funsec mailing list archives

Re: Cellphone spam and terrorism


From: David Dagon <dagon () cc gatech edu>
Date: Wed, 21 Sep 2005 18:17:47 -0400

On Wed, Sep 21, 2005 at 05:22:18PM -0400, Richard M. Smith wrote:
> A SMS spammer program could also be written in about 50 lines of JavaScript
> code.  Many wireless companies have Web forms for sending out SMS messages
> which can be driven by JavaScript.  Example:
>
> http://www.vtext.com/customer_site/jsp/messaging_lo.jsp

I've actually looked into this before.  A few observations:

  -- This works well against phones on an unlimited plan, as
     opposed to the 10/10 or 10/2 SMS plans.  Most telcos block
     for their customers who face a charge, and allow unlimited SMS
     spam for unlimited customers.

  -- Mostly teens get unlimited plans; everyone else is on a 10/10
     or 10/2 (or some tier program).  The lack of frontal lobe
     development might make the anthrax scare less convincing to this
     population; the pizza attack might be more effective.  I'm really
     not sure, but expect that someone creative could come up with a
     social engineering attack that fits these demographics.

  -- You would have to create a metamorphic SMS attack, since the
     highly centralized relay of SMS makes filtering easy.  (Imagine
     if all traffic on the internet went through one central
     network.)  The desire to maintain the common carrier exemption
     militates against aggressive filtering, but an outbreak would
     be easily stopped once detected.

  -- The latency for SMS is enormous, unreal.  We witness variances of
     10 minutes+ on many real-time systems that use SMS for data
     reporting.  (I have some plots if anyone wants to see them.
     We're moving to a GSM/GPRS system as a result.)  With this
     service model, combined with centralized relaying, filtering is
     very possible and powerful.

Better still:

  -- A VXer could create an e-mail/MSRPC virus that syncs with the
     phone, and on the days before Thanksgiving, flood calls various
     airline help lines and reservation systems (along with a PC-based
     DDoS against online reservation pages).  This would effectively
     force the remaining airlines into bankruptcy.  It might even
     constitute the "digital Pearl Harbor" everyone is predicting,
     if only because it involves planes.

We've seen a better opportunity in VoIP-based malware.  In the lab,
we're now building experimental botnets for VoIP devices, since it's
easier to leverage propagation in the IP world, and easier to be
annoying/abusive in the telco world.  We're adding in voice
recognition routines (e.g., recording the conversation when the words
"password", "credit card number" and "mother's maiden name" are heard
client-side).  Right now the payload just dials 900 porn numbers, but
I suppose you could add in voice-generation warnings about a fake
FEMA-alert, stock manipulation messages, or other garbage.

What defenses are possible?  Because the vendor APIs for VoIP devices
have few, if any, authentication or security mechanisms, it's very easy
to spam, DDoS or attack most users on a VoIP IOS network, Skype, etc.
Some features like Call Admission Control (CAC) on IOS can throttle
levels, but degrade the normal traffic as well.

The key problem: the telco legislative world was designed to *permit*
spam (i.e., phone salesmen), and the only limiting factors so far have
been (1) tepid Do-Not-Call legislation, and (2) the high cost of
hiring people to drive the sales calls.  The second factor has been
the only effective barrier to mass disruption of the telco system, on
the scale we see with SMTP.  VoIP and voice generation viruses promise
to change this.  One T1 line can multiplex hundreds of VoIP spam calls
that otherwise would have required hundreds of people and PBX lines.

Similarly, a VoIP-ready botnet can bring down key phone circuits,
since telco lines are more heavily over-subscribed than even cable
modem services.  Likewise, if SCADA devices are run by IP or
non-leased telco lines, a similar disruption is possible.  (I can tell
you a funny story about a manhole cover in Atlanta that tied up half
the cars in a police zone, because a county water monitoring unit
malfunctioned and repeatedly dialed 911.)  It's just all too easy.

Oh, what fun we'll have...

-- 
David Dagon              /"\                          "When cryptography
dagon () cc gatech edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
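
The post's third observation says centralized SMS relaying makes filtering easy and that a sender would have to vary the message text to get past it. As an added example (not part of the original post), here is a relay-side near-duplicate check that groups varied copies of one text by character-shingle similarity and flags a group once it reaches many recipients; the sample messages, phone numbers and thresholds are constructed assumptions.

```python
import re

def shingles(text, k=4):
    """Character k-grams after lowercasing and dropping digits/punctuation."""
    norm = re.sub(r"[^a-z ]+", "", text.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return {norm[i:i + k] for i in range(max(1, len(norm) - k + 1))}

def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical shingle sets."""
    return len(a & b) / len(a | b) if a | b else 0.0

def find_outbreaks(messages, similarity=0.5, min_recipients=3):
    """Cluster (sender, recipient, text) tuples seen at one relay.

    A message joins the first cluster whose representative it resembles;
    clusters that reach min_recipients distinct recipients are returned.
    """
    clusters = []
    for sender, recipient, text in messages:
        sh = shingles(text)
        for c in clusters:
            if jaccard(sh, c["rep"]) >= similarity:
                break
        else:
            c = {"rep": sh, "sample": text, "senders": set(), "recipients": set()}
            clusters.append(c)
        c["senders"].add(sender)
        c["recipients"].add(recipient)
    return [c for c in clusters if len(c["recipients"]) >= min_recipients]

# Constructed sample traffic: four varied copies of one text plus two normal messages.
SAMPLE = [
    ("web-form-1", "555-0101", "FREE pizza today! Show code 1841 at any store"),
    ("555-0190",   "555-0102", "running late, see you at six"),
    ("web-form-2", "555-0103", "Free pizza today - show code 9932 at any store!!"),
    ("web-form-1", "555-0104", "FREE PIZZA today, show code 4410 at any store"),
    ("555-0191",   "555-0105", "can you call mom back tonight?"),
    ("web-form-3", "555-0106", "free pizza 2nite show code 55 at any store"),
]

if __name__ == "__main__":
    for c in find_outbreaks(SAMPLE):
        print(len(c["recipients"]), "recipients,", len(c["senders"]), "senders:", c["sample"])
```

An exact-match filter sees six different strings here; normalization collapses three of the copies and shingle overlap catches the reworded fourth.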

