Exploiting Open Functionality in SMSCapable Cellular Networks William Enck Patrick Traynor - PDF document

izetheresilienceofcellularnetworkstoelevatedmessagingloads.ReningTargetSearchSpace:Wediscussavarietyoftech-niquesthat,whenusedincombination,resultinanaccuratedatabaseoftargets(“hit-lists”)fordirectedattacksoncellu-larnetworks.Theselistsareabsolutelyessentialtomountingeffectiveattacksagainstthesenetworks.SMS/CellularNetworkVulnerabilityAnalysis:Weillu-minatethefragilityofcellularphonenetworksinthepres-enceofevenlow-bandwidthattacks.WedemonstrateandquantifytheabilitytoincapacitatevoiceandSMSservicetoneighborhoods,majormetropolitanareasandentireconti-nents.Theremainderofthispaperisorganizedasfollows:Section2givesahigh-leveloverviewofGSMnetworkarchitectureandde-scribestextmessagedelivery;Section3investigatescellularnet-worksfromanattacker'sperspectiveandidentiesthemechanismsnecessarytolaunchDenialofService(DoS)attacks;Section4modelsandquantiesDoSattacksinmultipleenvironments;Sec-tion5discussesanumberofattacksinherenttoattachinggeneralpurposecomputingplatformstotheInternet;Section6proposesvarioussolutionstohelpalleviatetheseproblems;Section7dis-cussesimportantrelatedworks;Section8presentsconcludingre-marks.2.SMS/CELLULARNETWORKOVERVIEWThissectionoffersasimpliedviewofanSMSmessagetravers-ingaGSM-basedsystemfromsubmissiontodelivery.Thesepro-ceduresaresimilarinothercellularnetworksincludingCDMA.2.1SubmittingaMessageTherearetwomethodsofsendingatextmessagetoamobiledevice-viaanothermobiledeviceorthroughavarietyofExter-nalShortMessagingEntities(ESMEs).ESMEsincludealargenumberofdiversedevicesandinterfacesrangingfromemailandweb-basedmessagingportalsatserviceproviderwebsitestovoicemailservices,pagingsystemsandsoftwareapplications.WhetherthesesystemsconnecttothemobilephonenetworkviatheInter-netorspecicdedicatedchannels,messagesarerstdeliveredtoaserverthathandlesSMStrafcknownastheShortMessagingServiceCenter(SMSC).Aserviceprovidersupportingtextmes-sagingmusthaveatleastoneSMSCintheirnetwork.Duetotherisingpopularityofthisservice,however,itisbecomingincreas-inglycommonforserviceproviderstosupportmultipleSMSCsinordertoincreasecapacity.Uponreceivingamessage,thecontentsofincomingpacketsareexaminedand,ifnecessary,convertedandcopiedintoSMSmes-sageformat.Atthispointinthesystem,messagesfromtheInternetbecomeindistinguishablefromthosethatoriginatedfrommobilephones.MessagesarethenplacedintoanSMSCqueueforfor-warding.2.2RoutingaMessageTheSMSCneedstodeterminehowtoroutemessagestotheirtargetedmobiledevices.TheSMSCqueriesaHomeLocationReg-ister(HLR)database,whichservesasthepermanentrepositoryofuserdataandincludessubscriberinformation(e.g.callwaitingandtextmessaging),billingdata,availabilityofthetargeteduserandtheircurrentlocation.Throughinteractionwithothernetworkel-ements,theHLRdeterminestheroutinginformationforthedesti-nationdevice.IftheSMSCreceivesareplystatingthatthecurrent (a)SMSNetwork (b)SMSFlowFigure1:SimpliedexamplesofanSMSNetworkandmessageowuserisunavailable,itstoresthetextmessageforlaterdelivery.Oth-erwise,theresponsewillcontaintheaddressoftheMobileSwitch-ingCenter(MSC)currentlyprovidingservice.Inadditiontocallrouting,MSCsareresponsibleforfacilitatingmobiledeviceau-thentication,locationmanagementforattachedbasestations(BS),performinghandoffsandactingasgatewaystothePublicSwitchedTelephoneNetwork(PSTN).WhenatextmessagearrivesfromtheSMSC,theMSCfetchesinformationspecictothetargetdevice.TheMSCqueriesadatabaseknownastheVisitorLocationRegister,whichreturnsalocalcopyofthetargeteddevice'sinformationwhenitisawayfromitsHLR.TheMSCthenforwardsthetextmessageontotheappropriatebasestationfortransmissionovertheairinterface.Adiagramofamo-bilephonenetworkisdepictedinFigure1(a),followedbyasim-pliedSMSmessageowinFigure1(b).2.3WirelessDeliveryTheairinterfaceisdividedintotwoparts-theControlChan-nels(CCH)andTrafcChannels(TCH).TheCCHisfurtherdi-videdintotwotypesofchannels-theCommonCCHandDedicatedCCHs.TheCommonCCH,whichconsistsoflogicalchannelsin-cludingthePagingChannel(PCH)andRandomAccessChannel(RACH),isthemechanismusedbythebasestationtoinitiatethedeliveryofvoiceandSMSdata.Accordingly,allconnectedmobiledevicesareconstantlylisteningtotheCommonCCHforvoiceandSMSsignaling.ThebasestationsendsamessageonthePCHcontainingthe Figure2:AsimpliedSMSairinterfacecommunication.Thebasestationnotiestwomobilehosts(MH1andMH2)ofnewmessages.MH1hearsitsidentierandresponds.Afterauthen-ticatingandestablishinganencryptedchannel,thetextmes-sageisdeliveredoveradedicatedcontrolchannel.TemporaryMobileSubscriberID(TMSI)associatedwiththeenddestination.ThenetworkusestheTMSIinsteadofthetargetedde-vice'sphonenumberinordertothwarteavesdroppersattemptingtodeterminetheidentityofthereceivingphone.WhenadevicehearsitsTMSI,itattemptstocontactthebasestationovertheRACHandalertsthenetworkofitsavailabilitytoreceiveincomingcallortextdata1.Whentheresponsearrives,thebasestationinstructsthetar-geteddevicetolistentoaspecicStandaloneDedicatedControlChannel(SDCCH).UsingtheSDCCH,thebasestationisabletofacilitateauthenticationofthedestinationdevice(viathesubscriberinformationattheMSC),enableencryption,deliverafreshTMSIandthendelivertheSMSmessageitself.Inordertoreduceover-head,ifmultipleSMSmessagesexistontheSMSC,morethanonemessagemaybetransmittedoveranSDCCHsession[5].Ifavoicecallhadbeenwaitingatthebasestationinsteadofatextmessage,alloftheabovechannelswouldhavebeenusedinthesamemannertoestablishaconnectiononatrafcchannel.AnillustrationofthisnalstageofdeliveryovertheairinterfaceisshowninFigure2.3.SMS/CELLULARNETWORKVULNERABILITYANALYSISThemajorityoflegitimateusesforSMScanoftenbecharacter-izedasnonessential,rangingfromsocialinteractionstolowprioritybusiness-relatedexchanges.Thesalientfeatureofthesecommuni-cationsisthattheycantypicallybeaccomplishedthroughanum-berofother,albeitpotentiallylessconvenientchannels.DuringtheterroristattacksofSeptember11,2001,however,thenatureoftextmessagingprovedtobefarmoreutilitarian.Withmillionsofpeopleattemptingtocontactfriendsandfam-ily,telecommunicationscompanieswitnessedtremendousspikesincellularvoiceserviceusage.VerizonWireless,forexample,re-portedvoicetrafcrateincreasesofupto100%abovetypicallev-els;CingularWirelessrecordedanincreaseofupto1000%oncallsdestinedfortheWashingtonD.C.area[44].Whilethesenetworksareengineeredtohandleelevatedamountsoftrafc,thesheernum-berofcallswasfargreaterthancapacityforvoicecommunicationsintheaffectedareas.However,withvoice-basedphoneservicesbe-ingalmostentirelyunavailableduetoTCHsaturation,SMSmes-sageswerestillsuccessfullyreceivedineventhemostcongestedregionsbecausethecontrolchannelsresponsiblefortheirdeliveryremainedavailable.Textmessagingallowedthelinesofcommunicationtoremainopenformanyindividualsinneedinspiteoftheirinabilitytocom-pletevoicecalls.Accordingly,SMSmessagingisnowviewedbymanyasareliablemethodofcommunicationwhenallothermeansappearunavailable. 1AhighnumberofcallinitiationsatagivenbasestationslowsthisresponseastheRACHisasharedaccesschannelrunningtheSlottedAlohaprotocolDuetothisproliferationoftextmessaging,weanalyzeInternet-originated,SMSattacksandtheireffectsonvoiceandotherser-vicesincellularnetworks.Werstcharacterizethesesystemsthro-ughanextensivestudyoftheavailablestandardsdocumentationandgray-boxtesting.Fromthisdata,wediscussanumberofattacksandthesusceptibilityofmobilephonenetworkstoeach.Lastly,fromgray-boxtesting,weassesstheresilienceofthesenet-workstotheseattacks.Beforediscussingthespecicsofanyattackoncellularnet-works,itisnecessarytoexaminethesesystemsfromanadversary'sperspective.Inthissection,wepresentsimplemethodsofdiscov-eringthemostfragileportionsofthesenetworksbydeterminingsystembottlenecks.Wetheninvestigatethecreationofeffectivetargetingsystemsdesignedtoexploitthesechokepoints.3.1DeterminingBottlenecksinCellularNetworksThereisaninherentcostimbalancebetweeninjectingSMSmes-sagesintothephonenetworkanddeliveringmessagestoamobileuser.SuchimbalancesaretherootofDoSattacks.Recognizingthesebottlenecksrequiresathoroughunderstand-ingofthesystem.Thecellularnetworkstandardsdocumentationprovidestheframeworkfromwhichthesystemisbuilt,butitlacksimplementationspecicdetails.Inanefforttobridgethisgap,weperformedgray-boxtesting[7,14].Wecharacterizethesesystemsbydeliverydisciplines,deliveryrates,andinterfaces.Alltestswereperformedusingourownphones.Atnotimedidweinjectadamagingvolumeofpacketsintothesys-temorviolateanyserviceagreement.3.1.1DeliveryDisciplineThedeliverydisciplineofanetworkdictatesthewaymessagesmovethroughthesystem.Bystudyingthisow,wedeterminesystemresponsetoaninuxoftextmessages.Theoverallsystemresponseisacompositeofmultiplequeuingpoints.Thestandardsdocumentationindicatestwopointsofinterest-theSMSCandthetargetdevice.SMSCsarethelocusofSMSmessageow;allmessagespassthroughthem.Duetopracticallimitations,eachSMSConlyqueuesanitenumberofmessagesperuser.AsSMSCsroutemessagesaccordingtoastoreandforwardmechanism,eachmessageishelduntileitherthetargetdevicesuccessfullyreceivesitoritisdroppedduetoage.Thebuffercapacityandevictionpolicythereforedeter-minewhichmessagesreachtherecipient.TheSMSCbufferandevictionpolicywereevaluatedbyslowlyinjectingmessageswhilethetargetdevicewaspoweredoff.Threeofthemostprominentserviceproviderswereevaluated:AT&T(nowpartofCingular),Verizon,andSprint.Foreachprovider,400messageswereseriallyinjectedatarateofapproximatelyoneper60seconds.Whenthedevicewasreconnectedtothenetwork,therangeoftheattachedsequencenumbersindicatedbothbuffersizeandqueueevictionpolicy.WefoundthatAT&T'sSMSCbufferedtheentire400messages.Whileseeminglylarge,400160-bytemessagesisonly62.5KB.TestsofVerizon'sSMSCyieldeddifferentresults.Whenthede-vicewasturnedon,therstmessagedownloadedwasnotsequencenumberone;insteadtherst300messagesweremissing.ThisdemonstratesthatVerizon'sSMSChasabuffercapacityof100messagesandaFIFOevictionpolicy.Sprint'sSMSCproveddif-ferentthanbothAT&TandVerizon.Uponreconnectingthedevicetothenetwork,wefoundonly30messagesstartingwithmessagenumberone.Therefore,Sprint'sSMSChasamessagecapacityof30messagesandaLIFOevictionpolicy. Table1:MobileDeviceSMSCapacity Device Capacity(numberofmessages) Nokia3560 30 LG4400 50 Treo650 500* *500messagesdepletedafullbattery.MessagesalsoremainintheSMSCbufferwhenthetargetde-vice'smessagebufferisfull.Thisoccurs,asnotedintheGSMstandards[5],whenthemobilephonereturnsaMobile-Station-Memory-Capacity-Exceeded-FlagtotheHLR.Becauseitisimpos-sibletodeterminetheinboxcapacityofeveryphone,wechosetotestthreerepresentativedevicesofvaryingageandexpense:theNokia3560(AT&T),theslightlynewerLG4400(Verizon),andtherecentlyreleasedhigh-endTreo650(Sprint)containinga1GBremovablememorystick.Mobiledevicecapacitywasobservedbyslowlysendingmessagestothetargetphoneuntilawarningin-dicatingafullinboxwasdisplayed.TheresultingdevicebuffercapacitiesvariedasshowninTable1.ThedeliverydisciplineexperimentationresultsindicatehowtheSMSsystemwillreacttoaninuxoftextmessages.WeconrmedthatnitebuffercapacitiesexistinmostSMSCsandmobilede-vices.IntheeventofaDoSattack,messagesexceedingthesesat-urationlevelswillbelost.Therefore,asuccessfulDoSattackmustbedistributedoveranumberofsubscribers.3.1.2DeliveryRateThespeedatwhichacollectionofnodescanprocessandfor-wardamessageisthedeliveryrate.Inparticular,bottlenecksarediscoveredbycomparinginjectionrateswithdeliveryrates.Addi-tionally,duetovariationsininjectionsizefordifferentinterfaces,theinjectionsizepermessageisestimated.Determiningthemaximuminjectionrateforacellularnetworkisanextremelydifculttask.TheexactnumberofSMSCsinanetworkisnotpubliclyknownordiscoverable.Giventhesheernumberofentrancesintothesenetworks,includingbutnotlimitedtowebsiteinterfaces,email,instantmessaging,anddedicatedcon-nectionsrunningtheShortMessagingPeerProtocol(SMPP),weconservativelyestimatethatitiscurrentlypossibletosubmitbe-tweenseveralhundredandseveralthousandmessagespersecondintoanetworkfromtheInternetusingsimpleinterfaces.AbriefsamplingofavailableinterfacesisprovidedinTable2.Theseinterfacescanbegroupedintothreemaincategories:instantmessaging,informationservices,andbulkSMS.Instantmessag-ingprovidesthesamefunctionalityastextmessaging,butconnectsnewnetworksofuserstocellularnetworks.With24hournews,customersarefrequentlyoodedwith“onthego”updatesofhead-lines,sports,andstocksfrominformationserviceproviderssuchasCNNandMSNBC.Lastly,throughbulkSMSproviders,com-paniescanprovideemployeeswithupdatesrangingfromserverstatustogeneralofcenotications.Whileinjectionratesforinstantmessagingandtheinformationservicesareunknown,thebulkSMSprovidersofferplanswithratesashighas30-35messagespersecond,perSMPPconnec-tion.Furthermore,byusingmultipleSMPPconnections,STARTCorp.(www.startcorp.com)offersrates“anorderofmagni-tude”greater.Combiningalloftheseconduitsprovidesanadver-sarywiththeabilitytoinjectanimmensenumberofmessages.Whenmessagedeliverytimeexceedsthatofmessagesubmis-sion,asystemissubjecttoDoSattacks.Wethereforecomparethetimeittakesforseriallyinjectedmessagestobesubmittedandthendeliveredtothetargetedmobiledevice.ThiswasaccomplishedviaTable2:AbriefsamplingofSMSaccessservices ServiceURL InstantMessagingAOLIMmymobile.aol.com/portal/index.htmlICQwww.icq.com/sms/MSNMessengermobile.msn.comYahooMessengermessenger.yahoo.com/messenger/wireless/InformationServicesCNNwww.cnn.com/togo/Googlesms.google.comMSNBCnet.msnbc.com/tools/alert/sub.aspxBulkSMSClickatellwww.clickatell.comSimpleWirewww.simplewire.com/services/smpp/STARTCorp.www.startcorp.com/StartcorpX/Mobile Developer.aspx aPERLscriptdesignedtoseriallyinjectmessagesapproximatelyoncepersecondintoeachprovider'swebinterface.Fromthis,werecordedanaveragesendtimeof0.71seconds.Measurementofincomingmessageswasmoredifcultduetoalacklow-levelaccesstothedeviceoperatingsystem.Viainfor-malobservation,werecordedinterarrivaltimesof7-8secondsforbothVerizonandAT&T.InterarrivaltimesforSprintwereunde-terminedduetosporadicmessagedownloadsoccurringanywherebetweenafewsecondsandfewminutesapart.Theexperimentsclearlydemonstrateanimbalancebetweenthetimetosubmitandthetimetoreceive.WhileSMSmessageshaveamaximumsizeof160bytes,eachsubmissionrequiresadditionaloverhead.Usingtcpdump,weob-servedbothrawIPanduserdatatrafc.NotconsideringTCP/IPdataoverhead,Sprint,AT&T,andVerizonallrequiredunder700bytestosenda160byteSMSmessage.ThisincludedtheHTTPPOSTandbrowserheaders.DuetotheACKsrequiredfordownloadingthewebpage(8.5KBforSprint,13.6KBforAT&T,36.4KBforVerizon),theactualdatauploadsizewassignicantlyhigher.Whiletheoverheadisrela-tivetoretransmissionsandwindowsize,werecordeduploadsizesof1300bytes(Sprint),1100bytes(AT&T),and1600bytes(Ver-izon).InanefforttoreducetheoverheadinducedbyTCPtrafc,weobservedthetrafcresultingfromemailsubmission.EvenwithTCP/IPtrafcoverhead,lessthan900byteswasrequiredtosendamessage.Forthepurposesofthefollowinganalysis,weconser-vativelyestimate1500bytes(astandardMTUsize)astherequireddatasizetotransmitanSMSmessageovertheInternet.3.1.3InterfacesLostmessagesandnegativelyacknowledgedsubmitattemptswereobserved.Weexpectthiswasduetowebinterfacelimitationsim-posedbytheserviceproviders.Itisthereforeimportanttodeter-mineboththemechanismsusedtoachieveratelimitationontheseinterfacesandtheconditionsnecessarytoactivatethem.Agroupof50messageswassubmittedseriallyatarateofap-proximatelyonepersecond.Thiswasfollowedbyamanualsendviathewebinterfaceinordertocheckforanegativeacknowledg-ment.Ifanupperboundwasnotfound,thenumberofsequentialmessageswasincreased,andthetestwasrepeated.Duringtheinjectionexperimentsperformedforrateanalysis,weencounteredinterfacelimitations2.After44messagesweresentin 2Presumablyformitigatingcellphonespam,seeSection5 Figure3:Thenegative(top)andpositive(bottom)responsemessagescreatedbymessagesubmissiontoa)Verizon,b)Cingularandc)SprintPCS.Blackrectangleshavebeenaddedtopreservesensitivedata.ateanextremelyaccuratehit-listforagivenNPA/NXXdomain.Everypositiveresponsegeneratedbythesystemidentiesapoten-tialfuturetarget.Negativeresponsescanbeinterpretedinmultipleways.Forexample,ifthenumbercorrespondingtoanegativere-sponsewasfoundthroughwebscraping,itmayinsteadbetriedagainatanotherprovider'swebsite.Iffurthersearchingdemon-stratesanumberasbeingunassigned,itcanberemovedfromthelistofpotentialfuturetargets.Whileanautomated,highspeedversionofthismethodofhit-listcreationmaybenoticedforrepeatedaccesstodarkaddressspace,aninfrequentqueryingoftheseinterfacesoveralongperiodoftime(i.e.a“lowandslow”attack)wouldbevirtuallyundetectable.Aparallelresultcouldinsteadbeaccomplishedbymeansofanautomateddialingsystem;however,thesimplicityofcodewritingandtheabilitytomatchaphonetoaspecicprovidermakesaweb-interfacetheoptimalcandidateforbuildinghit-listsinthisfashion.3.2.4AdditionalCollectionMethodsAnumberofspecictechniquescanalsobeappliedtohit-listdevelopment.Forexample,awormcouldbedesignedtocollectstoredphonenumbersfromvictimdevicesbyaddressbookscrap-ing.Inordertoincreasethelikelihoodthatalistcontainedonlyvalidnumbers,thewormcouldinsteadbeprogrammedtotakeonlythenumbersfromthe“RecentlyCalled”list.Theeffectivenessofhismethodwouldbelimitedtomobiledevicesrunningspecicop-eratingsystems.Theinteractionbetweenmanymobiledevicesanddesktopcomputerscouldalsobeexploited.AnInternetwormde-signedtoscrapethecontentsofasynchronizedaddressbookandthenpostthatdatatoapubliclocationsuchasachatroomwouldyieldsimilardata.Lastly,Bluetoothenableddeviceshavebecomenotoriousforleakinginformation.Hiddeninabusyareasuchasabus,subwayortrainterminal,adevicedesignedtocollectthissortofinformation[56]throughcontinuouspollingofBluetooth-enabledmobilephonesinthevicinitywouldquicklybeabletocre-atealargehit-list.Ifthissystemwaslefttorunforanumberofdays,acorrelationcouldbedrawnbetweenaphonenumberandalocationgivenatimeanddayoftheweek.4.MODELINGDOSATTACKSGiventheexistingbottlenecksandtheabilitytocreatehit-lists,wenowdiscussattacksagainstcellularnetworks.AnadversarycanmountanattackbysimultaneouslysendingmessagesthroughthenumerousavailableportalsintotheSMSnetwork.Theresult-ingaggregateloadsaturatesthecontrolchannelstherebyblockinglegitimatevoiceandSMScommunication.Dependingonthesizeoftheattack,theuseoftheseservicescanbedeniedfortargetsranginginsizefrommajormetropolitanareastoentirecontinents.4.1MetropolitanAreaServiceAsdiscussedinSection2,thewirelessportionofSMSdeliv-erybeginswhenthetargeteddevicehearsitsTemporaryMobileSubscriberID(TMSI)overthePagingChannel(PCH).ThephoneacknowledgestherequestviatheRandomAccessChannel(RACH)andthenproceedswithauthenticationandcontentdeliveryoveraStandaloneDedicatedControlChannel(SDCCH).VoicecallestablishmentisverysimilartoSMSdelivery,exceptaTrafcChannel(TCH)isallocatedforvoicetrafcatthecom-pletionofcontrolsignaling.TheadvantageofthisapproachisthatSMSandvoicetrafcdonotcompeteforTCHs,whichareheldforsignicantlylongerperiodsoftime.Therefore,TCHusecanbeop-timizedsuchthatthemaximumnumberofconcurrentcallsispro-vided.BecausebothvoiceandSMStrafcusethesamechannelsforsessionestablishment,contentionfortheselimitedresourcesstilloccurs.GivenenoughSMSmessages,thechannelsneededforsessionestablishmentwillbecomesaturated,therebyprevent-ingvoicetrafctoagivenarea.Suchascenarioisnotmerelytheo-retical;instancesofthiscontentionhavebeenwelldocumented[30,2,18,38,46,3].Inordertodeterminetherequirednumberofmessagestoinducesaturation,thedetailsoftheairinterfacemustbeexamined.WhilethefollowinganalysisofthisvulnerabilityfocusesonGSMnet-works,othersystems(e.g.CDMA[55])areequallyvulnerabletoattacks.TheGSMairinterfaceisatimesharingsystem.Thistechniqueiscommonlyemployedinavarietyofsystemstoprovideanequaldistributionofresourcesbetweenmultipleparties.Eachchannel Figure4:Anexampleairinterfacewithfourcarriers(eachshowingasingleframe).ThersttimeslotoftherstcarrieristheCommonCCH.Thesecondtimeslotoftherstchan-nelisreservedforSDCCHconnections.Overthecourseofamultiframe,capacityforeightusersisallotted.Theremainingtimeslotsacrossallcarriersaredesignatedforvoicedata.Thissetupiscommoninmanyurbanareas.isdividedintoeighttimeslotsand,whenviewedasawhole,formaframe.Duringagiventimeslot,theassigneduserreceivesfullcontrolofthechannel.Fromthetelephonyperspective,auseras-signedtoagivenTCHisabletotransmitvoicedataonceperframe.Inordertoprovidetheillusionofcontinuousvoicesampling,theframelengthislimitedto4.615ms.AnillustrationofthissystemisshowninFigure4.Becausethebandwidthwithinagivenframeislimited,data(es-peciallyrelatingtotheCCH)mustoftenspananumberofframes,asdepictedinFigure5.Thisaggregationisknownasamultiframeandistypicallycomprisedof51frames6.Forexample,overthecourseofasinglemultiframe,thebasestationisabletodedicateupto34ofthe51CommonCCHslotstopagingoperations.Eachchannelhasdistinctcharacteristics.WhilethePCHisusedtosignaleachincomingcallandtextmessage,itscommitmenttoeachsessionislimitedtothetransmissionofaTMSI.TCHs,ontheotherhand,remainoccupiedforthedurationofacall,whichonaverageisanumberofminutes[44].TheSDDCH,whichhasap-proximatelythesamebandwidthasthePCHacrossamultiframe,isoccupiedforanumberofsecondspersessionestablishment.Ac-cordingly,inmanyscenarios,thischannelcanbecomeabottleneck.Inordertodeterminethecharacteristicsofthewirelessbottle-neck,itisnecessarytounderstandtheavailablebandwidth.AsshowninFigure5,eachSDCCHspansfourlogicallyconsecutivetimeslotsinamultiframe.With184bitspercontrolchannelunitandamultiframecycletimeof235.36ms,theeffectivebandwidthis782bps[4].Giventhatauthentication,TMSIrenewal,theen-ablingofencryption,andthe160bytetextmessagemustbetrans-ferred,asingleSDCCHiscommonlyheldbyanindividualsessionforbetweenfourandveseconds[44].Thegray-boxtestinginSection3.1reinforcestheplausibilityofthisvaluebyobservingnomessagesdeliveredinundersixseconds.Thisservicetimetranslatesintotheabilitytohandleupto900SMSsessionsperhouroneachSDCCH.Inrealsystems,thetotalnumberofSDCCHsavailableinasectoristypicallyequaltotwicethenumberofcarriers7,oroneperthreetofourvoicechannels.Forexample,inanurbanlocationsuchastheonedemonstratedinFigure4whereatotaloffourcarriersareused,atotalofeightSDCCHsareallocated.Alesspopulatedsuburbanorruralsectormayonlyhavetwocarriersperareaandthereforehavefourallo- 6Multiframescanactuallycontain26,51or52frames.Ajustica-tionforeachcaseisavailableinthestandards[4].7ActualallocationofSDCCHchannelsmayvaryacrossimplemen-tations;however,thesearethegenerallyacceptedvaluesthrough-outthecommunity. Figure5:Timeslot1fromeachframeinamultiframecreatesthelogicalSDCCHchannel.Inasinglemultiframe,uptoeightuserscanreceiveSDCCHaccess.catedSDCCHs.Denselypopulatedmetropolitansectorsmayhaveasmanyassixcarriersandthereforesupportupto12SDCCHsperarea.Wenowcalculatethemaximumcapacityofthesystemforanarea.AsindicatedinastudyconductedbytheNationalCommuni-cationsSystem(NCS)[44],thecityofWashingtonD.C.has40cel-lulartowersandatotalof120sectors.Thisnumberreectssectorsofapproximately0.5to0.75mi2throughthe68.2mi2city.Assum-ingthateachofthesectorshaseightSDCCHs,thetotalnumberofmessagespersecondneededtosaturatetheSDCCHcapacityCis:C'(120sectors)8SDCCH 1sector900msgs/hr 1SDCCH'864;000msgs/hr'240msgs/secManhattanissmallerinareaat31.1mi2.AssumingthesamesectordistributionasWashingtonD.C.,thereare55sectors.Duetothegreaterpopulationdensity,weassume12SDCCHsareusedpersector.C'(55sectors)12SDCCH 1sector900msg/hr 1SDCCH'594;000msg/hr'165msg/secGiventhatSMSCsinusebyserviceprovidersin2000werecapa-bleofprocessing2500msgs/sec[59],suchvolumesareachievableeveninthehypotheticalcaseofasectorhavingtwicethisnumberofSDCCHs.Usingasourcetransmissionsizeof1500bytesasdescribedinSection3.1tosubmitanSMSfromtheInternet,Table3showsthebandwidthrequiredatthesourcetosaturatethecontrolchannels,therebyincapacitatinglegitimatevoiceandtextmessagingservicesforWashingtonD.C.andManhattan.Theadversary'sbandwidthrequirementscanbereducedbyanorderofmagnitudewhenat-tackingprovidersincludingVerizonandCingularWirelessduetotheabilitytohaveasinglemessagerepeatedtouptotenrecipients.DuetothedatagatheredinSection3.1,sendingthismagnitudeofmessagestoasmallnumberofrecipientswoulddegradetheef-fectivenessofsuchanattack.Asshownintheprevioussection,tar-getedphoneswouldquicklyseetheirbuffersreachcapacity.Unde-liverablemessageswouldthenbebufferedinthenetworkuntilthespaceallotedperuserwasalsoexhausted.Theseaccountswouldlikelybeaggedandpotentiallytemporarilyshutdownforreceiv-ingahighnumberofmessagesinashortperiodoftime,thereby Area #Sectors #SDCCHs/sector SMSCapacity UploadBandwidth* Multi-RecipientBandwidth* WashingtonD.C. 120 8 240msgs/sec 2812.5kbps 281.25kbps (68.2mi2) 12 360msgs/sec 4218.8kbps 421.88kbps 24 720msgs/sec 8437.5kbps 843.75kbps Manhattan 55 8 110msgs/sec 1289.1kbps 128.91kbps (31.1mi2) 12 165msgs/sec 1933.6kbps 193.66kbps 24 330msgs/sec 3867.2kbps 386.72kbps *assuming1500bytespermessageTable3:Requireduploadbandwidthtosaturateanemptynetworkfullyextinguishingtheattack.Cleverusageofwellconstructedhit-listskeepsthenumberofmessagesseenbyindividualphonesfarbelowrealisticthresholdsforratelimitationonindividualtargets.UsingtheconservativepopulationanddemographicnumberscitedfromtheNCStechnicalbulletin[44]8andassuming50%ofthewirelesssubscribersinWashingtonareservicedbythesamenet-work,anevendistributionofmessageswouldrequirethedeliveryofapproximately5.04messagestoeachphoneperhour(1messageevery11.92minutes)tosaturateWashingtonD.C.Ifthepercentageofsubscribersreceivingservicefromaprovideriscloserto25%,thenumberisonly10.07messagesperhour(1messageevery5.96minutes).InamoredenselypopulatedcitysuchasManhattan,withapopulationestimatedat1,318,000with60%wirelesspen-etrationand12SDCCHs,only1.502messageswouldhavetobereceivedperuserperhourifhalfofthewirelessclienteleusethesameprovider.Thatnumberincreasesslightlyto3.01ifthenumberiscloserto25%.Dependingontheintendeddurationofanattack,thecreationofverylargehit-listsmaynotbenecessary.Anadversarymayonlyrequireaveminuteserviceoutagetoaccomplishtheirmis-sion.Assumingthattheattackercreatedahit-listwithonly2500phonenumbers,witheachtargethavingabufferof50messagesandlaunchedtheirattackinacitywith8SDCCHs(e.g.Washing-tonD.C.),uniformrandomuseofthehit-listwoulddeliverasinglemessagetoeachphoneevery10.4seconds,allowingtheattacktolast8.68minutesbeforebufferexhaustion.Similartothemostdan-gerouswormsintheInternet,thisattackcouldbecompletedbeforeanyonecapableofthwartingitcouldrespond.Whencomparedtotherequisitebandwidthtolaunchtheseat-tackslistedinTable3,manyofthesescenarioscanbeexecutedfromasinglehigh-endcablemodem.Amoredistributed,lessbandwidthintenseattackmightinsteadbelaunchedfromasmallzombienetwork.4.2RegionalServiceBothpopularityandthepotentialforhighrevenuehaveforcedserviceproviderstoinvestigatemethodsofincreasingSMScapac-ityintheirnetworks.Already,anumberofmajorindustrialplay-ers[20,32]offersolutionsdesignedtoofoadSMStrafcfromthetraditionalSS7phonesystemontolessexpensive,higherband-widthIP-basednetworks.NewSMSCs,eachcapableofprocessingsome20,000SMSmessagespersecond,wouldhelptoquicklydis-seminatetheconstantlyincreasingdemand.AdvancedservicesincludingGeneralPacketRadioService(GPRS)andEnhancedDataratesforGSMEvolution(EDGE)promisehighspeeddataconnectionstotheInternetformobiledevices.Whileof-feringtoalleviatemultimediatrafcattheSMSCandpotentiallysendsomeSMSmessages,thesedataservicesarewidelyviewedascomplimentarytoSMSandwillthusnotreplaceSMS'sfunction- 8572,059peoplewith60%wirelesspenetrationand8SDCCHs(andthatdevicesarepoweredon).alityintheforeseeablefuture[12]9.IntermsofSMSdelivery,allaspectsofthenetworkareincreasingavailablebandwidthexcepttheSDCCHbottleneck.WeexamineaconservativeattackonthecellularinfrastructureintheUnitedStates.FromtheUnitedStatesCensusin2000,ap-proximately92,505mi2[57]areconsideredurban.This2.62%ofthelandishometoapproximately80%ofthenation'spopulation.Werstmodeltheattackbyassumingthatallurbanareasinthecountryhavehigh-capacitysectors(8SDCCHspersector).Thisassumptionleadstotheresultsshownbelow:C'8SDCCH 1sector900msg/hr 1SDCCH1:7595sectors 1mi2(92;505mi2)'1;171;890;342msg/hr'325;525msg/secThisattackwouldrequireapproximately3.8Gbpsandanation-widehit-listtobesuccessful.Iftheadversaryisabletosubmitasinglemessagetouptotendifferentrecipients,therequisiteband-widthfortheattackerdropstoapproximately370Mbps.Consid-eringthatpreviousdistributedDoS(DDoS)attackshavecrippledwebsitessuchasYahoo!(www.yahoo.com)withgigabitpersec-ondbandwidth,thisattackontheentirecellularinfrastructureiswhollyrealizablethrougharelativelysmallzombienetwork.4.3TargetedAttacksWhiletotalnetworkdegradationattackscanoccur,Internetat-tackscanbetargeted.Internetdrivenattacksdirectedatspecictargetsinthephysicaldomainarenotnew.In2002,anonymousin-dividualsinundatedspammerAlanRalskywiththousandsofmail-ordercatalogsonadailybasis.Throughtheuseofsimplescriptingtoolsandalackofmechanismstopreventautomation[15],theseindividualssubscribedtheirtargettopostalmailinglistsatamuchfasterratethanhecouldpossiblyberemoved.Insodoing,Mr.Ral-sky'sabilitytoreceivenormalmailathisprimaryresidencewasallbutdestroyed.ThissameattackcanbeappliedtoSMSservice.Whilethecom-pletedisruptionofauser'sSMSserviceisdangerous,amorein-terestingattackoccurswhentheadversarywishestostopavictimfromreceivingusefulmessages.Forexample,ajealousex-lovermaywishtokeepamessagefrombeingdelivered;astocktradermaywanttodelayupdatesreceivedbycompetitors;anattackermaywanttokeepasystemsadministratorfromreceivinganoti-cation. 9SMSoverGPRSisalreadyinservice;however,itisnotthedefaultmethodofSMSdeliveryonGPRS-capablephonesandmustbeactivatedbytheuser.Furthermore,SMSoverGPRSstilldefaultstothestandardSMSdeliverymechanismwhenGPRSisunavailable 6.SOLUTIONSManyofthemechanismscurrentlyinplacearenotadequatetoprotectthesenetworks.Theprovenpracticalityofaddressspoongordistributedattacksviazombienetworksmakestheuseofauthen-ticationbaseduponsourceIPaddressesanineffectivesolution[9].AsdemonstratedinSection4,limitingthemaximumnumberofmessagereceivedbyanindividualoveratimeperiodisalsoinef-fective.Duetothetremendousearningspotentialassociatedwithopenfunctionality,itisalsodifculttoencourageserviceproviderstorestrictaccesstoSMSmessaging.Solutionsmustthereforetakeallofthesemattersintoconsideration.Themechanismsbelowof-ferbothlongtermandtemporaryoptionsforsecuringcellularnet-works.6.1SeparationofVoiceandDataItishighlyunlikelythatthenumerousconnectionsbetweentheInternetandcellularnetworkswillorcanbeclosedbyserviceproviders.Inlightofthis,themosteffectivemeansofeliminatingtheaboveattacksisbyseparatingallvoiceanddatacommunica-tions.Insodoing,theinsertionofdataintocellularnetworkswillnolongerdegradethedelityofvoiceservices.Thisseparationshouldoccurinboththewirednetworkandattheairinterface.Dedicatingacarrierontheairinterfacefordatasignalinganddeliveryeliminatesanattacker'sabilitytotakedownvoicecommunications.Dedicateddatachannels,however,areaninefcientuseofspectrumandarethereforeunattractive.Evenifthissolutionisimplemented,thebottleneckmaybepushedintotheSS7network.Moreimportantly,separatingtextmessagingtraf-contoIPordedicatedSS7linksdoesnotpreventanattackfromoverloadingtheairinterface.Untilofoadingschemes[20,32]arefullyimplementedinthesenetworks,overloadcontrols[34]baseduponoriginpriorityshouldbeimplementedtohelpshapetrafc.AsmentionedinSection4.2,apartialseparationhasalreadybegunwiththeintroductionofdataservicesincludingGRPSandEDGE;however,thesenetworkswillremainvulnerabletoattackaslongasInternet-originatedtextmessagesexist.Theseparationofvoiceanddataisnotenoughtocompletelyensureunaffectedwirelesscommunications.Insituationssimi-lartoSeptember11thwherevoicecapacityissaturated,Internet-originatedSMSmessagescanstillbeusedtolldatachannelssuchthatlegitimatetextmessagingisstillimpossible.SMStrafcshouldthereforebesubjecttooriginclassication.Textmessagesoriginatingoutsideofthenetworkshouldbeassignedlowpriorityondatachannels.Messagesoriginatingwithinthephonenetworkshouldreceivehighpriority.ThissolutionassumesthattheSMSCissufcientlyprotectedfromphysicalcompromisebyanattacker.Ifthisexpectationdoesnothold,moresophisticated,distributedmechanismswillhavetobeemployedthroughouttheSS7network.6.2ResourceProvisioningManyserviceprovidershaveexperiencedealingwithtemporaryelevationsinnetworktrafcsuchasashcrowds.COSMOTE,theGreektelecommunicationscompanyresponsibleforprovidingservicetothe2004Olympicgames,deployedadditionalbasesta-tionsandanextraMSCintheareasurroundingtheOlympicCom-plex[22].Thisextraequipmentallowedthissystemtosuccess-fullydeliverover100milliontextmessagesduringthe17daydu-rationofthegames[37].Similarly,sportingeventsandlargepub-licgatheringsintheUnitedStatesregularlytakeadvantageofso-calledCellular-on-Wheels(COW)servicesinordertoaccountforlocation-dependenttrafcspikes.TheeffectsofInternet-originatedSMSattackscouldbereducedbyincreasingcapacitytocriticalareasinasimilarfashion.Unfor-tunately,thecostofadditionalequipmentmakesthissolutiontooexpensive.Evenifaproviderrationalizedtheexpense,theelevatedprovisioningmerelymakesDoSattacksmoredifcultbutnotim-possible.Additionally,theincreasednumberofhandoffsresultingfromreducedsectorsizewouldinducesignicantstrainonthenet-workcore.6.3RateLimitationDuetothetimeandmoneyrequiredtorealizeeitheroftheabovesolutions,itisnecessarytoprovideshorttermmeansofsecuringcellularnetworks.Thesetechniquesharnesswell-knownratelimi-tationmechanisms.Ontheairinterface,thenumberofSDCCHchannelsallowedtodelivertextmessagescouldberestricted.Giventheadditionofnormaltrafcllingcontrolchannels,thisattackwouldstillbeef-fectiveindenyingservicetoallbutafewindividuals.Additionally,thisapproachslowstheratethatlegitimatetextmessagescanbedelivered,potentiallyelevatingcongestioninthecoreofthephonenetwork.Thisapproachisthereforenotanadequatesolutiononitsown.Becausemanyoftheseattacksareheavilyreliantuponaccu-ratelyconstructedhit-lists,impedingtheircreationshouldbeofthehighestpriority.Specically,allofthewebinterfacesshouldceasereturningbothpositiveandnegativeacknowledgmentsforsubmit-tedSMSmessages.Instead,amessageindicatingonlythatthesubmissionwasbeingprocessedshouldbereturnedsoastonotpermitanattackerfromaccuratelymappinganNPA/NXXdomain.Thisiscurrentlythebehaviorseenwhenamobile-to-mobilemes-sageissent.Unfortunately,becauselegitimateusersareunabletodeterminewhetherornottheirmessagehasbeenacceptedbythesystem,thetradeoffforimplementingthispolicyisareductioninthereliabilityofInternet-originatedtextmessages.Furthermore,allwebinterfacesshouldlimitthenumberofre-cipientstowhichasingleSMSsubmissionissent.TheabilitytosendtenmessagespersubmissionatboththeVerizonandCingularWirelesswebsitesisparticularlydangerousasoodingthesystemrequiresone-tenthofthemessagesandbandwidthnecessarytoin-terferewithothernetworks.Reducingtheabilitytoautomatesubmissionsisanotherapproachthatshouldbeconsideredasatemporarysolutionfortheseinter-faces.Havingthesender'scomputercalculatetractablebutdif-cultpuzzles[8,62]beforeasubmissioniscompletedlimitsthefrequencywithwhichanymachinecaninjectmessagesintoasys-tem.TheuseofCAPTCHAs[61,43],orimagescontainingembed-dedtextthatisdifcultforcomputerstoparse,isalsoplausible.BecauseCAPTCHAsarenotunbreakable[42]andpuzzlesonlyimpedethesubmissionspeedforindividuals,bothofthesecoun-termeasurescanbecircumventedifanattackeremploysalargeenoughzombienetwork.Thelastandcertainlyleastpopularsuggestionistoclosetheinterfacebetweenthewebandcellularnetworks.Whilethissolu-tionisthemostcomplete,itisextremelyunlikelytoreceiveseriousconsiderationduetothepotentialnancialconsequencesitwouldcausetobothserviceprovidersandthird-partycompaniesprovid-inggoodsandservicesthroughthisinterface.Giventhesizeofthesenetworksandthenumberofconnectedexternalentities,im-plementingthisoptionmayactuallybeimpossible.6.4EducationWhiletheabovemechanismsareappropriateforthepreventionofDoSattacks,theyhavelimitedsuccesspreventingphishingscams.Phisherswillstillbeabletosendmessagestoindividualsthroughthewebinterfacewithanonymity;however,theirabilitytoblanket [22]COSMOTEWhitepaper.COSMOTEandthe'Athens2004'olympicsponsorship.Technicalreport,2003.http://www.cosmote.gr/content/en/attached les/investorrelations/COSMOTE Annual Report 2003 77-84.pdf.[23]L.CranorandB.LaMacchia.Spam!CommunicationsoftheACM,41(8):74–83,August1998.[24]F-SecureCorporation.F-Securemobileanti-virus.http://www.f-secure.com/products/fsmavs60/.[25]F-SecureCorporation.F-Securevirusdescriptions:Cabir.h.http://www.f-secure.com/v-descs/cabir h.shtml,December2004.[26]F-SecureCorporation.F-Securevirusdescriptions:Mabir.a.http://www.f-secure.com/v-descs/mabir.shtml,April2005.[27]F-SecureCorporation.F-Securevirusdescriptions:Skulls.a.http://www.f-secure.com/v-descs/skulls.shtml,January2005.[28]E.Felten,D.Balfanz,D.Dean,andD.Wallach.Webspoong:Aninternetcongame.SoftwareWorld,28(2):6–9,March1997.[29]G.Goth.Phishingattacksrising,butdollarslossesdown.IEEESecurityandPrivacyMagazine,3(1):8,January2005.[30]M.Grenville.Operators:Celebrationmessagesoverloadsmsnetwork.http://www.160characters.org/news.php?action=view&nid=819,November2003.[31]K.HouleandG.Weaver.Trendsindenialofserviceattacktechnology.Technicalreport,CERTCoordinationCenter,October2001.http://www.cert.org/archive/pdf/DoS trends.pdf.[32]IntelWhitepaper.SMSmessaginginSS7networks:Optimizingrevenuewithmodularcomponents.Technicalreport,2003.http://www.intel.com/network/csp/pdf/8706wp.pdf.[33]J.IoannidisandS.Bellovin.Implementingpushback:Router-baseddefenseagainstDDoSattacks.InProceedingsofNetworkandDistributedSystemSecuritySymposium,February2002.[34]S.Kasera,J.Pinheiro,C.L.M.Karaul,A.Hari,andT.L.Porta.Fastandrobustsignalingoverloadcontrol.InProceedingsIEEEConferenceonNetworkProtocols(ICNP),pages323–331,November2001.[35]E.Levy.Interfaceillusions.IEEESecurity&PrivacyMagazine,2(6):66–69,December2004.[36]G.Lorenz,T.Moore,G.Manes,J.Hale,andS.Shenoi.Securingss7telecommunicationsnetworks.InProceedingsoftheIEEEWorkshoponInformationAssuranceandSecurity,2001.[37]S.Makris.Athens2004games:The”extrememakeover”olympics!,April2005.SlidespresentedatCQR2005Workshop,St.PetersburgBeach,FloridaUSA.[38]S.Marwaha.Willsuccessspoilsms?http://wirelessreview.com/mag/wireless success spoil sms/,March15,2001.[39]J.MirkovicandP.Reiher.AtaxonomyofDDoSattacksandDDoSdefensemechanisms.ACMSIGCOMMComputerCommunicationReview,34(2):39–53,2004.[40]D.Moore,V.Paxson,S.Savage,C.Shannon,S.Staniford,andN.Weaver.Insidetheslammerworm.IEEESecurityandPrivacy,1(4),July2003.[41]T.Moore,T.Kosloff,J.Keller,G.Manes,andS.Shenoi.Signallingsystem7networksecurity.InProceedingsoftheIEEE45thMidwestSymposiumonCircuitsandSystems,August4-7,2002.[42]G.MoriandJ.Malik.Recognizingobjectsinadversarialclutter:Breakingavisualcaptcha.InProc.ofComputerVisionandPatternRecognition,2003.[43]M.Naor.Vericationofhumaninthelooporidenticationviatheturingtest.http://www.wisdom.weizmann.ac.il/naor/PAPERS/human.ps,1996.[44]NationalCommunicationsSystem.SMSoverSS7.TechnicalReportTechnicalInformationBulletin03-2(NCSTIB03-2),December2003.http://www.ncs.gov/library/tech bulletins/2003/tib 03-2.pdf.[45]Nextel.Textmessaging.http://www.nextel.com/en/services/messaging/text messaging.shtml.[46]J.Pearce.Mobilermsgearupfornewyearstext-fest.http://news.zdnet.co.uk/communications/networks/0,39020345,39118812,00.htm,December30,2003.[47]H.Project.Thehoneynetproject.http://project.honeynet.org,2005.[48]RedTeam.o2germanypromotessms-phishing.http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-009.txt.[49]P.Roberts.Nokiaphonesvulnerabletodosattack.http://www.infoworld.com/article/03/02/26/HNnokiados 1.html,February26,2003.[50]S.Savage,D.Wetherall,A.Karlin,andT.Anderson.PracticalnetworksupportforIPtraceback.InProceedingsofACMSIGCOMM,pages295–306,October2000.[51]C.Schuba,I.Krsul,M.Kuhn,E.Spafford,A.Sundaram,andD.Zamboni.AnalysisofadenialofserviceattackonTCP.InProceedingsofthe1997IEEESymposiumonSecurityandPrivacy,pages208–223.IEEEComputerSociety,May1997.[52]G.Shannon.Securityvulnerabilitiesinprotocols.InProceedingsofITU-TWorkshoponSecurity,May13-14,2002.[53]S.Staniford,V.Paxson,andN.Weaver.Howto0wntheinternetinyoursparetime.InUsenixSecuritySymposium,pages149–167,2002.[54]J.Swartz.Cellphonesnowrichertargetsforviruses,spam,scams.http://www.usatoday.com/printedition/news/20050428/1a bottomstrip28.art.htm,April28,2005.[55]TelecommunicationIndustryAssociation/ElectronicIndustriesAssociation(TIA/EIA)Standard.Shortmessagingserviceforspreadspectrumsystems.TechnicalReportANSI/TIA/EIA-637-A-1999.[56]Tom'sHardware.Howto:Buildingabluesniperrie.http://www.tomsnetworking.com/Sections-article106.php,March2005.[57]UnitedStatesCensusBureau.Unitedstatescensus2000.http://www.census.gov/main/www/cen2000.html,2000.[58]UnitedStatesCongress,Senate.Controllingtheassaultofnon-solicitedpornographyandmarketingactof2003(CAN-SPAM).PublicLaw108-187,108thCongress,December16,2003.[59]S.vanZanen.Sms:Cannetworkshandletheexplosivegrowth?http://www.wirelessdevnet.com/channels/sms/features/smsnetworks.html,2000.[60]VerizonWireless.Abouttheservice.http://www.vtext.com/customer site/jsp/aboutservice.jsp.[61]L.vonAhn,M.Blum,N.Hopper,andJ.Langford.CAPTCHA:UsinghardAIproblemsforsecurity.InProceedingsofEurocrypt,pages294–311,2003.[62]B.Waters,A.Juels,J.Halderman,andE.Felten.NewclientpuzzleoutsourcingtechniquesforDoSresistance.InProceedingsofACMCCS'04,pages246–256,2004.[63]S.Wolpin.Spamcomescalling.http://techworthy.com/Laptop/June2004/Spam-Comes-Calling.htm,June2004.