Radmilo Racic Denys Ma Hao Chen University of California, Davis

Presentation Transcript


    1. Radmilo Racic Denys Ma Hao Chen University of California, Davis

    3. What if the network is perfect but the cell phone stops working like these laptops? As you may know, Dell and Apple have recalled more than a million laptop batteries due to the problems depicted above. What we are going to do in this talk is show you a way to render a cell phone battery inoperable in a SAFER MANNER.

    4. The battery industry is NOT keeping up with Moore’s law. A battery attack is potentially more devastating than a typical DoS attack. According to our experience, as well as Murphy’s Law, our phones’ batteries will die at the most inopportune time – when we need them the most. Not much security built into a phone. Bluetooth worms (Cabir) etc. Anonymity of attack from the Internet.

    5. Part of our critical infrastructure; eggshell security; connected to the Internet. People depend upon it: military (drain general’s battery), medical field (doctors depend upon it), disaster recovery, everyone… Tight on the outside; once inside, an attacker can do a lot of damage. More phone applications require Internet connection. Opens up possibility for Internet-based attacks.

    6. Goals: exhaust a cell phone’s battery; attack cell phones stealthily.

    7. But can be delivered using CDMA as well.

    8. MMS architecture. Get rid of unnecessary components. Use an animation. Say the following: Source user’s message is forwarded to its MMS R/S. MMS R/S transcodes the message to either an email or different MMS message formats. Message sent via SMTP to the destination MMS R/S. Destination user notified via SMS. Message delivered to destination user. Summary: Can send an MMS from the Internet as well as a phone. MM not delivered until the cell phone initiates a connection to retrieve the MM content from the server. Transition: Goal 2 is accomplished using a data service. We chose GPRS (GSM’s data service) as an example given its popularity.

    9. MMS vulnerabilities: messages unencrypted; notifications unauthenticated; relay server unauthenticated; cell phone information disclosure (IP address, platform, OS, etc.), exploited to build a hit list.

    10. GPRS overview: overlay over GSM; connected to the Internet through a gateway (GGSN). Each phone establishes a packet data protocol (PDP) context before each Internet connection. PDP context is a mapping between GPRS and IP addresses. Transition: To accomplish goal 1 (make the phone inoperable) we investigated a phone’s battery saving features.

    11. The key to maximizing a cell phone’s battery life is to use its transceiver sparingly.

    12. Prevent a cell phone from sleeping: activate a PDP context by utilizing MMS notifications; send UDP packets to cell phone just after the READY timer expires, to tax its transceiver.

    13. Start with a cell phone number. Send MMS notification message to a victim: attack server is the placeholder of the MMS message and is included as a link within the notification. The victim’s phone automatically connects to the attack server: activates the PDP context; discloses phone information. Approach: send a UDP packet just before the READY timer expires, or send a UDP packet just after the READY timer expires, forcing the network subsystem to page the device for a future packet.

    14. Surreptitious to both the user and network. Works on various phones. Works on multiple providers. Requires few resources: Internet connection; fewer than 100 lines of Python attack code.

    16. Attack scale: send a UDP packet to a GSM phone every 3.75 s, or a CDMA phone every 5 s. Using a home DSL line (384 kbps upload), can attack simultaneously 5625 GSM phones, or 7000 CDMA phones.

    17. TCP ACK attack: force the phone to send as well as receive data; receiver will reply with RST or empty packet; packets with maximum sized payload. Attack effective through NATs and firewalls, because the victim’s cell phone initiates the connection to the attack server.

    18. Here is why the attack works: MMS allows hit list creation; MMS allows initiation of a PDP context; GPRS retains the PDP context.

    19. Authenticate messages and servers; hide information at WAP gateway; filter MMS messages.

    20. Implement a defense strategy at GGSN: GGSN stateful; PDP context modification message is already present; transparent to the end user; NAT-like behavior.

    21. SMS analysis [Enck et al, CCS05]: focuses on SMS; attacks the network. Mobile viruses [Bose et al, yesterday]: propagation of worms on cellular networks. Control channels [Agarwal, NCC04]: capacity analysis of shared control channels.

    22. Demonstrated an attack that drains a phone’s battery up to 22 times faster. Can attack 5625-7000 phones using a home DSL line. Attack is surreptitious. Attack effective on multiple phones and networks. Suggested mitigation strategies. Have a backup slide about SMS.

    23. Worm deployment strategies targeting MMS vulnerabilities; battery attacks initiated from cell phones.

    24. http://zeus.cs.ucdavis.edu/cellSecurity
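
As an added example, not code from the presentation or its authors: a detector, meant to run over gateway flow records, for the traffic pattern slides 12, 16 and 17 describe (closely spaced, steady packets from one Internet host that draw only empty replies from the phone). The record layout, thresholds, addresses and function names are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Thresholds are assumptions for this example, not values from the talk.
MIN_PACKETS = 20             # samples needed before calling a flow periodic
INTERVAL_BAND = (1.0, 10.0)  # seconds; brackets the 3.75 s and 5 s rates cited
MAX_JITTER = 0.10            # stdev/mean of inbound inter-arrival gaps
MAX_REPLY_RATIO = 0.10       # payload-bearing phone packets per inbound packet

def find_keepawake_sources(records):
    """records: (ts, remote_ip, phone_ip, direction, payload_len) tuples,
    direction 'in' (towards the phone) or 'out'. Returns {remote: [phones]}."""
    inbound, replies = defaultdict(list), defaultdict(int)
    for ts, remote, phone, direction, payload_len in records:
        if direction == "in":
            inbound[(remote, phone)].append(ts)
        elif payload_len > 0:        # RSTs and empty ACKs do not count as use
            replies[(remote, phone)] += 1
    flagged = defaultdict(list)
    for (remote, phone), times in inbound.items():
        if len(times) < MIN_PACKETS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        periodic = (INTERVAL_BAND[0] <= avg <= INTERVAL_BAND[1]
                    and pstdev(gaps) / avg <= MAX_JITTER)
        one_way = replies[(remote, phone)] / len(times) <= MAX_REPLY_RATIO
        if periodic and one_way:
            flagged[remote].append(phone)
    return {remote: sorted(phones) for remote, phones in flagged.items()}

def constructed_sample():
    """Constructed flow records (documentation addresses), not captured data."""
    recs, src = [], "198.51.100.7"
    for phone in ("10.0.0.5", "10.0.0.6"):
        recs.append((0.0, src, phone, "out", 120))   # phone's initial fetch
        recs += [(1.0 + 3.75 * i, src, phone, "in", 1) for i in range(40)]
        recs += [(1.1 + 3.75 * i, src, phone, "out", 0) for i in range(40)]
    # Interactive session: irregular gaps and real payload in both directions.
    t = 0.0
    for i in range(40):
        t += 0.5 + (i % 7) * 1.3
        recs.append((t, "203.0.113.20", "10.0.0.5", "in", 800))
        recs.append((t + 0.2, "203.0.113.20", "10.0.0.5", "out", 200))
    return recs

print(find_keepawake_sources(constructed_sample()))
```

A source flagged for many phones at once matches the hit-list behaviour in slide 16; legitimate push or keepalive services may need an allow list before alerting.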
