SIMULATION MODEL OF CELLULAR NETWORK BANDWIDTH CONGESTION DUE TO MMS ATTACKS ON MOBILE PHONES

Julius O. Paler

Journal of Science, Engineering and Technology

Abstract

This paper attempts to develop a simulation model that would predict the bandwidth congestion of mobile networks due to multimedia message service (MMS) attacks on mobile phones. The study used an experimental design using simulation modeling. Assumptions were formulated to measure different variables. Findings revealed that the MMS attacks on mobile phones do not cause congestion on the cellular network due to the relatively small data size of the UDP packet.

Keywords: simulation model, bandwidth congestion, mobile network, MMS attacks

1.0 Introduction

An MMS attack is a form of attack wherein an attacker sends user datagram protocol (UDP) packets to a mobile phone primarily to drain the phone's battery. This paper intends to develop a simulation model of its effect on the bandwidth of cellular networks.

Cellular networks are very important information infrastructure. As mobile devices become more dominant, cellular companies are quickly installing broadband data services, like High-Speed Downlink Packet Access (HSDPA) and Evolution-Data Optimized (EVDO). New applications, like the Multimedia Messaging Service (MMS), are also being deployed. Whereas these new services and applications improve mobile computing knowledge, they also bring in severe security concerns (Racic et al.).

Multimedia messaging is becoming more and more popular among users of mobile phones. Most mobile phones nowadays carry multimedia messaging, excluding some low-cost phones. Mobile phone service providers also greatly support multimedia messaging-enabled phones, since service fees represent an extra source of income. Sadly, the Multimedia Messaging Service (MMS) is prone to abuse. A study on the vulnerability of MMS has already been conducted (Mulliner et al.).
But its effect on the cellular network's bandwidth has not been fully explored; hence this study. The simulation model intends to provide analysis of the severity of the impact on cellular network congestion.

Analyzing mobile phone applications is difficult for several reasons. First of all, these applications lack decent documentation. Also, operating systems of mobile phones often do not present refined improvement kits or support for repair. Additionally, investigating MMS needs access to an infrastructure, namely the phone service network. As a result, testing is quite costly.

2.0 Conceptual Framework

MMS is a normal way to send messages. It extends the core SMS (Short Message Service) capability, which allowed the exchange of text messages only up to 160 characters long. The most popular use is to send pictures from handsets that are equipped with cameras. It is also used on a commercial basis by media companies as a way of delivering news and entertainment content, and by retail brands as an instrument for sending scannable voucher codes, merchandise images, videos and other information. Commercial MMS can carry a range of media such as video, a single image, multiple images via slideshow, or audio, and unlimited characters.

The objective of MMS is to support the exchange of messages between User Agent applications, which typically reside in mobile phones and are controlled by the users. The MMS architecture is nearly IP-based. It relies on both the hypertext transfer protocol (HTTP) and the protocols specified by the wireless application protocol (WAP) architecture. These protocols rely on the transport mechanisms provided by the phone network to interact with the User Agent on the mobile phone. HTTP is the basis of data exchange for the World Wide Web (WWW). WAP is a technical standard for accessing information over a mobile wireless network.

Message delivery between User Agents is performed by four components: the MMS Server, the MMS Relay, the WAP Gateway/Push Proxy, and the Short Message Service Center (SMSC). The MMS Server and MMS Relay are usually referred to as the Multimedia Message Service Center (MMSC). Figures 1 and 2 show the components and their interactions, which are discussed hereinafter.

Figure 2. The MMS architecture and the message retrieval process (Source: Vulnerability Analysis of MMS User Agent)

MMS Server. The MMS Server is in charge of keeping the messages sent from the users and of deciding when the messages should be transported to the recipients.

MMS Relay. The MMS Relay takes care of transporting the actual message using a variety of methods, depending on the characteristics of the recipient. Specifically, it will utilize the WAP Gateway/Push Proxy if the message is for a mobile phone user in the same network. Otherwise, an SMTP server will be used if the message is for an email account. The MMS Relay of another provider will be used if the message is for a user from a different network.

WAP Gateway/Push Proxy. The WAP Gateway/Push Proxy serves two purposes. Firstly, it acts as a doorway between the user's mobile phone and the HTTP-based communication. Secondly, it acts as a WAP Push Proxy and transports alerts (via WAP Push messages) that are used to inform the user that an MMS is set to be retrieved.

SMSC. The WAP Push Proxy, together with the MMS Relay, transports WAP Push alerts to the user phones through the SMSC (Short Message Service Center) (Mulliner et al.).

An analysis of MMS security discovered several vulnerabilities that an attacker could exploit. These include unencrypted and unauthenticated MMS messages, unauthenticated MMS receiver/sender, and critical phone information disclosure.

The probable MMS attack could be implemented by building a target hit-list, then bombarding the targets with UDP packets in order to drain their batteries (Racic et al.). When these packets flow into the network, they have the tendency to congest the channels with unwanted data traffic.

Figure 3. MMS Attack Architecture (Source: Attacking SMS)

To attack a phone effectively, an attacker must send a UDP packet 256 bits in size every 3.75 seconds for a GSM-based network and every 5 seconds for a CDMA-based network. Using an ADSL line with an average uplink speed of 384Kbps, an attacker can attack 5625 phones on GSM-based networks and 7000 on CDMA-based networks (Racic et al.). A GSM-based network falls under 2G, with bandwidth capacity ranging from 9.6Kbps to 14.4Kbps, while CDMA is 3G (Howie et al.). Existing 2G networks are integrated into the 3G networks. With this kind of attack, most cellphones will be totally drained in 2 to 7 hours.

According to Globe Telecom, a leading cellular network in the Philippines, it has already established 100% 3G network coverage nationwide, with about 6,500 cell sites serving about 43 million subscribers. That is about 6615 subscribers per cell or base transceiver station (BTS). On a global scale, there are about 700 million 3G+ data subscriptions and 7.6 million base stations worldwide in 2014 (Feshke et al. 2011).

A BTS is a piece of equipment that facilitates wireless communication between user equipment (UE) and a network. UEs are devices like mobile phones, wireless local loop (WLL) phones and computers with wireless internet connectivity. A network can use any wireless communication technology, such as GSM, CDMA, WLL, Wi-Fi, WiMAX or another wide area network (WAN).

The cellular network has a bandwidth ranging from 2.4Kbps to 5Mbps, that is, from 1G to 3G networks, with 3G alone ranging from 2Mbps to 5Mbps (Sauvola et al. 2001). If a 4G network is to be considered, it has a theoretical bandwidth of up to 80Mbps (Zahariadis 2003).

Figure 3. Conceptual framework

3.0 Research Design and Methods

The study made use of an experimental design using simulation modeling. The experimental criterion measure is the bandwidth congestion of a cellular network.

At the start of the simulation, it is assumed that an attacker attacks mobile phones from a single network, Globe Telecom. According to their data, it is assumed that there are 6,615 active mobile phones in a BTS, all of which have internet connectivity. Then, the state of the mobile phone is a random number assuming only two values, 0 and 1. A 1 indicates a mobile phone experiencing an MMS attack, while a 0 indicates one not experiencing an MMS attack.

The consumed bandwidth is the product of the state of the mobile phone and 256. That is where 256 represents the size of the UDP packet, in bits, sent through the network by the attacker on the average per 4.375 seconds. The usable bandwidth Bu is the difference between the bandwidth of the cellular network BW and the consumed bandwidth Where BW is a random number between 9.6 to 5000 Kbps.

Assumptions

The simulation model is based on the following assumptions:

1. An MMS attack will come only from one attacker;
2. Mobile phones will come from a single network, Globe Telecom;
3. All mobile phones that will be attacked will come from a single BTS;
4. The bandwidth of the cellular network is a random number between 9.6 to 5000Kbps;
5. The state of the mobile phone is a random number, either 0 or 1;
6. Each simulation corresponds to 6615 mobile phones being attacked with a probability of success equal to

4.0 Results and Discussion

The data in Table 1 reveal that during the first simulation, which represents a single BTS with 6615 active mobile phones, the mean usable bandwidth of the BTS is 2512.5Kbps with the MMS attack already occurring. The standard deviation of 1435.9 refers to the deviation of the usable bandwidth, which is dependent on the random values assigned to the bandwidth of the network, which is from 9.6Kbps to 5000Kbps.

The mean usable bandwidth of 2512.5Kbps of the single BTS indicates that the MMS attack on the mobile phones does not have a severe impact on the network bandwidth. This is due to the fact that the size of the UDP packet sent from the attacker to the mobile phones is too small to cause data congestion on a relatively wide network bandwidth. Even if this simulation model were to consider multiple MMS attackers, it is unlikely that the MMS attacks would occur at the same time. It should be noted that once the MMS message has already been received by the mobile phone, it is no longer in the network.

The simulation was repeated 1000 times. The 1000 repetitions would imitate 1000 BTS of the cellular network. Table 2 revealed that the mean usable bandwidth of the 1000 BTS is 2496.7Kbps. The standard deviation of the mean usable bandwidth is 129.1. Table 1 shows the first simulation.
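
The procedure of Section 3.0 can be written as a short Monte Carlo script. The following is an added example, not code from the paper; it assumes that every phone row draws its own BW value, that the 256-bit packet is converted to Kbps over the 4.375-second interval, and that the attack probability is 0.5 (a placeholder, since the value is missing from the page), so its output is not expected to match Tables 1 and 2 digit for digit.

```python
import random
import statistics

PHONES_PER_BTS = 6615                     # from the page: active phones in one BTS
PACKET_BITS = 256                         # from the page: UDP packet size in bits
SEND_INTERVAL_S = 4.375                   # from the page: average interval between packets
BW_MIN_KBPS, BW_MAX_KBPS = 9.6, 5000.0    # from the page: range of the random bandwidth BW
P_ATTACK = 0.5                            # ASSUMPTION: the probability is missing on the page


def consumed_kbps(state):
    """Consumed bandwidth for one phone: state x 256 bits, expressed in Kbps.

    ASSUMPTION: 256 bits per 4.375 s is converted to a rate so that it can be
    subtracted from BW, which the page gives in Kbps.
    """
    return state * PACKET_BITS / SEND_INTERVAL_S / 1000.0


def simulate_bts(rng, phones=PHONES_PER_BTS, p_attack=P_ATTACK):
    """One simulation run = one BTS. Returns mean and SD of the usable bandwidth Bu."""
    usable = []
    attacked = 0
    for _ in range(phones):
        bw = rng.uniform(BW_MIN_KBPS, BW_MAX_KBPS)    # BW: random network bandwidth
        state = 1 if rng.random() < p_attack else 0   # 1 = phone is under MMS attack
        attacked += state
        usable.append(bw - consumed_kbps(state))      # Bu = BW - consumed bandwidth
    return {
        "mean": statistics.fmean(usable),
        "sd": statistics.stdev(usable),
        "attacked": attacked,
    }


def simulate_network(seed=1, bts_count=1000):
    """Repeat the single-BTS run; return mean and SD of the per-BTS means."""
    rng = random.Random(seed)
    means = [simulate_bts(rng)["mean"] for _ in range(bts_count)]
    return statistics.fmean(means), statistics.stdev(means)


if __name__ == "__main__":
    single = simulate_bts(random.Random(1))
    print("single BTS: mean Bu = %.1f Kbps, SD = %.1f" % (single["mean"], single["sd"]))
    print("1000 BTS:   mean = %.1f Kbps, SD of means = %.1f" % simulate_network())
```
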

Table 1. A Single BTS simulation.

Table 2. A Multiple BTS Simulation.

The mean usable bandwidth of the 1000 BTS, which is 2496.7Kbps, provides the same indication as the single-BTS simulation. The MMS attacks on the mobile phones do not cause congestion on the network bandwidth of the cellular network. The standard deviation of 129.4 is very small compared to the single-BTS simulation. This is because the 129.4 standard deviation refers to the mean usable bandwidth of the 1000 BTS, which is not directly dependent on the random values of the bandwidth per simulation.

5.0 Conclusion

MMS attacks primarily target mobile phones, specifically by draining their batteries. This shows vulnerability issues of the network when it comes to security. However, the attack does not really pose any threat in terms of its effect on the cellular network bandwidth. The size of the multimedia message is so small compared to the rapidly increasing bandwidth of the cellular network. Even if multiple attackers are to be considered in this simulation, the likelihood of the MMS messages being in the network at the same time is very slim. MMS messages will be out of the network in a very short period of time because their final destination is the designated receiver phones. Also, such MMS messages do not have any replicating ability like worms or viruses, wherein the receiver phone, in turn, would send the same MMS messages to other phones.

6.0 References Cited

Feshke A, Fettweis G, Malmodin J, Biczok G. 2011. The global footprint of global communications: the ecological and economic perspective. IEEE Communications Magazine. [accessed 2014 Jun]. http://www.researchgate.net/profile/gergely_biczok/publication/235932638_the_Global_Carbon_Footprint_of_mobile_communications The_Ecological_and_Economic_perspective/links/0912f50eaf3fb665ff000000

Lackey Z, Miras L. 2009. Attacking SMS. [accessed 2014 Jun]. http://lib.liquidmatrix.org/historical/2009/blackhat-2009-usa-video/BHUSA09-Lackey-AttackingSMS-SLIDES.pdf

Mulliner V. 2006. Vulnerability analysis of MMS user agent. Proceedings of the 23rd Chaos Communications Congress; Berlin, Germany. http://sites.google.com/site/nabilelkadhipublicationsoverview/conferences/PID854157.pdf

Racic R, Ma D, Chen H. 2006. Exploiting MMS vulnerabilities to stealthily exhaust mobile phone's battery. [accessed 2014 Jun]. ftp://ool-ad02c0ce.dyn.optonline.net/mynetdocs_Utilities_/BackTrack4/mmaexploit.pdf

Sun J, Sauvola J, Howie D. 1999. Features in future: 4G visions from a technical perspective. Proceedings of the IEEE Global Communications Conference; San Antonio, Texas. [accessed 2014 Jun]. http://www.mediateam.oulu.fi/publications/pdf/86.p

Zahariadis T. 2003. Trends in the path to 4G. IEE Communications Engineer. [accessed 2014 Jun]. http://www.ee.teihal.gr/professors/zahariad/Journals-Magazines/IEE%20Comm%20Eng%20%20February%202003.pdf