Network Security Library
Javascript Feeds    RSS Feed    Security Dashboard    SearchSecurity.com
About | Contact | Advertise | Site Map
Print Printer Friendly      PDF PDF Version
intrusion detection E-mail      Save Save This

Security & Vulnerability Analysis of Wireless Messaging Protocols & Applications


{LANG_NAVORIGIN} Vulnerability Management Risk Assessment
By: Atique Ahmed Khan, 02/21/2005



Section 1. Introduction

Abstract
Wireless messaging is now a dynamic ingredient in the communication modes of our life. Many applications over the Internet now use wireless messages to contact with the enduser. This paper describes the messaging infrastructure and the related protocols used in this scenario. It also presents many ways you can use the wireless networks to talk with your applications. There is also a growing concern over how much these services are secure and how they can be compromised, which are described briefly in this presentation.

About the author
Atique Ahmed Khan is a web developer in the country’s leading stock exchange, an organization whose online system provides stock trading over the Internet. He has also developed Wireless SCADA (Supervisory Control & Data Acquisition System) to control appliances over the web, WAP and by using SMS in his graduation project. For comments about this tutorial, please contact at nimbus81@yahoo.com

Overview of this paper
Starting with a brief introduction of telecommunication infrastructure and wireless messaging protocols, the discussion will move towards the integration of wireless networks and the Internet. Some success stories of SMS-powered applications and ways to develop them are presented. Finally security threats and their effective measures to protect them are presented.


Section 2. Cellular communication networks

Reading the air
GSM (Global System for Mobile Communication) is the most common wireless system in the world. Along with the telephony services, it also provides non-voice services called data (bearer) services. These include General Packet Radio Service (GPRS) for packet switched network connection, Short Message Service (SMS) that can contain alphanumeric characters, audio and video contents, facsimile and email facility. A core GSM network contains the following components to perform the telephony/data service: Mobile Station
This is the equipment from where the user initiates the wireless services. It can be a mobile phone or a hardware component such as GSM modem. Nowadays, many modern types of equipment can do the task to talk with the GSM network, ranging from smart phones and paging devices to PDAs and communicators. All of them resemble in the air interface and the way they receive the data from wireless network, but their features can be a lot more different.

Base Transceiver Station (BTS)
A very common sign found in the urban area is the tower painted with white and red strips. This is the Base Transceiver Station, or BTS in short. Its main functioning is to provide the air interface to the mobile equipment, that is, a pure wireless connection with the mobile phone. All the data to and from the communication network is transferred to the mobile phone using the BTS. It has a very short coverage area (or cells); so many BTSs are installed on strategic positions over the country to provide seamless service for end-users.

Base Station Controller (BSC)
Base Station Controller (BSC) provides all the control functions and physical link between the BTS and Mobile Service Switching Center (MSC). It is actually a high capacity switch providing handover among cells, control of Radio Frequency (RF) power levels in BTSs and monitors the BTSs in its Location Area (LA).

Mobile Service Switching Center (MSC)
It is the core component and the heart of cellular network. It has multi functions and some very important data resides over here. It performs the telephony switching functions of the system and controls call to and from other telephones and data systems. MSC acts like a standard exchange and performs registration, authentication, location updating, handovers, call routing to other subscribers and roaming etc. Various databases assist MSC in executing the above-described actions, commonly called registers.

The Registers Signaling Transfer Point (STP)
A good analogy to understand the Signaling Transfer Point (STP) is the network router, whose task is to route traffic on the Internet. An STP performs routing, address translation and failover functionality. Just like the Internet router uses TCP/IP protocol, STP uses SS7, commonly known as C7. Multiple dedicated high capacity access paths exist among several STPs for reliable connections, since they carry a huge amount of data and they are responsible for the transportation of all the traffic. With the increase in pressure of telephony and bearer services, many carriers are in need of cost-effective, high bandwidth inter-STP connections, and they are planning to migrate over IP networks using SS7 over IP SIGTRAN standards.

Short Message Service Center (SMSC)
Short Message Service Center (SMSC) is a place where all the SMS are brought before they are sent to their destination. It uses store-and-forward technique for SMS transfer, as the recipient mobile station may be turned off, or it could be out of range. So the SMS is stored as long as it is not delivered to the destination. Only a successful delivery to recipient or a time out (normally three days) will delete the entry from the SMSC.

