International Telecommunication Union ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004 Threat Evolution in Wireless Telecommunications

International Telecommunication Union

ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004

Threat Evolution in Threat Evolution in Wireless Wireless

TelecommunicationsTelecommunications

Frank QuickSr. Vice President, Technology

QUALCOMM Incorporated

2dates

ITU-T


Industry Data (Worldwide)

o In 2002, there were• 570 million installed PCs (Gartner)• 1132 new viruses discovered

(Symantec)• 105 computer virus infections per

1000 PCs (ICSA labs)o In the same year there were

• 1.1 Billion cellular phone users (Yankee Group)

3dates

ITU-T


Today’s Mobile Phone

o 100+ MHz processoro 10+ Mbytes flash memoryo Medium-bandwidth IP connectivityo Downloadable applications

• Have access to user data• Can initiate data connections• Can send arbitrary IP packets, SMS

4dates

ITU-T


Tomorrow’s Mobile Phone

o 1000+ MHz processor(s)o 100+ Mbytes flash memory

• More if socket providedo High-bandwidth IP connectivityo Broadcast content reception

• Digital Rights Managemento Downloadable applications

• Wider range of functions

5dates

ITU-T


The Mobile as Computer

o Mobile phones can now do most things a PC can do, therefore:

o Mobile phones will likely become a target for malicious code, as have PCs.

o To date, only a few such attacks have been discovered for mobiles; however,

o It would be unwise to assume this is because mobiles are less susceptible than PCs.

6dates

ITU-T


Attacks on Computers

o Motivation• Peer prestige, revenge, profit, theft

o Objectives• Disruption, spyware, trojan software

o Methods• Self-propagating viruses and worms,

infected files and applications (e.g. games)

o Access• Internet, messaging, over the air

7dates

ITU-T


How Weaknesses Are Found

o An attack often begins by finding a repeatable way to crash a platform• Generally, attacks aren’t created by

analyzing source code – usually not available

• The binary code, on the other hand is accessible in the .exe file

• (For many phones, binary code is also available via diagnostic ports.)

8dates

ITU-T


How Attacks Develop

o The attackers share information about weaknesses

o A more sophisticated attacker looks at the binary code to see what causes the crash• E.g., if it’s a buffer overrun that

overwrites the stack, it may be possible to modify the input to execute arbitrary code

9dates

ITU-T


How Attacks Grow

o Once an exploit is developed, it is often made widely available on the Web• Documentation of the vulnerability• Attack scripts and source code

o This allows many variant attacks to be created, making prevention difficult• Virus-checking software updated often• (Bandwidth limits make this expensive

for mobiles)

10dates

ITU-T


Differences: Mobiles vs. PCs

PCs:o Many PCs use the same

brand Operating Systemo PCs can run both the

code under attack and the attack software

o Attacks are spread by IP, email or web access

o Denial of service affects IP services

Mobile phones:o Diverse OSs, but

convergingo Phones can’t directly run

attack software (special hardware often needed to extract binary code)

o Other channels are available for spread (e.g., SMS, false base stations)

o Denial of service can shut down a cellular system

11dates

ITU-T


The Changing Mobile User Environment

o In the past:• Attacks on mobile phones were

detrimental to both the user and operator (cloning)

• Attacks targeted individual phoneso In the future:

• Attacks may be initiated by the user (cloning, defeating security)

• Viral attacks may target a large population of mobiles

12dates

ITU-T


Why would a user hack his/her own phone?

o Upgrading• The user obtains a better phone

(perhaps stolen) and wants to clone the existing subscription without paying the carrier.

o Digital Rights Management• Users want to share files, games, etc.

without payingo Subscription lock

• The user wants to change operators

13dates

ITU-T


Consequences

o Users increasingly see the operator as an adversary

o Users may unwittingly become victims of secondary attacks• Defeating security features often

opens a path for attack• Cloning may be accompanied by trojan

installation

14dates

ITU-T


What should manufacturers do?

o Proactively address vulnerabilities• Automated code reviews

o Develop protocols to update software after sale• Preferably by broadcast

o Migrate to secure, trusted platforms• Prevent core software modification• Authenticate downloads• Protect security information

15dates

ITU-T


Can manufacturer efforts suffice?

o No.• The defender’s problem: any

vulnerability can open an attack• A perfectly secure platform may still be

vulnerable to insider attacks• Software updates may be impractical

given the large numbers of mobileso Conclusion: operators cannot rely on

manufacturers to prevent cyber attacks

16dates

ITU-T


What can operators do?

o Install firewalls• Isolate critical servers from mobile data• Block direct mobile-to-mobile packets• Perform ingress filtering: block mobile

packets with bad “from” IP addresseso Strengthen and automate responses

• Disable infected mobiles• Isolate infected subnets• Scan SMS and other network messaging• Consider using broadcast code updates

17dates

ITU-T


What won’t work

o Virus scans on phones• Updating definitions is too expensive

o Virus scans on incoming IP packets• Encrypted VPN connections prevent

examining the contents of IP packets

18dates

ITU-T


Will operators take action?

o Operators are reluctant to spend for a threat that has not yet materialized• Cloning fraud reached double-digit

percentages of revenues before authentication was deployed

o It is to be hoped that operators will at least make contingency plans• ITU-T recommendations could promote

planning

19dates

ITU-T


Conclusions

o Mobile phone computing power and connectivity is approaching that of PCs

o Self-propagating viruses and worms may be possible in mobiles in the near future

o Manufacturers should strive to minimize vulnerabilities to such attacks

o Operators should prepare to take defensive measures

o ITU-T recommendations may be useful

Documents

International Telecommunication Union ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004 Threat Evolution in Wireless Telecommunications