Jamming Cellphones with Text Messages

Steve writes "Some Penn State professors and students have published a way to jam cellular voice service with simple text messages. From the article: 'Because text messages are transmitted on the same signal that is used to set up voice calls, just 165 messages a second is enough to disrupt all cellphones in Manhattan.' Cellular providers, of course, fired back, one stating that it 'constantly and aggressively monitors potential threats to the integrity and security of its network.'"

Magic Link

[JS_RIDDLER]

Magic Link, hopefully without a session id.

http://www.nytimes.com/2005/10/05/technology/05pho ne.html?ex=1286164800&en=d917b9cd43dfaa31&ei=5090& partner=rssuserland&emc=rss [nytimes.com]

URLs for actual paper

[mblaze]

A more detailed description of the threat is at smsanalysis.org/ [smsanalysis.org]. The actual paper at smsanalysis.org/smsanalysis.pdf [smsanalysis.org].

Re:One problem.

[jerw134]

$990/minute, assuming a charge of 10 cents per message.

Texting phones is free with Google

[popo]

Most people don't know that you can send text messages for free through Google's text messaging service.

http://toolbar.google.com/send/sms/index.php [google.com]

Now all you need is a perl script and ... hello? ...hello?

-------------

judge a man by his wallet [jfold.com]

Re:How fast can you think and type!???!

[metternich]

Can you say Copy and Paste [linxnet.com] Troll?

Re:One problem.

[maxrate]

You can send text messages for free via e-mail, recieving is usually free too.

What?

[EvanED]

Your comments directly contradict the NY Times article...

The system works even when cellular calls do not because text messages are small packets of data that are easy to send, and because the companies transmit them on the high-priority channel whose main purpose is to set up cellphone calls.

Do you have a source?

Re:What?

[timmyf2371]

I don't have a source, but from my experience with Orange (in the UK), I've found it to be the same as the OP.

One day while I was sending text messages I was getting a surprisingly high percentage of failed sends, so I called their technical helpline, gave my postal code etc and was told the base station nearest to me was undergoing maintanence and thus would have a reduced capacity for around 24 hours, and because voice traffic had priority over SMS/data there may be intermittent issues.

I don't buy it.

[Johnno74]

There must be at least a million cellphones in Manhattan. I'd say its safe to say that each cellphone would send an average of one text message a day.

So there are already somewhere in the rough ballpark of 1 million text messsages being sent a day. Possibly many more, probably no less.
that equates to 41,000 per hour, or 72 per second, on average.

Now of course the texts aren't spread evenly over those 24 hours. The majority of those messages will be sent during 12 hours of the day, which would mean during those 12 hours the average texts/second would be pretty close to the number of texts they say would overload the network.

Re:Text is low priority raffic

[Lehk228]

sending smsm messages uses the control channel, which is required for setting up each voice call. ever noticed sometimes you can send/recv SMS messages but when you try to call you get no service

Re:165 msgs a sec OR

[maxrate]

Think about it - usually text messages are a max of 200 characters a message X 165 / sec = 33,000 characters a second. 33,000 DIVIDED by 1024 (1k) = 32K/sec of bandwidth. The average telephone call consumes about 19.2K/sec maximum (after compression, so yes a voice circuit can use a heck of a lot less, I believe they say the average duplexing and use of a bi-directional voice link bandwidth efficiency is about 60% as a rule of thunmb --- the consumption of bandwidth generally, meaning at least 40 percent of a call is wasted circuit switched bandwidth on average). So let's say the bandwidth of 165 200 character text messages a second is like the bandwidth of a maximum of 2 to 4 simultanous telephone calls. If you think 2 to 4 simultaneous telephone calls will take down a cellular network, the thing would have stopped working a long time ago.

I'm sure there are at least 165 text messages being sent every second already.

Yes I do know there are store and forwarding to consider/routing etc, however I find this unlikely.

Re:I don't buy it.

[Anonymous Coward]

41,000 per hour is 12 per second, not 72. So there's plenty of capacity.

Re:One problem.

[kd5ujz]

true, and if other providers are like cingular, you can just write a script to go through a given range of telephone prefixes. with cingular, an email to 1231231234@my.cingular.com will result in a text message being sent to 123-123-1234's cell phone.

Not with Verizon

[everphilski]

.... with Verizon's *in* network, $5 a month flat rate to other Verizon members.

