Bruce Schneier picked up on some work by a group at Penn State entitled Exploiting Open Functionality in SMS-Capable Cellular Networks. And Martin Geddes comments that this provides further proof that building intelligence into networks is harmful.
While I agree with Martin's views on intelligence in networks, this article is not a good reference. The authors studied the GSM specifications and provide a nice description of how SMS (and GSM call set-up) works. From this they thought of a possible method of attack. But to verify it, they did only some extremely limited gray-box testing and a news story search. They end up suggesting there's a major security issue where none exists.
While I have never worked at a mobile operator, I have been involved in SS7 and mobile network signaling for more than a decade. We have a message switch (not a standard product, but available OEM) which interfaces with SMSCs and, through the detailed traffic logs our AccessGate product produces, I've seen minute-by-minute signaling traffic (SMS and call setup) at cell sites during normal operation and periods of traffic overload in real GSM networks in diverse countries.
It is certainly true that you can overload a cellular network with more calls than it was designed for, and it's true a cellular operator can misconfigure their network so parts of it saturate before all resources are in use. I can even envision a way you might misconfigure a network so what the Penn State group proposes could happen, but it's not a vulnerability in networks I'm familiar with.
Evidently the Penn State group didn't want to get their university in trouble so they were careful to abide by all service agreements. Their gray-box testing was limited to sending SMS messages to three specific handsets. What they established were the limits in the cellular operator's Internet messaging interface and the per-user message limits configured in the operator's Short Message Service Centers (SMSCs). They determined nothing about the rate at which the SMSC pushes messages into the mobile network's SS7 signaling system.
Their full paper also cites six news articles which they assert represent occasions when SMS traffic impacted voice traffic. The articles they cite are about cellular traffic overloads -- either SMS or voice -- and efforts to prevent traffic overloads; however, none of the stories actually shows a case where SMS traffic impacted voice traffic.
If they weren't prepared to actually try their proposed attack, they might at least have discussed their ideas with signaling experts within a real mobile operator.