Jamming Cellphones with Text Messages

Steve writes "Some Penn State professors and students have published a way to jam cellular voice service with simple text messages. From the article: 'Because text messages are transmitted on the same signal that is used to set up voice calls, just 165 messages a second is enough to disrupt all cellphones in Manhattan.' Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network.'"

One problem.

165 messages a second would cost you about ten thousand dollars a minute, at the prices the cell companies charge.

Re:One problem.

$990/minute, assuming a charge of 10 cents per message.

Ch-rist! For that price, I could have a dozen women heavy breathing on my cellphone, telling me how much they love it when I do that to them!

Text is low priority raffic

AFAIK, text is typically low priority traffic, but that can depend on configuration, network type etc. Network control is highest, voice next, followed by data and text.

The reason for this prioritisation is that delaying isochronous (eg. voice) data makes it unusable, but backing up text is OK. If you try jamming with text all you'll end up with is a load of backed up text.

What?

Your comments directly contradict the NY Times article...

The system works even when cellular calls do not because text messages are small packets of data that are easy to send, and because the companies transmit them on the high-priority channel whose main purpose is to set up cellphone calls.

Do you have a source?

Re:What?

I don't have a source, but from my experience with Orange (in the UK), I've found it to be the same as the OP.

One day while I was sending text messages I was getting a surprisingly high percentage of failed sends, so I called their technical helpline, gave my postal code etc and was told the base station nearest to me was undergoing maintanence and thus would have a reduced capacity for around 24 hours, and because voice traffic had priority over SMS/data there may be intermittent issues.

VERY TYPICAL OF GSM

Several years ago I was involved in solving a similiar problem in the GSM/MAP/SS7 backbone network of a major European cellular provider/broker. In that case, there was an problem because the SMS messaging is carried in the MAP "signalling" layer, which resulted in the waste of the vast majority of the bandwidth that was meant to be used to handle subscriber management, roaming, authentication, etc. The network (which provided roaming between 100+ sizable European, Asian, and North African carriers) was being saturated with internet-generated SMS text messaging. Essentially, we were only able to block the traffic, having little control over its generation and/or entry into the network.

Clearly the people that designed the air interface made the same poor architectural decision.

Magic Link

Magic Link, hopefully without a session id.

http://www.nytimes.com/2005/10/05/technology/05pho ne.html?ex=1286164800&en=d917b9cd43dfaa31&ei=5090& partner=rssuserland&emc=rss [nytimes.com]

165 msgs a sec OR

You could send 165 text messages a second OR you could keep calling the phone you want to disrupt!

Re:165 msgs a sec OR

You could send 165 text messages a second OR you could keep calling the phone you want to disrupt!

Except this isn't about disrupting one phone - this is about disrupting the entire regional network. Just the sort thing a criminal or terrorist might want to do during or in the wake of some mal-behavior. So it costs a bunch to send those messages? So what? Bad guys can have some real (or fraudulant) financial resources when that's part of their plan.

Re:165 msgs a sec OR

So it costs a bunch to send those messages? So what? Bad guys can have some real (or fraudulant) financial resources when that's part of their plan.

1) Sign cell phone contract with monthly billing.
2) Send massive amounts of text messages.
3) Blow self up.
4) Don't care if phone bill is high at end of month - having too much fun with the 72 virgins.
5) ...
6) Profit?

Re:165 msgs a sec OR

6) Profit?

Don't you mean "Prophet?"

Re:165 msgs a sec OR

If you think 2 to 4 simultaneous telephone calls will take down a cellular network, the thing would have stopped working a long time ago.

But... I think it's not the vox bandwidth - it's that part of the system that manages the call overhead (per the summary, the part of the system that "sets up" the calls). I believe that housekeeping does indeed take place in a smaller, and separate piece of the spectrum and the network's plumbing. Of course, IANATE (I am not a telecommunications engineer). Text messaging piggy-backs on the data that keeps the system and the phones aware of each other - long before a call (and the related bandwidth) is actually assigned to an user that dials/answers. This would be when someone who works for Verizon or Spring would anonymously chime. We can hear you now, good.

u r hot

165 times a second? Beauty.

