funsec mailing list archives
Re: Cellphone spam and terrorism
From: David Dagon <dagon () cc gatech edu>
Date: Wed, 21 Sep 2005 18:17:47 -0400
On Wed, Sep 21, 2005 at 05:22:18PM -0400, Richard M. Smith wrote:
A SMS spammer program could also be written in about 50 lines of JavaScript code. Many wireless companies have Web forms for sending out SMS messages which can be driven by JavaScript. Example: http://www.vtext.com/customer_site/jsp/messaging_lo.jsp
I've actually looked into this before. A few observations:

-- This works well against phones on an unlimited plan, as opposed to the 10/10 or 10/2 SMS plans. Most telcos block for their customers who face a charge, and allow unlimited SMS spam for unlimited customers.

-- Mostly teens get unlimited plans; everyone else is on a 10/10 or 10/2 (or some tier program). The lack of frontal lobe development might make the anthrax scare less convincing to this population; the pizza attack might be more effective. I'm really not sure, but expect that someone creative could come up with a social engineering attack that fits these demographics.

-- You would have to create a metamorphic SMS attack, since the highly centralized relay of SMS makes filtering easy. (Imagine if all traffic on the internet went through one central network.) The desire to maintain the common carrier exemption mitigates against aggressive filtering, but an outbreak would be easily stopped once detected.

-- The latency for SMS is enormous unreal. We witness variances of 10 minutes+ on many real-time systems that use SMS for data reporting. (I have some plots if anyone wants to see them. We're moving to a GSM/GPRS system as a result.) With this service model, combined with centralized relaying, filtering is very possible and powerful.

Better still:

-- A VXer could create an e-mail/MSRPC virus that syncs with the phone, and on the days before Thanksgiving, flood calls various airline help lines and reservation systems (along with a PC-based DDoS against online reservation pages). This would effectively force the remaining airlines into bankruptcy. It might even constitute the "digital Pearl Harbor" everyone is predicting, if only because it involves planes.

We've seen a better opportunity in VoIP-based malware. In the lab, we're now building experimental botnets for VoIP devices, since it's easier to leverage propagation in the IP world, and easier to be annoying/abusive in the telco world. We're adding in voice recognition routines (e.g., recording the conversation when the words "password", "credit card number" and "mother's maiden name" are heard client-side). Right now the payload just dials 900 porn numbers, but I suppose you could add in voice-generation warnings about a fake FEMA-alert, stock manipulation messages, or other garbage.

What defenses are possible? Because the vendor APIs for VoIP devices have few, if any, authentication or security mechanisms, it's very easy to spam, DDoS or attack most users on a VoIP IOS network, Skype, etc. Some features like Call Admission Control (CAC) on IOS can throttle levels, but degrade the normal traffic as well.

The key problem: the telco legislative world was designed to *permit* spam (i.e., phone salesmen), and the only limiting factors so far have been (1) tepid Do-Not-Call legislation, and (2) the high cost of hiring people to drive the sales calls. The second factor has been the only effective barrier to mass disruption of the telco system, on the scale we see with SMTP.

VoIP and voice generation viruses promise to change this. One T1 line can multiplex hundreds of VoIP spam calls that otherwise would have required hundreds of people and PBX lines. Similarly, a VoIP-ready botnet can bring down key phone circuits, since telco lines are more heavily over-subscribed than even cable modem services. Likewise, if SCADA devices are run by IP or non-leased telco lines, a similar disruption is possible. (I can tell you a funny story about a manhole cover in Atlanta that tied up half the cars in a police zone, because a county water monitoring unit malfunctioned and repeatedly dialed 911.)

It's just all too easy. Oh, what fun we'll have...

-- 
David Dagon              /"\                          "When cryptography
dagon () cc gatech edu   \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.