RSS
Twitter
Is It Still A Security Threat If It Was Fixed Ages Ago?
from the uh,-yeah,-prepared-for-that-already dept
We can't seem to go a week without having some security researchers getting headlines for a completely obvious security risk that probably isn't much of a risk at all. Last week it was that (gasp! no!) spammers might attach embarrassing music files to their spam, and this week it's that someone could launch a text message-based denial of service attack against a cellular network. It's not hard to figure out how it would work. Basically, someone (probably using an internet gateway) would spam a ton of SMS numbers, and that would, in theory, slow down the network. Apparently, this "threat" is so important that it's getting its own research paper and a writeup in the NY Times. Of course, it's an amazingly obvious threat -- so obvious, in fact, that most operators have already thought about it and put in place preventative measures. In other words, it's not much of a threat at all.
Reader Comments
(Flattened / Threaded)
SMS spam
This is not a new issue, and I agree that it doesn’t warrant the scare type of write-up. We have seen several attacks on individual users where someone sends several hundred SMS messages to one number, known as SMS Bombing. There was also a virus that had as the payload code to send SMS messages on one of the Portuguese networks, but that was about 5 years ago.
There is also quite a bit of SMS spam floating around, though some operators have filters in place many do not and the international nature of SMS delivery means that any open network can be used to send. There are major SMS marketing operations in Jersey Telecom, Swisscom, and MTN South Africa that I know of that generate the majority of SMS spam.
Lastly there are some instances of malformed SMS messages that can cause particular failures on some phones, there was one that would corrupt a particular model of a Nokia phone such that the phone software needed to be reloaded into the phone to fix, but most of the problems can be fixed by power cycling the phone.
The paper talks about a “theoretical” attack and looks at the limitations that GSM has on the air interface for delivery of these messages. This completely ignores the role of the SMSC (short message centre) in the delivery of messages. The only way to send a SMS is to use a SMSC somewhere in the world, and that would require access to the target network over SS7 signaling interface, these interfaces are normally carried over dedicated circuits normally 2 or 3 by 64k (56k in the USA) this is plenty for the normal inter-carrier SMS and other signaling but would choke a denial of service attack. The only other way would be to use the target operators own SMSC and these usually have rate limitations on incoming message delivery connections, especially if these are coming from the internet.
(reply to this comment) (link to this comment)
Add Your Comment