The Internet has been permeating into every corner of the world and every aspect of our lives, empowering us with anywhere, anytime remote access and control over information, personal communications (e.g., through smart-phones), and our environment (e.g., through the use of sensors, actuators, and RFIDs). While enabling interoperation with the Internet brings tremendous opportunities in service creation and information access, the security threat of the Internet also dauntingly extends its reach. In this paper, we wish to alarm the community that the long-realized risk of interoperation with the Internet is becoming a reality: smart-phones, interoperable between the telecom networks and the Internet, are dangerous conduits for Internet security threats to reach the telecom infrastructure. The damage caused by subverted smart-phones could range from privacy violation and identity theft to emergency call center DDoS attacks and national crises. We also describe the defense solution space, including smart-phone hardening approaches, Internet-side defense, telecom-side defense, and coordination mechanisms that may be needed between the Internet and telecom networks. Much of this space is yet to be explored.
1. INTRODUCTION
The first proof-of-concept smart-phone worm, Cabir [12], has recently appeared. This is among the first signs of the expansion of Internet security threats into other networks, such as telecom networks, by means of interoperating devices, e.g., smart-phones that are endpoints of both networks.
These threats are especially alarming because as smart-phones become prevalent (according to a market forecast [23], 30 million smart-phones will be shipped in 2004, and more than 100 million in 2007), and as their power and functionality reach those of PCs [21], a fast- and wide-spreading smart-phone worm or virus could cause the large cohort of compromised smart-phones to cripple the telecom infrastructure and jeopardize critical call centers, such as 911, resulting in national crises.

In fact, telecom networks are not the only reach of Internet security threats. Many have long realized that as we bridge home networks, sensor networks, and RFID-based inventory systems to the Internet for more flexible service creation and integration, we also give opportunities to Internet-based intrusions into those networks. Sometimes these intrusions could even be transformed into physical attacks — for example, actuators could be maliciously instructed to turn on the oven and cause a fire.

In this paper, we want to bring attention to the imminent dangers that Internet-compromised smart-phones can bring to telecom networks. We first give some background on smart-phones and discuss their trend of having common development platforms for the ease of service creation and deployment in Section 2. In Section 3, we describe various attack vectors for compromising smart-phones; then we enumerate attacks launched by compromised smart-phones against the telecom networks, including radio channel consumption attacks, DDoS attacks against call centers, spamming, identity theft, and wiretapping. We give guidelines and potential strategies on protecting the telecom infrastructure as well as smart-phones in Section 4 and discuss other interoperating devices and the causes for such attacks

∗ This work was performed while Wenwu Zhu was affiliated with Microsoft Research Asia.
2. SMART-PHONES
Smart-phones are the trend of unified communications, which integrates telecom and Internet services onto a single device, because they combine the portability of cell-phones with the computing and networking power of PCs. As illustrated in Figure 1, smart-phones, as endpoints of both networks, have connected the Internet and telecom networks together.
Figure 1: Smart-phones become end-points of both the Internet and telecom networks.
Another key reason for this trend is the ease and low cost of introducing new integrated Internet and telecom services. Easy service creation demands common operating systems (OSes). Because smart-phones are typically as powerful as a few-year-old PC, their operating systems have evolved to be rather full-fledged. Smart-phone OSes today include Symbian OS [23], Microsoft Smart-phone OS [5], Palm OS [10], and embedded Linux. Although the detailed design and functionality vary among these OS vendors, all share the following features [21]:
• Access to cellular networks with various cellular standards such as GSM/CDMA and UMTS.
• Access to the Internet with various network interfaces such as infrared, Bluetooth, GPRS/CDMA1X, and 802.11, using the standard TCP/IP protocol stack to connect to the Internet.
• Multi-tasking for running multiple applications simultaneously.
• Data synchronization with desktop PCs.
• Open APIs for application development.
While common OSes, open APIs, and sophisticated capabilities enable powerful services, they also create common ground and opportunities for security breaches and increase worm or virus spreading potential. Given the PC-like nature of smart-phones and the trend of full-fledged OSes, software vulnerabilities seem inevitable for their OSes and applications. Moreover, with the Internet exposure, smart-phones become ideal targets for Internet worms or viruses since smart-phones are always on, and their user population will likely exceed that of PCs, judging from the prevalence of cell phone usage today.
3. THE SMART-PHONE ATTACKS
In this section, we first describe various ways that smart-phones could be compromised, then we illustrate how compromised smart-phones may attack telecom networks.
3.1 Compromising Smart-Phones
There are three avenues for a smart-phone to be compromised:
1. Attacks from the Internet: Since smart-phones are also Internet endpoints, they can be compromised the same way as PCs by worms, viruses, or Trojan horses. The first Symbian-based Trojan [17] has recently been discovered in popular game software.
2. Infection from a compromised PC during data synchronization: Smart-phone users typically synchronize their e-mails, calendar, or other data with their desktop PCs through synchronization software like ActiveSync [5]. There exist trust relationships between smart-phones and their respective synchronization PCs. Therefore, to ultimately infect a smart-phone, attackers can first infect its synchronization PC, and then the smart-phone will be infected at the next synchronization time.
3. Peer smart-phone attack or infection: A compromised smart-phone can actively scan and infect peer smart-phones through its Wireless Personal Area Network (WPAN) interface such as Bluetooth or UWB (ultra wideband). Since smart-phones are mobile devices, they can infect new victims at different locations. The first smart-phone worm, Cabir [12], uses this method.

It is also possible that a cellular phone can be crashed by a malformed SMS text message [?]. Nonetheless, due to the limited services provided by the telecom networks, the attack surface at the telecom side is much smaller than that of the Internet side. Therefore, we believe that the risk of a smart-phone being compromised on the telecom side is minimal.
3.2 Smart-Phone Attacks against the Telecom Networks
Once a smart-phone is compromised from the Internet, it also becomes a source of malice to the telecom networks that it has access to. Before we describe the attacks, we first give a brief description of the GSM cellular network [18], as an example of telecom networks against which smart-phone attacks can be launched. Nevertheless, the attacks we describe here can be applied to other cellular networks, such as CDMA, as well.
3.2.1 Background: GSM
GSM consists of three sub-systems: the Mobile Equipment (ME), the Base Station Subsystem (BSS), and the Network Switching Subsystem (NSS). The ME has a Subscriber Identity Module (SIM) for storing identities, such as the International Mobile Subscriber Identity (IMSI). The BSS consists of two elements: the Base Transceiver Station (BTS), which handles the radio interface between the BTS and MEs, and the Base Station Controller (BSC), which manages radio resources and handovers. The NSS uses the Mobile Switching Center (MSC) for routing phone calls and connecting the GSM system to other public networks such as the PSTN. Besides voice communications, GSM also offers the Short Message Service (SMS) [16], the Multimedia Message Service (MMS) [6], and the General Packet Radio Service (GPRS) [3] for Internet access.

The radio spectrum is a limited resource in any cellular system. GSM uses a combination of Time and Frequency Division Multiple Access (TDMA/FDMA) to time-share or space-share the radio resources. FDMA divides the (maximum) 25 MHz bandwidth into 124 carrier frequencies of 200 kHz bandwidth each. One or more carrier frequencies are assigned to a base station. Each of the carrier frequencies is then divided into 8 time slots with the TDMA scheme. Suppose a base station has n carrier frequencies; then the maximum number of voice users it can support is at most C = 8n. The value of n depends on the traffic volume of a base station. Typically, n = 3 or 4. In CDMA-based or next-generation cellular networks [2, 9], logical "channels" are used for voice and data traffic, which, at a high level, are similar to time slots.

Telecom networks operate under the following two assumptions:
1. Their traffic is highly predictable.
2. User identities are tightly coupled with their telephone numbers or SIM cards.

With the first assumption, telecom carriers plan their network capacity according to the predicted traffic model. With the second assumption, telephone numbers or SIM cards are used for accounting purposes. These assumptions have (mostly) held up to now. However, with the prevalence of smart-phones in the near future, these assumptions could be easily violated by attackers through subverting smart-phones from the Internet, which we describe in detail next.
3.2.2 Attack I: Base Station DoS
Compromised smart-phones can easily make phone calls, say using the Microsoft Smart-phone SDK API PhoneMakeCall [5], to call other phone numbers obtained from sources like yellow pages. The radio channel of a GSM base station with n carrier frequencies can be completely exhausted by 8n well-coordinated smart-phone zombies in the same cell initiating calls and using up all the time slots of the base station. The zombies can hang up as soon as their call setups complete and then re-initiate new calls, and so on. In the case that a callee is also subverted, the callee smart-phone can be configured deliberately not to answer the phone, occupying the time slot at both the caller and the callee side for about one minute in each call attempt. Since the callee does not accept the call, the caller would not even need to pay for this unfinished call, despite the fact that valuable radio resource has been allocated and wasted.

The impact of this type of attack on the availability of the cellular network can be significant.
In telecom networks, the call blocking rate is the metric for measuring the availability of the network. Typically, the availability requirement for a telecom network is a call blocking rate of less than 0.01%. Telecom carriers plan the network capacity according to call volume statistics and obey the call blocking rate requirement.
The call blocking probability is calculated with the Erlang B formula [1]:

$$B(C,\alpha) = \frac{\alpha^{C} / C!}{\sum_{i=0}^{C} \alpha^{i} / i!}$$

where C is the number of radio channels in our context, α represents the planned call volume to support, and B is the call blocking probability. Typically the planned call volume is an average of 15-16 simultaneous users (i.e., α = 15.63 Erlang), and since the call blocking rate is expected to be less than 0.01% (B < 0.01%), a base station typically needs 4 carrier frequencies and a total of 32 voice channels (8 time slots × 4), so C = 32. The Erlang B formula assumes the common telephone behaviors: phones are idle most of the time, and the traffic aggregation from many phones is highly predictable. These assumptions, however, can be easily violated by compromised smart-phones.
With 8 compromised smart-phones occupying 8 out of 32 channels, the blocking probability rises to 1.2%; if 16 and 24 channels are occupied, the blocking rates will be as high as 16.4% and 53.6%, respectively; when all 32 channels are taken, the system will simply be out of service. This shows that even a handful of subverted smart-phones can jeopardize the availability of a base station.

Similar attacks can be launched against GPRS. In GPRS, at most 8 time slots can be assigned to GPRS users in a base station. The maximum data rate is at most 171 Kbps. Such a small bandwidth capacity can be easily saturated. GPRS networks may assign private addresses to smart-phones due to the IPv4 address shortage and use NAT or NAPT to communicate with the rest of the Internet. In this case, compromised smart-phones can actively initiate connections first; thereafter, both sides are free to send packets to each other.
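The blocking-rate figures above can be reproduced from the Erlang B formula. The following Python script is an added example, not code from the paper: it uses the paper's planned load of α = 15.63 Erlang and C = 32 voice channels, evaluates Erlang B with the standard numerically stable recursion instead of raw factorials, and models each zombie as permanently holding one voice channel (the simplification the text implies), so that legitimate callers compete for the C − zombies channels that remain.

```python
"""Erlang B capacity model for the base station DoS described in Section 3.2.2.

Added example for this paper (not the authors' code). Assumes the paper's
parameters: alpha = 15.63 Erlang of planned traffic, C = 32 voice channels
(4 carriers x 8 time slots), and a 0.01% blocking-rate planning target.
"""


def erlang_b(channels: int, offered_erlangs: float) -> float:
    """Erlang B blocking probability B(C, alpha) = (alpha^C / C!) / sum_{i=0}^{C} alpha^i / i!.

    Uses the recursion B(k) = alpha*B(k-1) / (k + alpha*B(k-1)), B(0) = 1,
    which is algebraically identical to the closed form but avoids computing
    large factorials and powers.
    """
    if channels < 0 or offered_erlangs < 0:
        raise ValueError("channels and offered load must be non-negative")
    b = 1.0  # B(0, alpha): with no channels at all, every call is blocked
    for k in range(1, channels + 1):
        b = offered_erlangs * b / (k + offered_erlangs * b)
    return b


def blocking_under_attack(total_channels: int, zombies: int, offered_erlangs: float) -> float:
    """Blocking probability seen by legitimate callers when `zombies` coordinated
    handsets each hold one voice channel, leaving total_channels - zombies for
    the planned traffic."""
    free_channels = max(total_channels - zombies, 0)
    return erlang_b(free_channels, offered_erlangs)


def zombies_to_breach(total_channels: int, offered_erlangs: float, max_blocking: float):
    """Smallest number of channel-holding zombies that pushes the blocking
    rate above the carrier's planning target; None if even total_channels
    zombies do not (cannot happen for a positive load, kept for completeness)."""
    for z in range(total_channels + 1):
        if blocking_under_attack(total_channels, z, offered_erlangs) > max_blocking:
            return z
    return None


if __name__ == "__main__":
    C, ALPHA = 32, 15.63
    print(f"planned cell: B({C}, {ALPHA}) = {erlang_b(C, ALPHA):.4%}")
    for z in (8, 16, 24, 32):
        print(f"{z:2d} zombies holding channels -> blocking {blocking_under_attack(C, z, ALPHA):.1%}")
    print("zombies needed to exceed 0.1% blocking:", zombies_to_breach(C, ALPHA, 1e-3))
```

For C = 32 and α = 15.63 the planned cell sits at about 0.01% blocking, and the 8/16/24-zombie cases give the 1.2%, 16.4% and 53.6% quoted above; only four channel-holding zombies already breach a 0.1% target.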
3.2.3 Attack II: DDoS Attack to Call Centers
This attack is similar to the previous one, but the goal is not to exhaust radio resources but to bring call centers to a halt. This is in the same spirit as Internet DDoS attacks on web servers.

Such attacks were not possible in the past with traditional telephones because one would have to manually dial call center numbers. This requires attackers to be physically co-located with many phones. Consequently, the attackers can be easily traced back, caught, and then legally prosecuted. In the case of smart-phone zombies, their owners are most likely the victims rather than the attackers themselves. Therefore, tracing back to the true attackers becomes a much more difficult task.

Similar DDoS attacks can be launched against PSTN and cellular switches, which are designed for a limited number of Busy Hour Call Attempts (BHCA). These switches may collapse once the BHCA value is out of the designed range. For example, right after the terrorist attacks on September 11, 2001, the phone switches were under such a heavy load that it was hard to call a New York resident. Similarly, a large cohort of smart-phone zombies could create the same flash-crowd effect.

Not only can smart-phone DDoS attacks cause service disruptions and heavy financial losses, they can also jeopardize national security by attacking the critical 911 service, leaving emergency patients unattended and accidents, crimes, or terrorist acts unreported.
3.2.4 Attack III: Spamming
Attackers can manipulate smart-phone zombies to send junk or marketing messages through SMS. In the case that the charging model is flat, a compromised smart-phone can spam for "free", and therefore its owner may not even notice its bad behavior. Free SMS spamming gives attackers a good incentive to compromise smart-phones.
Can even achieve impersonation. For example, an attacker can use Voice-over-IP from the Internet and then use a smart-phone zombie as a relay point, pretending to be the smart-phone owner for both incoming and outgoing phone calls.
3.2.6 Attack V: Remote Wiretapping
A smart-phone zombie can also passively record the conversations of its owner with others, and then stealthily report them back to some spies. Such attacks could be hard to detect since recording and reporting can be two asynchronous steps; the report traffic can even be encrypted and tunneled along with other legitimate Internet traffic to further evade detection. It is even difficult for the smart-phone owner to notice the spying activity. Such easy and stealthy remote wiretapping could easily become a means of blackmail and espionage, from insider trading to classified-information extraction.
4. DEFENSE
security and are unwilling to pay the price and inconvenience incurred by security schemes [13]. Functionality demands extensibility, and extensibility invites malicious extensions. Given the current trend, unless legislation can effectively mandate limited extensibility for smart-phones, we do not see any hope of reducing the power and functions of a smart-phone.
Nevertheless, there are some strategies that we'd like to point out for hardening smart-phones, which we discuss as follows:
• Attack surface reduction: One simple defense is to reduce the attack surface as much as possible. This defense mechanism has also been applied to PCs [4], but with limited success because it is disruptive to popular applications like file-sharing and network printing. Nevertheless, this mechanism may be more effective for smart-phones because the smart-phone usage model is different from that of PCs. Although a smart-phone is always on, most of its features need not be active. For example, when users make an outgoing phone call or compose an SMS message, the PC part of the smart-phone can be turned off (unless instructed otherwise, say, when a user is downloading a movie).
• OS hardening: Smart-phone OSes can enforce some security features, such as always displaying the callee's number and lighting up the LCD display when dialing. This can be achieved by only exporting security-enhanced APIs to applications. With hardened OSes, unless attackers can subvert the smart-phone OS without being noticed, attacking actions from malicious user-level code can be more easily detected by the smart-phone user.
• Hardware hardening: We believe one advantage we can leverage for smart-phone hardening is that a smart-phone already has an embedded smart-card, the SIM card. The SIM card has evolved to incorporate the use of the SIM Toolkit (STK) — an API for securely loading applications to the SIM. STK allows the mobile operator to create or provision services by loading them into the SIM card without changing anything. Combining the STK card and TCG's Trusted Platform Module (TPM) [8] for smart-phone hardware hardening means that no additional security chips will be needed.
4.2 Internet Side Protection
The malware defense mechanisms that have been deployed or proposed for the Internet can be readily applied to smart-phones. For example, a more rigorous process in software patching or vulnerability-driven network traffic shielding [22] will certainly strengthen the defense of smart-phones against known vulnerabilities, though not unknown ones. It would be desirable for smart-phone Internet service providers to ensure that devices that access them are properly patched or shielded — unpatched or unshielded ones should not be exposed to the wild Internet. Currently, the majority of smart-phones access the Internet through telecom data networks such as GPRS or CDMA1X. In this scenario, base stations can first check whether smart-phones have been properly patched or shielded, and they will be forced to patch or shield if not. Alternatively, base stations could even perform shielding on behalf of the smart-phones. This kind of strategy, however, faces challenges when smart-phones use 802.11 access points for Internet connectivity: many 802.11 access points have already been deployed, and it would be very difficult, if at all possible, to upgrade all the access points to enforce patching or shielding. Further, such quarantining makes seamless handoff between access networks very challenging. This is an open research question. In any case, the weakest link points to smart-phone users, who may be fooled into downloading a piece of malicious code (masquerading as a pirated movie) that takes advantage of the interoperability feature of smart-phones to attack telecommunication networks.