Jamming Cellphones with Text Messages
Steve writes "Some Penn State professors and students have published a way to jam cellular voice service with simple text messages. From the article: 'Because text messages are transmitted on the same signal that is used to set up voice calls, just 165 messages a second is enough to disrupt all cellphones in Manhattan.' Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network.'"
165 messages a second would cost you about ten thousand dollars a minute, at the prices the cell companies charge.
Note to mods: I'm probably being sarcastic.
Magic Link, hopefully without a session id.
http://www.nytimes.com/2005/10/05/technology/05phone.html?ex=1286164800&en=d917b9cd43dfaa31&ei=5090&partner=rssuserland&emc=rss
_JS
more like!
Engineering is the art of compromise.
A more detailed description of the threat is at smsanalysis.org/. The actual paper at smsanalysis.org/smsanalysis.pdf.
I guess it's kinda like a cell phone getting slashdotted too!
Don't you think that there are already more than 165 text messages being sent out every second in Manhattan?
Easy enough, about 3 or 4 Japanese school girls should be able to send a sustained rate of 180 messages a second.
I'M NOT ANGRY!
Most people don't know that you can send text messages for free through Google's text messaging service.
... hello? ...hello?
http://toolbar.google.com/send/sms/index.php
Now all you need is a perl script and
-------------
judge a man by his wallet
------ The best brain training is now totally free : )
The reason for this prioritisation is that delaying isochronous (eg. voice) data makes it unusable, but backing up text is OK. If you try jamming with text all you'll end up with is a load of backed up text.
Engineering is the art of compromise.
You could send 165 text messages a second OR you could keep calling the phone you want to disrupt!
Except this isn't about disrupting one phone - this is about disrupting the entire regional network. Just the sort of thing a criminal or terrorist might want to do during or in the wake of some mal-behavior. So it costs a bunch to send those messages? So what? Bad guys can have some real (or fraudulent) financial resources when that's part of their plan.
Don't disappoint your bird dog. Go to the range.
Ah. So that's why it costs an insane amount of money to send a text message (well, that and a text message may mean "no phone call to bill for".)
Also- can anyone explain why data is still so damn expensive? I have a data capable phone w/bluetooth, I travel a fair bit...but I don't ever use the data service, because it's so incredibly expensive. 2-8MB runs you almost as much as the voice service does!
Seems like they could make a lot of people happy if they made data more affordable. I guess we'll have to wait for one of the providers to start competing on that front, instead of buying each other up? :-)
Please help metamoderate.
Can you say Copy and Paste Troll?
Facts do not cease to exist because they are ignored.
Last year I had a friend that wrote an app that would text message a verse from the 12 days of Christmas every day, but something went horribly wrong and I was getting messaged a verse from that damn song every few milliseconds for a couple hours straight. Not fun.
Hey Steve! (you ass)
Do you have a source?
There must be at least a million cellphones in Manhattan. I'd say it's safe to say that each cellphone would send an average of one text message a day.
So there are already somewhere in the rough ballpark of 1 million text messages being sent a day. Possibly many more, probably no less.
That equates to 41,000 per hour, or 72 per second, on average.
Now of course the texts aren't spread evenly over those 24 hours. The majority of those messages will be sent during 12 hours of the day, which would mean during those 12 hours the average texts/second would be pretty close to the number of texts they say would overload the network.
Part of the blame rests on people who complain about spam but then buy things advertised through spam. Without this reinforcement spammers would be greatly diminished.
So it costs a bunch to send those messages? So what? Bad guys can have some real (or fraudulent) financial resources when that's part of their plan.
...
1) Sign cell phone contract with monthly billing.
2) Send massive amounts of text messages.
3) Blow self up.
4) Don't care if phone bill is high at end of month - having too much fun with the 72 virgins.
5)
6) Profit?
6) Profit?
Don't you mean "Prophet?"
Don't disappoint your bird dog. Go to the range.
I'm sure there are at least 165 text messages being sent every second already.
Yes I do know there are store and forwarding to consider/routing etc, however I find this unlikely.
Yeah, but let's face it. There are so many better things to do with 3 or 4 Japanese school girls than text messages.
The laws of probability forbid it!
If you think 2 to 4 simultaneous telephone calls will take down a cellular network, the thing would have stopped working a long time ago.
But... I think it's not the vox bandwidth - it's that part of the system that manages the call overhead (per the summary, the part of the system that "sets up" the calls). I believe that housekeeping does indeed take place in a smaller, and separate piece of the spectrum and the network's plumbing. Of course, IANATE (I am not a telecommunications engineer). Text messaging piggy-backs on the data that keeps the system and the phones aware of each other - long before a call (and the related bandwidth) is actually assigned to a user that dials/answers. This would be when someone who works for Verizon or Sprint would anonymously chime. We can hear you now, good.
Don't disappoint your bird dog. Go to the range.
I don't buy it for one very big reason - the cells are functionally independent and Manhattan has a *lot* of cells. That means you could shut down a single cell with text messages if you targeted a single phone but a simple throttle on the number of messages to a single phone number would prevent that.
Now if you could figure out how to send messages to a bunch of different phones all in the same cell then you may be able to take that one cell out of business for a while, but DoS all of Manhattan? I think not.
Fear: When you see B8 00 4C CD 21 and know what it means
Maybe in your neck of the woods. In Canada, the last time I was involved in public safety CDPD-networked software deployment and development, we had segregated channels. So this issue never came up. We segregate voice and data channels up here and that seems to work pretty well. Maybe it has some technical drawbacks in terms of utilization rates, but it kinda removes some potential for abuse.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Manhattan usually has 5+ million people in it all day long. 165 msgs:sec is only 10K msgs:minute. I'm surprised Manhattan doesn't already get that kind of traffic. Especially after a big event, like a World Series win, or a stock market crash. I'd say "terrorist attack", but the last one destroyed the 7 World Trade building, which took out Verizon a lot more definitively than a DoS attack. But that hardly seems necessary to generate texts from 0.5% of Manhattan within a minute.
--
make install -not war
The reason is in the EU areas, bandwidth isn't so TIGHTLY restricted. That's why they've got internet connections better than what most of the USA has. Most people I know of in the EU areas pay roughly equivalent to what we do for a 10 mbit down / 2 mbit up connection, if not higher. (These are people on IRC, I wouldn't know about those I know thru IM services)
We've got, what?? Comcast with 7 mbit (shared) down and 1.5 mbit (dedicated) up, as the "potentially best" service? (Roadrunner offers 10 mbit down, but only 512 kbit up, Speakeasy is 6 mbit down dedicated, 768 kbit up dedicated?)
These people have a much larger pipeline to use. *NOW* the big difference is the pipeline leaving their country to go to other countries. Any bets on where most of that data gets sent? You betcha, USA.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
In some cases, cellular services charge for receiving and transmitting text messages, simply because it's using up their bandwidth available for routing calls/connecting calls. Cingular is an example, and that's coming from the Cingular customer sitting next to me telling me about this. Never seen the bill, but I've heard of the price. $0.10 a message, incoming or outgoing.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
.... with Verizon's *in* network, $5 a month flat rate to other Verizon members.
Verizon kicks ass.
-everphilski-
Hey all you guys in Manhattan! Are your cell phones working? If so, then I'll up the number of SMS/second.
-Palal
I know from connections to several European 'short message service centers' that they won't accept more than 10 or 100 messages a second even for wholesale connections (content providers, chat providers, tv games etc.). The overall capacity can never overflow the network since there is a limiter on the SMSC.
jouwnieuws!
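The two throttles raised in this thread, a per-number limit and a limiter at the SMSC, sketched here as an added example (not code from any poster or carrier). `SmsGate`, the number-to-sector lookup table and every rate value are assumptions chosen for illustration, and the traffic is constructed.

```python
from collections import defaultdict

class TokenBucket:
    """Allows `burst` messages at once, then `rate` messages per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

class SmsGate:
    """Hypothetical admission control in front of delivery.
    Limits are (rate per second, burst) pairs."""
    def __init__(self, sector_of, per_number, per_sector):
        self.sector_of = sector_of  # assumed lookup: number -> serving sector
        self.numbers = defaultdict(lambda: TokenBucket(*per_number))
        self.sectors = defaultdict(lambda: TokenBucket(*per_sector))

    def admit(self, dest, now):
        buckets = (self.numbers[dest], self.sectors[self.sector_of[dest]])
        for b in buckets:
            b.refill(now)
        # Check every limit before spending a token, so a message that is
        # deferred by one limit does not use up quota in the other.
        if any(b.tokens < 1 for b in buckets):
            return False  # deferred: stays queued in store-and-forward
        for b in buckets:
            b.tokens -= 1
        return True

def replay(gate, messages):
    """messages: iterable of (timestamp_seconds, destination). Returns admitted count."""
    return sum(gate.admit(dest, t) for t, dest in messages)

# Constructed traffic: 256 messages inside one second, 64 numbers in one sector.
NUMBERS = [f"555-01{i:02d}" for i in range(64)]
SECTOR_OF = {n: "sector-A" for n in NUMBERS}
ONE_TARGET = [(i / 256, NUMBERS[0]) for i in range(256)]    # all to one phone
SPREAD = [(i / 256, NUMBERS[i % 64]) for i in range(256)]   # 4 per phone

NO_SECTOR_LIMIT = (1e6, 1e6)  # effectively disables the aggregate limit
SECTOR_LIMIT = (8, 20)        # assumed: 8 msg/s sustained, burst of 20

def admitted(traffic, per_sector):
    gate = SmsGate(SECTOR_OF, per_number=(1, 5), per_sector=per_sector)
    return replay(gate, traffic)

if __name__ == "__main__":
    print("one target, per-number limit only:", admitted(ONE_TARGET, NO_SECTOR_LIMIT))
    print("spread,     per-number limit only:", admitted(SPREAD, NO_SECTOR_LIMIT))
    print("spread,     with sector limit:    ", admitted(SPREAD, SECTOR_LIMIT))
```

The per-number throttle holds a flood at one phone to its burst allowance but passes the same volume untouched once it is spread across many phones; only the aggregate limit bounds what reaches the shared sector.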
Next up, the Motorola JAMR!
You can email a text message to someone's phone, and for some carriers it is an automatic $0.10 or more a message received and the receiver can't not receive it. Here are all the SMS addys:
Sprint: 10-digit-number@messaging.sprintpcs.com
Verizon: 10-digit-number@vtext.com
AT&T: 10-digit-number@mobile.att.net
T Mobile: 10-digit-number@tmomail.net
Nextel: 10-digit-number@messaging.nextel.com
Cingular: 10-digit-number@mobile.mycingular.net
Alltel: 10-digit-number@message.alltel.com
I can see how they could put in safe-guards like monitoring multiple messages from an IP in a certain time frame. But smart programmers can work around this fairly easily.
Yeah, and piloting an airliner into a building leaves you dead. So we don't worry about that, do we?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I think you're really misunderstanding the issue. A DoS by flooding the cell with SMS messages has the chance of working because on-the-wire, (or "on the air", if you will) it uses the exact same portion of the GSM mobile phone protocol as setting up new calls (and other network control messages). As you can see, this has nothing to do with the land-line connectivity the tower uses beyond the airwaves.
It's still possible that the "last-mile" providers in the USA simply don't feel the need to upgrade their DSLAMs or even make full use of the stuff that _IS_ installed at the exchange until absolutely necessary so they still have a low-cost path of remaining competitive as the market demands and expectations change.
Perhaps, as you say, the telecomms backbone doesn't have sufficient capacity to provide everyone with services of higher speeds but simply comparing the end-user DSL service speeds in each country doesn't give you this information, it's not the full picture. For example, it's possible the EU providers upgraded their "last mile" infrastructure first and are upgrading their backbones concurrently, or later.
You might be interested to know that in rural Australia, they usually "skip" a generation or two of technology; I remember when I was a kid that by the time touch-tone phone service became available in 1988 in my tiny home-town, it was replacing a human-operated exchange and that plenty of larger municipalities were still stuck with pulse-only exchanges. Perhaps what you're seeing in some parts of the EU is a refreshing of old infrastructure with the highest tech available, because they don't get to do it very often (upgrades, that is).
Of course, the USA is the centre of the universe...
RADAR TECH. Sir. The radar, sir. It appears to be.... ....jammed.
Jam starts dripping down the screen.
RADAR TECH.
HELMET Jammed? (takes a taste of the jam) Raspberry. There's only one man who would dare give me the raspberry. (pulls down mask) Lone Starr!
CAMERA hits HELMET. HELMET falls backwards.
Back in 2000 I was writing native Blackberry applications. At the time the RIM network was Artus, and you could send 100's of short Artus packets directly to the MIN of the device. BAM! The tower went down till you stopped. The smaller the message the higher the priority - the easier it was to bring down the tower.
"We monitor our network for security issues - BULLSHIT", they monitor the billing systems and channels for abuse - sure - but not the QOS.
Let's look at it this way:
Sources of Bandwidth/Attacks
The original article assumes you wanted to take out more than one sector in the cellular coverage. If you wanted to be more specific and pinpoint only a handful of sectors, you would need less than the numbers the article specifies.
Most text messaging service providers have email gateways. This is one of the reasons why I disabled my text messaging capability. No way to filter the message and at $0.10 / message, it is too abusable.
A weak computer running a fast multi-threaded emailer (Postfix) can dump a fair amount of email at an email-to-SMS gateway. It is amazing how many messages/sec you can achieve if you tweak your configuration. 3-4 well placed and configured systems could take out a sector or 2. Distribute that over 10-20 thousand zombies, and you have much greater capacity and better redundancy. The provider will either need to already have anti-DDOS equipment in place or shut down the gateway. Bounce those over open relays and it makes dynamic rerouting even more difficult.
Scenario:
There is a convention going on. Someone was going to launch an attack on the convention site. They don't need to wipe out access to the entire city. They only need to wipe out access to the cellular cells/sectors covering the convention area itself.
So, they gain access to a list of peoples' phone numbers, who will be attending and SMS-bombard those numbers.
Guess what? Since all of those numbers are at the convention site and being serviced by a fixed number of cellular cells, you have now effectively targeted those cells and overloaded them.
With the cell access busy, to the people trying to make calls or receive calls at the convention, an attack on the convention would only be reportable by landline and/or by bystanders outside of the convention center.
Say the attack is a silent one: chemical, toxin, biological. The emergency response would be delayed enough that most of the target individuals would be dead before help could arrive. Most people these days depend heavily on their cell phones. The first thought isn't to try to make a call on a landline for many.
Another abuse would be to use the system to financially deplete another organization's funds by ramping up their telco fees through excessive messaging via a zombie network. While most organizations might have flat fee subscriptions, some do not. Especially for their one-off need-it-now cellphone plans.
I've actually called my provider and asked them about filtering and blocking, but they have told me that it was either completely on or completely off. I chose completely off.
Winged Power Photography
Several years ago I was involved in solving a similar problem in the GSM/MAP/SS7 backbone network of a major European cellular provider/broker. In that case, there was a problem because the SMS messaging is carried in the MAP "signalling" layer, which resulted in the waste of the vast majority of the bandwidth that was meant to be used to handle subscriber management, roaming, authentication, etc. The network (which provided roaming between 100+ sizable European, Asian, and North African carriers) was being saturated with internet-generated SMS text messaging. Essentially, we were only able to block the traffic, having little control over its generation and/or entry into the network.
Clearly the people that designed the air interface made the same poor architectural decision.
I'm writing a paper on how you put enough cars thru a major traffic intersection and it will create a problem and cause downtime in that area. I'm going to call it a 'traffic jam'.
Tell us something we didn't know.. every technology has its limit, flood it beyond capacity and you will see it fail.
nice.
-b
For those of you who have never looked at a real phone network, allow me some bandwidth:
Nobody has ever allowed for a one to one switching network like you may have seen with a switched hub. It's too expensive. They use trunk lines instead. The number of trunk lines depends on the statistics of the local area calling. There are benchmarks to use for various types of service. These systems are designed for four and five nines of up time. But it's not overload proof. You have all gotten fast busy signals before. That's because there were no trunks available.
What these folks have figured out is how much bandwidth a typical cell site can have. They have figured out how many text messages it would take to fill up that available bandwidth. Big Deal. Cell sites do saturate. This is not a design "flaw" --it's a design point. Just as almost nobody builds buildings to withstand 200 MPH winds, almost nobody builds that much bandwidth in to a cell site. You could, but it would almost never get used.
Instead we build them to handle almost all conditions. Yes, they can saturate. That's a political design issue. Someone who knows the design points can certainly overload one. But during normal use, they will work just fine. Since there are no lasting effects from such overload, most engineers figure that people will just clear out before things get too dicey.
Naturally, some twits who want to jam cell phone conversations will find plenty of ways to do this. The network is built for civil use --not military use. That's why police and fire authorities use separate communications networks (or if they don't they're just asking for trouble). That's why ham radio operators are often able to render assistance when everyone else is busy trying to call home. Common Carrier networks will overload at some point, just as roads can saturate and slow to a crawl. We'll never have enough bandwidth or enough roads. But we can ensure that there will be enough to get by.
The Times could do for a brief lesson in engineering design criteria...
Nearly fifty percent of all graduates come from the bottom half of the class!
I have personally witnessed the monitoring that is performed by cellular network providers. I was actually pretty impressed with Verizon for it. Our company uses the Verizon network for cellular networking of computers (Internet connectivity through a PCMCIA-based cellular modem). We received a phone call out of the clear blue one day from a Verizon network technician who asked if we were having a problem with one of our machines. Though we hadn't seen any connectivity loss according to the machine's logs, they reported more than 10,000 attempted connection failures from our machine in a 24 hour period. They said this was usually indicative of an antenna problem on one of their towers, apologized profusely and said they had a crew out at the tower probing for the failure already. All this and we weren't even aware there was a problem.