Verizon kicks ass.

-everphilski-

Re:What?

[glesga_kiss]

You believed what Orange Customer Support said? Let me guess...you don't check out many cellular formus do you? ;-) They fib about technical problems all the time.

GSM SMSC bandwidth/throughput

[ReVeL75]

I know from connections to several european 'short message service centers' that they won't accept more then 10 or 100 messages a second even for wholesale connections (content providers, chat providers, tv games etc.). The overal capacity can never overflow the network since there is a limiter on the SMSC.

what is even more evil...

[first_tracks]

You can email a text message to someone's phone, and for some carriers it is an automatic $0.10 or more a message received and the reciever can't not recieve it. Here are all the SMS addys:

Sprint: 10-digit-number@messaging.sprintpcs.com
Verizon: 10-digit-nmber@vtext.com
AT&T: 10-digit-number@mobile.att.net
T Mobile: 10-digit-number@tmomail.net
Nextel: 10-digit-number@messaging.nextel.com
Cingular: 10-digit-number@mobile.mycingular.net
Alltel: 10-digit-number@message.alltel.com

i can see how they could put in safe-guards like monitoring multiple messages from an IP in a certain time frame. but, smart programmers can work around this fairly easily.

Re:now I know why text messages cost a fortune...

[kesuki]

a couple reasons... bandwith available is very limited. the entire licensed spectrum for cell phone coverage is less than the frequency a single analog TV broadcaster uses.

so yeah data is expensive, and frankly the answer to that was going to be the FCC taking all 13 channels of VHF broadcast and converting them to various products including a large subset to be licensed for cellular broadcasts... but the states is nowhere near the numbers that would allow the FCC to license off those frequencies.

if you have more frequency you can sell 'data' for less. they've already gotten to the point where voice calls are unlimited on weekends and evenings, so they can get virtually everyone paying $40 a month for service they can only realistically use during the day when it takes off plan minutes/really costs money.

Re:What?

[kesuki]

Your comments directly contradict the NY Times article...

The system works even when cellular calls do not because text messages are small packets of data that are easy to send, and because the companies transmit them on the high-priority channel whose main purpose is to set up cellphone calls.


Do you have a source?

Bad reporting, Yes cell phones use SMTP to contact towers, and verify the accessability of circuits, and those SMTP packets are highly flaged, and YES text messages are SMTP packets (same as ICQ and e-mail, AIM, MSN etc etc) But they are Flagged as Junk priority by the mailer dameon that negotiates these things. which means that basically even if you're trying to send 165 text messages a second the tower can tell Instantly if it's a text message or a negotiation signal, and Instantly drops the signal on the floor if it doesn't have room for the text message. and this attack is only possible of being done from the cell phone side, because if you sent it on the 'internet' side it simply creates a backlog of messages to be sent. the server will either discard or wait to transmit until it feels OK with doing one or the other.

BTW the main reason text messages work when normal calling doesn't is because the phone can legally retry sending the message say, every minute until the tower 'acknowledges' the transmission although i don't know for certain if this is done, or if it's a simple 'trust' system where the phone does it best to send it and if the tower doesn't have bandwith for it when it gets the message it's just lost forever...

Re:One problem.

[alc6379]

true, and if other providers are like cingular, you can just write a script to go through a given range of telephone prefixes. with cingular, an email to 1231231234@my.cingular.com will result in a text message being sent to 123-123-1234's cell phone.

While it is technically feasible that this could be done, implementing an anti-spam filter, or similar, on the mail address in question. While everything is still going through a server (and I'm sure similar solutions can/will exist for SMS), whether it's email or SMS, I'm pretty confident that a modern IDS could already help if someone tried to do this by emailing a phone.

Not hard to implement.

[digital photo]

Let's look at it this way:

Sources of Bandwidth/Attacks

• College Campuses(1.5mbps to 45mbps, depending on campus)
• Cable and DSL Users(1.5mbps - 6.0mbps per connection)
• Business Servers(1.5mbps - 1gbps, depending on business system)

The original article assumes you wanted to take out more than one sector in the cellular coverage. If you wanted to be more specific and pinpoint only a handful of sectors, you would need less than the numbers the article specifies.

Most text messaging service providers have email gateways. This is one of the reasons why I disabled my text messaging capability. No way to filter the message and at $0.10 / message, it is too abusable.