1 message received
Take a brief look of what we have been studying in this section. Suppose a message from mobile station is written and destined to be sent to another mobile station that is turned off at the moment. The message will be received from mobile equipment by BTS and passed to BSC, MSC and the core network, until it finally reaches to SMSC. At this moment, an acknowledgement is sent to the sender mobile equipment and ‘Message Sent’ will be displayed over the screen of the sender. Now the message is stored in the SMSC, it requests HLR to provide the information about the recipient status. Unfortunately HLR responds that the recipient’s mobile phone is switched off and tells the SMSC to wait. When the mobile phone is turned on, the HLR will notify the SMSC and provides the correct MSC address to route the address. SMSC then delivers the message to MSC and MSC will send the message to indicated BSC by checking out the location of mobile equipment through local VLR. BTS will receive message from BSC and finally delivers the message to recipient’s mobile phone.


Section 3. Wireless messaging protocols

Sneaking into the wires
In order to talk directly to the SMSC, the application must understand the protocol over which SMSC communicates, and a plethora of protocols exist made by the SMSC vendors. These are the protocols that handle data transfer over the wires in the form of packets, between an application or network component to SMSC. The vendor-specific protocols make the life of application developers uneasy, as they have to make customized changes in their application for different SMSC. Nevertheless some of the protocols that cover major market share are as follows: Short Message Peer to Peer (SMPP)
The SMS Forum is responsible to nurture the most popular SMS protocol. It is the widely accepted protocol that is used by major SMSC vendors and application softwares. Currently SMPP version 3.4 is used over the network, and many development toolkits are available to write programs that can understand this protocol. Using this interface, an external Short Message Entity such as a Paging or VoiceMail system may bind/unbind to the SMSC, submit, cancel, replace and query short messages. The SMSC forwards responses and short messages (e.g. delivery receipts, pager messages) to the external Short Message Entity.

Universal Computer Protocol (UCP)
European Telecommunication Standards Institute (ETSI) formally used the Universal Computer Protocol, or UCP for short, for paging networks. It is the strong competitor of SMPP in Western Europe, a place where SMS market is successful. UCP version 3.5 is nowadays used and supported by most SMSC vendors. An innovative trend will be provided along with UCP 4.0, in which content-based reverse charging can become possible, so its popularity is expected to rise sharply.

Open Interface Specifications (OIS)
The Open Interface Specification (OIS) was originated by Sema Group, now owned by Schlumberger. OIS is not so popular as SMPP or UCP, but it is as important as other protocols. This is because OIS is the only SMS application protocol that makes Vodafone networks accessible, the world’s largest network of cellular communication. OIS version 5.1 is used nowadays that is supported by Schlumberger and CMG SMSCs.

Computer Interface to Message Distribution (CIMD)
The well-known Finnish-based company Nokia created the Computer-Interface to Message Distribution (CIMD2). It is used in very few networks and only on Nokia’s SMSCs, but its importance is now diminishing because of Nokia SMSCs are now capable to understand SMPP and UCP.

Telocator Alphanumeric Protocol (TAP) and Simple Mail Transfer Protocol (SMTP)
American-originated protocol, the Telocator Alphanumeric Protocol (TAP) was originally used for two-way paging networks. Its importance is unique in a sense that it is used to interconnect SMS networks and the American paging networks, and porting the pagingpowered applications to SMS networks. It is supposed to be a legacy system and does not support sending the ring tones, picture messages and so on. Not a good choice for the development of SMS applications.

The Internet Engineering Task Force (IETF) guys defined the SMTP and never thought that it can be used other than sending the emails, but many network providers are rolling the email addresses that are similar to the subscriber’s phone number and any mail sent to that number can be received as a wireless message. Mostly the SMTP is used for sending the multi-media messages to the mobile phones, reading and posting the mails from the mobile phones.


Section 4. SMPP over TCP/IP

Out in the wild
Just like other Internet packets traveling across the networks, an SMPP packet can travel freely over IP networks and can be destined to an SMSC or SMS-powered application. Thanks to many Application Programming Interfaces (APIs) and toolkits, these unique packets can be created and sent to the wireless messaging networks by using computer networks. Thus TCP/IP can be used as an underlying protocol for the communication between an application and SMSC. Note that External Short Message Entity (ESME) refers to such external sources and sinks of short messages as Voice Processing Systems, WAP Proxy Servers or Message Handling computers. It specifically excludes SMEs, which are located within the Mobile Network, i.e., a mobile station (MS).

