Exploiting MMS vulnerabilities to stealthily exhaust mobile phone's battery

As cellular data services and applications are being widely deployed, they become attractive targets for attackers. 
This paper presents an attack method to drain mobile devices’ battery, some variants, and solutions of these vulnerabilities. 

They mentioned three kinds of vulnerabilities. 
First, Unencrypted and unauthenticated MMS messages which means that MS is sending MMS messages in plain text without any authentication feature. 
Second, Unauthenticated MMS R/S. Cellular providers hide their own MMS R/S’s IP addresses in the phones. And we can change it and use our own MMS R/S. Because there is no authentication, MS will accept any MMS messages if the format is correct.
Third, Phone information disclosure. When MSs are connecting to HTTP server, they are providing their critical information like model number or hardware platform description.

The authors used third vulnerability to select targets and prepare attacks. After they built a target list, they sent UDP packets periodically. Then, MS would be always READY state and it will consume much battery for location updates.

And the authors present variants of this attack like using TCP ACK packets so that attacker can get replay packets from victims, and how to overcome NAT and firewall.

As solutions of these problems, authors suggest message and server authentication, Information hiding, message filtering at SGSN or GGSN, and improved PDP context management.

Pros:
Good experiment results show that it actually works.

Cons:
They didn’t explain about the detail of experiments
The attack of billing is more important.
There are cell-phone worms already
There are many other vulnerabilities already.


overall
Weak Accept 11
Weak Reject 3
Strong Reject 1