Hackers armed with a moderately sized network of zombie computers theoretically could knock out cellular service throughout the U.S., according to security researchers at Pennsylvania State University. In a report published Wednesday, the researchers explained how such an attack could exploit weaknesses in Short Message Service (SMS), which is used to send and receive text messages between mobile phones.

By engaging in a little creative hacking, attackers could build up databases of mobile numbers from specific regions and then flood those numbers with unwanted text messages. Attackers could use publicly available Web sites or messaging clients on zombie computers to send the text messages, which could eventually jam up the cellular towers that carriers use to send and receive SMS messages from mobile phones.

Because mobile phones use the same small portion of radio frequency, called the “control channel,” to both set up calls and send SMS messages, a flood of SMS messages could so overwhelm a cellular tower that it would effectively prevent any new telephone calls from going through.

This technique, called a denial-of-service (DoS) attack, has been used successfully to take down Web sites, but to date, it has not been used on cellular networks, the researchers say.

To be most successful, the attack would need to target telephones within a certain geographic region, but the Penn State researchers said that this can be done by using public databases and creative Google searches.

In fact, it would take little more than a cable modem to deny service to large metropolitan areas in the U.S. For example, a city the size of Washington, D.C., could be taken out by a DoS attack with a bandwidth of about 2.8M bps, they said.

“The amount of bandwidth that’s allocated to the control channel is exceedingly small,” said Patrick McDaniel, a professor of computer science and engineering at the university and one of the authors of the report.
“The reason why we can mount this attack with so few messages is the fact that there’s so little control channel bandwidth to be congested.”

In fact, some European networks have already been overwhelmed when legitimate SMS messaging has hit unexpectedly high levels, McDaniel said. “It’s happened by accident,” he said.

Though McDaniel and his fellow researchers said they expect U.S. carriers to change practices in response to their research, the report did not come as a surprise to some.

“We’re aware of this potential, and it is a very limited potential,” said John Polivka, a spokesman for Sprint Nextel Corp. “We have measures in place now to protect the network and our customers, including what’s been described in this paper.”

Even a successful attack would, at best, shut down most networks for only a short period of time, said Shiv Bakhshi, director of wireless infrastructure research with IDC.

“Every network operator has to be aware of this,” he said. “If for no other reason than they have seen such clogging with the legitimate use of SMS messaging.”

Still, the researchers have a few basic recommendations that could significantly mitigate the risk of this type of attack, McDaniel said.

Mobile operators could, for example, separate the text messaging and phone call initiation features within the control channel.
They could also make it harder for attackers to do on-line reconnaissance by reducing the amount of information they provide on the Internet, he said.

The Penn State report is available here: https://smsanalysis.org

By Robert McMillan – IDG News Service (San Francisco Bureau)