A Silent SMS Denial of Service (DoS) Attack

N.J Croft and M.S Olivier


Information and Computer Security Architectures (ICSA) Research Group
Department of Computer Science
University of Pretoria
Pretoria
South Africa
Email: ringtingting@gmail.com

Abstract— Global System for Mobile communications (GSM) is a popular mobile communications network. Short Message Service (SMS) is an easily adopted person-to-person communications technology for mobile devices. The GSM architecture allows for the insertion of mass application-generated SMS messages directly into the network infrastructure. This is achieved through a Short Message Service Centre (SMSC) using a variety of request-response protocols, for example the Short Message Peer-To-Peer Protocol (SMPP).

Through protocol manipulation, an application may generate an SMS which neither displays on the mobile handset nor provides an acoustic signal. Known as a “Silent” SMS, this occurs where the mobile handset must acknowledge receipt of the short message but may discard its contents. A “Silent” SMS may help police services detect the existence of a mobile handset without the intended party knowing about the request. In contrast, a mass continuous send of “Silent” SMS messages will constitute an invisible Denial of Service (DoS) attack on a mobile handset. Such a mobile handset DoS attack may be conducted for economic advantage, to prevent another party from communicating.

This paper describes, from a technical perspective, how a silent application-generated denial of service (DoS) SMS attack is conducted. We then investigate possible ways of thwarting such an attack at a GSM network level. Furthermore we explore related SMS attacks on the GSM network.

I. INTRODUCTION

The Global System for Mobile communications (GSM) is a popular digital circuit switched network [1]. GSM is a common telecommunications standard originally issued by the European Telecommunications Standards Institute (ETSI) [2]. GSM is an open standard which is currently developed by the 3rd Generation Partnership Project (3GPP) [3]. GSM provides recommendations, not requirements. The GSM specifications define the functions and interface requirements in detail but do not address the hardware. The reason for this is to constrain the designers as little as possible while still making it possible for operators to buy equipment from different suppliers.

The name GSM first comes from a group called Group Special Mobile (GSM), which was formed in 1982 by the European Conference of Post and Telecommunications Administrations (CEPT) to develop a pan-European cellular system that would replace the many existing incompatible cellular systems already in place in Europe. However, when GSM service started in 1991, the abbreviation “GSM” was renamed from Group Special Mobile to Global System for Mobile Communications.

GSM has become an international cooperation and collaboration between people, companies and governments, creating a truly global wireless communication network. At the time of writing, GSM service had surpassed the 2 billion people mark and is currently available across more than 214 countries and territories worldwide [4].

The initial Short Message Service (SMS) standard was first discussed in the early 1980s but the world’s first commercial SMS service was not introduced until 1992. SMS was created as part of Phase I of the GSM standard. SMS is widely adopted, with approximately 1 billion SMS messages sent every day worldwide [5].

The SMS message, as specified by ETSI in documents GSM 03.40 [6] and GSM 03.38 [7], can be up to 160 characters long, where each character is 7 bits according to the 7-bit default alphabet. Eight-bit messages (max 140 characters) are usually not viewable by the phones as text messages; instead they are used for data in e.g. smart messaging (images and ringing tones) and Over The Air (OTA) provisioning of Wireless Application Protocol (WAP) settings (to be discussed in more detail later). 16-bit messages (max 70 characters) are used for Unicode (UCS2) text messages, viewable by most phones. A 16-bit text message will on some phones appear as a Flash SMS (aka blinking SMS or alert SMS).

The Short Message Peer-To-Peer Protocol (SMPP) [8], [9] is a telecommunications industry protocol for exchanging SMS messages between SMS peer entities such as short message service centres (SMSCs). It is often used to allow third parties to submit messages at an application level, often in bulk.

Silent messages, often referred to as “Silent SMS” or “Stealth SMS”, are indicated neither on the display nor by an acoustic signal. GSM 03.40 [6] describes a short message of type 0 which indicates that the ME must acknowledge receipt of the short message but may discard its contents. Such an SMS is useful, in particular, for the police services to detect the existence of a mobile handset without the intended party knowing about the request. However, a “Silent” SMS may be used for more sinister reasons.

Traditionally a denial-of-service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. One such method is to flood a network, thereby preventing legitimate network traffic. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web
pages unavailable on the Internet. Such an attack is extendable to any mobile environment. A mobile device is rendered ineffective should it be flooded with this type of SMS message. Furthermore, should a “Silent” SMS DoS attack take place on the handset, the intended victim would be oblivious to the attack. The only visible symptoms would be an abnormal decline in battery charge capacity and the inability to receive calls etc. This ineffectiveness of the handset is due to SMS messages making use of the signalling layer, which is also used in performing other network events.

Not only will a “Silent” SMS consume battery power but it will clog the signalling channel. This may be the motivation for performing a “Silent” DoS attack. Primarily it may be done for economic advantage, to prevent another party from communicating, or it may be used to ensure that a given party is not notified of some events. As another example, consider an Intrusion Detection System (IDS) that informs a network administrator via mobile phone if an attack occurs. By launching a DoS attack on the mobile phone, the network intrusion may continue for much longer without the knowledge of the network administrator.

In this paper we explore the technical detail in executing a mobile application-generated Denial of Service (DoS) SMS attack. We investigate possible ways of thwarting such an attack at a network level. Furthermore we explore related attacks using SMPP and SMS on a GSM network.

This paper is structured as follows: Section II covers a brief overview of GSM. Section III covers in detail the composition of an SMS message. This includes both 7-bit and 8-bit messaging. Section IV investigates the various application-generated SMS protocols with a specific focus on the industry leader, SMPP. Section V illustrates the technical aspects of sending a “Silent” 7-bit and 8-bit SMS using SMPP. Section VI explores the possibilities of thwarting “Silent” SMS DoS attacks. Section VII shows possible spin-off attacks aimed in particular at the SMSC itself. Finally Section VIII concludes this paper.

Our decision to position our work in the GSM context is based on the popularity of GSM and its widespread adoption in comparison to other mobile communication networks such as the Universal Mobile Telecommunications System (UMTS). In addition, work reported on in this paper forms part of a larger privacy and security project [10]–[14] set in the GSM and next generation wireless communication context.

II. BACKGROUND

The Global System for Mobile Communications (GSM) [15], [1] is a common standard issued by the European Telecommunications Standards Institute (ETSI). The most basic service supported by GSM is telephony; however GSM also allows data to be transported (both synchronous and asynchronous) as a bearer service [10]. The GSM standard is considered to be a “second generation” or 2G cellular system and was designed to be secure, have strong subscriber authentication and Over The Air (OTA) transmission encryption [10]. In order to understand the origin and application of SMS in GSM, the underlying architecture needs to be understood.

A. GSM Architecture

The GSM system has two major components: the fixed installed infrastructure (network) and the Mobile Station (MS) [16]. Mobile users make use of the serving GSM network’s services by communicating over a radio interface. Figure 1 illustrates the GSM architecture.

Fig. 1. GSM Architecture (adapted from [10])

The Mobile Station (MS) is the mobile phone or GSM compliant device. The MS provides access to the GSM network. The MS consists of Mobile Equipment (ME) and a Subscriber Identity Module (SIM) [17]. The Base Transceiver Station (BTS) is a radio tower or pico (single) cell with which the Mobile Station communicates. The Base Station Controller (BSC) acts as a common node between multiple BTSs and the network’s backbone. The Mobile Switching Centre (MSC) performs the switching functions of the network. The MSC has an interface to one or more BSCs and to external networks. Signalling between functional entities in the network system uses Signalling System Number 7 [18]. Several databases are available for control and network management. The following are usually considered to be part of the MSC: i) Home Location Register (HLR) - contains permanent (user’s profile) and temporary (location information) data for all users registered with a network operator, ii) Visitor Location Register (VLR) - is responsible for a group of location areas and stores the data of those users who are currently in its area of responsibility, iii) Authentication Centre (AuC) - provides for authentication of an MS on the network and encryption of communication transmissions, iv) Equipment Identity Register (EIR) - registers equipment data.

The Short Message Service (SMS) is a store and forward service; in other words, short messages are not sent directly from sender to recipient, but always via an SMS Centre (SMSC). Each mobile telephone network that supports SMS has one or more messaging centres to handle and manage the SMS messages. The service centre is responsible for the collection, storage, and delivery of short messages, and is outside the scope of GSM [1]. Thus the provider of the SMS service does not necessarily have to be the serving GSM operator. However, a default SMSC number is usually provided by the network operator and this number is stored at the Mobile Station (MS).

III. SHORT MESSAGE SERVICE (SMS)

Short Message Service (SMS) is a universal text messaging system, allowing the transmission of messages up to 160
alphanumeric characters to be sent to or from a GSM Mobile Station (MS). SMS is characterized by out-of-band packet delivery and low-bandwidth message transfer, which results in a highly efficient means of transmitting short bursts of data. Message delivery forms part of the GSM infrastructure, where every SMS has to pass via a Short Message Service Centre (SMSC).

The benefit of SMS to a user centres around convenience, flexibility and the seamless integration of a complete messaging solution. SMS works on a store-and-forward basis and, when received, a message is usually stored on the SIM card or in the MS’s internal store. An SMS is transferred in a connectionless packet mode over the signalling channel of the serving GSM network. Once a message is sent, it is received by an SMSC (refer to Figure 1), which must then get it to the appropriate recipient mobile device via the MSC.

An SMS comprises the following elements, of which only the User Data (the message) and the originating address (mobile number) are displayed on the recipient’s mobile device: i) Header - identifies the type of message, ii) Service Centre TimeStamp, iii) Originating Address - mobile number of the sender, iv) Protocol Identifier, v) Data Coding Scheme, vi) User Data Length - the length of the message, vii) User Data - the message (140 bytes: 160 7-bit characters, 140 8-bit characters or 70 16-bit characters).

SMS messages travel between several network nodes before being delivered. The sender of a Mobile Terminating (MT) message is charged for the sending of the SMS. Usually the charge for receiving an SMS is zero.

We now describe the process flow when an SMS message is sent from one sender MS (handset) to a recipient MS [14].
1) The SMS message is submitted from the sender MS to the SMSC
2) After the message is processed at the SMSC, it sends a request to the HLR and receives routing information for the recipient MS
3) The SMSC sends the SMS to the MSC
4) The MSC retrieves the recipient’s information from the VLR. This may include an authentication operation between the MSC and VLR
5) The MSC forwards the message to the recipient MS
6) If delivered successfully, the SMS is stored on the recipient MS’s SIM card under USER-DATA
7) The MSC returns to the SMSC the outcome of the SMS delivery status
8) If requested by the sending MS, the SMSC reports the delivery status of the SMS back to the sender

As described above, messages are sent to a Short Message Service Centre (SMSC) which provides a store-and-forward mechanism. It is a “best effort” attempt on the network’s side to send messages to the intended recipients. If a recipient is not reachable, the SMSC queues the message for later retry. The retry rules differ per SMSC. There may be a fixed upper bound on the retry transmission count or a time-elapsed constraint, after which the message is discarded. Some SMSCs merely provide a “forward and forget” option where transmission is tried only once. Both Mobile Terminated (MT), for messages sent to a mobile handset, and Mobile Originating (MO), for those that are sent from the mobile handset, operations are supported. As message delivery is best effort, there is no guarantee that a message will actually be delivered to its recipient, and delay or complete loss of a message is not uncommon, particularly when sending between networks. Users may choose to request delivery reports, which can provide positive confirmation that the message has reached the intended recipient, but notifications for failed deliveries are unreliable at best.

Transmission of the short messages between SMSC and phone can be done through different protocols such as SS7 within the standard GSM framework or TCP/IP within the same standard. The message payload is limited by the constraints of the signalling protocol to precisely 140 bytes (140 bytes = 140 * 8 bits = 1120 bits). In practice, this translates to either 160 7-bit characters, 140 8-bit characters, or 70 16-bit characters. Characters in languages such as Arabic, Chinese, Korean, Japanese or Slavic languages (e.g. Russian) must be encoded using the 16-bit UCS-2 character encoding.

When a mobile terminated message is class 0 and the MS has the capability of displaying short messages, the MS shall display the message immediately and send an acknowledgement to the SMSC when the message has successfully reached the MS [7]. This effectively means that if the mobile is incapable of displaying a message it may simply be ignored and discarded by the handset. The SMSC will still, however, receive a successful delivery receipt acknowledgement. This forms the basis of a possible Denial of Service (DoS) attack whereby the mobile handset is flooded with messages it simply won't display and will discard. In order to flood an MS (handset) with “Silent” SMS messages, a mechanism is required to auto-generate mass messages which can be sent to the Mobile Station continuously. We now investigate bulk SMS messaging protocols which allow for the mass sending of SMS messages, providing the platform for a silent DoS mobile handset attack.

IV. APPLICATION-GENERATED SMS PROTOCOLS

There are numerous protocols for the generation of application-originated SMS messages. Industry protocols include UCP/EMI, CIMD [19] and SMPP [8] amongst others. These protocols provide third parties the capability of submitting SMS messages, often in bulk and at reduced cost.

Computer Interface to Message Distribution (CIMD) is a proprietary SMSC protocol developed by Nokia for their Artus SMSC. The External Machine Interface (EMI), an extension to the Universal Computer Protocol (UCP), was developed by LogicaCMG [20], the current SMSC market leader. The Short Message Peer-To-Peer protocol (SMPP) is the most common of the industry protocols for exchanging SMS messages between SMS peer entities such as SMSCs. SMPP was originally designed by Aldiscon, a small Irish company that was later bought by Logica, now LogicaCMG [20]. In 1999, SMPP was formally handed over to the SMPP Developers Forum, which was later renamed The SMS Forum [21].

The most commonly used versions of SMPP are v3.3 and v3.4 [8], where the latter adds transceiver support functionality (single connections that can send and receive messages).
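Section III's capacity figures (160 7-bit, 140 8-bit or 70 16-bit characters in 140 octets) follow from the septet packing of GSM 03.38. The block below is an added example, not the paper's code: it derives those limits and packs and unpacks septets the way the 7-bit default alphabet is carried. It handles only the ASCII-compatible part of the default alphabet (an assumption it enforces by rejecting other characters rather than mis-encoding them).

```python
"""GSM 03.38 7-bit packing: why 160 septets fit in the 140-octet SMS payload.

Added example (not from the paper).  It implements the capacity arithmetic of
Section III (1120 bits = 160 x 7 = 140 x 8 = 70 x 16) and the septet packing
that GSM 03.38 uses for the 7-bit default alphabet.
"""

SMS_PAYLOAD_OCTETS = 140   # fixed user-data budget of one short message

# Subset of the GSM 03.38 default alphabet whose codes equal the ASCII codes.
# '@' (0x00), '$' (0x02) and the 0x5B-0x60 / 0x7B-0x7E ranges differ from
# ASCII, so text containing other characters is rejected rather than mis-encoded.
ASCII_COMPATIBLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    "0123456789 !\"#%&'()*+,-./:;<=>?"
)


def max_characters(bits_per_char):
    """Characters that fit in one payload: 160 for 7-bit, 140 for 8-bit, 70 for 16-bit."""
    return SMS_PAYLOAD_OCTETS * 8 // bits_per_char


def to_septets(text):
    """Map text to GSM 03.38 septet values (ASCII-compatible subset only)."""
    unsupported = set(text) - ASCII_COMPATIBLE
    if unsupported:
        raise ValueError(f"characters outside the supported subset: {sorted(unsupported)}")
    return [ord(ch) for ch in text]


def pack_septets(septets):
    """Pack 7-bit values into octets, least significant bit first (GSM 03.38)."""
    out = bytearray()
    acc, nbits = 0, 0
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:                 # flush the remaining partial octet
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_septets(data, count):
    """Recover `count` septets from packed octets (the reverse of pack_septets)."""
    septets = []
    acc, nbits = 0, 0
    for octet in data:
        acc |= octet << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < count:
            septets.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return septets


def encode_gsm7(text):
    return pack_septets(to_septets(text))


def decode_gsm7(data, count):
    return "".join(chr(s) for s in unpack_septets(data, count))


def fits_one_message(text):
    """True when the packed text stays within the 140-octet payload."""
    return len(encode_gsm7(text)) <= SMS_PAYLOAD_OCTETS


if __name__ == "__main__":
    packed = encode_gsm7("hello")
    print(packed.hex(), decode_gsm7(packed, 5))                        # e8329bfd06 hello
    print(len(encode_gsm7("a" * 160)), fits_one_message("a" * 161))  # 140 False
```

The 161st septet spills seven bits into a 141st octet, which is exactly why a 7-bit message caps at 160 characters while an 8-bit payload (one octet per character) caps at 140.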
Data exchange may be synchronous, where each peer must wait for a response for each PDU (protocol data unit, or packet) being sent, or asynchronous, where receiving and transmitting execute independently with the use of buffers and timers. The latest version of SMPP is v5.0 [9]. The protocol is based on pairs of request/response PDUs exchanged over OSI layer 4 (TCP session) connections. PDUs are binary encoded for efficiency.

Using the SMPP protocol, an SMS application system called the “External Short Message Entity” (ESME) may initiate an application layer connection with an SMSC over a TCP/IP or X.25 network connection and may then send short messages to, and receive short messages from, the SMSC [8]. Every SMPP operation must consist of a request PDU and an associated response PDU. The receiving entity must return the associated SMPP response to an SMPP PDU request. As an example, a submit_sm PDU (refer to Table I) is used to send an SMS message and expects a submit_sm_resp from an SMSC or bulk messaging gateway.

TABLE I
SMPP SUBMIT_SM PDU

Field Name               Size (octets)   Type             Description
command_length           4               Integer          Set to overall length of PDU
command_id               4               Integer          submit_sm (0x00000004)
command_status           4               Integer          Not used
sequence_number          4               Integer          Unique sequence number
service_type             max 6           COctet String    NULL for default SMSC settings
source_addr_ton          1               Integer          Type of Number for source
source_addr_npi          1               Integer          Numbering Plan Indicator for source
source_addr              max 21          COctet String    Originating address
dest_addr_ton            1               Integer          Type of Number for destination
dest_addr_npi            1               Integer          Numbering Plan Indicator for destination
dest_addr                max 21          COctet String    Destination address
esm_class                1               Integer          Indicates Message Mode & Message Type
protocol_id              1               Integer          Protocol Identifier (refer to [6])
priority_flag            1               Integer          Priority level of the message
schedule_delivery_time   1 or 17         COctet String    NULL for immediate message delivery
validity_period          1 or 17         COctet String    NULL for SMSC default validity period
registered_delivery      1               Integer          SMSC delivery receipt
replace_if_present_flag  1               Integer          Replace existing message
data_coding              1               Integer          Encoding scheme used (refer to [7])
sm_default_msg_id        1               Integer          NULL for default SMSC msg id
sm_length                1               Integer          Length in octets of short message
short_message            Var. 0-254      Octet String     Up to 254 octets of short message user data

The command_length, command_id, command_status and sequence_number fields all form part of the PDU header, while the remaining fields constitute the message body. The data_coding field indicates the data coding scheme and is usually used to indicate whether the SMS message is 7-bit, 8-bit or 16-bit encoded. This field will play an important role during the attack to be described later. Further details are available in the relevant specification document [8].

An example of a 7-bit SMPP submit_sm PDU is provided in Listing 1. SMS messages are binary encoded according to the 7-bit GSM Default Alphabet table, found in GSM 03.38 [7]. Listing 1 is GSM 03.38 encoded and represented in Hexadecimal (Hex), as hexadecimal numbers are easier to read than a binary representation.

Listing 1. Example of SMPP submit_sm PDU Encoding

Encoding PDU Header..
'command_length', (71) ... 00 00 00 47
'command_id', (4) ... 00 00 00 04
'command_status', (0) ... 00 00 00 00
'sequence_number', (1) ... 00 00 00 01

Encoding PDU Body..
'service_type', (0) ... 30 00
'source_addr_ton', (1) ... 01 **
'source_addr_npi', (1) ... 01 **
'source_addr', (27829239812) ... 32 37 38 32 39 32 33 39 38 31 32 00
'dest_addr_ton', (1) ... 01 **
'dest_addr_npi', (1) ... 01 **
'dest_addr', (27829239812) ... 32 37 38 32 39 32 33 39 38 31 32 00
'esm_class', (0) ... 00
'protocol_id', (0) ... 00
'priority_flag', (0) ... 00
'schedule_delivery_time', (0) ... 30 00
'validity_period', (0) ... 30 00
'registered_delivery', (1) ... 01
'replace_if_present_flag', (0) ... 00
'data_coding', (0) ... 00
'sm_default_msg_id', (0) ... 00
'sm_length', (0) ... 00
'short_message', (satnac.org.za) ... 73 61 74 6E 61 63 2E 6F 72 67 2E 7A 61

Full PDU (71 octets ++) .. 00 00 00 47 00 00 00 04 00 00 00 00 00 00 00 01 30 00 01 01 32 37 38 32 39 32 33 39 38 31 32 00 01 01 32 37 38 32 39 32 33 39 38 31 32 00 00 00 00 30 00 30 00 01 00 00 00 00 73 61 74 6E 61 63 2E 6F 72 67 2E 7A 61

** (0) indicates local numeric number formatting; (1) indicates international numeric number formatting
++ Octet is a group of 8 bits, often referred to as a byte

Short messages can also be used to send binary content such as ringtones, logos, or WAP Push messages, as well as Over The Air (OTA) programming or configuration data. A WAP Push message provides a direct link to an Internet web reference (URL) via an SMS message. An OTA message is usually used to send handset-specific settings via an SMS message. Such SMS messages are sometimes vendor-specific extensions of the GSM specification. A WAP push is a binary SMS message consisting of a header, a URL and a message. WAP push messages are 8-bit encoded messages and are therefore limited to 140 octets. It is important to note that not all phones on the world market support WAP pushes, and such a message may be discarded by the handset upon receipt.

Listing 2 illustrates an 8-bit WAP push template represented in Hexadecimal (Hex).

Listing 2. WAP Push template

HEADER
<SI>
<INDICATION>
<PROTOCOL INDICATOR/>
<STRING>
URL
</STRING>
</INDICATION>
<STRING>
MESSAGE
</STRING>
</INDICATION>
</SI>

Now replace the WAP Push tags as follows:
HEADER ... 06 05 04 0B 84 23 F0 DC 06 01 AE 02 05 6A 00
<STRING> ... 03
</STRING> ... 00
<SI> ... 45
<INDICATION> ... C6
<PROTOCOL INDICATOR> ... 0C for http://, 0D for http://www.
</INDICATION> ... 01
</SI> ... 01
URL ... 73 61 74 6E 61 63 2E 6F 72 67 2E 7A 61 (satnac.org.za)

Full PDU (40 octets ++) .. **
0605040B8423F0DC0601AE02056A0045C60C037361746E61632E6F72672E7A610001036869000101

** place the FULL PDU in the short_message field of the submit_sm PDU
++ Octet is a group of 8 bits, often referred to as a byte

If an application encodes GSM User Data Header Information (UDHI) in the short message user data, it must set the UDHI flag in the esm_class field [8]. In other words, we must indicate that this message is an 8-bit binary message (WAP Push SMS). This is achieved in SMPP by setting the esm_class field to 64 (0x40). Likewise, the encoding of the message must be set to represent 8-bit binary encoding. This is achieved by setting the data_coding field to 4 (0x04) (refer to [7], [8]).
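To see what the 40 octets of Listing 2 actually carry, the following added example (not the paper's code) decodes the template layer by layer: the GSM User Data Header with its port-addressing element, the WSP Push PDU, and the WBXML Service Indication whose tokens the page lists (45, C6, 0C/0D, 03, 00, 01). The port number 2948 for WAP Push, the WBXML token meanings and the WSP content-type value 0x2E for application/vnd.wap.sic are taken from the WAP specifications, not from the page; the decoder rejects anything else, which is how a gateway-side filter would recognise a push payload inside an 8-bit submission. The message text "hi" is what the 68 69 octets in the page's hex decode to.

```python
"""Decode the 8-bit WAP Push payload of Listing 2.

Added example (not from the paper).  It walks the three layers the template
describes: the GSM User Data Header (port addressing), the WSP Push PDU and the
WBXML-encoded Service Indication (SI) that carries the URL and the message text.
"""

WAP_PUSH_PORT = 2948          # destination port 0x0B84 carried in the UDH of Listing 2
WSP_PDU_PUSH = 0x06
CONTENT_TYPE_SIC = 0x2E       # application/vnd.wap.sic, sent as 0xAE (short-integer form)
WBXML_STR_I = 0x03            # inline NULL-terminated string
WBXML_END = 0x01              # end of element / end of attribute list
TAG_SI, TAG_INDICATION = 0x05, 0x06
HREF_PREFIX = {0x0C: "http://", 0x0D: "http://www."}   # the two values listed on the page


def parse_udh(payload):
    """Return (info, rest): port numbers from a 16-bit port-addressing element."""
    udhl = payload[0]
    udh, rest = payload[1:1 + udhl], payload[1 + udhl:]
    info, i = {}, 0
    while i < len(udh):
        iei, iedl = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iedl]
        if iei == 0x05 and iedl == 4:       # application port addressing, 16 bit
            info["dest_port"] = int.from_bytes(data[:2], "big")
            info["src_port"] = int.from_bytes(data[2:], "big")
        i += 2 + iedl
    return info, rest


def parse_wsp_push(body):
    """Return (info, rest): transaction id and content type of a WSP Push PDU."""
    tid, pdu_type, hdr_len = body[0], body[1], body[2]
    if pdu_type != WSP_PDU_PUSH:
        raise ValueError(f"not a WSP Push PDU: type {pdu_type:#04x}")
    headers = body[3:3 + hdr_len]
    if not headers or not headers[0] & 0x80:
        raise ValueError("only the short-integer content-type form is handled here")
    return {"tid": tid, "content_type": headers[0] & 0x7F}, body[3 + hdr_len:]


def _inline_string(buf, pos):
    end = buf.index(0x00, pos)
    return buf[pos:end].decode("utf-8"), end + 1


def parse_si(wbxml):
    """Extract href and text from a WBXML Service Indication document."""
    if wbxml[1] != 0x05:                      # public identifier: SI 1.0 DTD
        raise ValueError("not a Service Indication document")
    pos = 4 + wbxml[3]                        # skip version, public id, charset, string table
    if wbxml[pos] & 0x3F != TAG_SI:
        raise ValueError("expected <si>")
    pos += 1
    token = wbxml[pos]
    if token & 0x3F != TAG_INDICATION:
        raise ValueError("expected <indication>")
    pos += 1
    href = ""
    if token & 0x80:                          # attribute list present
        while wbxml[pos] != WBXML_END:
            t, pos = wbxml[pos], pos + 1
            if t in HREF_PREFIX:
                href += HREF_PREFIX[t]
            elif t == WBXML_STR_I:
                s, pos = _inline_string(wbxml, pos)
                href += s
            else:
                raise ValueError(f"unsupported attribute token {t:#04x}")
        pos += 1
    text = ""
    while wbxml[pos] != WBXML_END:            # element content up to </indication>
        if wbxml[pos] != WBXML_STR_I:
            raise ValueError(f"unsupported content token {wbxml[pos]:#04x}")
        s, pos = _inline_string(wbxml, pos + 1)
        text += s
    return {"href": href, "text": text}


def decode_wap_push(payload):
    """Full decode of a UDH + WSP Push + WBXML Service Indication payload."""
    udh, rest = parse_udh(payload)
    if udh.get("dest_port") != WAP_PUSH_PORT:
        raise ValueError("UDH does not address the WAP Push port")
    wsp, wbxml = parse_wsp_push(rest)
    if wsp["content_type"] != CONTENT_TYPE_SIC:
        raise ValueError("content type is not application/vnd.wap.sic")
    return {**udh, **wsp, **parse_si(wbxml)}


# The 40-octet WAP Push template of Listing 2, copied from the paper.
LISTING2_PAYLOAD = bytes.fromhex(
    "0605040B8423F0DC0601AE02056A0045C60C037361746E61632E6F72672E7A610001036869000101")

if __name__ == "__main__":
    print(decode_wap_push(LISTING2_PAYLOAD))
```

Read back, the 15 HEADER octets split into the UDH (06 05 04 0B84 23F0: ports 2948 and 9200), the WSP push header (DC 06 01 AE) and the WBXML prologue (02 05 6A 00); everything after that is the SI document in which 45 opens <si>, C6 opens <indication> with attributes, 0C supplies the "http://" prefix and the two 03 ... 00 runs carry the URL and the message.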
V. SENDING A “SILENT” SMS

This section considers strategies to launch a silent SMS attack. A successful attack strategy will be one that i) sends an SMS to an MS without displaying the SMS on the MS and ii) is usable on as many SMPP gateways as possible.

In order to find possible attack strategies the SMS specifications were scrutinized and bulk SMS providers questioned regarding the sending of a “Silent” SMS. Once possible strategies have been found, it would be necessary to test a “Silent” SMS in principle and, furthermore, to identify the number of bulk SMS providers providing “Silent” SMS capabilities. We have currently found two known ways to send a “Silent” SMS. There are, however, countless ways to malform an SMS PDU which may cause the handset to malfunction or the SMSC to crash.

A. Manipulating the Data Coding Scheme

Using GSM 03.38 [7], we set the data coding to 192 (0xC0) (11000000). This sets the Message Waiting Indication Group identifier, which translates to “Discard Message”. With bits 7..4 set to 1100, the mobile may discard the contents of the message [7]. Figure 2 shows a “Silent” SMS example by calling an exposed web service method at an SMPP supported SMS gateway.

Fig. 2. Web Service “Silent” SMS Call using [22]

Figure 3 shows the PDU dump of a “Silent” SMS and the delivery receipt notification received. The SMS message status is DELIVRD; however, the message never displays on the mobile handset.

Fig. 3. PDU dump of “Silent” SMS from [22]

The “Silent” SMS defined by manipulating the data coding scheme worked on every SMPP enabled gateway we tested (six different SMPP gateways in total). SMPP gateways are stringently built according to GSM standards [8]. This effectively guarantees the sending of a “Silent” SMS via manipulating the Data Coding Scheme through any SMPP gateway.

B. Manipulating Timing in a WAP Push Message

Another example of a “Silent” SMS is to manipulate the scheduled delivery time or validity period when sending a WAP push SMS. However, this approach was not transparent through all gateways we tested and warrants investigation. By setting the scheduled delivery time or validity period before today’s date, we were able to achieve similar results. The format of the scheduled delivery time and validity period is of the form (YYMMDDhhmmsstnn). Figure 4 illustrates a WAP Push “Silent” SMS example by again calling an exposed web service method at an SMPP supported SMS gateway.

Fig. 4. Web Service “Silent” SMS Call (WAP Push) using [22]

Figure 5 shows the PDU dump of a WAP Push “Silent” SMS and the delivery receipt notification received. The SMS message status is DELIVRD; however, the message never displays on the mobile handset.

Fig. 5. PDU dump of WAP Push “Silent” SMS from [22]

C. Cost of the attack

Now that we have established how to send both 7-bit and 8-bit messages using SMPP, how much would it cost to send a message? Purchasing SMS messages in large pre-paid volume bundles, from messaging providers or network operators, results in substantial cost reductions. A few years ago, some operators were not charging for the sending of bulk SMS messages. Although rare, some network operators still provide this free messaging service. Message costs may be reduced further if the application is assigned a fixed-number sender identifier. This effectively means that a message will always arrive on a handset from the application with a predetermined number. A base cost of 0.01 Euro cents per message is not unobtainable. Then, for example, the cost associated with sending one “Silent” SMS every second for one hour will amount to Euro 36 (1 x 60 x 60 x 0.01 = Euro 36). This shows that a “Silent” SMS DoS attack is economically feasible.
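The following added example (not the paper's code) reads a submit_sm PDU laid out as in Table I and applies the Section V.A and V.B indicators (data_coding 0xC0; a scheduled delivery time or validity period earlier than the submission; an 8-bit UDH payload) as checks a gateway or SMSC could run on incoming submissions, together with the identical-message criterion Section VI proposes. It is fed Listing 1's PDU, which records sm_length as 0 although 13 octets of short_message follow (reported as a length mismatch), and a constructed copy with data_coding set to 0xC0 to exercise the detector; the submission time is a constructed constant, and the time parser ignores the tenths and UTC-offset digits of the SMPP absolute time format.

```python
"""Parse an SMPP v3.4 submit_sm PDU (the Table I layout) and flag the "Silent"
SMS indicators of Sections V.A and V.B, plus the identical-message criterion
of Section VI.  Added example (not the paper's code): a gateway- or SMSC-side
view of the submissions the paper describes.
"""
import struct
from collections import Counter
from datetime import datetime

SUBMIT_SM = 0x00000004
ESM_UDHI = 0x40           # esm_class flag: User Data Header present (Section IV)
DCS_8BIT_BINARY = 0x04    # data_coding used for 8-bit WAP push submissions (Section IV)
DCS_MWI_DISCARD = 0xC0    # data_coding bits 7..4 = 1100: MWI group, discard message (V.A)
EXAMPLE_SUBMITTED_AT = datetime(2007, 4, 1)   # constructed submission time for the demo


def _c_octet(buf, pos):
    """Read a NULL-terminated C-Octet String starting at pos."""
    end = buf.index(0x00, pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_submit_sm(pdu):
    """Split a submit_sm PDU into the fields of Table I."""
    command_length, command_id, _status, seq = struct.unpack_from(">IIII", pdu, 0)
    if command_id != SUBMIT_SM:
        raise ValueError(f"not a submit_sm PDU: command_id {command_id:#010x}")
    if command_length != len(pdu):
        raise ValueError(f"command_length {command_length} but {len(pdu)} octets supplied")
    f, pos = {"sequence_number": seq}, 16
    f["service_type"], pos = _c_octet(pdu, pos)
    f["source_addr_ton"], f["source_addr_npi"], pos = pdu[pos], pdu[pos + 1], pos + 2
    f["source_addr"], pos = _c_octet(pdu, pos)
    f["dest_addr_ton"], f["dest_addr_npi"], pos = pdu[pos], pdu[pos + 1], pos + 2
    f["dest_addr"], pos = _c_octet(pdu, pos)
    f["esm_class"], f["protocol_id"], f["priority_flag"] = pdu[pos:pos + 3]
    pos += 3
    f["schedule_delivery_time"], pos = _c_octet(pdu, pos)
    f["validity_period"], pos = _c_octet(pdu, pos)
    (f["registered_delivery"], f["replace_if_present_flag"], f["data_coding"],
     f["sm_default_msg_id"], f["sm_length"]) = pdu[pos:pos + 5]
    pos += 5
    f["user_data"] = pdu[pos:]                      # every octet after sm_length
    f["short_message"] = f["user_data"][:f["sm_length"]]
    return f


def length_mismatch(f):
    """True when the octets that follow differ from what sm_length announces."""
    return len(f["user_data"]) != f["sm_length"]


def absolute_time(field):
    """Decode the YYMMDDhhmmss part of an SMPP absolute time (YYMMDDhhmmsstnnp).
    Tenths and UTC offset are ignored here; NULL, '0' and relative ('...R')
    values return None."""
    if len(field) < 12 or not field[:12].isdigit() or field.endswith("R"):
        return None
    return datetime.strptime(field[:12], "%y%m%d%H%M%S")


def silent_indicators(f, submitted_at):
    """Reasons a submission would reach the handset without being displayed."""
    reasons = []
    if f["data_coding"] & 0xF0 == DCS_MWI_DISCARD:
        reasons.append("data_coding 0xC0: MWI 'discard message' group (V.A)")
    if f["esm_class"] & ESM_UDHI and f["data_coding"] == DCS_8BIT_BINARY:
        reasons.append("8-bit binary payload with UDH: WAP push, dropped by handsets without WAP support")
    for name in ("schedule_delivery_time", "validity_period"):
        when = absolute_time(f[name])
        if when is not None and when < submitted_at:
            reasons.append(f"{name} {f[name]} lies before the submission time (V.B)")
    return reasons


def flood_report(pdus, submitted_at, threshold):
    """Recipients with >= threshold silent submissions, and identical
    (recipient, content) pairs seen more than once (Section VI's criterion)."""
    silent, identical = Counter(), Counter()
    for pdu in pdus:
        f = parse_submit_sm(pdu)
        identical[(f["dest_addr"], bytes(f["user_data"]))] += 1
        if silent_indicators(f, submitted_at):
            silent[f["dest_addr"]] += 1
    return {"silent_over_threshold": {d: n for d, n in silent.items() if n >= threshold},
            "identical_repeats": {k: n for k, n in identical.items() if n > 1}}


# Listing 1's 71-octet submit_sm PDU, copied from the paper.
LISTING1_PDU = bytes.fromhex(
    "00000047000000040000000000000001" "30000101323738323932333938313200"
    "0101323738323932333938313200" "000000300030000100000000" "7361746E61632E6F72672E7A61")
# Constructed test input: the same PDU with data_coding (offset 55) set to the
# Section V.A value 0xC0; used only to exercise the detector.
SILENT_PDU = LISTING1_PDU[:55] + bytes([DCS_MWI_DISCARD]) + LISTING1_PDU[56:]

if __name__ == "__main__":
    for pdu in (LISTING1_PDU, SILENT_PDU):
        f = parse_submit_sm(pdu)
        print(f["dest_addr"], hex(f["data_coding"]), length_mismatch(f),
              silent_indicators(f, EXAMPLE_SUBMITTED_AT))
    print(flood_report([SILENT_PDU] * 5 + [LISTING1_PDU], EXAMPLE_SUBMITTED_AT, threshold=5))
```

The per-recipient counter is the cheap part of the check; the identical-message criterion needs the full user data as a key, which is why Section VI's objection about per-message cost at worldwide volumes applies to it and not to the field tests.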
VI. THWARTING “SILENT” DOS SMS ATTACKS

We have shown that a “Silent” SMS attack is indeed a reality and cheap enough to be to the detriment of all mobile GSM subscribers. The most obvious solution to this form of attack, or any bulk SMS attack, would simply be to check each message and discard it based on a predetermined set of criteria. One such criterion is to simply discard any identical messages (same content and recipient). With the current volumes [5] of SMS messages sent worldwide, a real-time check on each message is impracticable and will no doubt have an adverse effect on network performance.

The market leader in terms of SMS Fraud Management Systems (FMS) is WhiteCell [23]. Such an FMS counters threats by providing the mobile network operator with an additional security layer on top of its existing SMS infrastructure. This security program identifies potential threats and prevents unwanted traffic from passing through the network. Although such technologies do exist, implementing this across GSM worldwide is a near impossible task given the global complexity of the GSM infrastructure. Added to this, there is the network profit motive. This insight into network operators’ thinking can be summed up in the following comment: “as long as messages are being sent, someone is being charged for it!”.

Thwarting a bulk SMS attack may prove difficult; identifying and preventing a “Silent” SMS attack seems even less likely.

VII. SMS RELATED ATTACKS

A. SMSC Attacks

The first attack is aimed specifically at the SMSC. The SMSC is flooded with malformed SMS PDUs, or SMS PDUs are manipulated to never exit the SMSC retry queue. This may affect the stability of the SMSC, overloading it and eventually causing it to crash.

B. Charged for Receiving SPAM

In the United States the GSM billing model includes billing the subscriber who receives an SMS message. Through the sending of mass SMS messages, the subscriber is charged for unsolicited messages (SPAM). This effectively means that subscribers are legitimately charged for receiving SPAM. In the case of a “Silent” SMS attack, the end user will be charged for messages that were never even displayed on the handset.

VIII. CONCLUSION

In this paper we described, from a technical perspective, how a silent application-generated denial of service (DoS) SMS attack is conducted. We illustrated through real-world examples how such an attack is conducted. We began by providing a detailed description of SMS messages, how they are composed and sent. We made use of the SMPP protocol for the sending of “Silent” SMS messages which may be used in performing a Denial of Service (DoS) attack on a mobile handset. We then investigated possible ways of thwarting such an attack at a GSM network level. Furthermore we explored related SMS attacks on an SMSC and billing of a subscriber within the GSM network.

REFERENCES

[1] M. Rahnema, “Overview of the GSM system and protocol architecture,” IEEE Communications Magazine, vol. 31, no. 4, pp. 92–100, April 1993.
[2] Recommendation GSM 02.09; Security related network functions, European Telecommunications Standards Institute, ETSI, June 1993, Tech. Rep.
[3] 3rd Generation Partnership Project, “3GPP,” Web Reference: http://www.3gpp.org, accessed October 2006.
[4] GSM Association, “homepage,” Web Reference: http://www.gsmworld.com/index.shtml, accessed April 2006.
[5] ——, “SMS (Short Message Service),” Web reference, http://www.gsmworld.com/yechnology/sms, accessed May 2005.
[6] Digital cellular telecommunications system (Phase 2+); Technical realization of the Short Message Service (SMS); Point to Point (PP) (GSM 03.40 version 6.0.0), European Telecommunications Standards Institute, ETSI, March 1998.
[7] Digital cellular telecommunications system (Phase 2+); Alphabets and language-specific information (GSM 03.38 version 7.0.0 Release 1998), European Telecommunications Standards Institute, ETSI, July 1998.
[8] Short Message Peer to Peer Protocol Specification v3.4, The SMS Forum, October 1999.
[9] Short Message Peer to Peer Protocol Specification v5.0, The SMS Forum, February 2003.
[10] N. Croft, “Secure Interoperations of Wireless Technologies,” Masters Dissertation, University of Pretoria, School of Computer Science, October 2003.
[11] N. Croft and M. Olivier, “Using compatible keys in achieving subscriber privacy channelling for billing in GSM Networks,” in Proceedings of the Fifth International Network Conference, S. Furnell, P. Dowland, and G. Kormentzas, Eds., 2005, pp. 245–252.
[12] ——, “Using a Trusted Third Party Proxy in achieving GSM Anonymity,” in South African Telecommunication Network and Applications Conference. SATNAC, September 2004.
[13] ——, “Codec-Hopping: Secure and Private Voice Communication in Bandwidth Constrained Networks,” in SecPerU, Workshop on Security and Privacy in Pervasive Ubiquitous Computing, Santorini, Greece, April 2005.
[14] ——, “Using an approximated one-time pad for securing Short Message Service (SMS),” in South African Telecommunication Network and Applications Conference. SATNAC, September 2005.
[15] M. Mouly and M. Pautet, The GSM System for Mobile Communications. Telecom Publishing, 1992, foreword by Thomas Haug.
[16] E. T. . 929, “Digital cellular telecommunications system (Phase 2); Security related network functions,” European Telecommunications Standards Institute, November 1999.
[17] European digital cellular telecommunications system (Phase 2); Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface (GSM 11.11), European Telecommunications Standards Institute, Sophia Antipolis, France, 1998.
[18] Y. B. Lin, “Signaling System Number 7,” IEEE Potentials, pp. 5–8, August 1996.
[19] CIMD Interface Specification, Nokia SMS Center 7.0, Nokia, December 2004.
[20] LogicaCMG, Web reference, http://www.logicacmg.com, accessed March 2007.
[21] The SMS Forum, Web Reference: http://www.smsforum.net, accessed April 2007.
[22] SMS BUG COMMUNICATIONS, Web reference, https://www.smsbug.com/api/webservice.asmx, accessed April 2007.
[23] WhiteCell, Web reference, http://www.white-cell.com, accessed April 2007.

Neil Croft is a final year PhD Computer Science student at the University of Pretoria. His research interests include security and privacy in current and next generation wireless communication networks. He completed his Masters degree at the University of Pretoria in October 2003 and undergraduate studies at the Rand Afrikaans University in 2001. He currently operates an SMS company called SMS BUG COMMUNICATIONS (www.smsbug.com).
