Threat Evolution in Wireless Telecommunications

ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004

1
Threat Evolution in Wireless Telecommunications
  • Frank Quick
  • Sr. Vice President, Technology
  • QUALCOMM Incorporated

2
Industry Data (Worldwide)
  • In 2002, there were:
    • 570 million installed PCs (Gartner)
    • 1132 new viruses discovered (Symantec)
    • 105 computer virus infections per 1000 PCs
      (ICSA Labs)
  • In the same year there were:
    • 1.1 billion cellular phone users (Yankee Group)

3
Today's Mobile Phone
  • 100 MHz processor
  • 10 Mbytes flash memory
  • Medium-bandwidth IP connectivity
  • Downloadable applications
  • Have access to user data
  • Can initiate data connections
  • Can send arbitrary IP packets, SMS

4
Tomorrow's Mobile Phone
  • 1000 MHz processor(s)
  • 100 Mbytes flash memory
  • More if socket provided
  • High-bandwidth IP connectivity
  • Broadcast content reception
  • Digital Rights Management
  • Downloadable applications
  • Wider range of functions

5
The Mobile as Computer
  • Mobile phones can now do most things a PC can do;
    therefore:
    • Mobile phones will likely become a target for
      malicious code, as have PCs.
  • To date, only a few such attacks have been
    discovered for mobiles; however:
    • It would be unwise to assume this is because
      mobiles are less susceptible than PCs.

6
Attacks on Computers
  • Motivation
    • Peer prestige, revenge, profit, theft
  • Objectives
    • Disruption, spyware, trojan software
  • Methods
    • Self-propagating viruses and worms, infected
      files and applications (e.g. games)
  • Access
    • Internet, messaging, over the air

7
How Weaknesses Are Found
  • An attack often begins by finding a repeatable
    way to crash a platform
  • Generally, attacks aren't created by analyzing
    source code (usually not available)
  • The binary code, on the other hand, is accessible
    in the .exe file
  • (For many phones, binary code is also available
    via diagnostic ports.)

8
How Attacks Develop
  • The attackers share information about weaknesses
  • A more sophisticated attacker looks at the binary
    code to see what causes the crash
  • E.g., if it's a buffer overrun that overwrites
    the stack, it may be possible to modify the input
    to execute arbitrary code

9
How Attacks Grow
  • Once an exploit is developed, it is often made
    widely available on the Web
  • Documentation of the vulnerability
  • Attack scripts and source code
  • This allows many variant attacks to be created,
    making prevention difficult
  • Virus-checking software updated often
  • (Bandwidth limits make this expensive for mobiles)

10
Differences: Mobiles vs. PCs
  • PCs
    • Many PCs use the same brand of operating system
    • PCs can run both the code under attack and the
      attack software
    • Attacks are spread by IP, email or web access
    • Denial of service affects IP services
  • Mobile phones
    • Diverse OSs, but converging
    • Phones can't directly run attack software
      (special hardware often needed to extract binary
      code)
    • Other channels are available for spread (e.g.,
      SMS, false base stations)
    • Denial of service can shut down a cellular system

11
The Changing Mobile User Environment
  • In the past
    • Attacks on mobile phones were detrimental to both
      the user and operator (cloning)
    • Attacks targeted individual phones
  • In the future
    • Attacks may be initiated by the user (cloning,
      defeating security)
    • Viral attacks may target a large population of
      mobiles

12
Why would a user hack his/her own phone?
  • Upgrading
    • The user obtains a better phone (perhaps stolen)
      and wants to clone the existing subscription
      without paying the carrier.
  • Digital Rights Management
    • Users want to share files, games, etc. without
      paying
  • Subscription lock
    • The user wants to change operators

13
Consequences
  • Users increasingly see the operator as an
    adversary
  • Users may unwittingly become victims of secondary
    attacks
  • Defeating security features often opens a path
    for attack
  • Cloning may be accompanied by trojan installation

14
What should manufacturers do?
  • Proactively address vulnerabilities
  • Automated code reviews
  • Develop protocols to update software after sale
  • Preferably by broadcast
  • Migrate to secure, trusted platforms
  • Prevent core software modification
  • Authenticate downloads
  • Protect security information

15
Can manufacturer efforts suffice?
  • No.
  • The defender's problem: any vulnerability can
    open an attack
  • A perfectly secure platform may still be
    vulnerable to insider attacks
  • Software updates may be impractical given the
    large numbers of mobiles
  • Conclusion: operators cannot rely on
    manufacturers to prevent cyber attacks

16
What can operators do?
  • Install firewalls
  • Isolate critical servers from mobile data
  • Block direct mobile-to-mobile packets
  • Perform ingress filtering: block mobile packets
    with bad "from" IP addresses
  • Strengthen and automate responses
  • Disable infected mobiles
  • Isolate infected subnets
  • Scan SMS and other network messaging
  • Consider using broadcast code updates
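
An added example, not part of the original presentation, of the operator-side packet rules listed on this slide: ingress filtering on the source address, blocking direct mobile-to-mobile packets, isolating critical servers, and flagging a mobile for disabling after repeated violations. The address ranges, session table, verdict names and quarantine threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed addressing plan (assumptions, not from the presentation).
MOBILE_POOL = ipaddress.ip_network("10.64.0.0/16")
CRITICAL_SERVERS = ipaddress.ip_network("192.0.2.0/28")
QUARANTINE_AFTER = 3  # dropped packets from one session before it is flagged

def classify(assigned_ip, src, dst):
    """Return the verdict for one uplink packet from a mobile session."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src != ipaddress.ip_address(assigned_ip):
        return "drop:spoofed-source"      # ingress filtering on the "from" address
    if dst in MOBILE_POOL:
        return "drop:mobile-to-mobile"    # no direct phone-to-phone packets
    if dst in CRITICAL_SERVERS:
        return "drop:critical-server"     # core servers isolated from mobile data
    return "forward"

def process(sessions, packets):
    """Apply the policy to (session_id, src, dst) tuples.

    Returns (verdicts, quarantined), where quarantined is the set of sessions
    whose drop count reached QUARANTINE_AFTER.
    """
    drops, verdicts = Counter(), []
    for session_id, src, dst in packets:
        verdict = classify(sessions[session_id], src, dst)
        verdicts.append(verdict)
        if verdict != "forward":
            drops[session_id] += 1
    quarantined = {s for s, n in drops.items() if n >= QUARANTINE_AFTER}
    return verdicts, quarantined

# Constructed sample: session id -> address the network assigned to that mobile.
SESSIONS = {"A": "10.64.0.5", "B": "10.64.0.9"}
PACKETS = [
    ("A", "10.64.0.5", "198.51.100.20"),    # ordinary Internet traffic
    ("B", "10.64.0.9", "10.64.0.5"),        # addressed directly to another mobile
    ("B", "203.0.113.7", "198.51.100.20"),  # source is not the assigned address
    ("B", "10.64.0.9", "192.0.2.3"),        # addressed to an isolated core server
    ("A", "10.64.0.5", "198.51.100.21"),    # ordinary Internet traffic
]

if __name__ == "__main__":
    verdicts, quarantined = process(SESSIONS, PACKETS)
    for pkt, verdict in zip(PACKETS, verdicts):
        print(pkt, "->", verdict)
    print("sessions to disable:", sorted(quarantined))
```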

17
What won't work
  • Virus scans on phones
    • Updating definitions is too expensive
  • Virus scans on incoming IP packets
    • Encrypted VPN connections prevent examining the
      contents of IP packets

18
Will operators take action?
  • Operators are reluctant to spend for a threat
    that has not yet materialized
  • Cloning fraud reached double-digit percentages of
    revenues before authentication was deployed
  • It is to be hoped that operators will at least
    make contingency plans
  • ITU-T recommendations could promote planning

19
Conclusions
  • Mobile phone computing power and connectivity are
    approaching those of PCs
  • Self-propagating viruses and worms may be
    possible in mobiles in the near future
  • Manufacturers should strive to minimize
    vulnerabilities to such attacks
  • Operators should prepare to take defensive
    measures
  • ITU-T recommendations may be useful