Re:u r hot

Easy enough, about 3 or 4 japanese school girls should be able to send a sustained rate of 180 messages a second.

Re:u r hot

Yeah, but lets face it. There are so much better things to do with 3 or 4 japanese school girls than text messages.

BugMeNot

So you don't have to give up your first born:

NY Times Registration [bugmenot.com]

URLs for actual paper

A more detailed description of the threat is at smsanalysis.org/ [smsanalysis.org]. The actual paper at smsanalysis.org/smsanalysis.pdf [smsanalysis.org].

Slashdotting a cell phone

I guess it's kinda like a cell phone getting slashdotted too!

NSA better hire those kids quick

and have the University fire the professors for sparing the rod!

I call shenanigans...

Don't you think that there are already more than 165 text messages being sent out every second in Manhattan?

Re:I call shenanigans...

I don't think its even close. 165/sec lets say from 8am to 8pm is 7,128,000. Around 1.5 million people in Manhattan. So that would be saying every single man, woman, and child in the Manhattan send 4.75 text messages a day.

Texting phones is free with Google

Most people don't know that you can send text messages for free through Google's text messaging service.

http://toolbar.google.com/send/sms/index.php [google.com]

Now all you need is a perl script and ... hello? ...hello?

-------------

judge a man by his wallet [jfold.com]

now I know why text messages cost a fortune...

Because text messages are transmitted on the same signal that is used to set up voice calls

Ah. So that's why it costs an insane amount of money to send a text message (well, that and a text message may mean "no phone call to bill for".)

Also- can anyone explain why data is still so damn expensive? I have a data capable phone w/bluetooth, I travel a fair bit...but I don't ever use the data service, because it's so incredibly expensive. 2-8MB runs you almost as much as the voice service does!

Seems like they could make a lot of people happy if they made data more affordable. I guess we'll have to wait for one of the providers to start competing on that front, instead of buying each other up? :-)

No 12 Days of Christmas

Last year I had a friend that wrote an app that would text message a verse from the 12 days of Christmas every day, but something went horribly wrong and I was getting messaged a verse from that damn song every few milliseconds for a couple hours straight. Not fun.

Hey Steve! (you ass)

some alarming quotes from the NYT article

In their research, the authors concluded that all major cellular networks were vulnerable, and that a single computer with a cable modem could do the job.

...

One challenge for would-be attackers, according to the paper, is pulling together a list of working cellphones in a specific geographical area. But that, too, is made simpler via the Internet; the authors describe a process using Google and some search tricks that allowed them to collect 7,308 cellular numbers in New York City and 6,184 from Washington "with minimal time and effort."

...

The system works even when cellular calls do not because text messages are small packets of data that are easy to send, and because the companies transmit them on the high-priority channel whose main purpose is to set up cellphone calls.

But therein lies part of the vulnerability, Professor McDaniel said. The control channel cannot handle large amounts of data, he said, so by flooding the channel with messages, it is possible to prevent voice calls from going through.

"This is a traffic-jam problem," he said. "You're sending too many cars down a two-lane road."

the research paper with technical details [smsanalysis.org]

Nice observation

From the article, Professor McDaniel says

"It seems to me unlikely that a small number of unsophisticated users would be able to mount this attack effectively."

Who cares! Those aren't the people we're worried about. It would just take ONE sophisticated user to mount this attack.

Computer to the Rescue

Well like all above me said it would be damn expensive to text 165 times a second. Even for a few seconds. Enter Verizons VText [vtext.com].

With this simple website you could send out countless text messages to the same phone. BEst of all its free to send, not to recieve.

If we all did it (no, we should not all do this) it would , if I understand the article correctly, crash the system that phone is on.

But I am sure the Slashdot crowd could get more than 165 per second out

I don't buy it.

There must be at least a million cellphones in Manhattan. I'd say its safe to say that each cellphone would send an average of one text message a day.

