Text Hackers Could Jam Cellphones, a Paper Says
http://www.nytimes.com/2005/10/05/technology/05phone.html

By JOHN SCHWARTZ
Published: October 5, 2005

Malicious hackers could take down cellular networks in large cities by
inundating their popular text-messaging services with the equivalent of
spam, said computer security researchers, who will announce the findings of

Such an attack is possible, the researchers say, because cellphone companies
provide the text-messaging service to their networks in a way that could
allow an attacker who jams the message system to disable the voice network
as well.

And because the message services are accessible through the Internet,
cellular networks are open to the denial-of-service attacks that occur
regularly online, in which computers send so many messages or commands to a
target that the rogue data blocks other machines from connecting.

By pushing 165 messages a second into the network, said Patrick D. McDaniel,
a professor of computer science and engineering at Pennsylvania State
University and the lead researcher on the paper, "you can congest all of
Manhattan."

Professor McDaniel and the other faculty author, Thomas F. La Porta, have
extensive experience in computer security, including work in the
telecommunications industry. The findings are expected to be released today
at Penn State, and as a formal research paper at a computer security
conference next month.

Cellular companies acknowledge that such attacks are possible, but say that
they have developed systems to prevent effective ones.

"If you're not prepared, that could happen," said Brian Scott, senior
manager for wireless messaging operations at Sprint. "If you are prepared
and you have means in place to identify, detect and mitigate that, it's not
as much of a concern."

Other specialists said such systems would face many of the same obstacles as
those that try to block denial-of-service attacks, one of the thorniest
problems in countering hackers.

"The solutions don't tend to be very elegant" in the Internet world, said
Gary McGraw, chief technical officer of Cigital, a security consultant to
the computing and telecommunications industries. "And I believe it will be
the same thing on cellphones."

In their research, the authors concluded that all major cellular networks
were vulnerable, and that a single computer with a cable modem could do the
job. The researchers do not appear to believe that anyone has deliberately
disrupted cellphone networks in this way, although it appears to have
occurred by accident in other nations.

The text-messaging system, called S.M.S. for short messaging service, is an
increasingly important part of the cellular network. Aside from its
popularity with users, especially teenagers, it has gained prominence as a
way to communicate when voice networks fail, as in emergencies like the
terrorist attacks on Sept. 11, 2001.

The system works even when cellular calls do not because text messages are
small packets of data that are easy to send, and because the companies
transmit them on the high-priority channel whose main purpose is to set up
cellphone calls.

But therein lies part of the vulnerability, Professor McDaniel said. The
control channel cannot handle large amounts of data, he said, so by flooding
the channel with messages, it is possible to prevent voice calls from going
through.

"This is a traffic-jam problem," he said. "You're sending too many cars down
a two-lane road."

Specialists not connected with the study said that weak link, combined with
computers' ability to automatically repeat Internet processes at blinding
speed, added up to a serious threat.

"Any time a vulnerability in the physical world exists that can be exploited
via computer programs running on the Internet, we have a recipe for
disaster," said Aviel D. Rubin, technical director of the Information
Security Institute at Johns Hopkins. "It is as though those who wish to harm
us have a magic switch that can turn off the cellular network."

The Penn State researchers said that once they began exploring the
vulnerabilities of the network, they proved their concepts on a small scale
by using their own cellphones.

"We were very, very careful," Professor McDaniel said. "We never sent more
traffic than was necessary."

Their research proved that blocking networks was possible, a conclusion they
later verified in private conversations with telephone company engineers and
government regulators, he said.

One challenge for would-be attackers, according to the paper, is pulling
together a list of working cellphones in a specific geographical area. But
that, too, is made simpler via the Internet; the authors describe a process
using Google and some search tricks that allowed them to collect 7,308
cellular numbers in New York City and 6,184 from Washington "with minimal
time and effort."

Though the vulnerability is serious, Professor McDaniel said, it is still
the kind of thing that could only be carried out by skilled attackers, at
least for now.

"It seems to me unlikely that a small number of unsophisticated users would
be able to mount this attack effectively," he said.

The paper, to be posted online at www.smsanalysis.org, also offers
suggestions for heading off the problem. The most direct solution, simply
disconnecting the short messaging services from the Internet gateways, is
not practical, Professor McDaniel said. But technologies to limit the
messages being inserted into the network could provide some protection.
Among the other recommendations is separating the voice and data in the next
generation of cellphone technology so data jams cannot affect voice calls.

Cellular companies said they were moving forward on this and other security
issues.

A spokesman for Cingular, Mark Siegel, said his company "constantly and
aggressively monitors potential threats to the integrity and security of its
network," but added, "As a rule, we don't comment on the defensive measures
we have put in place or may put in place."

Dave Oberholzer, a marketing manager for information at Verizon Wireless,
said the company was well protected against
this kind of attack because of software the company had put in place to
insulate users from cellphone message spam. "We have fairly robust spam
filters on those gateways," he said. "All of that is pretty much automated
at this point."

Mr. McGraw, the chief technical officer of Cigital, said the goal of
research like the Penn State paper was not to help hackers scale new
heights, but to alert companies to problems before someone exploited them.

Getting the word out "has to be done very responsibly and very carefully,"
he said. "You don't want people to panic, but you do want them to sit up,
take notice and do something about it."


