Hackers armed with a moderately sized network of zombie computers theoretically could knock out cellular service throughout the US, say security researchers at Pennsylvania State University. In a report published this week, the researchers explained how such an attack could exploit weaknesses in Short Message Service (SMS), which is used to send and receive text messages between mobile phones.
By engaging in a little creative hacking, attackers could build up databases of mobile numbers from specific regions and then flood those numbers with unwanted text messages. Attackers could use publicly available websites or messaging clients on zombie computers to send the text messages, which could eventually jam up the cellular towers that carriers use to send and receive SMS messages from mobile phones.
Because mobile phones use the same small portion of radio frequency, called the "control channel", to both set up calls and send SMS messages, a flood of SMS messages could so overwhelm a cellular tower that it would effectively prevent any new telephone calls from going through.
Such denial-of-service (DoS) attacks have been used successfully to take down websites but, to date, have not been used on cellular networks, the researchers say.
To be most successful, the attack would need to target telephones within a certain geographic region, but the researchers say that this can be done by using public databases and creative Google searches.
It would take little more than a cable modem to deny service to large metropolitan areas in the US. For example, a city the size of Washington DC could be taken out by a DoS attack with a bandwidth of about 2.8Mbit/s, they say.
"The amount of bandwidth that's allocated to the control channel is exceedingly small," says Patrick McDaniel, a professor of Computer Science and Engineering at the university and one of the authors of the report. "The reason why we can mount this attack with so few messages is the fact that there's so little control channel bandwidth to be congested."
Some European networks have already been overwhelmed when legitimate SMS messaging has hit unexpectedly high levels, McDaniel says. "It's happened by accident," he says.
Though McDaniel and his fellow researchers say they expect US carriers to change practices in response to their research, the report did not come as a surprise to some.
"We're aware of this potential, and it is a very limited potential," says John Polivka, a spokesman for Sprint Nextel. "We have measures in place now to protect the network and our customers, including what's been described in this paper."
Even a successful attack would, at best, shut down most networks for only a short period of time, says Shiv Bakhshi, director of wireless infrastructure research at IDC.
"Every network operator has to be aware of this," he says. "If for no other reason than they have seen such clogging with the legitimate use of SMS messaging."
Still, the researchers have a few basic recommendations that could significantly mitigate the risk of this type of attack, McDaniel says. Mobile operators could, for example, separate the text messaging and phone call initiation features within the control channel. They could also make it harder for attackers to do on-line reconnaissance by reducing the amount of information they provide on the internet, he says.