So there are already somewhere in the rough ballpark of 1 million text messsages being sent a day. Possibly many more, probably no less.
that equates to 41,000 per hour, or 72 per second, on average.

Now of course the texts aren't spread evenly over those 24 hours. The majority of those messages will be sent during 12 hours of the day, which would mean during those 12 hours the average texts/second would be pretty close to the number of texts they say would overload the network.

SMS is quite popular in Europe, how come not DoS

SMS is quite popular in Europe. Many people in some European countries use SMS more than they would a voice call. With some many people using SMS, how come we don't see a lot of denial of service from a lot of use of SMS?

Re:SMS is quite popular in Europe, how come not Do

The reason is in the EU areas, bandwidth isn't so TIGHTLY restricted. That's why they've got internet connections better than what most of the USA has. Most people I know of in the EU areas pay roughly equivalent to what we do for a 10 mbit down / 2 mbit up connection, if not higher. (These are people on IRC, I wouldn't know about those I know thru IM services)

We've got, what?? Comcast with 7 mbit (shared) down and 1.5 mbit (dedicated) up, as the "potentially best" service? (Roadrunner offers 10 mbit down, but only 512 kbit up, Speakeasy is 6 mbit down dedicated, 768 kbit up dedicated?)

These people have a much larger pipeline to use. *NOW* the big difference is the pipeline leaving their country to go to other countries. Any bets on where most of that data gets sent? You betcha, USA.

Wrong terminology, yet again...

A spammer is not a hacker. Mail bombers have existed for ages but nobody does it anymore because it's pretty traceable (even through open relays)

Per City, or per Cell?

I don't buy it for one very big reason - the cells are functionally independant and Manhattan has a *lot* of cells. That means you could shut down a single cell with text messages if you targetted a single phone but a simple throttle on the number of messages to a single phone number would prevent that.

Now if you could figure out how to send messages to a bunch of different phones all in the same cell then you may be able to take that one cell out of business for a while, but DoS all of Manhattan? I think not.

Grand Central Station

Manhattan usually has 5+ million people in it all day long. 165 msgs:sec is only 10K msgs:minute. I'm surprised Manhattan doesn't already get that kind of traffic. Especially after a big event, like a World Series win, or a stock market crash. I'd say "terrorist attack", but the last one destroyed the 7 World Trade building, which took out Verizon a lot more definitively than a DoS attack. But that hardly seems necessary to generate texts from 0.5% of Manhattan within a minute.

All you guys in Manhattan!

Hey all you guys in Manhattan! Are your cell phones working? If so, then I'll up the number of SMS/second.

GSM SMSC bandwidth/throughput

I know from connections to several european 'short message service centers' that they won't accept more then 10 or 100 messages a second even for wholesale connections (content providers, chat providers, tv games etc.). The overal capacity can never overflow the network since there is a limiter on the SMSC.

New Cell Security

Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network

Yeah, we've upped it, now you have to send 172 texts per second!

Next up

Next up, the Motorola JAMR!

QUICK! Let's take down some websites!

Everybody on the count of three! Start text messaging microsoft.com as fast as you can! From there we'll move on to Yahoo.com, and maybe even cnn.com for fun!

what is even more evil...

You can email a text message to someone's phone, and for some carriers it is an automatic $0.10 or more a message received and the reciever can't not recieve it. Here are all the SMS addys:

Sprint: 10-digit-number@messaging.sprintpcs.com
Verizon: 10-digit-nmber@vtext.com
AT&T: 10-digit-number@mobile.att.net
T Mobile: 10-digit-number@tmomail.net
Nextel: 10-digit-number@messaging.nextel.com
Cingular: 10-digit-number@mobile.mycingular.net
Alltel: 10-digit-number@message.alltel.com

i can see how they could put in safe-guards like monitoring multiple messages from an IP in a certain time frame. but, smart programmers can work around this fairly easily.

Maybe I missed something...?

What is the point of the study or what not that these professors were doing? ... and why publish the results out loud?