The general format of an SMPP PDU consists of a PDU header followed by a PDU body as outlined in the following table:


A Message Transfer Scenario (from ESME to SMSC)



The ESME first initiates a connection with SMSC in ‘transmitter’ mode (BIND TRANSMITTER 1). If the credentials submitted are valid, the SMSC will acknowledge the connection (RESPONSE 1). If the SMSC is free to serve the ESME, it generates the request to handover the message (DELIVER MSG 2). Upon receiving this signal, the ESME will acknowledge it (RESPONSE 2) and transfers the message along with recipient’s necessary information (SUBMIT MSG 3). If the data transfer is successful, the SMSC will generate an acknowledgement to it (RESPONSE 3). If the ESME does not wish to send another message, it generates unbind request (UNBIND 4), which is granted by SMSC (RESPONSE 4), and the connection is closed.


Section 5. Current wireless messaging applications

Success stories
In general, wireless messaging applications can be categorized into three kinds of services; Information Services, Location-Based Services (LBS), Communication and Entertainment Services. These cover the major market share in real world today. Some of the most successful messaging services are described below: Citialerts – Wireless Banking
Citibank Middle East provides its customers s service that can send alerts related to their spending habits and withdrawals, as well as the latest movements in the Stock Markets of the world. It is a service that provides customers flexibility to keep track of their bank accounts and receive the latest news and stock prices.

Shazam Entertainment – Song Tagging
Shazam has developed a real-time song identification service. Any sound track a customer hears can be identified by this service. A 15 second sound sample is fetched and send by the customer to Shazam via SMS, and within seconds a comprehensive reply can be received containing the name of the song and the artist, moreover information regarding how to purchase the album can also be sent.

Jurong Point – Location-Based Marketing
By identifying the nearest cell to the mobile phone, network operators can gain a rough idea where the customer is and that information is used to push information according to the surroundings of the recipients. In the above mentioned shopping center, the shoppers receive a series of short messages as long as they stay within the shopping area, concerning about the shop events and incentives in the shopping mall.

KDDI – In - Car Telemetry
Telematics deals with the route guidance is another Location-Based Service (LBS). The recipients of messages from this service are directed about shortest routes, traffic congestions ahead, GPS tracking and text based directions in guiding the drivers from unknown regions.

BattleMail – Mobile KungFu
A worldwide competition in which players can challenge one another to a virtual KungFu BattleMail, making moves using SMS to try to outwit their opponents with a series of high kicks and karate chops. This multiplayer fighting game achieved the heights of success. Since the launch, 25 million challenges and more than 20,000 fights have taken place across networks, boundaries, and nationalities.

SMS2Email & IM – Mobile Mailbox
Email is the killer app ion the Internet, and is now moving over the mobile networks. With the launch of services such as MSN Mobile Hotmail and i-mode, users can now entertain themselves with web-based email services over their mobile phones. Until 2003, more than 110 million Hotmail users were subscribed to their MSN Hotmail accounts on their mobile phones.

Instant Messaging (IM) is also another attractive service for 2-way instant communication and entertainment. It is merely a faster version of SMS or email; it also provides information like online status of the users.


Section 6. Developing SMS-powered applications

Many ways to skin a cat
Until now we have discussed the rich features of wireless messaging applications and their usage in commercial areas. Lets take a look at how these applications can be developed in real world and using the lowest possible set of resources.

The application development of SMS-powered application is categorized by handling the middleware architecture. The sole responsibility of handling wireless messages can be assigned to third-party vendor, a proprietary SMSC, or can be delivered to personally owned hardware.

Using the third-party
This is the most popular way to make SMS-powered applications. With some amount paid to the message vendors, you can relieve yourself from the pain to delivering the messages. A set of Application Programming Interface (API) is provided by the vendor, which is then implemented in your application software. Usually a socket-based Internet connection is established from the application and message servers. The contents are transferred via Internet from client side to the vendor server, it then moves forward to the wireless networks. Many third party vendors also provide 2-way messaging system.