A weak computer running a fast multi-threaded emailer(Postfix) can dump a fair amount of email at a email-to-sms gateway. It is amazing how many messages/sec you can achieve if you tweak your configuration. 3-4 well placed and configured systems could take out a sector or 2. Distribute that over 10-20 thousand zombies, and you have much greater capacity and better redundancy. The provier will either need to already have anti-DDOS equipment in place or shut down the gateway. Bounce those over open relays and it makes dynamic rerouting even more difficult.

Scenario:

There is a convention going on. Someone was going to launch an attack on the convention site. They don't need to wipe out access to the entire city. They only need to wipe out acccess to the cellualr cells/sectors covering the convention area itself.

So, they gain access to a list of peoples' phone numbers, who will be attending and SMS-bombard those numbers.

Guess what? Since all of those numbers are at the convention site and being serviced by a fixed number of cellular cells, you have now effectively targetted those cells and overloaded them.

With the cell access busy, to the people trying to make calls or receive calls at the convention, an attack on the convention would only be reportable by landline and/or by bystanders outside of the convention center.

Say the attack is a silent one: chemical, toxin, biological. The emergency response would be delayed enough that most of the target individuals would be dead before help could arrive. Most people these days depend heavily on their cell phones. The first thought isn't to try to make a call on a landline for many.

Another abuse would be to use the system to financially deplete another organization's funds by ramping up their telco fees through excessive messaging via a zombie network. While most organizations might have flat fee subscriptions, some do not. Especially for their one-off need-it-now celphone plans.

I've actually called my provider and asked them about filtering and blocking, but they have told me that it was either completely on or completely off. I chose completely off.

Telco networks are not like the Internet

[AB3A]

For those of you who have never looked at a real phone network, allow me some bandwidth:

Nobody has ever allowed for a one to one switching network like you may have seen with a switched hub. It's too expensive. They use trunk lines instead. The number of trunk lines depends on the statistics of the local area calling. There are benchmarks to use for various types of service. These systems are designed for four and five nines of up time. But it's not overload proof. You have all gotten fast busy signals before. That's because there were no trunks available.

What these folks have figured out is how much bandwidth a typical cell site can have. They have figured out how many text messages it would take to fill up that available bandwidth. Big Deal. Cell sites do saturate. This is not a design "flaw" --it's a design point. Just as almost nobody builds buildings to withstand 200 MPH winds, almost nobody builds that much bandwidth in to a cell site. You could, but it would almost never get used.

Instead we build them to handle almost all conditions. Yes, they can saturate. That's a political design issue. Someone who knows the design points can certainly overload one. But during normal use, they will work just fine. Since there are no lasting effects from such overload, most engineers figure that people will just clear out before things get too dicey.

Naturally, some twits who want to jam cell phone conversations will find plenty of ways to do this. The network is built for civil use --not military use. That's why police and fire authorities use seperate communications networks (or if they don't they're just asking for trouble). That's why ham radio operators are often able to render assistance when everyone else is busy trying to call home. Common Carrier networks will overload at some point, just as roads can saturate and slow to a crawl. We'll never have enough bandwidth or enough roads. But we can ensure that there will be enough to get by.

The Times could do for a brief lesson in engineering design criteria...

Re:Texting phones is free with Google

[shutdown -p now]

You forgot to mention that this service is restricted to U.S. mobiles. Just in case someone goes there to check just to waste his time, like I did.

New Years Eve in Australia, anyone?

[Anonymous Coward]

Over here in Australia, on New Years eve, the entire network is brought to it's knees. I assume there are not only bandwidth issues with the local spectrum provided, but also between cells or with the central aggregation point.

Using your cell phone pretty much within 30 minutes either side of Midnight is practically impossible, unless you have very good patience - and that's only to send a text message, a phone call is like asking jesus to appear for you. It seems to get worse every year, as usage gets higher and higher. And messages often take hours to be delivered, I received half a dozen messages, scattered between about 2 30 am and 4 30 am on the 1st of January this year, all sent at 12:00:xx.

I forgot to mention, I live in a small town (probably 2 000 or so people), served by atleast half a dozen cells (well, half a dozen are available with good signal quality, with the one dedicated to us being visible all through town and often from remote locations as our town is slightly risen)

I've always wondered why when watching the countdown on TV (Regular free-to-air) the video feed usually distorts fairly noticeably as soon as the new year is it - like interference.. What could that be?