If it were true, and they release findings like that, wouldn't that be like just painting a big target sign on cellular infrastructure? ... someone set me straight if I am reading these things wrongly...

Blackberry has the same problem

Back in 2000 I was writing native Blackberry applications. At the time the RIM network was Artus, and you could send 100's of short Artus packets directly to the MIN of the device. BAM! The tower went down till you stopped. The smaller the message the higher the priority - the easier it was to bring down the tower.

"We monitor our network for security issues - BULLSHIT", they monitor the billing systems and channels for abuse - sure - but not the QOS.

how about a JAMMER?

you could jam it with a signal jammer too.

and a whole lot of other ways. but their method isn't good for anything if the priorities are set up correct for the cell.

Wow

Someone try this, I'm in Manhattan now, and I'll write back if it works.

Not hard to implement.

Let's look at it this way:

Sources of Bandwidth/Attacks

• College Campuses(1.5mbps to 45mbps, depending on campus)
• Cable and DSL Users(1.5mbps - 6.0mbps per connection)
• Business Servers(1.5mbps - 1gbps, depending on business system)

The original article assumes you wanted to take out more than one sector in the cellular coverage. If you wanted to be more specific and pinpoint only a handful of sectors, you would need less than the numbers the article specifies.

Most text messaging service providers have email gateways. This is one of the reasons why I disabled my text messaging capability. No way to filter the message and at $0.10 / message, it is too abusable.

A weak computer running a fast multi-threaded emailer(Postfix) can dump a fair amount of email at a email-to-sms gateway. It is amazing how many messages/sec you can achieve if you tweak your configuration. 3-4 well placed and configured systems could take out a sector or 2. Distribute that over 10-20 thousand zombies, and you have much greater capacity and better redundancy. The provier will either need to already have anti-DDOS equipment in place or shut down the gateway. Bounce those over open relays and it makes dynamic rerouting even more difficult.

Scenario:

There is a convention going on. Someone was going to launch an attack on the convention site. They don't need to wipe out access to the entire city. They only need to wipe out acccess to the cellualr cells/sectors covering the convention area itself.

So, they gain access to a list of peoples' phone numbers, who will be attending and SMS-bombard those numbers.

Guess what? Since all of those numbers are at the convention site and being serviced by a fixed number of cellular cells, you have now effectively targetted those cells and overloaded them.

With the cell access busy, to the people trying to make calls or receive calls at the convention, an attack on the convention would only be reportable by landline and/or by bystanders outside of the convention center.

Say the attack is a silent one: chemical, toxin, biological. The emergency response would be delayed enough that most of the target individuals would be dead before help could arrive. Most people these days depend heavily on their cell phones. The first thought isn't to try to make a call on a landline for many.

Another abuse would be to use the system to financially deplete another organization's funds by ramping up their telco fees through excessive messaging via a zombie network. While most organizations might have flat fee subscriptions, some do not. Especially for their one-off need-it-now celphone plans.

I've actually called my provider and asked them about filtering and blocking, but they have told me that it was either completely on or completely off. I chose completely off.

Regional cell DOS unlikely

You can have your 1Gbps net connection or your network of 10,000 zombies out there. It seems to me that if you were trying to cause a cellular outage to a large region via this method (like a city), you'd quickly DOS the SMS or Email-to-text gateway before you'd ever cause an actual voice cell outage.

One would think the guys and gals that set these systems up have thought of such things and keep their eyes open for it (think message throttling). A text-message outage wouldn't have nearly the impact of a voice outage.

In other news...

I'm writing a paper on how you put enough cars thru a major traffic intersection and it will create a problem and cause downtime in that area. I'm going to to call it a 'traffic jam'.

Tell us something we didn't know.. every technology has it's limit, flood it beyond capacity and you will see it fail.

nice.

-b

Telco networks are not like the Internet

For those of you who have never looked at a real phone network, allow me some bandwidth:

Nobody has ever allowed for a one to one switching network like you may have seen with a switched hub. It's too expensive. They use trunk lines instead. The number of trunk lines depends on the statistics of the local area calling. There are benchmarks to use for various types of service. These systems are designed for four and five nines of up time. But it's not overload proof. You have all gotten fast busy signals before. That's because there were no trunks available.

What these folks have figured out is how much bandwidth a typical cell site can have. They have figured out how many text messages it would take to fill up that available bandwidth. Big Deal. Cell sites do saturate. This is not a design "flaw" --it's a design point. Just as almost nobody builds buildings to withstand 200 MPH winds, almost nobody builds that much bandwidth in to a cell site. You could, but it would almost never get used.

Instead we build them to handle almost all conditions. Yes, they can saturate. That's a political design issue. Someone who knows the design points can certainly overload one. But during normal use, they will work just fine. Since there are no lasting effects from such overload, most engineers figure that people will just clear out before things get too dicey.

Naturally, some twits who want to jam cell phone conversations will find plenty of ways to do this. The network is built for civil use --not military use. That's why police and fire authorities use seperate communications networks (or if they don't they're just asking for trouble). That's why ham radio operators are often able to render assistance when everyone else is busy trying to call home. Common Carrier networks will overload at some point, just as roads can saturate and slow to a crawl. We'll never have enough bandwidth or enough roads. But we can ensure that there will be enough to get by.

The Times could do for a brief lesson in engineering design criteria...

DoS'ing != Hacking

I was listening to NPR earlier (and also checked random news sources when I got home) and found that quite a few news sources analogized "hacking on the internet" like this form of hacking. However, this sort of attack sounds more similar to a DoS attack rather than finding exploits to break in.

Network monitoring...

• "Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network."

I have personally witnessed the monitoring that is performed by cellular network providers. I was actually pretty impressed with Verizon for it. Our company uses the Verizon network for cellular networking of computers (Internet connectivity through a PCMCIA-based cellular modem). We received a phone call out of the clear blue one day from a Verizon network technician who asked if we were having a problem with one of our machines. Though we hadn't seen any connectivity loss according to the machine's logs, they reported more than 10,000 attempted connection failures from our machine in a 24 hour period. They said this was usually indicative of an antenna problem on one of their towers, apologized profusely and said they had a crew out at the tower probing for the failure already. All this and we weren't even aware there was a problem.

CDMA?

I wonder if CDMA networks would be less likely to be affected by this sort of attack since all data is sent on the same channel anyway. There is a quote in the article from Verizon (who uses a CDMA network) but it didn't really go into specifics.

Working for Virgin Mobile

Who uses Sprints network, I have seen effects of cell sites being overloaded. In areas where hurricane evacuees flocked, we've gotten tons of calls about people unable to make voice calls. I don't know if SMS spam could do the same thing, but cell networks are quite possible to strain. Don't know if this helps the discussion, but it's what my experience has taught me.

No sh*t Sherlock

This is another of those great stories where people release research on the bleeding obvious.

Has anyone tried to use their handset in a heavilly populated urban area at around midnight on New Year's Eve? Suprisingly enough, due to all the people sending "Happy New Year" SMSs the network falls to it's knees - the spike in traffic traffic is such, we were carrying of the order of thousands of SMSs/second, that it is simply uneconomical to build a network that will support it (you would have half your capacity unused for the rest of the year).

Maybe I should apply for a professorship at Penn State as not only did I already know that, I was also responsible for putting a solution together to deal with these very issues at my empolyer (large mobile telco) last Xmas/New Year. You can actually manage the level of service you offer to get around this and give priority to 999 (911) calls and calls made by handsets owned by the emergency services (and network engineers).

monitor what?

my ISP monitors my internet too but i go way over my monthly limit (some odd 40GB a month) and they dont catch that...

Hysterically Funny...

How cellphones have become so much like miniature computers that you can actually take them down with a Denial-of-Service attack! And the company responds by hiding it's head in the sand - terrific! By the way, you can spend gobs of money sending the text messages, or have pager-alerts sent for free all day from your email account; I know Yahoo already does this.

