
Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone’s Battery

Radmilo Racic, Denys Ma, Hao Chen, University of California, Davis



  1. Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone’s Battery • Radmilo Racic, Denys Ma, Hao Chen • University of California, Davis

  2. Is it only the network?

  3. Assume the network is perfect…

  4. Why target the cell phone? • Batteries are bottlenecks • Cellular phones are poorly protected • Cell phones attackable from the Internet

  5. Why exploit a cellular network? • Part of our critical infrastructure • Eggshell security • Connected to the Internet

  6. Goals • Exhaust a cell phone’s battery • Attack cell phones stealthily

  7. “Sleep deprivation” attack • Approach: • Prevent a cell phone from sleeping • Procedure: • Identify victims (utilizing MMS) • Deliver attack (utilizing GPRS)

  8. MMS architecture [diagram: Bill, George Sr. and George Jr. connected through wireless networks, MMS R/S nodes, and SMTP over the Internet]

  9. MMS vulnerabilities • Messages unencrypted • Notifications unauthenticated • Relay server unauthenticated • Cell phone information disclosure • IP address, platform, OS, etc. • Exploited to build a hit list

  10. GPRS Overview • Overlay over GSM • Connected to the Internet through a gateway (GGSN) • Each phone establishes a packet data protocol (PDP) context before each Internet connection. • PDP context is a mapping between GPRS and IP addresses.

  11. GPRS cell phone state machine

  12. Prevent a cell phone from sleeping • Activate a PDP context • By utilizing MMS notifications • Send UDP packets to cell phone • Just after the READY timer expires • To tax its transceiver

  13. [Diagram: Attacker, Attack Server and Victim (410) 555-1980; labelled flows: MMS Notification, HTTP Request, Attack UDP Packets]

  14. Attack details • Surreptitious to both the user and network • Works on various phones • Works on multiple providers • Requires few resources • Internet connection • Fewer than 100 lines of Python attack code

  15. Battery life under attack [chart] • Normal (hr): 156, 60, 36 • Under attack (hr): 7, 7, 2 • Reduction: 22.3:1, 8.5:1, 18:1

  16. Attack scale • Send a UDP packet to • a GSM phone every 3.75s, or • a CDMA phone every 5s • Using a home DSL line (384 kbps upload) can attack simultaneously • 5625 GSM phones, or • 7000 CDMA phones

  17. Attack improvements • TCP ACK attack: force the phone to send as well as receive data • Receiver will reply with RST or empty packet • Packets with maximum sized payload • Attack effective through NATs and Firewalls • Because the victim’s cell phone initiates the connection to the attack server

  18. Sources of vulnerabilities • MMS allows hit list creation • MMS allows initiation of a PDP context • GPRS retains the PDP context

  19. MMS hardening • Authenticate messages and servers • Hide information at WAP gateway • Filter MMS messages

  20. PDP Context Management • Implement a defense strategy at GGSN • GGSN stateful • PDP context modification message is already present • Transparent to the end user • NAT-like behavior

  21. Related works • SMS analysis [Enck et al, CCS05] • Focuses on SMS • Attacks the network • Mobile viruses [Bose et al, yesterday] • Propagation of worms on cellular networks • Control channels [Agarwal, NCC04] • Capacity analysis of shared control channels

  22. Conclusion • Demonstrated an attack that drains a phone’s battery up to 22 times faster • Can attack 5625-7000 phones using a home DSL line • Attack is surreptitious • Attack effective on multiple phones and networks • Suggested mitigation strategies

  23. Future work • Worm deployment strategies targeting MMS vulnerabilities • Battery attacks initiated from cell phones

  24. http://zeus.cs.ucdavis.edu/cellSecurity Thank you

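  25. Results

      | Phone         | Battery Life Normal (Hr) | Battery Life Under Attack (Hr) | Reduction Rate |
      |---------------|--------------------------|--------------------------------|----------------|
      | Nokia 6620    | 156                      | 7                              | 22.3:1         |
      | Sony-E T610   | 60                       | 7                              | 8.5:1          |
      | Motorola V710 | 36                       | 2                              | 18:1           |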
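A defender-side sketch for the GGSN strategy on slide 20, added here and not part of the presentation: it scans flow records for the one-way, steadily paced datagram stream that slides 12 and 16 describe. The record format, addresses, function names, the "phone never replies" condition and all thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

def sample_records():
    """Constructed records: (time_s, src_ip, dst_ip, direction, payload_bytes).
    direction is "in" (toward the phone) or "out" (from the phone)."""
    recs = []
    # Flow A: one small datagram every 3.75 s for ~10 min; the phone never replies.
    recs += [(i * 3.75, "198.51.100.7", "10.0.0.21", "in", 8) for i in range(160)]
    # Flow B: bursty two-way traffic with irregular gaps.
    t = 0.0
    for i in range(200):
        recs.append((t, "203.0.113.9", "10.0.0.22", "in", 900))
        if i % 4 == 0:
            recs.append((t + 0.05, "10.0.0.22", "203.0.113.9", "out", 60))
        t += (0.1, 0.1, 4.0, 0.2, 7.5)[i % 5]
    # Flow C: periodic every 5 s, but the phone answers each datagram.
    for i in range(120):
        recs.append((i * 5.0, "192.0.2.44", "10.0.0.23", "in", 16))
        recs.append((i * 5.0 + 0.3, "10.0.0.23", "192.0.2.44", "out", 16))
    return recs

def find_keepawake_flows(records, min_packets=50, min_duration_s=300.0,
                         period_range=(1.0, 10.0), max_jitter=0.2):
    """Return (remote, phone, period_s) for one-way, steadily paced inbound flows.
    All thresholds are assumed defaults, not values from the slides."""
    inbound = defaultdict(list)
    outbound = defaultdict(int)
    for t, src, dst, direction, _size in records:
        if direction == "in":
            inbound[(src, dst)].append(t)
        else:
            outbound[(dst, src)] += 1  # keyed as (remote, phone)
    flagged = []
    for (remote, phone), times in inbound.items():
        times.sort()
        if len(times) < min_packets or times[-1] - times[0] < min_duration_s:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if not period_range[0] <= period <= period_range[1]:
            continue
        steady = sum(abs(g - period) <= max_jitter * period for g in gaps)
        if steady / len(gaps) >= 0.9 and outbound[(remote, phone)] == 0:
            flagged.append((remote, phone, round(period, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in find_keepawake_flows(sample_records()):
        print(hit)
```

A flagged flow is a candidate for the PDP context modification mentioned on slide 20; the TCP ACK variant on slide 17 makes the phone transmit, so it would not match the one-way condition used here.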
