public release: distribution is unlimited. We

367 views • 15 slides
Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level

Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level

Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level MMU tricks 5 Garbage collection 1 / 40 Dynamic memory allocation Almost every useful program uses it - Gives wonderful functionality benefits

1.19k views • 43 slides
Highly Capable Performance Study Update Highly Capable Recommendation Action Recommendation 1:

Highly Capable Performance Study Update Highly Capable Recommendation Action Recommendation 1:

Highly Capable Performance Study Update Highly Capable Recommendation Action Recommendation 1: Develop program elements such as a Highly capable advisory team will facilitate process to articulate mission statement and program goals with

466 views • 10 slides
Measuring the Spatial Heterogeneity of Outdoor Users in Wireless Cellular Networks Based on Open

Measuring the Spatial Heterogeneity of Outdoor Users in Wireless Cellular Networks Based on Open

Spatial Heterogeneity of Outdoor Users in Wireless Cellular Networks Based on Open Urban Maps Measuring the Spatial Heterogeneity of Outdoor Users in Wireless Cellular Networks Based on Open Urban Maps Meisam Mirahsan Rainer Schoenen

515 views • 24 slides
The structure of cellular networks The structure of cellular networks To be able to construct and

The structure of cellular networks The structure of cellular networks To be able to construct and

The structure of cellular networks The structure of cellular networks To be able to construct and analyze a cellular network, we need to clearly define what we identify as a node and what we represent with an edge. The nodes and edges have to

680 views • 41 slides
Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot

Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot

University of Milano-Bicocca Department of Informatics, Systems and Communications Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Delft June 19, 2018 Context

329 views • 21 slides
Trademark and Unfair Competition Law Slides 9: Functionality LAWS 7341-001 Prof. Kristelia

Trademark and Unfair Competition Law Slides 9: Functionality LAWS 7341-001 Prof. Kristelia

Trademark and Unfair Competition Law Slides 9: Functionality LAWS 7341-001 Prof. Kristelia Garca Class Outline Functionality Utilitarian (aka mechanical) functionality Aesthetic functionality Morton-Norwich

749 views • 18 slides
Biology - the study of all living things Properties of Living Organisms 1. Cellular structure

Biology - the study of all living things Properties of Living Organisms 1. Cellular structure

2/18/2013 Biology - the study of all living things Properties of Living Organisms 1. Cellular structure and function Themes in Biology cell: basic unit of structure and function of organisms, capable of all life functions - covered by

661 views • 4 slides
for Cellular Networks dra<-arkko-core-cellular-00 J.

for Cellular Networks dra<-arkko-core-cellular-00 J.

Building Power-Efficient CoAP Devices for Cellular Networks dra<-arkko-core-cellular-00 J. Arkko, A. Eriksson, A. Kernen IETF 84, Vancouver, BC,

428 views • 11 slides
Mobility and cellular networks Mobility and cellular networks Cellular radio and PCS networks

Mobility and cellular networks Mobility and cellular networks Cellular radio and PCS networks

Wireless WANs Mobility and cellular networks Mobility and cellular networks Cellular radio and PCS networks Wireless data networks Satellite links and networks Mobility, etc.- 2 Basic concepts and directions in telecommunications

289 views • 7 slides
PUSH TO TALK OVER CELLULAR Product Overview What is Push-To-Talk ? PTT is a special feature on

PUSH TO TALK OVER CELLULAR Product Overview What is Push-To-Talk ? PTT is a special feature on

PUSH TO TALK OVER CELLULAR Product Overview What is Push-To-Talk ? PTT is a special feature on your mobile phone, tablet or PC that combines the functionality of a walkie-talkie or 2-way radio with normal mobile phone or PC. communication to

249 views • 23 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Biology 5-1 Cellular Biology Cell Structure General types of cellular structure:

Biology 5-1 Cellular Biology Cell Structure General types of cellular structure:

Biology 5-1 Cellular Biology Cell Structure General types of cellular structure: Prokaryote (e.g., bacteria and blue-green algae) Eukaryote (e.g., plants and animals) Professional Publications, Inc. FERC Biology 5-2 Cellular

742 views • 27 slides
Edmonds School District Highly Capable Program Assessment and Selection Process November 14,

Edmonds School District Highly Capable Program Assessment and Selection Process November 14,

Edmonds School District Highly Capable Program Assessment and Selection Process November 14, 2017 Mark Madison, Director of K-12 Highly Capable Programs Edmonds School District Agenda The Highly Capable Student The Highly Capable

514 views • 27 slides
1 Distribution of work: new functionality Distribution of work: fixes 7 8 Who reports

1 Distribution of work: new functionality Distribution of work: fixes 7 8 Who reports

The case for open source software Open Source Software Why Open Source Software / Free The process, the outcome Software (OSS/FS)? Look at the Numbers! David A. Wheeler The heat, the light Revised as of September 30 2004

464 views • 9 slides
Edmonds School District Highly Capable Program Assessment and Selection Process ~ Kim Hunter,

Edmonds School District Highly Capable Program Assessment and Selection Process ~ Kim Hunter,

Edmonds School District Highly Capable Program Assessment and Selection Process ~ Kim Hunter, Director of K-12 Highly Capable Programs Agenda The Highly Capable Student The Highly Capable Program Continuum The Assessment and

559 views • 28 slides
Lecture 3 Cellular Systems I-Hsiang Wang ihwang@ntu.edu.tw 3/13, 2014 Cellular

Lecture 3 Cellular Systems I-Hsiang Wang ihwang@ntu.edu.tw 3/13, 2014 Cellular

Lecture 3 Cellular Systems I-Hsiang Wang ihwang@ntu.edu.tw 3/13, 2014 Cellular Systems: Additional Challenges So far: focus on point-to-point communication In a cellular system (network), additional issues arise:

463 views • 44 slides
Lecture 3 Cellular Systems I-Hsiang Wang ihwang@ntu.edu.tw 3/13, 2014 Cellular

Lecture 3 Cellular Systems I-Hsiang Wang ihwang@ntu.edu.tw 3/13, 2014 Cellular

Lecture 3 Cellular Systems I-Hsiang Wang ihwang@ntu.edu.tw 3/13, 2014 Cellular Systems: Additional Challenges So far: focus on point-to-point communication In a cellular system (network), additional issues arise:

528 views • 37 slides
Management of ASON- -capable capable Management of ASON Network and its Control Plane Network

Management of ASON- -capable capable Management of ASON Network and its Control Plane Network

I nternational Telecom m unication Union ITU-T Management of ASON- -capable capable Management of ASON Network and its Control Plane Network and its Control Plane H. Kam LAM Lucent Technologies I TU-T W orkshop NGN and its Transport

449 views • 28 slides
Cellular Booster Testing Assessing WCS Service Capabilities 9.23.f1 1 Cellular Signal Booster

Cellular Booster Testing Assessing WCS Service Capabilities 9.23.f1 1 Cellular Signal Booster

Cellular Booster Testing Assessing WCS Service Capabilities 9.23.f1 1 Cellular Signal Booster Testing SiriusXM conducted laboratory tests of vehicular cellular signal boosters SXM evaluated the devices transmission capabilities over a very

329 views • 7 slides
3. Overall vision of smart grid The so called smart grid should be Intelligent - capable of

3. Overall vision of smart grid The so called smart grid should be Intelligent - capable of

3. Overall vision of smart grid The so called smart grid should be Intelligent - capable of sensing, rerouting power, and minimizing a potential outage - work autonomously and respond faster than humans Efficient - capable of meeting

278 views • 11 slides

More recommend