By JOHN SCHWARTZ
October 5, 2005
Malicious hackers could take down cellular networks in large cities by
inundating their popular text-messaging services with the equivalent
of spam, said computer security researchers, who will announce the
findings of their research today.
Such an attack is possible, the researchers say, because cellphone
companies provide the text-messaging service to their networks in a
way that could allow an attacker who jams the message system to
disable the voice network as well.
And because the message services are accessible through the Internet,
cellular networks are open to the denial-of-service attacks that occur
regularly online, in which computers send so many messages or commands
to a target that the rogue data blocks other machines from connecting.
By pushing 165 messages a second into the network, said Patrick D.
McDaniel, a professor of computer science and engineering at
Pennsylvania State University and the lead researcher on the paper,
"you can congest all of Manhattan."
Professor McDaniel and the other faculty author, Thomas F. La Porta,
have extensive experience in computer security, including work in the
telecommunications industry. The findings are expected to be released
today at Penn State, and as a formal research paper at a computer
security conference next month.
Cellular companies acknowledge that such attacks are possible, but say
that they have developed systems to prevent effective ones.
"If you're not prepared, that could happen," said Brian Scott, senior
manager for wireless messaging operations at Sprint. "If you are
prepared and you have means in place to identify, detect and mitigate
that, it's not as much of a concern."
Other specialists said such systems would face many of the same
obstacles as those that try to block denial-of-service attacks, one of
the thorniest problems in countering hackers.
"The solutions don't tend to be very elegant" in the Internet world,
said Gary McGraw, chief technical officer of Cigital, a security
consultant to the computing and telecommunications industries. "And I
believe it will be the same thing on cellphones."
In their research, the authors concluded that all major cellular
networks were vulnerable, and that a single computer with a cable
modem could do the job. The researchers do not appear to believe that
anyone has deliberately disrupted cellphone networks in this way,
although it appears to have occurred by accident in other nations.
The text-messaging system, called S.M.S. for short messaging service,
is an increasingly important part of the cellular network. Aside from
its popularity with users, especially teenagers, it has gained
prominence as a way to communicate when voice networks fail, as in
emergencies like the terrorist attacks on Sept. 11, 2001.
The system works even when cellular calls do not because text messages
are small packets of data that are easy to send, and because the
companies transmit them on the high-priority channel whose main
purpose is to set up cellphone calls.
But therein lies part of the vulnerability, Professor McDaniel said.
The control channel cannot handle large amounts of data, he said, so
by flooding the channel with messages, it is possible to prevent voice
calls from going through.
"This is a traffic-jam problem," he said. "You're sending too many
cars down a two-lane road."
Specialists not connected with the study said that weak link, combined
with computers' ability to automatically repeat Internet processes at
blinding speed, added up to a serious threat.
"Any time a vulnerability in the physical world exists that can be
exploited via computer programs running on the Internet, we have a
recipe for disaster," said Aviel D. Rubin, technical director of the
Information Security Institute at Johns Hopkins. "It is as though
those who wish to harm us have a magic switch that can turn off the
The Penn State researchers said that once they began exploring the
vulnerabilities of the network, they proved their concepts on a small
scale by using their own cellphones.
"We were very, very careful," Professor McDaniel said. "We never sent
more traffic than was necessary."
Their research proved that blocking networks was possible, a
conclusion they later verified in private conversations with telephone
company engineers and government regulators, he said.
One challenge for would-be attackers, according to the paper, is
pulling together a list of working cellphones in a specific
geographical area. But that, too, is made simpler via the Internet;
the authors describe a process using Google and some search tricks
that allowed them to collect 7,308 cellular numbers in New York City
and 6,184 from Washington "with minimal time and effort." Though the
vulnerability is serious, Professor McDaniel said, it is still the
kind of thing that could only be carried out by skilled attackers, at
least for now.
"It seems to me unlikely that a small number of unsophisticated users
would be able to mount this attack effectively," he said.
The paper, to be posted online at www.smsanalysis.org, also offers
suggestions for heading off the problem. The most direct solution,
simply disconnecting the short messaging services from the Internet
gateways, is not practical, Professor McDaniel said. But technologies
to limit the messages being inserted into the network could provide
some protection. Among the other recommendations is separating the
voice and data in the next generation of cellphone technology so data
jams cannot affect voice calls.
Cellular companies said they were moving forward on this and other
A spokesman for Cingular, Mark Siegel, said his company "constantly
and aggressively monitors potential threats to the integrity and
security of its network," but added, "As a rule, we don't comment on
the defensive measures we have put in place or may put in place."
Dave Oberholzer, a marketing manager for information at Verizon
Wireless, said the company was well protected
against this kind of attack because of software the company had put in
place to insulate users from cellphone message spam. "We have fairly
robust spam filters on those gateways," he said. "All of that is
pretty much automated at this point."
Mr. McGraw, the chief technical officer of Cigital, said the goal of
research like the Penn State paper was not to help hackers scale new
heights, but to alert companies to problems before someone exploited
Getting the word out "has to be done very responsibly and very
carefully," he said. "You don't want people to panic, but you do want
them to sit up, take notice and do something about it."