Connecting to SMSC directly
The fastest way to transfer wireless messaging contents is the direct connection to the SMSC, but it includes many complexities. For example, the SMSC is exposed to any external connection, legal issues of using the provider resources, maximum connection capability of SMSC and authentication credentials floating over insecure connections. The communication link between SMSC and application software can be a TCP/IP network or an X.25 connection.

Use your own hardware
It is a cost effective way to implement lightweight applications within the complete administration of the application developer. Many hardware products are available that can act as an adapter between the TCP/IP network and wireless networks. For instance, a GSM modem connected to serial port of a computer can transfer data to and from GSM networks and pass it to application running on that computer. However the performance of GSM hardware can be a serious issue during heavy loads of data transfer.


Section 7. SMS vulnerability analysis

All about wareZ
With the advent of Multimedia Messaging Service (MMS) and SS7 over IP, core GSM network equipments are more exposed to the malicious attacks. These attacks can cause serious blow on Quality of Service (QoS), privacy and authenticity of subscribers, and disturbance in normal operations of life. Numerous vulnerabilities can be found in wireless messaging infrastructure and they can be categorized according to their environment. The most vulnerable places where the hackers of the future will likely compromise are: Each category posses its own risk level and payload of the attack can devastate the whole of network. Until now, no such severe attacks were launched on the wireless messaging systems, but it is only a matter of time. Below is the discussion of most likely attacks that will occur in the future of wireless messaging systems.

Denial of Service (DOS) Attack
Most SMSCs are behind the firewall, but that greatly increases the network latency and delay in message transmission, so vendors do put SMSC exposed to DOS attacks for the sake of high performance. Nevertheless an improper configured firewall cannot protect an SMSC from DOS attacks, and talking about Distributed Denial of Service (DDOS), they are the most difficult to defend against.

Service Interruption Attack
Similar to DOS attacks, a Service Interruption Attack often occurs against a poorly tested platform, containing several security holes or 0-day exploits that can be used to compromise the target. Like the “WinNuke” vulnerability of 1997, which causes Windows 95 System to crash when it receives a specifically formatted TCP header, the SMSC can be on the target of such deliberately crafted SMPP packets to exploit the holes and bugs in the system.

Service Hijacking Attack
It relates to the gaining of control over the compromised target, what the hackers termed as access to ‘root’. Service Hijacking involves unauthorized access to user that can cause change or loss of data on the system. This can involve message capturing, alteration of text and block of outgoing packets from the system.

Buffer Overflow Attack
It can be part of Service Hijacking Attack, to gain control over the box. Buffer Overflow occurs due to the uncheck bounds in the allocated memory, and that can cause arbitrary instructions to be executed on the target machine. The Buffer Overflow can be related to the SMSC kernel, the operating system underlying the SMSC, the database used by SMSC or the type of server used by the SMSC.

Password Compromise Attack
Social Hijacking and Brute Force technique can do a lot in this type of attack. If enough time is given, the password of SMSC can be detected using trial and error method. Once a password is guessed, it can cause severe blow to the messaging system. Another way to compromise password is “piggybacking”. In this type of attack, a hacker first gains access to trusted machines by SMSC, normally a mail server. It then uses the compromised machine to drive the SMSC according to its will.

Snooping
Snooping or Sniffing, it can capture packets from the network through any kind of sniffer. The captured packets are decoded and they can give most valuable information. Many advanced sinffers like Ethereal, can capture SMPP packets along with the capability of tracing the handshakes during the whole session. This can give the idea what is going on between the ESME and the SMSC.

Spoofing
SMS packets can be created and injected in the network by using any ordinary packet creation utility, like Nessus that creates packets for TCP/IP network. Spoofing obfuscates the identity of the sender, and pretends that the message was originated form some other source. Just like there is no check in the current SMTP messages, a hacker can create a malicious control message under the disguise of trusted user and can compromise the network.

Radio Frequency Jamming
It is truly a non-Internet based attack that is related to the wireless interface of the communication system. Its sole purpose is to deny the service from being used by the subscribers in a particular area. The jamming equipment can be a noise-generating source that emits arbitrary signals in the frequency spectrum of GSM (normally 900 and 1800 MHz). It not only disrupts the SMS messages but voice calls can also be affected.

OSS Penetration
The most important part of a GSM network is actually not the Network Equipments themselves but the Operation and Support System (OSS) itself. It is a network of devices that manage important functions like billing system environment and those functions are very critical to the security of the GSM. Most interesting part of OSS is that this infrastructure is accessible via IP, so all the vulnerabilities in the network are inherited directly into OSS.

