Published on January 30, 2008
Slide1: Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone’s Battery
Radmilo Racic, Denys Ma, Hao Chen
University of California, Davis

Slide2: Is it only the network?

Slide3: Assume the network is perfect…

Slide4: Why target the cell phone?
- Batteries are bottlenecks
- Cellular phones are poorly protected
- Cell phones attackable from the Internet

Slide5: Why exploit a cellular network?
- Part of our critical infrastructure
- Eggshell security
- Connected to the Internet

Slide6: Goals
- Exhaust a cell phone’s battery
- Attack cell phones stealthily

Slide7: “Sleep deprivation” attack
- Approach: Prevent a cell phone from sleeping
- Procedure:
  - Identify victims (utilizing MMS)
  - Deliver attack (utilizing GPRS)

Slide8: MMS architecture

Slide9: MMS vulnerabilities
- Messages unencrypted
- Notifications unauthenticated
- Relay server unauthenticated
- Cell phone information disclosure
  - IP address, platform, OS, etc.
  - Exploited to build a hit list

Slide10: GPRS Overview
- Overlay over GSM
- Connected to the Internet through a gateway (GGSN)
- Each phone establishes a packet data protocol (PDP) context before each Internet connection.
- PDP context is a mapping between GPRS and IP addresses.

Slide11: GPRS cell phone state machine

Slide12: Prevent a cell phone from sleeping
- Activate a PDP context
  - By utilizing MMS notifications
- Send UDP packets to cell phone
  - Just after the READY timer expires
  - To tax its transceiver

Slide13: Attack UDP Packets

Slide14: Attack details
- Surreptitious to both the user and network
- Works on various phones
- Works on multiple providers
- Requires few resources
  - Internet connection
  - Less than 100 lines of Python attack code

Slide15: Battery life under attack
- Normal (Hr): 156, 60, 36
- Under Attack (Hr): 7, 7, 2
- Reduction: 22.3:1, 8.5:1, 18:1

Slide16: Attack scale
- Send a UDP packet to a GSM phone every 3.75s, or a CDMA phone every 5s
- Using a home DSL line (384 kbps upload) can attack simultaneously 5625 GSM phones, or 7000 CDMA phones

Slide17: Attack improvements
- TCP ACK attack: force the phone to send as well as receive data
  - Receiver will reply with RST or empty packet
- Packets with maximum sized payload
- Attack effective through NATs and Firewalls
  - Because the victim’s cell phone initiates the connection to the attack server

Slide18: Sources of vulnerabilities
- MMS allows hit list creation
- MMS allows initiation of a PDP context
- GPRS retains the PDP context

Slide19: MMS hardening
- Authenticate messages and servers
- Hide information at WAP gateway
- Filter MMS messages

Slide20: PDP Context Management
- Implement a defense strategy at GGSN
- GGSN stateful
- PDP context modification message is already present
- Transparent to the end user
- NAT-like behavior

Slide21: Related works
- SMS analysis [Enck et al, CCS05]
  - Focuses on SMS
  - Attacks the network
- Mobile viruses [Bose et al, yesterday]
  - Propagation of worms on cellular networks
- Control channels [Agarwal, NCC04]
  - Capacity analysis of shared control channels

Slide22: Conclusion
- Demonstrated an attack that drains a phone’s battery up to 22 times faster
- Can attack 5625-7000 phones using a home DSL line
- Attack is surreptitious
- Attack effective on multiple phones and networks
- Suggested mitigation strategies

Slide23: Future work
- Worm deployment strategies targeting MMS vulnerabilities
- Battery attacks initiated from cell phones

Slide24: Thank you
http://zeus.cs.ucdavis.edu/cellSecurity

Slide25: Results (Battery Life)

Phone            Normal (Hr)   Under Attack (Hr)   Reduction Rate
Nokia 6620       156           7                   22.3:1
Sony-E T610      60            7                   8.5:1
Motorola V710    36            2                   18:1
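
The NAT-like, stateful gateway behavior proposed in Slide20, sketched as an added example that is not from the slides or the paper. The class and function names, the addresses, the 30-second idle timeout, and the policy that only phone-originated packets refresh a flow are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulGateway:
    """NAT-like filter: inbound packets pass only on flows the phone opened."""
    idle_timeout: float = 30.0   # seconds; assumed value, not from the slides
    flows: dict = field(default_factory=dict)  # (phone, remote) -> last outbound time

    def outbound(self, now, phone, remote):
        # Only phone-originated traffic creates or refreshes a flow.
        self.flows[(phone, remote)] = now

    def inbound(self, now, remote, phone):
        last = self.flows.get((phone, remote))
        if last is None:
            return False                      # unsolicited: dropped at the gateway
        if now - last > self.idle_timeout:
            del self.flows[(phone, remote)]   # expired: inbound alone cannot keep it open
            return False
        return True

def replay(trace):
    """Return (time, source, delivered) for every inbound packet in the trace."""
    gw = StatefulGateway()
    results = []
    for t, direction, src, dst in trace:
        if direction == "out":
            gw.outbound(t, src, dst)
        else:
            results.append((t, src, gw.inbound(t, src, dst)))
    return results

# Constructed trace (documentation-range addresses, not real hosts).
PHONE, SERVER, UNSOLICITED = "10.0.0.7", "192.0.2.10", "203.0.113.5"
TRACE = [(0.0, "out", PHONE, SERVER), (0.5, "in", SERVER, PHONE)]
# Unsolicited UDP every 3.75 s (the GSM interval from Slide16) for one minute.
TRACE += [(3.75 * k, "in", UNSOLICITED, PHONE) for k in range(1, 17)]
TRACE += [(40.0, "in", SERVER, PHONE)]        # arrives after the flow has idled out
TRACE.sort(key=lambda p: p[0])

if __name__ == "__main__":
    for t, src, ok in replay(TRACE):
        print(f"{t:6.2f}s from {src:<12} {'forward' if ok else 'drop'}")
```

Because inbound packets never refresh the timer, a remote host cannot hold a mapping open by itself; any reply the phone sends would still count as outbound traffic in this model.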
Read the paper presented by Radmilo Racic, University of California: www.cs.ucdavis.edu/~hchen/paper/securecomm06.pdf