September 19, 2020

Cellphone Denial of Service

A new paper by Enck, Traynor, McDaniel, and La Porta argues that cellphone networks that support SMS, a technology for sending short text messages to phones, are subject to denial of service attacks. The researchers claim that a clever person with a fast home broadband connection could potentially block cell phone calling in Manhattan or Washington, DC.

A mobile phone network divides up the world up into cells. A phone connects to the radio tower that serves the cell it is currently in. Within each cell, the system uses a set of radio channels to carry voice conversations, and one radio channel for control. The control channel is used to initiate calls; but once initiated, a call switches over to one of the voice channels.

It turns out that the control channels are also used to deliver SMS messages to phones in the cell. If too many SMS messages show up in the same cell all at once, they can monopolize that cell’s control channel, leaving no openings on the control channel left over for initiating calls. The result is that a large enough burst of SMS messages effectively blocks call initiation in a cell.

The paper discusses how an attacker create a large enough flurry of SMS messages, including how he might figure out which phones are likely to be active in the target area. (An SMS message only uses a cell’s control channel if the message is direct to a phone that is currently in the cell.)

Today’s New York Times makes a big deal out of this, but I don’t think it’s as important as the Times implies. For one thing, it’s relatively easy to fix, for example by reserving a certain fraction of each cell’s control channel for call initiation.

Others have speculated that this problem must already have been fixed, because it seems implausible that such a simple flaw would exist in an advanced network run by a large, highly competent provider. I wouldn’t draw that conclusion, though. It’s in the nature of security that there are a great many mistakes a system designer can make, each of which seems obvious once you think of it. A big part of securing a complicated system is simply thinking up all of the straightforward mistakes you might have made, and verifying that you haven’t made them. Big systems built by competent designers have seemingly obvious flaws all the time.

(Putting on my professor’s hat, I’m obliged to point out that systems that are small and easily modeled are best handled by building formal proofs of security; but that’s a nonstarter for anything as complex as a cell network. (In case you’re wondering what my professor’s hat looks like, it’s purple and eight-sided, with a little gold tassel.))

The biggest surprise to me is how few SMS messages it takes to clog the system. The paper estimates that hundreds of SMS messages per second, sent in the right way, are probably enough to block cell calling in a major provider’s network in all of Manhattan, or all of Washington, DC. Given those numbers, I’m surprised that the networks aren’t congested all the time, just based on ordinary traffic. I guess people use SMS less than one might have thought.


  1. Well, it could be that service outages have been caused by too much SMSing, only people in those cells didn’t realize it, because they weren’t attempting to call, and no calls were coming in. I used to get a lot of dropped calls when I lived near the center of a major metropolitan area ( about 1 call in 3 would be dropped before 5 minutes were up ). I assume that those few hundred messages would have had to be sent in a very specific way to block *all* traffic.

  2. The DoS implications may be new, but the bandwidth limitations are old news. Like me, you may have been fairly incredulous at the insane prices for SMS messages. You can call somebody for the equivalent of a few cents per minute, which uses something like 120kB per minute, yet SMS messages often charge much more for a message that’s one thousandth the size.

    This bandwidth limitation is one reason why SMS is so expensive. GSM was designed before people realized how popular SMS would be, and so it doesn’t make much bandwidth available for it. Sharing that bandwidth with other control messages just makes the situation even worse.

    Prioritizing actual control messages seems like a no-brainer in this situation. SMS delivery was never meant to be reliable in the first place, and it’s far more important for a call to arrive in a timely manner than a text message.

  3. you have got to post a picture of you in that hat. It’s amazing the things they make us wear…

  4. Seems a little unlikely, based on UK SMS usage patterns – young people here (that’s maybe between 5 and 25, at least) are obsessive about “texting” – there are concerns about a whole generation growing up with RSI in their thumbs – and I’m unaware of any network overloads caused thereby.

    I guess the issue may only arise with the way SMS is implemented on CDMA, being as we’re entirely GSM (with a smattering of UMTS) over on this side of the pond.