SMS Spam
Unwanted emails are havoc to any online organization. Similarly unsolicited electronic messages become a nuisance for users of wireless devices. If a wireless provider gets a block of several thousand subscribers, it can send bulk messages of all the recipients, causing unnecessary traffic load and disturbance to the recipients. Legal steps have been taken by some governments for spam protection over wireless, and investment has been done to develop anti-spam systems.

Mobile Virus
It is actually a bug in the mobile equipment software that can allow unauthorized access to programs or execution of instructions. Most SMS viruses ever noted can cause shutdown and crash of system software. Examples of other viruses are: SMS Crash
Many text patterns are discovered that can be used to crash the recipient mobile equipment. The flaw lies not in the SMS packet format, but the operating system of the recipient mobile phone. News from BBC reported several hundreds of specific model equipment of a mobile phone crashed in Scandinavia upon receiving a unique pattern of SMS text message.


Section 8. Securing the message

“To the keep!”
Below is a short description of how to secure the wireless messaging applications.

Air Interface Algorithms
GSM level encryption must be enhanced that would be hard to break. Currently used Symmetric Algorithm encryption ‘A5’ provides radio communication ciphering, and has four levels of encryption. Recommended level is A5/3 (Note that A5/3 has been broken in 1999).

Proprietary Encryption
Proprietary encryption should be applied for intra-network communication and among network equipment. This kind of state of the art cryptographic technique is also necessary to keep the data transfer secure to and from ESME and SMSC.

Firewalls
SMSC and OSS should be behind well-configured firewalls and their network structure must be kept hidden from public network as far as it is possible. Modern IDS must be coupled with the network component to keep them safe from DOS Attacks and Network Scanning.

Secure Socket Layer
For the Internet and Transport layer, SSL and VPN should be used that can reduce the penetration threats. Moreover a white list of IP addresses should be maintained for the communication among allowed machines, with proper authentication.

AVs for the mobile?
Finally, to keep the mobile equipments safe from the malicious code, proper virus scanners should be installed with the mobile operating system, unsigned codes must be disabled.


Section 9. Conclusion

If you think it is secure, think again!
This sums up our discussion on wireless messaging protocols and applications, with the relevant threats faced by them. Although this is not a complete document, but it focuses the potential targets of the future panorama. The precautions and security measures can be applied to all level of the system, ranging from encrypted air interface to hiding the machines behind stateful firewalls and IDS dogwatch. More sensitive applications like bank account alerts and debit/credit card payment services must be ensured to keep the verification of the origin of message. No doubt that the network operators will eventually switch to IP networks in order to overcome bandwidth issues and multimedia messages, and that decision can open doors to many security threats that linger today due to isolated networks so far.

Wireless Messaging can be very effective medium of communication in the future. With new technologies like EMS, MMS, LBS, and VR technologies, its perspective can expand manifolds. The best thing about wireless messaging applications is that it can be developed with no or very little cost, and easy to implement. However, there is a strong requirement to improve security and authentication/authorization techniques in SMS based applications.


Section 10. References

[1] Donald J. Longueuil. Wireless Messaging Demystified: SMS, EMS, MMS, IM, and others. McGraw-Hill Professional Publishing, 2003
[2] The International Engineering Consortium.http://www.iec.net
[3] Kannel Userguide.http://www.kannel.org
[4] SMPP Protocol Sepcification.http://www.smsforum.com
[5] NetSec Mobile Computing Security Threats
[6] SMS over SS7, National Communication System.http://www.comtechnologies.com
[7] SMPP v3.4 Implementation Guide.http://www.smsforum.net
[8] GSM Association Official Documentation
[9] Toni Janveski. Traffic Analysis and Design of Wireless IP Networks. Artech House
[10] Ethereal Network Traffic Analyzer.http://www.ethereal.com













E-Mail Link

Your IP address will be sent with this e-mail
From e-mail to e-mail



Stats
8274 Views
4.11/5 Rating
9 Votes
Papers
Newest
Highest Rated
Most Viewed
Reference

Services
Javascript Feeds
RSS (New Papers)
Security Dashboard

Our Stuff
About SecurityDocs
Advertise
Contact

Valid HTML 4.01!
Valid CSS!


Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget

Privacy : Contact