Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone’s Battery
Radmilo Racic
Denys Ma
Hao Chen
University of California, Davis
Is it only the network?
Assume the network is perfect…
Why target the cell phone?
• Batteries are bottlenecks
• Cellular phones are poorly protected
• Cell phones attackable from the Internet
Why exploit a cellular network?
• Part of our critical infrastructure
• Eggshell security
• Connected to the Internet
Goals
1. Exhaust a cell phone’s battery
2. Attack cell phones stealthily
“Sleep deprivation” attack
Approach: Prevent a cell phone from sleeping
Procedure:
• Identify victims (utilizing MMS)
• Deliver attack (utilizing GPRS)
MMS architecture
[Diagram labels: Bill, George Sr., George Jr.; two Wireless Net clouds; two MMS R/S nodes; Internet; three SMTP links]
MMS vulnerabilities
• Messages unencrypted
• Notifications unauthenticated
• Relay server unauthenticated
• Cell phone information disclosure
  – IP address, platform, OS, etc.
  – Exploited to build a hit list
GPRS Overview
• Overlay over GSM
• Connected to the Internet through a gateway (GGSN)
• Each phone establishes a packet data protocol (PDP) context before each Internet connection.
• PDP context is a mapping between GPRS and IP addresses.
GPRS cell phone state machine
Prevent a cell phone from sleeping
1. Activate a PDP context
  • By utilizing MMS notifications
2. Send UDP packets to cell phone
  • Just after the READY timer expires
  • To tax its transceiver
Attack
[Diagram labels: Attacker; Attack Server; Victim (410) 555-1980; messages labelled MMS Notification, HTTP Request, UDP Packets]
Attack details
• Surreptitious to both the user and network
• Works on various phones
• Works on multiple providers
• Requires few resources
  – Internet connection
  – Fewer than 100 lines of Python attack code
Battery life under attack
[Bar chart, y-axis "Minutes" (0 to 180), series Normal Use Time vs. Under Attack Time: Nokia 6620 156 vs. 7; Sony T610 60 vs. 7; Motorola v710 36 vs. 2. Reduction: 22.3:1, 8.5:1, 18:1]
Attack scale
• Send a UDP packet to
  – a GSM phone every 3.75s, or
  – a CDMA phone every 5s
• Using a home DSL line (384 kbps upload) can attack simultaneously
  – 5625 GSM phones, or
  – 7000 CDMA phones
Attack improvements
• TCP ACK attack: force the phone to send as well as receive data
  – Receiver will reply with RST or empty packet
• Packets with maximum sized payload
• Attack effective through NATs and Firewalls
  – Because the victim’s cell phone initiates the connection to the attack server
Sources of vulnerabilities
• MMS allows hit list creation
• MMS allows initiation of a PDP context
• GPRS retains the PDP context
MMS hardening
• Authenticate messages and servers
• Hide information at WAP gateway
• Filter MMS messages
PDP Context Management
• Implement a defense strategy at GGSN
  – GGSN stateful
• PDP context modification message is already present
  – Transparent to the end user
  – NAT-like behavior
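One possible form of stateful per-context tracking at the GGSN, as an added example (not code from the talk or its authors): it flags PDP contexts that receive a steady downlink drip at the 3.75 s to 5 s spacing quoted on the "Attack scale" slide with no matching uplink payload. The record format, context IDs and all thresholds are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample():
    """Constructed records: (time_s, pdp_context_id, direction, payload_bytes)."""
    recs = [(i * 3.75, "ctx-A", "down", 64) for i in range(20)]       # steady 3.75 s drip
    recs += [(i * 5.0 + (0.2 if i % 2 else 0.0), "ctx-D", "down", 64)
             for i in range(12)]                                      # ~5 s drip with jitter
    t = 0.0
    for gap in [0.2, 0.1, 9.0, 0.3, 0.2, 14.0, 0.1, 0.4, 22.0, 0.2]:  # bursty browsing
        t += gap
        recs += [(t, "ctx-B", "up", 300), (t + 0.05, "ctx-B", "down", 1200)]
    for i in range(10):                                               # answered 30 s keepalive
        recs += [(i * 30.0, "ctx-C", "down", 40), (i * 30.0 + 0.1, "ctx-C", "up", 40)]
    return sorted(recs)

def suspicious_contexts(records, min_packets=8, lo=3.0, hi=6.0,
                        max_cv=0.25, max_up_ratio=0.1):
    """Return {context_id: mean downlink gap in s} for contexts that look like a drip.

    A context is flagged when its downlink packets are (1) numerous enough,
    (2) spaced lo..hi seconds apart on average, (3) regular (coefficient of
    variation of the gaps <= max_cv), and (4) not matched by uplink payload.
    All thresholds are assumptions to be tuned per network.
    """
    down_times = defaultdict(list)
    down_bytes, up_bytes = defaultdict(int), defaultdict(int)
    for ts, ctx, direction, size in records:
        if direction == "down":
            down_times[ctx].append(ts)
            down_bytes[ctx] += size
        else:
            up_bytes[ctx] += size
    flagged = {}
    for ctx, times in down_times.items():
        if len(times) < min_packets:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        regular = lo <= avg <= hi and pstdev(gaps) / avg <= max_cv
        one_sided = up_bytes[ctx] <= max_up_ratio * down_bytes[ctx]
        if regular and one_sided:
            flagged[ctx] = round(avg, 2)
    return flagged

if __name__ == "__main__":
    print(suspicious_contexts(build_sample()))
```

The browsing context has a mean gap inside the window but is rejected on regularity and uplink volume, which is why the check combines all three signals rather than rate alone.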
Related works
• SMS analysis [Enck et al, CCS05]
  – Focuses on SMS
  – Attacks the network
• Mobile viruses [Bose et al, yesterday]
  – Propagation of worms on cellular networks
• Control channels [Agarwal, NCC04]
  – Capacity analysis of shared control channels
Conclusion
• Demonstrated an attack that drains a phone’s battery up to 22 times faster
• Can attack 5625-7000 phones using a home DSL line
• Attack is surreptitious
• Attack effective on multiple phones and networks
• Suggested mitigation strategies
Future work
• Worm deployment strategies targeting MMS vulnerabilities
• Battery attacks initiated from cell phones
Thank you
http://zeus.cs.ucdavis.edu/cellSecurity
Results
Battery Life

| Phone | Normal (Hr) | Under Attack (Hr) | Reduction Rate |
| --- | --- | --- | --- |
| Nokia 6620 | 156 | 7 | 22.3:1 |
| Sony-E T610 | 60 | 7 | 8.5:1 |
| Motorola V710 | 36 | 2 | 18:1 |