Jamming Cellphones with Text Messages
Steve writes "Some Penn State professors and students have published a way to jam cellular voice service with simple text messages. From the article: 'Because text messages are transmitted on the same signal that is used to set up voice calls, just 165 messages a second is enough to disrupt all cellphones in Manhattan.' Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network.'"
165 messages a second would cost you about ten thousand dollars a minute, at the prices the cell companies charge.
Note to mods: I'm probably being sarcastic.
macslash's gone cold I'm wondering why I got out of bed at all
The morning rain clouds up my window and I can't see at all
And even if I could it'll all be gray but your picture on my wall
It reminds me, that it's not so bad -- it's not so bad
Dear Ben, I wrote but you still ain't callin
I left my email, my ICQ, and my yahoo chat at the bottom
I sent two emails back in autumn, you must not-a got 'em
There probably was a problem with your mail.app or somethin
Sometimes I scribble email addees too sloppy when I jot 'em
but anyways; fsck it, what's been up? Man how's your boxes?
My boxes is mac too, I'm bout to be a compiler
once I learn gcc,
I'ma go on and compile for hours
I read about your Palm Pilot too I'm sorry
I had a friend lose his Palm over at the airport in Maradonna
I know you probably hear this everyday, but I'm your biggest fan
I even read all your bullshit Mac news and Microsoft's man
I got a room full of your posters and your pictures man
I like the way you sold your ass out too, that shit was fat
Anyways, I hope you get this man, hit me back,
just to chat, truly yours, your biggest fan
This is Aaron
Dear Ben, you still ain't called or wrote, I hope you have a chance
I ain't mad - I just think it's FSCKED UP you don't answer fans
If you didn't wanna talk to me outside your Mac World
you didn't have to, but you coulda signed an autograph for Matthew
That's my Senior sys admin he's only 26 years old
We waited on a 9600 baud for you,
four hours and you just said, "No."
That's pretty shitty man - you're like his fsckin idol
He wants to be just like you man, he likes you more than I do
I ain't that mad though, I just don't like bein lied to
Remember when we met in Boston - you said if I'd write you
you would write back - see I'm just like you in a way
I never had a clue about shit either
I gcc'd shit with my wife then beat her
I can relate to what you're saying in your page
so when I feel like rmusering I read macslash to begin the rage
cause I don't really got shit else so that shit helps when I'm depressed
I even got a tattoo of macslash across the chest
Sometimes I even packet myself to see how much it floods
It's like adrenaline, the DDoS is such a sudden rush of blood
See everything you say is real, and I respect you cause you tell it
My girlfriend's jealous cause I talk about you 24/7
But she don't know you like I know you Ben, no one does
She don't know what it was like for people like us growin up
You gotta call me man, I'll be the biggest fan you'll ever lose
Sincerely yours, Aaron -- P.S.
We should be together too
Dear Mister-I'm-Too-Good-To-Waste-A-Packet-On-My-Fans,
this'll be the last packet I ever send your ass
It's been six months and still no word - I don't deserve it?
I know you got my last two emails
I wrote the @ signs on 'em perfect
So this is my payload I'm sending you, I hope you hear it
I'm on my modem now, I'm doing 9600 baud so fear it
Hey Ben, I drank a fifth of vodka, you dare me to code?
You know the song by Deep Purple or Slayer
it's irrelevant by playing on my linux player
while I write some php scripts and play some Dragonslayer
That's kinda how shit is, you coulda rescued me from drowning
Now it's too late - I'm on a 1000 downloads now, I'm drowsy
and all I wanted was a lousy letter or a call
I hope you know I ripped +ALL+ of your pictures off the wall
I love you Ben, we coulda been together, think about it
You ruined it now, I hope you can't sleep and you dream about it
And when you dream I hope you can't sleep and you SCREAM about it
I hope your conscience EATS AT YOU and you can't BREATHE without me
See Ben {*screaming*} Shut up bitch! I'm tryin to code
Hey Ben, that's my senior admin screamin from the commode
but I didn't cut the power off, I just rebooted, see I ain't like you
cause if rm -rf'd we'd suffer more, and then the boxes die too
Well, gotta go,
Would that be raspberry jam?
Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
At 25 cents per text message that will add up pretty quickly!
Magic Link, hopefully without a session id.
http://www.nytimes.com/2005/10/05/technology/05phone.html?ex=1286164800&en=d917b9cd43dfaa31&ei=5090&partner=rssuserland&emc=rss
_JS
You could send 165 text messages a second OR you could keep calling the phone you want to disrupt!
165 times a second? Beauty.
If brevity is the soul of wit, then how does one explain Twitter?
So you don't have to give up your first born:
NY Times Registration
-dave
http://millionnumbers.com/ - own the number of your dreams
more like!
Engineering is the art of compromise.
Preface
Spammers have screwed up so much of what was once usable. Yet most users of the Internet are entirely unaware of it. They see spam only as part of being online. They think it's like other advertising, and some even think it's their ISP doing it.
William R. James
March 10, 2003
Thank the Spammers
Oddly enough, I remember a time when closing a relay was considered extremely rude. In the early days of the Internet, everyone who connected to it took some responsibility in helping to ensure that all the Internet's traffic was routed to its destination. Some places had better connections than others and some connections were unavailable at times for various reasons. So part of connecting your machine to the network was sharing the load and donating little bits of bandwidth here and there so the Internet ran smoothly for everyone. Relays were important because sometimes a user's home server was unavailable.
Then came the spammers. Because they abused the relays, like they abuse everything else, the relays had to be turned off. They found that they could abuse the relays and cost others hundreds or even thousands of dollars, but it prevented them from losing the $10 dialup account or free NetZero account. It's like a thief who steals a $1000 wedding ring with priceless sentimental value just to sell it for a $20 cocaine fix. Old software which ran perfectly well had to be replaced just to close the hole which was so important to leave open before. Yeah, thank the spammers for that.
But that's not the only thing the spammers have ruined. Free ISPs were growing. These services weren't perfect, they came with ads which were intentionally in the way, but that paid for the service, so it was OK. Over all, NetZero's service was actually pretty good even if it did have that open window in the way. But spammers learned that they could abuse those too, and their mind-set is "abuse it quickly before it goes away" knowing that the abuse is what will make it go away. But each spammer wants to be the one to milk it dry before the next spammer does, and all of them combined make it useless. Thanks, spammers, thanks a lot.
Try querying any database which has email addresses anywhere in it. They have to either make it pay only, or make you type in something associated with an image before you can retrieve data. Why? Because spammers found out there were valid email addresses in them and started hammering the servers with automated software, grabbing the entire database, using up all the bandwidth 1000 times over, just to harvest a handful of addresses from it to abuse as well. So to defend themselves and keep their servers from crashing, database owners had to make it impossible to query automatically. Thank the spammers.
And let's not forget Usenet. Munging addresses was once considered blatant abuse. Now very few people post with a valid address. If you want to discuss something off-line or off-topic with a poster, you either can't do it via email or you have to manually "decode" and type in their address. Thank spammers for that too.
The spammers claim to be running legitimate businesses, but legitimate businesses who ask for email addresses when you download their product get 99.9% garbage addresses now. Sign up for anything online and you have to use an email address which you don't expect to keep. The trust is rightfully gone. Again, that's something else for which you can thank spammers.
If you happen to run an authentic, legitimate business, you can't even post your own email address on your web site anymore. If you do, any addresses you publish for use by customers are instead harvested and added to thousands of spammers' lists. They become no longer usable in a very short time. So even though it may mean fewer orders, and the customer has to type more and may lose trust in your business because you can't give them an email address, you have to use contact forms and hide your address. Thanks, spammers.
And what about those contact forms? They are also targe
WTF, the story's been out 30 seconds and TripMasterMonkey hasn't posted yet?
I'M NOT ANGRY!
A more detailed description of the threat is at smsanalysis.org/. The actual paper is at smsanalysis.org/smsanalysis.pdf.
Do macs still ship with that?
I guess it's kinda like a cell phone getting slashdotted too!
and have the University fire the professors for sparing the rod!
Scott McNealy to Michael: "Suck my Sun!" Michael Dell to Scott : "Lick my Dell!"
Don't you think that there are already more than 165 text messages being sent out every second in Manhattan?
This story has been out for a minute and you've written a longer reply than the article!
Most people don't know that you can send text messages for free through Google's text messaging service.
... hello? ...hello?
http://toolbar.google.com/send/sms/index.php
Now all you need is a perl script and
-------------
judge a man by his wallet
------ The best brain training is now totally free : )
The reason for this prioritisation is that delaying isochronous (eg. voice) data makes it unusable, but backing up text is OK. If you try jamming with text all you'll end up with is a load of backed up text.
Engineering is the art of compromise.
Maybe it is time to bring back CDPD (Cellular Digital Packet Data). It transmits data only when the cellular voice channels are silent.
Ah. So that's why it costs an insane amount of money to send a text message (well, that and a text message may mean "no phone call to bill for".)
Also- can anyone explain why data is still so damn expensive? I have a data capable phone w/bluetooth, I travel a fair bit...but I don't ever use the data service, because it's so incredibly expensive. 2-8MB runs you almost as much as the voice service does!
Seems like they could make a lot of people happy if they made data more affordable. I guess we'll have to wait for one of the providers to start competing on that front, instead of buying each other up? :-)
Please help metamoderate.
Last year I had a friend that wrote an app that would text message a verse from the 12 days of Christmas every day, but something went horribly wrong and I was getting messaged a verse from that damn song every few milliseconds for a couple hours straight. Not fun.
Hey Steve! (you ass)
the research paper with technical details
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
"It seems to me unlikely that a small number of unsophisticated users would be able to mount this attack effectively."
Who cares! Those aren't the people we're worried about. It would just take ONE sophisticated user to mount this attack.
End transmission.
The websites I'm forced to register for must be puzzled at the amount of interest they have from the Federated States of Micronesia.
Do you have a source?
With this simple website you could send out countless text messages to the same phone. Best of all, it's free to send, not to receive.
If we all did it (no, we should not all do this) it would, if I understand the article correctly, crash the system that phone is on.
But I am sure the Slashdot crowd could get more than 165 per second out
There must be at least a million cellphones in Manhattan. I'd say it's safe to say that each cellphone would send an average of one text message a day.
So there are already somewhere in the rough ballpark of 1 million text messages being sent a day. Possibly many more, probably no less.
That equates to 41,000 per hour, or 72 per second, on average.
Now of course the texts aren't spread evenly over those 24 hours. The majority of those messages will be sent during 12 hours of the day, which would mean during those 12 hours the average texts/second would be pretty close to the number of texts they say would overload the network.
I AM a 5300# black woman who was born in 1906 you insensitive clod!
SMS is quite popular in Europe. Many people in some European countries use SMS more than they would a voice call. With so many people using SMS, how come we don't see a lot of denial of service from a lot of use of SMS?
Part of the blame rests on people who complain about spam but then buy things advertised through spam. Without this reinforcement spammers would be greatly diminished.
A spammer is not a hacker. Mail bombers have existed for ages but nobody does it anymore because it's pretty traceable (even through open relays)
Teleflip.com also allows you to send text messages. It's free, no registration, it's all via email.
If the cell phone number you want to reach is 999-555-4444, you just send an email to 9995554444@teleflip.com, it's automatically forwarded through the phone network.
So this is looking easier by the post.
I don't buy it for one very big reason - the cells are functionally independent and Manhattan has a *lot* of cells. That means you could shut down a single cell with text messages if you targeted a single phone but a simple throttle on the number of messages to a single phone number would prevent that.
Now if you could figure out how to send messages to a bunch of different phones all in the same cell then you may be able to take that one cell out of business for a while, but DoS all of Manhattan? I think not.
Fear: When you see B8 00 4C CD 21 and know what it means
Manhattan usually has 5+ million people in it all day long. 165 msgs:sec is only 10K msgs:minute. I'm surprised Manhattan doesn't already get that kind of traffic. Especially after a big event, like a World Series win, or a stock market crash. I'd say "terrorist attack", but the last one destroyed the 7 World Trade building, which took out Verizon a lot more definitively than a DoS attack. But that hardly seems necessary to generate texts from 0.5% of Manhattan within a minute.
--
make install -not war
Except that it's not free to the one receiving the message. I get charged 10 cents for each received message. So if I message my mom, she pays 20 cents.
The reason is in the EU areas, bandwidth isn't so TIGHTLY restricted. That's why they've got internet connections better than what most of the USA has. Most people I know of in the EU areas pay roughly equivalent to what we do for a 10 mbit down / 2 mbit up connection, if not higher. (These are people on IRC, I wouldn't know about those I know thru IM services)
We've got, what?? Comcast with 7 mbit (shared) down and 1.5 mbit (dedicated) up, as the "potentially best" service? (Roadrunner offers 10 mbit down, but only 512 kbit up, Speakeasy is 6 mbit down dedicated, 768 kbit up dedicated?)
These people have a much larger pipeline to use. *NOW* the big difference is the pipeline leaving their country to go to other countries. Any bets on where most of that data gets sent? You betcha, USA.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
.... with Verizon's *in* network, $5 a month flat rate to other Verizon members.
Verizon kicks ass.
-everphilski-
Hey all you guys in Manhattan! Are your cell phones working? If so, then I'll up the number of SMS/second.
-Palal
I know from connections to several European 'short message service centers' that they won't accept more than 10 or 100 messages a second even for wholesale connections (content providers, chat providers, tv games etc.). The overall capacity can never overflow the network since there is a limiter on the SMSC.
jouwnieuws!
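Added example, not part of the thread: a minimal Python sketch of the two controls mentioned in the comments, a per-connection cap at the SMSC and a throttle per destination number, written as token buckets. The 100 msg/s link rate is the figure from the comment above; the burst sizes, the 1 msg/s per-number rate, the class names and the sample numbers are assumptions made for illustration.

```python
from collections import Counter


class TokenBucket:
    """Classic token bucket: `rate` tokens/s, holding at most `burst` tokens."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = rate
        self.burst = burst
        self.tokens = burst      # start full
        self.last = now

    def refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now


class IngressLimiter:
    """Admission control for one wholesale connection into an SMSC (hypothetical).

    A message is accepted only if both the destination's bucket and the
    link-wide bucket hold a token; otherwise it is deferred (left in the
    store-and-forward queue) and neither bucket is charged.
    """

    def __init__(self, link_rate=100.0, link_burst=10.0,
                 dest_rate=1.0, dest_burst=5.0):
        self.link = TokenBucket(link_rate, link_burst)
        self.dest_rate = dest_rate
        self.dest_burst = dest_burst
        # One bucket per destination; a production limiter would expire idle entries.
        self.per_dest = {}

    def admit(self, dest, now):
        bucket = self.per_dest.get(dest)
        if bucket is None:
            bucket = TokenBucket(self.dest_rate, self.dest_burst, now)
            self.per_dest[dest] = bucket
        bucket.refill(now)
        self.link.refill(now)
        if bucket.tokens < 1.0:
            return "deferred_destination"
        if self.link.tokens < 1.0:
            return "deferred_link"
        bucket.tokens -= 1.0
        self.link.tokens -= 1.0
        return "accepted"


def replay(limiter, destinations, per_second=165, seconds=1):
    """Offer evenly spaced messages at `per_second` and tally the outcomes."""
    outcomes = Counter()
    for i in range(per_second * seconds):
        dest = destinations[i % len(destinations)]
        outcomes[limiter.admit(dest, i / per_second)] += 1
    return outcomes


def single_number_case():
    # Constructed sample: every message addressed to one (fictional) number.
    return replay(IngressLimiter(), ["+15550100000"])


def many_numbers_case():
    # Constructed sample: 165 distinct (fictional) numbers, one message each.
    numbers = [f"+1555010{i:04d}" for i in range(165)]
    return replay(IngressLimiter(), numbers)


if __name__ == "__main__":
    print("one destination :", dict(single_number_case()))
    print("165 destinations:", dict(many_numbers_case()))
```

The per-number throttle alone does nothing when the load is spread over many numbers, which is why the link-wide cap is the control that bounds what reaches the signalling channel.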
Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network'
Yeah, we've upped it, now you have to send 172 texts per second!
Ignorance is not a crime; neither should it be a way of life
Congress control $ = inmates run the asylum
Next up, the Motorola JAMR!
When a simple check with google calc directly disproves the post. Mods on crack.
Everybody on the count of three! Start text messaging microsoft.com as fast as you can! From there we'll move on to Yahoo.com, and maybe even cnn.com for fun!
Generation Trance: What generation are you?
You can email a text message to someone's phone, and for some carriers it is an automatic $0.10 or more a message received and the receiver can't not receive it. Here are all the SMS addys:
Sprint: 10-digit-number@messaging.sprintpcs.com
Verizon: 10-digit-number@vtext.com
AT&T: 10-digit-number@mobile.att.net
T Mobile: 10-digit-number@tmomail.net
Nextel: 10-digit-number@messaging.nextel.com
Cingular: 10-digit-number@mobile.mycingular.net
Alltel: 10-digit-number@message.alltel.com
I can see how they could put in safe-guards like monitoring multiple messages from an IP in a certain time frame. But smart programmers can work around this fairly easily.
email away!
I think you're really misunderstanding the issue. A DoS by flooding the cell with SMS messages has the chance of working because on-the-wire, (or "on the air", if you will) it uses the exact same portion of the GSM mobile phone protocol as setting up new calls (and other network control messages). As you can see, this has nothing to do with the land-line connectivity the tower uses beyond the airwaves.
It's still possible that the "last-mile" providers in the USA simply don't feel the need to upgrade their DSLAMs or even make full use of the stuff that _IS_ installed at the exchange until absolutely necessary so they still have a low-cost path of remaining competitive as the market demands and expectations change.
Perhaps, as you say, the telecomms backbone doesn't have sufficient capacity to provide everyone with services of higher speeds but simply comparing the end-user DSL service speeds in each country doesn't give you this information, it's not the full picture. For example, it's possible the EU providers upgraded their "last mile" infrastructure first and are upgrading their backbones concurrently, or later.
You might be interested to know that in rural Australia, they usually "skip" a generation or two of technology; I remember when I was a kid that by the time touch-tone phone service became available in 1988 in my tiny home-town, it was replacing a human-operated exchange and that plenty of larger municipalities were still stuck with pulse-only exchanges. Perhaps what you're seeing in some parts of the EU is a refreshing of old infrastructure with the highest tech available, because they don't get to do it very often (upgrades, that is).
Of course, the USA is the centre of the universe...
What is the point of the study or what not that these professors were doing? ... and why publish the results out loud?
... someone set me straight if I am reading these things wrongly...
If it were true, and they release findings like that, wouldn't that be like just painting a big target sign on cellular infrastructure?
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
I'm posting this on my cell phone as my friend attempts to ja&^. .HJ@#
[Carrier Lost]
Why would anyone bother? Just cross-post a flame to about six different newsgroups with the intended targets address as the return address. Follow up by signing them up for plenty of free porn and you can let the nut jobs and spammers handle it for you. Not that I'd do such a thing, but I think mail bombing ceased to be a great affliction since 80% of email traffic became spam.
An excellent book. One of the first books in the required reading list for my Sociology course.
Back in 2000 I was writing native Blackberry applications. At the time the RIM network was Artus, and you could send 100's of short Artus packets directly to the MIN of the device. BAM! The tower went down till you stopped. The smaller the message the higher the priority - the easier it was to bring down the tower.
"We monitor our network for security issues - BULLSHIT", they monitor the billing systems and channels for abuse - sure - but not the QOS.
You could jam it with a signal jammer too.
And a whole lot of other ways. But their method isn't good for anything if the priorities are set up correctly for the cell.
world was created 5 seconds before this post as it is.
Someone try this, I'm in Manhattan now, and I'll write back if it works.
Let's look at it this way:
Sources of Bandwidth/Attacks
The original article assumes you wanted to take out more than one sector in the cellular coverage. If you wanted to be more specific and pinpoint only a handful of sectors, you would need less than the numbers the article specifies.
Most text messaging service providers have email gateways. This is one of the reasons why I disabled my text messaging capability. No way to filter the message and at $0.10 / message, it is too abusable.
A weak computer running a fast multi-threaded emailer (Postfix) can dump a fair amount of email at an email-to-sms gateway. It is amazing how many messages/sec you can achieve if you tweak your configuration. 3-4 well placed and configured systems could take out a sector or 2. Distribute that over 10-20 thousand zombies, and you have much greater capacity and better redundancy. The provider will either need to already have anti-DDOS equipment in place or shut down the gateway. Bounce those over open relays and it makes dynamic rerouting even more difficult.
Scenario:
There is a convention going on. Someone was going to launch an attack on the convention site. They don't need to wipe out access to the entire city. They only need to wipe out access to the cellular cells/sectors covering the convention area itself.
So, they gain access to a list of peoples' phone numbers, who will be attending and SMS-bombard those numbers.
Guess what? Since all of those numbers are at the convention site and being serviced by a fixed number of cellular cells, you have now effectively targeted those cells and overloaded them.
With the cell access busy, to the people trying to make calls or receive calls at the convention, an attack on the convention would only be reportable by landline and/or by bystanders outside of the convention center.
Say the attack is a silent one: chemical, toxin, biological. The emergency response would be delayed enough that most of the target individuals would be dead before help could arrive. Most people these days depend heavily on their cell phones. The first thought isn't to try to make a call on a landline for many.
Another abuse would be to use the system to financially deplete another organization's funds by ramping up their telco fees through excessive messaging via a zombie network. While most organizations might have flat fee subscriptions, some do not. Especially for their one-off need-it-now cellphone plans.
I've actually called my provider and asked them about filtering and blocking, but they have told me that it was either completely on or completely off. I chose completely off.
Winged Power Photography
Several years ago I was involved in solving a similar problem in the GSM/MAP/SS7 backbone network of a major European cellular provider/broker. In that case, there was a problem because the SMS messaging is carried in the MAP "signalling" layer, which resulted in the waste of the vast majority of the bandwidth that was meant to be used to handle subscriber management, roaming, authentication, etc. The network (which provided roaming between 100+ sizable European, Asian, and North African carriers) was being saturated with internet-generated SMS text messaging. Essentially, we were only able to block the traffic, having little control over its generation and/or entry into the network.
Clearly the people that designed the air interface made the same poor architectural decision.
Surprisingly even just looking for a peak over 165 doesn't change the conclusions too much.
We can use the Poisson distribution to model random arrivals (like text message requests). For example, if the average number of messages sent per second is 138, but they arrive randomly over time, then there is approximately a 1% chance of getting over 165 messages in any particular second we choose to examine.
Or, if the average TM's per second is only 119, then the probability of going over 165 in any single second is 1/37,000. Since there are 28,800 seconds in the 8-hour working day, if the average is below 119 (which it surely is), it would be unlikely even to see a single disruption in an 8-hour period. I admit I was surprised the numbers came out this way, but they did. It ain't gonna happen.
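Added example (not part of the comment above): the Poisson tail calculation the comment describes, using only the Python standard library. The 165 msg/s threshold, the 138 and 119 msg/s averages and the 28,800-second working day come from the thread; the function names, the 1% risk target and the independence of successive seconds are assumptions of this sketch.

```python
import math

CAPACITY = 165             # msgs/s figure quoted in the thread
WORKDAY_SECONDS = 28_800   # 8-hour working day, as in the comment


def poisson_tail(mean_rate, threshold):
    """Return P(X > threshold) for X ~ Poisson(mean_rate), mean_rate > 0."""
    total = 0.0
    k = threshold + 1
    while True:
        # Log of the Poisson pmf; lgamma(k + 1) equals log(k!).
        log_pmf = -mean_rate + k * math.log(mean_rate) - math.lgamma(k + 1)
        term = math.exp(log_pmf)
        total += term
        # Past the mean the terms shrink monotonically; stop once negligible.
        if k > mean_rate and term <= total * 1e-17:
            break
        k += 1
    return total


def expected_overloaded_seconds(mean_rate, seconds=WORKDAY_SECONDS,
                                capacity=CAPACITY):
    """Expected number of one-second windows that exceed capacity."""
    return seconds * poisson_tail(mean_rate, capacity)


def prob_any_overload(mean_rate, seconds=WORKDAY_SECONDS, capacity=CAPACITY):
    """P(at least one window exceeds capacity), treating seconds as independent."""
    p = poisson_tail(mean_rate, capacity)
    return -math.expm1(seconds * math.log1p(-p))


def max_mean_rate(capacity, per_second_risk):
    """Largest integer mean rate whose per-second overload risk stays within target.

    This is the capacity-planning direction of the same calculation: given a
    channel limit, how much average load leaves the chosen headroom.
    """
    rate = capacity
    while rate > 1 and poisson_tail(rate, capacity) > per_second_risk:
        rate -= 1
    return rate


if __name__ == "__main__":
    for mean in (138, 119, 100):
        p = poisson_tail(mean, CAPACITY)
        print(f"mean {mean:3d}/s: P(>165 in a second) = {p:.3e}, "
              f"expected overloaded seconds per workday = "
              f"{expected_overloaded_seconds(mean):.3f}, "
              f"P(any) = {prob_any_overload(mean):.3f}")
    print("max mean rate for 1% per-second risk:", max_mean_rate(CAPACITY, 0.01))
```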
And that is why I do not regret the purchase of ISBN : 0520219783
a.k.a. Damned Lies and Statistics: Untangling Numbers from the Media, Politicians, and Activists
One would think the guys and gals that set these systems up have thought of such things and keep their eyes open for it (think message throttling). A text-message outage wouldn't have nearly the impact of a voice outage.
I'm writing a paper on how you put enough cars thru a major traffic intersection and it will create a problem and cause downtime in that area. I'm going to call it a 'traffic jam'.
Tell us something we didn't know.. every technology has its limit, flood it beyond capacity and you will see it fail.
nice.
-b
For those of you who have never looked at a real phone network, allow me some bandwidth:
Nobody has ever allowed for a one to one switching network like you may have seen with a switched hub. It's too expensive. They use trunk lines instead. The number of trunk lines depends on the statistics of the local area calling. There are benchmarks to use for various types of service. These systems are designed for four and five nines of up time. But it's not overload proof. You have all gotten fast busy signals before. That's because there were no trunks available.
What these folks have figured out is how much bandwidth a typical cell site can have. They have figured out how many text messages it would take to fill up that available bandwidth. Big Deal. Cell sites do saturate. This is not a design "flaw" --it's a design point. Just as almost nobody builds buildings to withstand 200 MPH winds, almost nobody builds that much bandwidth in to a cell site. You could, but it would almost never get used.
Instead we build them to handle almost all conditions. Yes, they can saturate. That's a political design issue. Someone who knows the design points can certainly overload one. But during normal use, they will work just fine. Since there are no lasting effects from such overload, most engineers figure that people will just clear out before things get too dicey.
Naturally, some twits who want to jam cell phone conversations will find plenty of ways to do this. The network is built for civil use --not military use. That's why police and fire authorities use separate communications networks (or if they don't they're just asking for trouble). That's why ham radio operators are often able to render assistance when everyone else is busy trying to call home. Common Carrier networks will overload at some point, just as roads can saturate and slow to a crawl. We'll never have enough bandwidth or enough roads. But we can ensure that there will be enough to get by.
The Times could do for a brief lesson in engineering design criteria...
Nearly fifty percent of all graduates come from the bottom half of the class!
I was listening to NPR earlier (and also checked random news sources when I got home) and found that quite a few news sources analogized "hacking on the internet" like this form of hacking. However, this sort of attack sounds more similar to a DoS attack rather than finding exploits to break in.
I have personally witnessed the monitoring that is performed by cellular network providers. I was actually pretty impressed with Verizon for it. Our company uses the Verizon network for cellular networking of computers (Internet connectivity through a PCMCIA-based cellular modem). We received a phone call out of the clear blue one day from a Verizon network technician who asked if we were having a problem with one of our machines. Though we hadn't seen any connectivity loss according to the machine's logs, they reported more than 10,000 attempted connection failures from our machine in a 24 hour period. They said this was usually indicative of an antenna problem on one of their towers, apologized profusely and said they had a crew out at the tower probing for the failure already. All this and we weren't even aware there was a problem.
My mod points expired a couple of days ago.
Could someone please mod this up?
Thanks.
There is usually more than one control channel, and they are wide(r) channels compared with the other channels. Control channels (the actual RF) are transmitted at a higher dB than the other channels for aiding in receiving the channel clearly on a mobile terminal.
My dad works as an engineer for Telus. He's not a senior engineer, but he gets to go into those really cool cellular offices you see sitting next to the antenna tower. (I've never been in one but he's taken a few snaps-very neat environment) He DOES know what's going on for the most part. Some of the guys that go in there are maintenance guys who replace boards, some do firmware upgrades, some do safety etc.
My dad primarily does stuff with the backhauls most of the time, but at other times he is instructed to do other tasks. There is an actual box (more of a module) that handles the text messaging. It seems the wireless telcos pay for hardware devices when software could probably do the trick! One of the (Windows!) software based readouts on a monitoring station actually provides semi-real time stats of the SMS traffic, it goes thru some kind of an ATM router that I have no idea what it does exactly.
He was saying he notices trends (at each cell site) for text messaging. For instance during the summer, the text messages actually get a heck of a lot more active in the evening than they are in the day. (the sending of text messages from a mobile unit to a mobile unit).
So yes, I don't FULLY understand the article, because I didn't study it with as maybe a fine comb as you may have, my apologies. However I do have insight in the subject-I am not an expert, and because my father is in the business this does not make me an expert although he is. But what I'm getting at is it's not a bandwidth thing (very low speed connections can handle a considerable amount of traffic), it's more of a poor setup. The control channels actually signal the phones that something is going to happen, and the phone/network determine what kind of a connection should be setup/how much bandwidth/circuit switched or packet switched, etc,etc,etc. With the whole setup, my bandwidth figure is low. These towers can pass several Mbits/sec thru the air. The control channels are wider than the other channels and can pass those 32K/sec with ease. Well it just so happens with the system I've been told about is, yes control channel traffic is kept to a minimum (as much as possible), however when there are several events lined up, the system IS intelligent enough not to setup and tear down sessions on demand repetitively. It does accept a queue of traffic and that traffic moves very gracefully across the line. Yes, not all SMS traffic is passed thru the control channel in all systems. These are not 'pie in the sky' setups, these are systems you and I use everyday.
I think for that article to be completely valid a number of things would have to be setup (or maybe I should say 'setup incorrectly' at the wireless telco providers end of things) for that attack to actually take place and work.
Why don't you write a script to pump 165 text messages a second into the network and see what happens? By the way, use another mobile phone to monitor while your running the script to see what happens (yes I'm sure your script isn't controlling a bot net or anything, because you're not a mean guy or gal). I can tell you what will ACTUALLY happen ---- NOTHING.
If a provider would actually not pay attention to this vulnerability (if you call it that) they would have been off-line a while ago. This article is basically saying that if your wireless telco is stupid, there network shouldn't be working right now.
Come on, article aside, th
Let me state this openly.... PLEASE HIT LOS ANGELES WITH THIS! It would be amazing to watch everyone focus on the road, and not their conversation about who slept with who last night.
On a further note, I am curious as to whether they block SMS relays, like teleflip, spicesms, etc.
For example, I send an email to my phone number @teleflip.com
For example, let's say my phone is (818)284-5555 (not real). I'd send an email to 8182845555@teleflip.com and the relay would send the email as an SMS to my phone regardless of what carrier I use.
So, theoretically, could you find a list of 1000 sms relays, and smtp bomb the heck out of em, and would it get through? and would you be able to hit that mystical 165/s mark?
The article didn't seem to mention where the messages had to originate. I would assume if the message isn't originating on the network (through an sms relay) it wouldn't hit it as hard.
Do NOT goto this URL http://www.forthesims.com
I wonder if CDMA networks would be less likely to be affected by this sort of attack since all data is sent on the same channel anyway. There is a quote in the article from Verizon (who uses a CDMA network) but it didn't really go into specifics.
SIGFAULT
I had assumed that the text message system was insanely overpriced, because with any sane design sending or receiving a text message should use less airtime and bandwidth than a fraction of a second of scratchy hold music.
If only 165 messages a second is enough to overwhelm a cell that can run dozens of high-quality voice channels, let alone use more than a couple of packets on the equivalent of a BRI's "D" channel... what kind of overhead do the damn things HAVE?
When I have an incoming text message, I get the sender and a choice to READ or CANCEL, and if I cancel, I don't pay.
The best Comcast will give you is 8mbps download, 768kbps upload.
A T1 line is around 200 monthly, a DC-3 is about 2000. OC-3 runs at $7000+.
The reason they have "overhead" is that they use the (limited) control (signaling) channel. I understand SMS was added to the GSM standard late-ish in the design process.
If you're feeling masochistic, have a look at the spec here.
Who uses Sprint's network, I have seen effects of cell sites being overloaded. In areas where hurricane evacuees flocked, we've gotten tons of calls about people unable to make voice calls. I don't know if SMS spam could do the same thing, but cell networks are quite possible to strain. Don't know if this helps the discussion, but it's what my experience has taught me.
This is another of those great stories where people release research on the bleeding obvious.
Has anyone tried to use their handset in a heavily populated urban area at around midnight on New Year's Eve? Surprisingly enough, due to all the people sending "Happy New Year" SMSs the network falls to its knees - the spike in traffic is such, we were carrying of the order of thousands of SMSs/second, that it is simply uneconomical to build a network that will support it (you would have half your capacity unused for the rest of the year).
Maybe I should apply for a professorship at Penn State as not only did I already know that, I was also responsible for putting a solution together to deal with these very issues at my employer (large mobile telco) last Xmas/New Year. You can actually manage the level of service you offer to get around this and give priority to 999 (911) calls and calls made by handsets owned by the emergency services (and network engineers).
... just remember that low-digit telephone numbers (xxx)xxx-0000, (xxx)xxx-0001, (xxx)xxx-0002, etc. usually belong to the techs for that area. ;)
My ISP monitors my internet too but I go way over my monthly limit (some odd 40GB a month) and they don't catch that...
(yes I know I suck at spelling, feel free to correct my grammar and/or spelling, I don't care, I'm still not going to change
I saw this coming, and I see more coming yet. Cell phones will have all of the bad aspects of computers (crashing, viruses, spam, hacks, expense) and none of the benefits. I've never gotten one - I have too many other tech gizmos to bother with - and I'm beginning to be glad I didn't.
I definitely know that GSM and related standards send SMS over the control channel. Multi-media messages use a 'voice' channel as the control channel is easily overloaded.
See my journal, I write things there
If you know the zip and exchange you wish to take down, you can just walk every 4-digit combination (and it doesn't matter if the number's good or not; it'll be routed regardless).
Oh, wait. You can always perform trial and error.
Never attribute to Hanlon that which can be adequately attributed to Heinlein.
There is a communication channel known as SDCCH (Stand Alone Dedicated Control Channel) which is used to set up the calls and to send the text messages. If you set up an evil mobile phone in such a way that it will just order the SDCCH resources in an endless loop (a normal phone needs to be authorized prior to sending the message) then due to channel congestion it will be impossible to make new calls in this cell.
maybe bladox smspal could be used
You're mistaking what you are BILLED with what you PAY. You may rack up $990/minute in charges, but that doesn't mean you have to pay them...
paintball
Everybody on the count of three! Start text messaging microsoft.com as fast as you can! From there we'll move on to Yahoo.com, and maybe even cnn.com for fun!
I tell you what - if you can explain how one sends an SMS to microsoft.com, yahoo.com or anyotherfuckingsite.com then I'll laugh at your joke.
Did you think we were talking about MSN Messenger or something? Because that doesn't make any fucking sense either.
Also, could the person that modded this up please report for sterilization? Thanks in advance.
Over here in Australia, on New Year's Eve, the entire network is brought to its knees. I assume there are not only bandwidth issues with the local spectrum provided, but also between cells or with the central aggregation point.
Using your cell phone pretty much within 30 minutes either side of midnight is practically impossible, unless you have very good patience - and that's only to send a text message; a phone call is like asking Jesus to appear for you. It seems to get worse every year, as usage gets higher and higher. And messages often take hours to be delivered. I received half a dozen messages, scattered between about 2:30 am and 4:30 am on the 1st of January this year, all sent at 12:00:xx.
I forgot to mention, I live in a small town (probably 2 000 or so people), served by at least half a dozen cells (well, half a dozen are available with good signal quality, with the one dedicated to us being visible all through town and often from remote locations as our town is slightly risen)
I've always wondered why when watching the countdown on TV (Regular free-to-air) the video feed usually distorts fairly noticeably as soon as the new year is it - like interference.. What could that be?
This place is falling apart - moderation in the hands of retards! Mod this down so that it's got no chance of being seen (if any other meta-moderators actually look at context) if you like - at least you'll be using up your points on something valid (this is off-topic) instead of awarding them to people who don't RTFA, then become moderators and perpetuate the decline...
SMS is store and forward, not guaranteed to be sent in real time. The sent SMS can be queued in the SMS centre, and I wouldn't be surprised if this had a bandwidth throttle on it to prevent a flood of SMSs being forwarded to the MSCs and BTSs and hogging the bandwidth of the network.
Most likely you could flood the SMSC and cause a delay in SMS delivery, but probably not disrupt the voice service.
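The store-and-forward behaviour this comment describes, as an added example that is not part of the original thread: a small simulation of an SMS centre queue with a forwarding throttle, showing that the throttle bounds what reaches the radio side while delivery delay grows. The 50 msg/s cap and the queue limits are assumptions chosen for illustration; 165 msg/s is the figure quoted from the article.

```python
from collections import deque

def simulate_smsc(arrival_rate, forward_cap, duration_s, queue_limit):
    """Simulate a store-and-forward SMS centre one second at a time.

    arrival_rate : messages submitted per second (constant, constructed load)
    forward_cap  : max messages released towards the radio network per second
    duration_s   : seconds of sustained submission
    queue_limit  : messages the centre will hold before rejecting new ones
    """
    queue = deque()            # submission time of each stored message
    forwarded_per_s = []
    rejected = 0
    max_delay = 0
    t = 0
    # Keep running after submissions stop until the backlog has drained.
    while t < duration_s or queue:
        if t < duration_s:
            for _ in range(arrival_rate):
                if len(queue) < queue_limit:
                    queue.append(t)
                else:
                    rejected += 1          # shed load instead of forwarding it
        sent = 0
        while queue and sent < forward_cap:
            max_delay = max(max_delay, t - queue.popleft())
            sent += 1
        forwarded_per_s.append(sent)
        t += 1
    return {
        "peak_forward_rate": max(forwarded_per_s),  # what the cells actually see
        "rejected": rejected,
        "max_delay_s": max_delay,                   # worst-case delivery delay
        "drain_time_s": t,                          # seconds until queue is empty
    }

if __name__ == "__main__":
    # Constructed scenarios: normal load, a flood, and a flood with a small queue.
    for name, args in [("normal", (40, 50, 60, 10_000)),
                       ("flood", (165, 50, 60, 10_000)),
                       ("flood, small queue", (165, 50, 60, 1_000))]:
        print(name, simulate_smsc(*args))
```

In the flood case the forwarded rate stays at the cap while the last message waits over two minutes, which is the "delay in SMS delivery" outcome the comment predicts.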
They also prioritised calls for key personnel (medical, police, military etc) so that their registered GSM phones had priority. This, combined with 999 prioritisation, was what happened during the London bombings.
Interestingly, the 999/112 emergency call prioritisation happens automatically. If you're in a cell which is overloaded with traffic and you can't make a call, this can be and has been abused by users who make an emergency call (which boots off a number of live calls at the nearest base station to take it), hang up before connection, and then redial the number they want, which will connect via the free slots created.
this is highly antisocial and obviously stupid though.
I'm not up to date, but 6 years ago when I read the then current GSM spec, SMS data was sub-band data, that is, absolutely limited bandwidth that is always there. It couldn't possibly interfere with phone calls, since it simply gets piggy-backed on existing phone call data.
What the cellphone companies never mention (and hackers don't seem to have picked up on) is that if you want to jam a cellphone network just switch on a high power wideband UHF transmitter on the same frequency band (easily built by someone with reasonable RF electronics ability). It shouldn't even need to be modulated but you could always play Metallica on it just to be sure the phones can't pick up any data.
At +3 level I saw only one post containing the word SIGNALLING. Wow, that is so awful, no telco engineers read Slashdot. Shame on you.
Most cell phones have only capacity for storing a limited number of messages. Once they are full the phone tells the network "memory full" and the network (SMSC) will stop sending the SMS for a while. So this attack may work for a short while but then the phone's memory will quickly become full and no messages will be sent and the rest of the network's SMS and voice calls will work again. The subscribers targeted will not be able to receive any more messages but apart from that there will be no other problems.
Anyone who was in London for the recent terrorist attacks and tried to make a mobile phone call on a GSM network will have experienced this. In the immediate aftermath of the attacks the cell networks became overloaded with large numbers of people all trying to call relatives - the result being that it's difficult to reliably send SMS messages, or make voice calls. There is an interesting hack that you can use - take advantage of the emergency call spec. If you dial 112 on a handset this connects you to the emergency services - the GSM spec prioritises this, so signals the base station, which will drop other calls to allow the emergency call to get through. To take advantage of this you do the following:
1. Dial 112 & hang up immediately (before any connection, but after the GSM signal). The base station now drops some calls to free up bandwidth.
2. Dial the number you want; you will get a GSM connection.
In a typical terrorist situation you'll then often find that the landline switches are overloaded, so unlucky - but it's worth an attempt. No liability is accepted to anyone actually doing this. You didn't hear it from me. :-)
OK, I'm a little late in reading this story...
From my (albeit quick) reading of the paper, it seems like they are saying that 165 messages a second could overwhelm the control channels of a Manhattan sized cell network, blocking call setup.
However, they are basing this on 1500 bytes per text message packet. That seems way too large for most SMS messages. Wouldn't the easy solution be just to block messages over a couple of hundred characters?
--Barry
Beautiful paper, but in practice this couldn't happen. TV shows in Latin America and Spain that I personally know receive nearly 150.000 SMS per hour (~40 SMS/sec). With a GPRS/GSM modem we can send 30 SMS/second. In fact, in my former job we periodically sent over 50 SMS/sec without a DoS effect on GSM networks. Are you saying that with 4 modems we can disrupt all the cell phones in Manhattan? No, it is not possible. Even without modems, using SMPP directly, the protocol is so slow that we can't reach a throughput big enough to make this possible. In practice, cell phone companies don't allow more than 40-50 SMS/sec. Personally, I wrote an ESME application server with a throughput of 600 SMS/sec, using SMPP, but no company ever accepted more than 50 SMS/sec, because of contention. There is a lot of contention in the SMSC, and all ESMEs must be aware of this and manage their own queues because of it. In the paper the investigator forgot some important business steps before the SMSC queries the HLR. The SMSC must consult the subscribers database and check billing systems, for example. This is the main reason for contention of SMS messages. I don't know how cell phone billing is in the USA, but in many countries there is a limit based on the plan subscribed.
http://www.smsanalysis.org/smsanalysis.pdf