Exploiting open functionality in SMS-capable cellular networks
Source: Conference on Computer and Communications Security
Proceedings of the 12th ACM conference on Computer and communications security
Alexandria, VA, USA
SESSION: Attacking passwords and bringing down the network
Pages: 393-404
Year of Publication: 2005
ISBN: 1-59593-226-7
Authors
William Enck  Pennsylvania State University, University Park, PA
Patrick Traynor  Pennsylvania State University, University Park, PA
Patrick McDaniel  Pennsylvania State University, University Park, PA
Thomas La Porta  Pennsylvania State University, University Park, PA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 26,   Downloads (12 Months): 253,   Citation Count: 10
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1102120.1102171

ABSTRACT

Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized. In this paper, we evaluate the security impact of the SMS interface on the availability of the cellular phone network. Specifically, we demonstrate the ability to deny voice service to cities the size of Washington D.C. and Manhattan with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks. This analysis begins with an exploration of the structure of cellular networks. We then characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We conclude by discussing countermeasures that mitigate or eliminate the threats introduced by these attacks.