I saw this coming, and I see more coming yet. Cell phones will have all of the bad aspects of computers (crashing, viruses, spam, hacks, expense) and none of the benefits. I've never gotten one - I have too many other tech gizmos to bother with - and I'm beginning to be glad I didn't.

wouldn't work on the original gms spec

I'm not up to date, but 6 years ago when I read the then current GMS spec. SMS data was sub-band data, that is, absolutely limited bandwidth that is always there. It couldn't possibly interfere with phone calls, since it simply get's piggy-backed on existing phone call data.

There are easier ways to jam

What the cellphone companies never mention (and hackets don't
seem to have picked up on) is that if you want to jam a
cellphone network just switch on a high power wideband
UHF transmitter on the same frquency band (easily built by someone
with reasonable RF electronics ability) It shouldn't even
need to be modulated but you could always play metallica on it
just to be sure the phones can't pick up any data.

No telco engineers here , move along please

At +3 lavel i saw only one post containg the word SIGNALLING . Wow , that is so awful , no telco engineers read slashdot. Shame on you .

1500 bytes per message

OK, I'm a little late in reading this story...

From my (albeit quick) reading of the paper, it seems like they are saying that 165 messages a second could overwhelm the control channels of a Manhattan sized cell network, blocking call setup.

However, they are basing this on 1500 bytes per text message packet. That seems way too large for most SMS messages. Wouldn't the easy solution be just to block messages over a couple of hundred characters?

--Barry

Beutiful paper, but not possible

Beautiful paper, but in the practice this couldn't happen. TV SHows in latin america and spain, that I personally know, receives near 150.000 sms per hour (~40 sms/sec). With a modem gprs/gsm we can send 30 sms/second. In fact, i my former job we sent periodically over 50 sms/sec without DOS effect over GSM networks. Are you telling that with 4 modems we can disrupt the all the cell phones in Manhattan? No, is not possible. Even without modems, using SMPP directly, the protocol is so slow that we can't reach a throghput big enough to make this possible. In practice, Cell Phones Companies doesn't allow more than 40-50 sms/sec. Personally, I wrote a ESME application server server with a throughput of 600 sms/sec, using SMPP, but no company ever acepted more than 50 sms/sec, because of contention. There is a lot of contention in SMSC and all ESMEs must be aware of this, and manage their own queues because of this. In the paper the investigator forgot some important bussines step before the SMSC query the HLR. The SMSC must consult de Subscribers Database and check billing systems, for example. This is the main reason of contention of sms messages. I don't know how cell phones billing is in USA, but in many countries there is a limit based on the plan subscripted.

URL of the paper

http://www.smsanalysis.org/smsanalysis.pdf [smsanalysis.org]

Blackberry jam

more like!

How fast can you think and type!???!

This story has been out for a minute and you've written a longer reply than the article!

Re:Expensive

They're sending the messages through the internet - through some sort of gateway. Do you still have to pay for that?

Its not just the spammer's fault

Part of the blame rests on people who complain about spam but then buy things advertised through spam. Without this reinforcement spammers would be greatly diminished.

Re:Maybe it is time to bring back CDPD

Maybe in your neck of the woods. In Canada, the last time I was involved in public safety CDPD-networked software deployment and development, we had segregated channels. So this issue never came up. We segregate voice and data channels up here and that seems to work pretty well. Maybe it has some technical drawbacks in terms of utilization rates, but it kinda removes some potential for abuse.

Re:What flavour?

I knew someone would get the Spaceballs [imdb.com] reference.

Re:Expensive

Yeah, and piloting an airliner into a building leaves you dead. So we don't worry about that, do we?

Re:What flavour?

RADAR TECH. Sir. The radar, sir. It appears to be....
Jam starts dripping down the screen.
RADAR TECH. ....jammed.
HELMET Jammed? (takes a taste of the jam) Raspberry. There's only one man who would dare give me the raspberry. (pulls down mask) Lone Starr!
CAMERA hits HELMET. HELMET falls backwards.