Cell phone networks are so vulnerable to denial-of-service-style attacks that an assault carried out by a mid-sized bot network could bring down the United States' entire mobile infrastructure, a group of academic researchers said in a paper made public Wednesday.
The paper, which will be presented by four Pennsylvania State University researchers at the ACM Conference on Computer and Communications Security in November, outlined how an attack exploiting weaknesses in SMS (Short Message Service) could overload a cell network, and bring both voice and text messaging to a screeching stop.
The key to an attack, said the four in their paper, is that both voice and text messaging share the same small slice of the radio network -- which they called "control channels" -- to set up calls and SMS delivery, and assign the much broader "traffic channels" to voice calls. If the control channels are overloaded with, say, a large number of text messages, those channels are exhausted, making it impossible for voice calls to be connected.
The result: no cell communication at all.
The researchers, led by Patrick McDaniel, a Penn State professor of computer science and engineering, noted that such an attack would require text messaging a large number of cell phones; sending massive numbers to only one phone, or even a few, doesn't do the trick.
But thanks to the Internet, it's not tough to compile a big list of numbers.
Using a combination of Google and public databases, an attacker could easily assemble a large pool of numbers to text message in a denial of service attack. With Google, the researchers "were able to collect 865 unique numbers from the greater State College, Penn., region, 7,308 from New York City, and 6,184 from Washington D.C. with minimal time and effort," they wrote in the paper.
The most successful attacks, said McDaniel and his colleagues, Thomas La Porta, another professor and the director of the school's Networking and Security Research Center; PhD student Patrick Traynor; and graduate student William Enck, would be those directed against cell phone numbers in a defined geographic area, such as a metropolis.
Bringing down a city's cell system wouldn't require anything more than a cable or high-speed DSL modem, the four estimated, and access to the numerous Web sites which let people send text messages to mobile users.
Saturating the Washington D.C. cell network would take just 2.8Mbps of bandwidth; to bring down Manhattan's, no more than 1.3Mbps. Consumer-grade cable and DSL lines offer that much, and more.
To hack the whole U.S., about 370Mbps of bandwidth would be needed. "Such bandwidth could be harnessed from a moderately sized 'zombie' network," the paper went on. "Much larger distributed denial of service (DoS) attacks have already been seen, making this attack plausible."
While DoS attacks are relatively common against Web sites and servers, they've not been launched -- not purposefully, anyway -- against cellular networks. That could change at any time.
"An adversary injecting text messages from the Internet can cause almost twice the yearly expected network down-time in a metropolitan area using hit-lists containing as few as 2,500 targets," the Penn State researchers said. "With additional resources, attacks capable of denying voice and SMS service to an entire continent are also feasible."
The Penn State paper is available in PDF format from the university's Web site.