Page 1: Radmilo Racic Denys Ma Hao Chen University of California, Davis

Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone’s Battery

Radmilo Racic

Denys Ma

Hao Chen

University of California, Davis

Page 2

Is it only the network?

Page 3

Assume the network is perfect…

Page 4

Why target the cell phone?

• Batteries are bottlenecks

• Cellular phones are poorly protected

• Cell phones attackable from the Internet

Page 5

Why exploit a cellular network?

• Part of our critical infrastructure

• Eggshell security

• Connected to the Internet

Page 6

Goals

1. Exhaust a cell phone’s battery

2. Attack cell phones stealthily

Page 7

“Sleep deprivation” attack

Approach: Prevent a cell phone from sleeping

Procedure:

• Identify victims (utilizing MMS)

• Deliver attack (utilizing GPRS)

Page 8

MMS architecture

[Figure: MMS architecture diagram. Labels: Wireless Net (two), Internet, MMS R/S (two), SMTP (three); users: Bill, George Sr., George Jr.]

Page 9

MMS vulnerabilities

• Messages unencrypted

• Notifications unauthenticated

• Relay server unauthenticated

• Cell phone information disclosure
  – IP address, platform, OS, etc.
  – Exploited to build a hit list

Page 10

GPRS Overview

• Overlay over GSM

• Connected to the Internet through a gateway (GGSN)

• Each phone establishes a packet data protocol (PDP) context before each Internet connection.

• PDP context is a mapping between GPRS and IP addresses.

Page 11

GPRS cell phone state machine

Page 12

Prevent a cell phone from sleeping

1. Activate a PDP context
   • By utilizing MMS notifications

2. Send UDP packets to cell phone
   • Just after the READY timer expires
   • To tax its transceiver

Page 13

Attack

[Figure: attack diagram. Labels: Attacker, Attack Server, Victim (410) 555-1980; messages: MMS Notification, HTTP Request, UDP Packets]

Page 14

Attack details

• Surreptitious to both the user and network

• Works on various phones

• Works on multiple providers

• Requires few resources
  – Internet connection
  – Fewer than 100 lines of Python attack code

Page 15

Battery life under attack

[Figure: bar chart comparing Normal Use Time and Under Attack Time for the Nokia 6620, Sony T610 and Motorola v710; vertical axis labelled "Minutes", 0 to 180. Bar labels: 156, 60, 36 (normal use) and 7, 7, 2 (under attack).]

Reduction: 22.3:1 (Nokia 6620), 8.5:1 (Sony T610), 18:1 (Motorola v710)

Page 16

Attack scale

• Send a UDP packet to
  – a GSM phone every 3.75s, or
  – a CDMA phone every 5s

• Using a home DSL line (384 kbps upload) can attack simultaneously
  – 5625 GSM phones, or
  – 7000 CDMA phones

Page 17

Attack improvements

• TCP ACK attack: force the phone to send as well as receive data
  – Receiver will reply with RST or empty packet

• Packets with maximum sized payload

• Attack effective through NATs and Firewalls
  – Because the victim’s cell phone initiates the connection to the attack server

Page 18

Sources of vulnerabilities

• MMS allows hit list creation

• MMS allows initiation of a PDP context

• GPRS retains the PDP context

Page 19

MMS hardening

• Authenticate messages and servers

• Hide information at WAP gateway

• Filter MMS messages

Page 20

PDP Context Management

• Implement a defense strategy at GGSN
  – GGSN stateful

• PDP context modification message is already present
  – Transparent to the end user
  – NAT-like behavior
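
Added example (not part of the original slides): one way a stateful monitor at the GGSN could flag the keep-awake pattern described on the earlier slides, where a phone receives evenly spaced UDP packets for a long time and sends almost nothing back. The record format, thresholds, function names and addresses are assumptions constructed for illustration, and only the UDP variant is covered.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds (not from the slides); tune against real traffic.
MIN_PACKETS = 20            # require a sustained run before judging a flow
PERIOD_RANGE = (1.0, 10.0)  # seconds; covers the 3.75 s and 5 s spacing cited
MAX_JITTER_CV = 0.10        # stdev/mean of inter-arrival gaps
MAX_UPLINK_RATIO = 0.10     # subscriber sends almost nothing back

def find_keepawake_flows(records):
    """records: (ts, remote_ip, subscriber_ip, direction, payload_len) for UDP.
    Returns sorted (remote_ip, subscriber_ip, mean_period_s) for flagged flows."""
    down_ts = defaultdict(list)
    nbytes = defaultdict(lambda: {"down": 0, "up": 0})
    for ts, remote, sub, direction, length in records:
        nbytes[(remote, sub)][direction] += length
        if direction == "down":
            down_ts[(remote, sub)].append(ts)
    flagged = []
    for flow, times in down_ts.items():
        if len(times) < MIN_PACKETS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if not PERIOD_RANGE[0] <= period <= PERIOD_RANGE[1]:
            continue                      # bursts or very sparse traffic
        if pstdev(gaps) / period > MAX_JITTER_CV:
            continue                      # spacing is not clock-driven
        if nbytes[flow]["up"] > MAX_UPLINK_RATIO * max(nbytes[flow]["down"], 1):
            continue                      # two-way application traffic
        flagged.append((flow[0], flow[1], round(period, 2)))
    return sorted(flagged)

def sample_records():
    """Constructed flow records (documentation and private addresses)."""
    recs = []
    for i in range(30):   # periodic one-way UDP, about 3.75 s apart, slight jitter
        recs.append((i * 3.75 + 0.05 * (i % 2), "198.51.100.7", "10.0.0.5", "down", 32))
    for i in range(100):  # streaming burst: spacing far too short to match
        recs.append((i * 0.02, "203.0.113.9", "10.0.0.6", "down", 1200))
    for i in range(5):    # periodic but short-lived
        recs.append((i * 5.0, "203.0.113.20", "10.0.0.7", "down", 32))
    for i in range(30):   # periodic, but the phone answers with real payload
        recs.append((i * 5.0, "203.0.113.30", "10.0.0.8", "down", 32))
        recs.append((i * 5.0 + 0.1, "203.0.113.30", "10.0.0.8", "up", 200))
    return recs
if __name__ == "__main__":
    print(find_keepawake_flows(sample_records()))
```

A flagged flow is a candidate for the GGSN-side handling the slide proposes; the thresholds trade detection delay against false positives from legitimate periodic push traffic.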

Page 21

Related works

• SMS analysis [Enck et al, CCS05]
  – Focuses on SMS
  – Attacks the network

• Mobile viruses [Bose et al, yesterday]
  – Propagation of worms on cellular networks

• Control channels [Agarwal, NCC04]
  – Capacity analysis of shared control channels

Page 22

Conclusion

• Demonstrated an attack that drains a phone’s battery up to 22 times faster

• Can attack 5625-7000 phones using a home DSL line

• Attack is surreptitious

• Attack effective on multiple phones and networks

• Suggested mitigation strategies

Page 23

Future work

• Worm deployment strategies targeting MMS vulnerabilities

• Battery attacks initiated from cell phones

Page 24

Thank you

http://zeus.cs.ucdavis.edu/cellSecurity

Page 25

Results

Battery Life

Phone            Normal (Hr)   Under Attack (Hr)   Reduction Rate
Nokia 6620       156           7                   22.3:1
Sony-E T610      60            7                   8.5:1
Motorola V710    36            2                   18:1