Researchers: SMS attacks could cripple cell phones

Attackers could use text messaging to cripple mobile networks, according to a University of Pennsylvania report.

Hackers armed with a moderately sized network of zombie computers theoretically could knock out cellular service throughout the U.S., according to security researchers at Pennsylvania State University. In a report published Wednesday, the researchers explained how such an attack could exploit weaknesses in Short Message Service (SMS), which is used to send and receive text messages between mobile phones.

By engaging in a little creative hacking, attackers could build up databases of mobile numbers from specific regions and then flood those numbers with unwanted text messages. Attackers could use publicly available Web sites or messaging clients on zombie computers to send the text messages, which could eventually jam up the cellular towers that carriers use to send and receive SMS messages from mobile phones.

Because mobile phones use the same small portion of radio frequency, called the "control channel," to both set up calls and send SMS messages, a flood of SMS messages could so overwhelm a cellular tower that it would effectively prevent any new telephone calls from going through.

This technique, called a denial-of-service (DoS) attack, has been used successfully to take down Web sites, but to date, it has not been used on cellular networks, the researchers say.

To be most successful, the attack would need to target telephones within a certain geographic region, but the Penn State researchers said that this can be done by using public databases and creative Google searches.

In fact, it would take little more than a cable modem to deny service to large metropolitan areas in the U.S. For example, a city the size of Washington, D.C., could be taken out by a DoS attack with a bandwidth of about 2.8Mbps, they said.

"The amount of bandwidth that's allocated to the control channel is exceedingly small," said Patrick McDaniel, a professor of computer science and engineering at the university and one of the authors of the report. "The reason why we can mount this attack with so few messages is the fact that there's so little control channel bandwidth to be congested."

In fact, some European networks have already been overwhelmed when legitimate SMS messaging has hit unexpectedly high levels, McDaniel said. "It's happened by accident," he said.

Though McDaniel and his fellow researchers said they expect U.S. carriers to change practices in response to their research, the report did not come as a surprise to some.

"We're aware of this potential, and it is a very limited potential," said John Polivka, a spokesman for Sprint Nextel Corp. "We have measures in place now to protect the network and our customers, including what's been described in this paper."

Even a successful attack would, at best, shut down most networks for only a short period of time, said Shiv Bakhshi, director of wireless infrastructure research with IDC.

"Every network operator has to be aware of this," he said. "If for no other reason than they have seen such clogging with the legitimate use of SMS messaging."

Still, the researchers have a few basic recommendations that could significantly mitigate the risk of this type of attack, McDaniel said. Mobile operators could, for example, separate the text messaging and call-setup functions within the control channel. They could also make it harder for attackers to do online reconnaissance by reducing the amount of subscriber information they publish on the Internet, he said.
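To make the congestion condition concrete from the operator's side, here is an added example (not code from the report or from any carrier): a sliding-window counter over constructed SMS delivery records that flags a cell sector whose delivery rate exceeds an assumed per-sector control-channel capacity. The log format, sector identifiers, window length and capacity figure are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed messages/second a sector's shared control channel can absorb before
# call setup is starved. Constructed value; real figures depend on the
# carrier's channel allocation and are not given in the article.
SECTOR_CAPACITY_PER_SEC = 10.0
WINDOW = timedelta(seconds=10)


def parse_record(line):
    # Constructed log format: "<ISO timestamp> <sector-id> <recipient> SMS-DELIVER"
    ts, sector, recipient, _ = line.split()
    return datetime.fromisoformat(ts), sector, recipient


def find_saturated_sectors(lines, capacity=SECTOR_CAPACITY_PER_SEC, window=WINDOW):
    """Return {sector: peak msgs/sec} for every sector whose delivery rate over
    a sliding window exceeded the assumed capacity. Records must arrive in
    time order per sector, as they would from a delivery log."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        ts, sector, _ = parse_record(line)
        q = recent[sector]
        q.append(ts)
        while q and ts - q[0] > window:  # drop deliveries older than the window
            q.popleft()
        rate = len(q) / window.total_seconds()
        if rate > capacity:
            peak[sector] = max(peak.get(sector, 0.0), rate)
    return peak


def sample_log(n_flood=200, n_normal=20):
    """Constructed sample: one sector with ordinary traffic (one message every
    500 ms) and one sector receiving a burst (one message every 20 ms)."""
    base = datetime(2005, 10, 5, 12, 0, 0)
    lines = []
    for i in range(n_normal):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.isoformat()} DC-NW-07 +1202555{i:04d} SMS-DELIVER")
    for i in range(n_flood):
        t = base + timedelta(milliseconds=20 * i)
        lines.append(f"{t.isoformat()} DC-SE-12 +1202555{1000 + i:04d} SMS-DELIVER")
    lines.sort(key=lambda l: l.split()[0])  # ISO timestamps sort lexicographically
    return lines


if __name__ == "__main__":
    print(find_saturated_sectors(sample_log()))  # {'DC-SE-12': 20.0}
```

The flagged sector and its peak rate are what an operator would feed into per-sector SMS throttling, so that call setup on the shared control channel keeps its share.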

The Penn State report is available here: