research-article

Public Access

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks

Authors:

Songwu LuAuthors Info & Claims

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Pages 1118 - 1130

https://doi.org/10.1145/2976749.2978393

Published: 24 October 2016 Publication History

Abstract

SMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the underlying technology of SMS evolves from the legacy circuit-switched network to the IMS (IP Multimedia Subsystem) system over packet-switched network. In this work, we study the insecurity of the IMS-based SMS. We uncover its security vulnerabilities and exploit them to devise four SMS attacks: silent SMS abuse, SMS spoofing, SMS client DoS, and SMS spamming. We further discover that those SMS threats can propagate towards SMS-powered services, thereby leading to three malicious attacks: social network account hijacking, unauthorized donation, and unauthorized subscription. Our analysis reveals that the problems stem from the loose security regulations among mobile phones, carrier networks, and SMS-powered services. We finally propose remedies to the identified security issues.

References

[1]

3GPP. TS23.228: IP Multimedia Subsystem (IMS);Stage 2, 2012.

[2]

3GPP2. IMS Security Framework.

[3]

S. B. Almina and M. Chatterjee. A novel approach to detect android malware. In ELSEVIER ICACTA, 2015.

[4]

A. J. Alzahrani and A. A. Ghorbani. Sms mobile botnet detection using a multi-agent system: Research in progress. In ACM ACySe, 2014.

Digital Library

[5]

Arm inc.: Trustzone, 2016. http://www.arm.com/products/processors/technologies/trustzone/.

[6]

AT&T, T-Mobile, Sprint to stop charging for most premium text messages. http://www.computerworld.com/article/2486212.

[7]

AT&T to Retire 2G - GSM Sunset. http://www.sine-wave.com/blog/2g-sunset-retiring#.VmDW-narRaQ.

[8]

A. Bose, X. Hu, K. G. Shin, and T. Park. Behavioral detection of malware on mobile handsets. In ACM Mobisys, 2008.

Digital Library

[9]

A. Bose and K. G. Shin. On mobile viruses exploiting messaging and bluetooth services. In IEEE Securecomm and Workshops, 2006.

[10]

China arrests 1500 people sending TEXT from fake base stations. http://www.ibtimes.co.uk/china-arrests-1500-people-sending-spam-text-messages-fake-mobile-base-stations-1442099.

[11]

China spammers' latest weapon: fake base stations. http://www.electricspeech.com/journal/2013/12/6/china-spammers-latest-weapon-fake-base-stations.html.

[12]

com.android.internal.telephony.itelephony. http://grepcode.com.

[13]

A. Dabrowski, N. Pianta, T. Klepp, M. Mulazzani, and E. Weippl. Imsi-catch me if you can: Imsi-catcher-catchers. In ACM ACSAC, Dec. 2014.

Digital Library

[14]

A. Dmitrienko, C. Liebchen, C. Rossow, and A.-R. Sadeghi. On the (in)security of mobile two-factor authentication. In FC, 2014.

[15]

W. Enck, P. Traynor, P. McDaniel, and T. La Porta. Exploiting open functionality in sms-capable cellular networks. In ACM CCS, 2005.

Digital Library

[16]

Facebook texts. https://www.facebook.com/help/170960386370271/.

[17]

Fortune 500: Top 1000 companies. http://fortune.com/fortune500/.

[18]

Galaxy S7 Locked Bootloader May Stay Locked. http://www.androidheadlines.com/2016/03/galaxy-s7-locked-bootloader-may-stay-locked.html.

[19]

K. Hamandi, A. Chehab, I. H. Elhajj, and A. Kayssi. Android sms malware: Vulnerability and mitigation. In IEEE WAINA, 2013.

Digital Library

[20]

R. He, G. Zhao, C. Chang, H. Xie, X. Qin, and Z. Qin. A pk-sim card based end-to-end security framework for sms. Computer Standards & Interfaces, 31(4):629--641, 2009.

Digital Library

[21]

H. Holma and A. Toskala. WCDMA for UMTS - HSPA Evolution and LTE. Wiley, 2007.

Digital Library

[22]

R. Jover. Security attacks against the availability of lte mobility networks: Overview and research directions. In WPMC, 2013.

[23]

H. Kim, D. Kim, M. Kwon, H. Han, Y. Jang, D. Han, T. Kim, and Y. Kim. Breaking and fixing volte: Exploiting hidden data channels and mis-implementations. In ACM CCS, Oct. 2015.

Digital Library

[24]

C.-Y. Li, G.-H. Tu, C. Peng, Z. Yuan, Y. Li, S. Lu, and X. Wang. Insecurity of voice solution volte in lte mobile networks. In ACM CCS, 2015.

Digital Library

[25]

X. Li, H. Hu, G. Bai, Y. Jia, Z. Liang, and P. Saxena. Droidvault: A trusted data vault for android devices. In IEEE ICECCS, 2014.

Digital Library

[26]

J. L.-C. Lo, J. Bishop, and J. H. P. Eloff. Smssec: An end-to-end protocol for secure sms. In Computers & Security, 2008.

Digital Library

[27]

W. Luo, S. Xu, and X. Jiang. Real-time detection and prevention of android sms permission abuses. In ACM SESP, 2013.

Digital Library

[28]

M. Ma. Security investigation in 4g lte networks. In IEEE GLOBECOM, 2012.

[29]

Market share of wireless subscriptions held by carriers in the U.S. http://www.statista.com/statistics/199359/market-share-of-wireless-carriers-in-the-us-by-subscriptions/.

[30]

U. Meyer and S. Wetzel. On the impact of gsm encryption and man-in-the-middle attacks on the security of interoperating gsm/umts networks. In IEEE PIMRC, 2004.

[31]

C. Mulliner, R. Borgaonkar, P. Stewin, and J.-P. Seifert. Sms-based one-time passwords: Attacks and defense. In DIMVA, 2013.

Digital Library

[32]

Premium SMS. http://vodafone.intelliresponse.com.

[33]

Pushbullet. http://www.androidcentral.com/pushbullet-adds-end-end-encryption-sms-notification-mirroring-and-more.

[34]

R. Racic, D. Ma, and H. Chen. Exploiting mms vulnerabilities to stealthily exhaust mobile phone's battery. In IEEE Securecomm and Workshops, 2006.

[35]

B. Reaves, N. Scaife, D. Tian, L. Blue, P. Traynor, and R. K. Butler. Sending out an sms: Characterizing the security of the sms ecosystem with public gateways. In IEEE S&P, May 2016.

[36]

RFC3261: SIP: Session Initiation Protocol, 2002.

[37]

Rooting SIM cards with SMS OTA. https://srlabs.de/rooting-sim-cards/.

[38]

P. Rovelli and Ý. Vigfússon. Pmds: Permission-based malware detection system. In ICISS, 2014.

[39]

N. Saxena and N. Chaudhari. Easysms: A protocol for end-to-end secure transmission of sms. In IEEE Transactions on Information Forensics and Security, 2014.

Digital Library

[40]

E. Shablygin and S. Bratus. How to count to two: What "two factor authentication" misses. Feb. 2015.

[41]

A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert. Practical attacks against privacy and availability in 4g/lte mobile communication systems. In IEEE NDSS, Feb. 2016.

[42]

S. W. Smith. Outbound Authentication for Programmable Secure Coprocessors. In ESORICS, 2002.

Digital Library

[43]

Sms phishing. http://en.wikipedia.org/wiki/SMS\_phishing.

[44]

Smsspoofing. http://www.smsspoofing.com/.

[45]

Y. Song, K. Zhou, and X. Chen. Fake bts attacks of gsm system on software radio platform. JOURNAL OF NETWORKS, 7(2):275--281, 2012.

[46]

Spoofcard. http://www.spoofcard.com.

[47]

Spooftexting. http://www.spooftexting.com.

[48]

M. Toorani and A. Beheshti. Solutions to the GSM security weaknesses. In IEEE NGMAST, 2008.

Digital Library

[49]

P. Traynor, W. Enck, P. McDaniel, and T. La Porta. Mitigating attacks on open functionality in sms-capable cellular networks. IEEE/ACM Transactions on Networking, 17(1):40--53, 2009.

Digital Library

[50]

Trojan Sends Premium-rate SMS Messages, Aims at European and Canadian Android Users. http://www.pcworld.com/article/245021.

[51]

G.-H. Tu, C.-Y. Li, C. Peng, and S. Lu. How voice call technology poses security threats in 4g lte networks. In IEEE CNS, 2015.

Cited By

Cui ZCui BXu JFu J(2025)A Systematic Security Analysis for Beyond 5G Non-Access Stratum Protocol from the Perspective of Network CoexistenceInformation Systems Frontiers10.1007/s10796-025-10586-2Online publication date: 18-Feb-2025
https://doi.org/10.1007/s10796-025-10586-2
Saeed MAli EKhalifa OMokhtar R(2025)5G Network Security: Unraveling Vulnerabilities and Innovating Defense MechanismsTowards new e-Infrastructure and e-Services for Developing Countries10.1007/978-3-031-81570-6_25(383-392)Online publication date: 12-Feb-2025
https://doi.org/10.1007/978-3-031-81570-6_25
Gegenhuber GHolzbauer FFrenzel PWeippl EDabrowski ABalzarotti DXu W(2024)Diffie-hellman picture showProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698926(451-468)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698926
Show More Cited By

Index Terms

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks
1. Networks
  1. Network types
    1. Mobile networks
2. Security and privacy

Recommendations

Security Analysis of Handover Key Management in 4G LTE/SAE Networks

The goal of 3GPP Long Term Evolution/System Architecture Evolution (LTE/SAE) is to move mobile cellular wireless technology into its fourth generation. One of the unique challenges of fourth-generation technology is how to close a security gap through ...
Real Threats to Your Data Bills: Security Loopholes and Defenses in Mobile Data Charging
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Secure mobile data charging (MDC) is critical to cellular network operations. It must charge the right user for the right volume that (s)he authorizes to consume (i.e., requirements of authentication, authorization, and accounting (AAA)). In this work, ...
Insecurity of Voice Solution VoLTE in LTE Mobile Networks
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

October 2016

1924 pages

ISBN:9781450341394

DOI:10.1145/2976749

General Chairs:
Edgar Weippl
SBA Research, Austria
,
Stefan Katzenbeisser
TU Darmstadt, CYSEC, Germany
,
Program Chairs:
Christopher Kruegel
University of California, Santa Barbara, USA
,
Andrew Myers
Cornell University, USA
,
Shai Halevi
IBM Research, USA

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 October 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CCS'16

Sponsor:

SIGSAC

CCS'16: 2016 ACM SIGSAC Conference on Computer and Communications Security

October 24 - 28, 2016

Vienna, Austria

Acceptance Rates

CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

41
Total Citations
View Citations
2,159
Total Downloads

Downloads (Last 12 months)530
Downloads (Last 6 weeks)70

Reflects downloads up to 08 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Cui ZCui BXu JFu J(2025)A Systematic Security Analysis for Beyond 5G Non-Access Stratum Protocol from the Perspective of Network CoexistenceInformation Systems Frontiers10.1007/s10796-025-10586-2Online publication date: 18-Feb-2025
https://doi.org/10.1007/s10796-025-10586-2
Saeed MAli EKhalifa OMokhtar R(2025)5G Network Security: Unraveling Vulnerabilities and Innovating Defense MechanismsTowards new e-Infrastructure and e-Services for Developing Countries10.1007/978-3-031-81570-6_25(383-392)Online publication date: 12-Feb-2025
https://doi.org/10.1007/978-3-031-81570-6_25
Gegenhuber GHolzbauer FFrenzel PWeippl EDabrowski ABalzarotti DXu W(2024)Diffie-hellman picture showProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698926(451-468)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3698926
Bitsikas ESchnitzler TPöpper CRanganathan ADoupé AMilburn A(2024)Amplifying threatsProceedings of the 18th USENIX Conference on Offensive Technologies10.5555/3696933.3696939(59-73)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696933.3696939
Hriberšek MLaxar DHammerle FUlbing STeufel ABartos SGauß NNiederle MKimberger OSchaden E(2024)Development and testing of a remote hybrid SMS/web-based perioperative messenger: A mixed-methods studyDIGITAL HEALTH10.1177/2055207624128876010Online publication date: 15-Dec-2024
https://doi.org/10.1177/20552076241288760
Tsunoda A(2024)Investigating Threats Posed by SMS Origin Spoofing to IoT DevicesDigital Threats: Research and Practice10.1145/36960115:4(1-12)Online publication date: 13-Sep-2024
https://dl.acm.org/doi/10.1145/3696011
Ren ZLi XMiao YZhu MYuan SDeng RLuo BLiao XXu JKirda ELie D(2024)PIC-BI: Practical and Intelligent Combinatorial Batch Identification for UAV assisted IoT NetworksProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670303(3645-3658)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670303
Yang YZhang YWan TWang CDuan HChen JLi YKim YKim JKoushanfar FRasmussen K(2024)Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging ServicesProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656131(265-276)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656131
Shi JWang SChen MTu GXie TChen MHu YLi CPeng CGanesan DShi W(2024)IMS is Not That Secure on Your 5G/4G PhonesProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3649377(513-527)Online publication date: 29-May-2024
https://dl.acm.org/doi/10.1145/3636534.3649377
Wang SXie TChen MTu GLi CLei XChou PHsieh FHu YXiao LPeng C(2024)Dissecting Operational Cellular IoT Service Security: Attacks and DefensesIEEE/ACM Transactions on Networking10.1109/TNET.2023.331355732:2(1229-1244)Online publication date: Apr-2024
https://doi.org/10.1109/TNET.2023.3313557
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten