Mobile Security Threats and Issues -- A Broad Overview of Mobile Device Security

Transcription

1 Mobile Security Threats and Issues -- A Broad Overview of Mobile Device Security Lei Zhang Tian Jin University, Tian Jin, China Abstract Mobile security draws more attention when mobile devices gain its popularity. Malware such as viruses, botnets, worms become a concern of using mobile devices since they leak sensitive information stored at or transmitted by mobile devices. This paper investigates malware in different platforms of mobile devices including Bluetooth, iphone OS, and Blackberry. Countermeasures of vulnerability and attacks in mobile devices are also discussed to protect security and privacy of mobile devices. Keywords: mobile security, Bluetooth, blackberry, iphone An overview of mobile device security In today s world, mobile devices are becoming more and more popular. As these devices have begun to spread, the demand for more and better functionality has come with them. However, more functionality leads to more complexity of the operating systems in various mobile devices. However, when involving in an operating system, the mobile devices are much more vulnerable to bugs, crashes, and security holes. When a system adapts to different functions, these functions might mess up with each other unexpectedly and cause it work strangely or improperly. With the plain fact that mobile devices are completely integrated into almost every aspect of our live, they leave a question, is security an issue? This question was answered by the first virus for a mobile computer, the cabir worm. Viruses, worms, and other malwares are always concerns since they can steal information and render devices useless. Since the mobile devices always access to the websites, wirelessly connected to different devices, many severe security issues have been raised. To tackle the security issues, we have to understand different concepts of security. As defined by [], malware is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean various forms of hostile, intrusive, or annoying software or program codes. When applying this term to mobile devices, it is in essence the same thing, but is even harder to tackle the serious problems caused by it. There are many different operating systems, and even more diverse functionality of each one, it is hard to have a powerful antivirus software that will run on all of the different operating systems and kill all kinds of viruses. It has been thought by the companies that the complexity a virus has to achieve makes it difficult to create a big number of viruses. This misleading security ignorance creates fundamental security risks for the software systems. Just like people said If we don t know a back door exist means we will not look for it. This idea is the foundation of many the problems in mobile security. History of mobile malware As mentioned in [3], Cabir, a computer worm developed in 004 is designed to infect mobile phones running Symbian OS [], which is an operating system designed for mobile devices and smartphones. It is believed to be the first worm that infected mobile phones. When a phone is infected by Cabir, the message "Caribe" is shown on the phone's display, and is appeared every time when the phone is turned on. The worm then attempts to spread out to other phones in the area using Bluetooth technology. The worm was not sent out into the wild, but sent directly to anti-virus firms, who believed Cabir in its current state is harmless. However, it does prove that mobile phones are also vulnerable to the viruses. Experts also believe that the worm was developed by a group who call themselves 9A, a group of international hackers. They created a "proof of concept" worm in order to catch world s attention. The worm can attack and replicate on Bluetooth enabled Series 60 phones. It tried to send itself to all Bluetooth enabled devices that support the "Object Push Profile". It can also infect non-symbian phones, desktop computers and even printers. Cabir does not spread if the user does not accept the file-transfer or does not agree with the installation. Some older phones would keep on displaying popups. Cabir persistently re-sends itself and renders the User Interface until yes is clicked. Even though the Cabir virus is credited as the first mobile device virus, it was only regarded as a concept virus. All the virus did was to show that a virus could be created based on the Symbian operating system. The codes were written to spur the development of operating system s creator, so that the security level of the operating system can be improved. However the source codes were leaked into the internet and modified, which made the virus more malicious than originally intended. About a month after the cabir worm struck, the next mobile virus, called Duts appeared. Duts was the first virus for the windows CE platform, and the first file infector for mobile devices. The duts virus would infect the executables in the root directory of the device if user permitted. Soon after duts, the brador virus came out. The Brador virus was the first backdoor virus for mobile devices. Backdoor is an open port

2 that waits for a remote host to connect to it. The viruses get into the system through the backdoor without being discovered [9]. After the brador virus, there were a large number of viruses for the Symbian Operating System, most of them are Trojans. The reason these kinds of virus accomplished is because the operating system allowed games and other programs downloading. During the time, the codes were altered to include the virus that changes customizations on the phone and render it useless. Table Summary of Mobile Device Malware [9] Name Date detected Operating system Functionality Worm.SymbOS.Cabir Jwune 004 Symbian Propogation via Bluetooth Infection Number of Variants Vector Bluetooth Virus.WinCE.Duts July 004 Windows CE File infector (File API) Backdoor.WinCE.Brador August 004 Windows CE Provides remote access via network (Network API) Trojan.SymbOS.Mosquit August 004 Symbian Sends SMS SMS Trojan.SymbOS.Skuller November Symbian Replaces icon file OS 004 Worm.SymbOS.Lasco January 005 Symbian Propagates via Bluetooth, File Bluetooth, file infector API Trojan.SymbOS.Locknut February Symbian Installs corrupted OS 005 applications Trojan.SymbOS.Dampig March 005 Symbian Replaces system OS applications Worm.SymbOS.Comwar March 005 Symbian Propagates via Bluetooth, MMS Bluetooth, MMS Trojan.SymbOS.Drever March 005 Symbian Replaces antivirus applications boot function OS Trojan.SymbOS.Fontal April 005 Symbian Replaces font files OS Trojan.SymbOS.Hobble April 005 Symbian Replaces system OS applications Trojan.SymbOS.Appdisabler May 005 Symbian Replaces system OS applications Trojan.SymbOS.Doombot June 005 Symbian Replaces system OS applications, installs Comwar Trojan.SymbOS.Blankfont July 005 Symbian Replaces font files OS 3 3 Vulnerabilities and threats of mobile ile devices Mobile devices security is a relatively new technology because there is still not a large focus on it. Sadly enough, the only way that the security is going to develop is by the appearance of a large amount of mobile devices malwares which need to be dealt with immediately without further avoidance. This is not to say that the current devices do not have any form of security, sometimes users are uneducated and render these measures ineffective [9]. Until people are properly taught what to do or what not to do, they will be more aware of security issues. Certain things like Bluetooth or Wi-Fi often time enabled by default on new mobile devices which are huge security risks. There are simple solutions for these problems; installing the newest firmware on devices, turning Bluetooth off when not in use, not connecting to unsecured wireless networks, not opening strange s, and not running programs that you don t know what they do. These are the simple precautions people can take that will

3 eliminate the great majority of the mobile device vulnerabilities. This should be regarded as an extreme concern because of the nature of mobile devices. Often time triggered viruses are designed to make money off the ads or the other schemes. It is almost impossible to completely avoid the time triggered viruses if they are put onto a mobile device. This makes the mobile devices very attractive targets to the hackers. Most threats to mobile devices are in the form of worms, a self-replicating virus. This is the biggest issue since mobile devices are designed to communicate with other devices. For this reason, the virus on the compromised mobile device spreads out, is now in leads to a possibly very devastating virus [9]. 4 Security threats and countermeasures While mobile phones are becoming more and more ubiquitous, they also have involved in more than just phones. They can be treated as a personal computer, video camera, portable media player, GPS, and more. This results in each mobile phone storing a lot of private information, which lead to the more frequent occurrence of the security issues. 4. How Bluetooth works Today mobile phones usually come with an advanced built-in technology known as Bluetooth. Bluetooth is a wireless communication standard that allows up to eight Bluetooth enabled devices to communicate with each other within a range of 0 meters, creating a Personal Area Network (PAN). The Bluetooth protocol works at.4ghz frequency spectrum and uses low power mode. Bluetooth can handle device interferences, by using a frequency hopping technology where the transmitters change frequencies,600 times every second (). Bluetooth technology can connect various devices such as a laptop computer, PDA, smart phone, not only two similar devices. Whatever the devices are, their connection setup can always be placed into two categories, a master-master connection and a master-slave connection. In master-master connections, both devices have input devices and can dynamically communicate with each other. In master-slave connections, one device does not have an input device while the other does. An example of this kind of connection would be a mobile phone and a wireless Bluetooth headset. The headset relies on preprogrammed instructions to complete setup and communication [3]. 4. Discovery, pairing and binding In order for two Bluetooth devices begin communicating, they first need to locate each other. This can be done through a process known as discovery. During the discovery process, one Bluetooth device scans for the other within its transmission range. Once the Bluetooth devices discover each other, the two devices will complete the next process known as pairing. Pairing is similar to networking TCP/IP handshaking. The devices exchange messages such as address, version, and pairing code. The pairing code can be thought as a password. In a master-master connection, both device users have to enter the pairing code. In a master-slave connection, the slave device will automatically read the pairing code from its preprogrammed code. Once identical pairing codes are entered, a link key is generated. The link key is used for authentication. Based on the link key the two devices dynamically generate and share an encryption key. The encryption key is used in the final process known as binding. The key binding connection means no other device can interfere or snoop on the connection. Although these three processes can keep Bluetooth connections safer, not all Bluetooth communication channels require them [3]. 4.3 Bluetooth security modes Every Bluetooth device has three major security modes in which it can operate on. The first mode is known as nonsecure security mode. In this mode, the features such as authentication, encryption, and pairing are not enforced. The second mode is known as the service-level security mode. In this mode, a central security manager restricts access to the device by performing authentication. The last mode is called the link-level security mode. In this mode, authorization and security procedures are enforced and implemented before an establishment of a communication channel. This mode typically involves in using the previously described processes of pairing and binding. Overall, Bluetooth has transformed wireless communication as it is widely implemented and supported. Unfortunately, like many protocols, it suffers from security threats and vulnerabilities [8]. 4.4 Bluetooth attacks One of the least serious and harmless Bluetooth attacks is called BlueJacking. This attack takes advantage of a small loophole in the messaging protocol and allows a Bluetooth device to send an anonymous message to a target Bluetooth device. When two Bluetooth devices wish to communicate with each other they must first perform an initial handshake process in which the initiating Bluetooth device must display its name on the target Bluetooth device. Instead, an attacker can send a user-defined field to the target device. BlueJacking takes advantage of this field in order to send the anonymous message [3]. A much more dangerous case, and one of the best known Bluetooth attacks, is BlueSnarfing. BlueSnarfing is the process in which the attacker connects to the victim s mobile phone through Bluetooth without the victim s attention. This attack is dangerous because the attacker can gain access to private information such as the address book, messages, personal photographs, etc. Furthermore, the attacker can initiate as well as forward phone calls. The attacker can complete this BlueSnarfing easily within 0 meters of the victim by using software tools such as Blooover, Redsnarf, and BlueSnarf [3].

4 4.5 Countermeasures Even though mobile phones face security threats from Bluetooth attacks, there are still effective countermeasures that can be used for protection. The simplest action can be taken is to disable Bluetooth completely on the mobile phone. Alternately, the mobile phone s Bluetooth settings can be switched to an undiscoverable or hidden mode. It is important to be aware of Bluetooth attacks and take countermeasures, as Bluetooth attacks are one of the primary ways mobile phone data is compromised [8]. 4.6 Mobile denial-of-service Compared with Bluetooth attack, Mobile Denial-of- Service (MDoS) attacks can be the worst attacks on a mobile phone. One of the major ways the attack is completed is through a Bluetooth enabled device. An MDoS attack can render a mobile phone useless. MDoS attacks can congest available bandwidth causing all data transfers stop, leading the phone to freeze, crash, or even restart. While there are different types of MDoS attacks, they all usually follow a similar pattern on how the attack is implemented. The attacker first uses some sort of packet-generation software in order to create infinite and sometimes malicious packets. These packets can then be sent to the victim s mobile phone using a specified protocol. One reason these attacks are considered dangerous is that they are easy to be executed. MDoS ready-to-go tools can easily be found on the Internet and downloaded. These attacks are possible if there is a loophole found in Bluetooth communication. Bluetooth technology does not have a way to handle incoming packets, and therefore does not inspect them at all. Compared with a normal mobile phone user, the problem seems to be more serious to a business mobile phone user, since he or she who depends on the phone for work can be devastated during an MDoS attack. The attack could limit their ability to access important data, significantly slow down their connection speed, and could even cause entire disconnection. Mobile phone users need to be aware that MDoS attacks can and do happen [3]. 4.7 Mobile denial-of-service attacks BlueSmacking is a common type of MDoS attack. The basic idea behind the attack is to send oversized data packets to the mobile device. Mobile devices using Bluetooth have a size limit on the packets that they can receive. This size difference depends on the manufacturer and model of the phone. This means that the devices cannot handle packets that are greater than the size limit. The attacker takes advantage of this weakness and sends oversized data packets to the target device. The device will not be able to handle numerous, constant, oversized packets thus resulting in a denial-ofservice [3]. The second MDoS attack, although not very popular, is called Jamming. As described earlier, Bluetooth works in the.4ghz frequency range and it handles interferences by frequency hopping. In a Jamming attack, the entire frequency band has to be jammed so that the Bluetooth device has no available frequency to use. The amount of work the attacker has to put in for a Jamming attack is not feasible resulting in the attack s unpopularity [3]. The third common MDoS attack is called a failed authentication attack. This attack prevents two Bluetooth devices from establishing a connection with each other. In order for the attacker to be successful, the hacker must flood the target device with spoofed packets while the target device is trying to connect with a desired device. In doing so, the target device s resource becomes congested and the target device is unable to make the connection with the desired device [3]. 4.8 Countermeasures Mobile phone users should be aware of MDoS attacks and also realize that there are countermeasures that are available in order to protect themselves from these attacks. One of the simplest things a user can do is to keep their phone up to date by downloading and installing the latest patches and upgrading their mobile phone. Another countermeasure is simply not to accept an unknown incoming message via Bluetooth. Users should only pair their mobile phone with known devices []. 5 Mobile operating system 5. iphone OS The iphone operating system has had several documented vulnerabilities so far; however they are generally fixed very quickly. The app review process is the main reason why there are not many documented cases of malware for the iphone. All of the applications that have permission to run on the iphone are very carefully inspected by apple and insured not have any viruses hidden inside or security risks. This is a double edged blade. With the very strict process, there is a much more limited base on what could be brought out for the phone if any application could be used on it [4]. The main security risk in the iphone is when the system has its root password cracked by jail breaking. The reason this is a problem as it gives the users root access to the phone with a username and password, but if people forget to change the username and password then it is easy to log in. With root access, it enables programs or processes to access any part of the system and modify them [4]. The world s first iphone worm was found in early November 009. The worm would replace the background on the iphone with a picture of Rick Astley and the words ikee is never gonna give you up. Once installed, the malware will

5 search the phone network for other vulnerable iphones and infect them []. The worm is a breakthrough purely because it is the first worm for one of the world s most prominent cell phone, iphone. Hopefully, it will force people to take more care of their phone and remember to change their passwords. The second worm infecting iphone takes advantage of the same security hole as the previous one. This worm will redirect customers Dutch online bank to a phishing site that will capture their information [0]. 5. Blackberry Architecture Overview The Blackberry smart phone was developed by Research in Motion (RIM) and introduced to the public as a two-way pager in 999. In 00, RIM released the blackberry with updated feature like push , mobile telephone, text messaging, internet faxing, web browsing and other wireless information services. RIM developed a proprietary software platform named BlackBerry OS for its BlackBerry line of handhelds. BlackBerry OS provides multi-tasking and makes heavy use of the devices specialized input devices, particularly the trackball or touch screen []. BlackBerry OS uses the Java to provide an open platform for third-party wireless enterprise application development. Using BlackBerry MDS Studio and the BlackBerry Java Development Environment (JDE), the BlackBerry Enterprise Solution lets software developers create third-party Java applications for BlackBerry devices. After the application is written in Java, it is compiled into Blackberry proprietary.cod files. The Java byte code is "pre-verified" as valid on the PC side (in accordance with JME standards) before being compiled into a.cod file. It can then be transmitted to the BlackBerry for execution []. By default, unsigned applications have very limited access to this enhanced functionality. Applications must be signed by RIM in order to perform actions, which are deemed sensitive such as enumerating the Personal Information Manager or reading s. Even signed applications may require user permission to carry out sensitive actions such as initiating phone calls. RIM provides a way for third party applications to gain full access to the Blackberry API by signing it with a hash function. For developers to obtain signatures for their applications they must first fill out an online form and pay a 00 USD fee to receive a developer key. RIM provides a signing tool that sends the SHA hash of the application to RIM. Once this hash is received by RIM they will in turn generate a signature. This signature is then sent back to the developer and appended to the application []. 5.3 Blackberry Vulnerabilities Since 007, there were known vulnerabilities that affected the blackberry Smartphone. Five of the vulnerabilities were cause by an error within the PDF distiller (KB78, KB79, KB5770, KB5766 and KB837). Three were caused by an error within ActiveX (KB648, KB6469, KB34). One vulnerability was caused by the Microsoft GDI component that BlackBerry products use (KB5506). Two Vulnerabilities exist in the Session Initiation Protocol (SIP) implemented on a BlackBerry 770 Smartphone running BlackBerry Device Software 4.0 Service Pack Bundle 83 and earlier (KB700, KB707). KB78, KB5770, KB5766 and KB79: the PDF distiller of some released versions of the BlackBerry Attachment Service. This vulnerability could enable a malicious individual to send an message containing a specially crafted PDF file, when opened on a BlackBerry Smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that the BlackBerry Attachment Service runs on. KB837: multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service component of the BlackBerry Enterprise Server. These vulnerabilities could enable a malicious individual to send an message containing a specially crafted PDF file, when opened on a BlackBerry Smartphone associated with a user account on a BlackBerry Enterprise Server, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service component of that BlackBerry Enterprise Server. KB648: an exploitable buffer overflow exists in the BlackBerry Application Web Loader ActiveX control that Internet Explorer uses to install applications on BlackBerry devices. KB6469: A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control. KB34: When using Internet Explorer to view the BlackBerry Internet Service or T-Mobile My web sites that use the TeamOn Import Object ActiveX control, and when trying to install and run the ActiveX control, the ActiveX control introduces the vulnerability to the system. KB5506: These vulnerabilities expose the BlackBerry Attachment Service and the BlackBerry Desktop Manager to attacks that could allow a malicious user to cause arbitrary code to run on the computer on which the BlackBerry Attachment Service or the BlackBerry Desktop Manager is running. o If a BlackBerry Smartphone user is on the BlackBerry Enterprise Server or BlackBerry Professional Software is with BlackBerry Attachment Service running, and the user tries to use the BlackBerry Smartphone to open and view a WMF or EMF image attachment in a received message sent by a user with malicious intent, the computer on which the

6 BlackBerry Attachment Service is running could be compromised. o If the BlackBerry Smartphone user uses BlackBerry Media Sync to synchronize an image created by a user with malicious intent, the computer on which BlackBerry Media Sync is running could be compromised. KB700: The BlackBerry 770 Smartphone user receives a malformed SIP INVITE message. When the BlackBerry Smartphone user tries to make a call using the Phone application, the following problems occur: o An uncaught exception error message is displayed. o When the BlackBerry Smartphone user tries to initiate a call, the following error message is displayed: Cannot connect. Call in progress o The BlackBerry Smartphone cannot receive incoming calls. The BlackBerry Smartphone does not ring or display any indication of incoming calls. KB707: A BlackBerry 770 Smartphone receives a malformed SIP INVITE message. The following problems occur on the BlackBerry Smartphone: o The BlackBerry Smartphone user cannot make a call using the Phone application o The BlackBerry Smartphone may ring when it initially receives the malformed message, but does not receive incoming calls afterward (i.e. the BlackBerry Smartphone does not ring or display any indication of incoming calls). Spoofing: A situation where there is the opportunity to spoof information upon which the user will make a decision which may impact the security of the device. Data Interception or Access: A situation where data can be intercepted or accessed by malicious code that is on the device. Data Theft: A situation where data can be sent out of the device by malicious code that is on the device. Backdoor: A situation where malicious code resident on the device is able to offer functionality that would allow an attacker to gain access at will. Service Abuse: A situation where malicious code resident on the device is able to perform actions that will cause the user higher service cost. Availability: A situation where malicious code resident on the device is able to impact the availability or integrity of either the device or the data upon it. Network Access: A situation where malicious code resident on the device is able to use the device for one or more unauthorized network activities. This may include port scanning or alternatively using the device as a proxy for network communications. Wormable: A technology can be utilized by malicious code on the device to further help in its propagation in a semiautonomous fashion [8]. The following table shows for each of the areas analyzed their susceptibility to these attacks, and how they may be mitigated: 6 Blackberry Attack Surface There are multiple attack surfaces an attacker can exploit to compromise the confidentiality, integrity and availability of the blackberry smart phone. Table Vulnerability surfaces and misuses []

7 The chart shows attacks requiring malicious code to be present on the device. The only way for malicious code to get into the device is through user interaction. Ignorant users may trigger action of malicious code through user interaction. These facts highlight the need for user education about safe computing practices when using all kinds of computing devices including mobile devices. 7 Future development The largest problem with mobile security is there is no enough time dedicated to it when designing a mobile device. For the most part, the malware can only access if the user does something to make the system vulnerable in some way or fashion. Be it running a program that has the malware hidden in it, or cracking the system so that the built in security is removed. Many experts argue that the only thing that will make users more aware is a large amount of malware forcing people to become educated or else leave them unable to use their devices. The reason for this is because in the early 000 there were a large number of viruses that completely debilitated networks. This in turn made people understand the importance of antivirus and their threats that they don t recognize. Since then, people have been much more careful with their computers. Due to this positive response, many people think this is the only way to make people pay attention to mobile devices security. In example, there have been many proofs of concept viruses that target phones just to show it can be done and explain it could have been even worse; however this generally is circulated through the technical world and never reaches the end users on a large scale. evices-article-facn_greenhills_apr009-html.aspx [7] O'Connor, J. Attack Surface Analysis of BlackBerry Devices. White Paper: Symantec Security Response, 007. [8] Sanpronov, K. Bluetooth, Bluetooth Security and New Year War-nibbling. Retrieved December, 009, from VirusList.com: [9] Shevchenko, A. An overview of mobile device security. September, 005. Retrieved December, 009, from Viruslist.com: [0] The Register. IPhone Worm Infects Devices and Redirects Duth Online Bank. Retrieved December, 009, from CyberInsecure.com: [] The Register, Sophos. World's First IPhone Worm Hits IPhone Ownders In Australia. Retrieved December, 009, from CyberInsecure.com: 8 References [] BlackBerry Internet Service. Feature and Technical Overview, 009. [] Fadia, A.. Hacking Mobile Phones. Course Technology PTR, 005. [3] Franklin, C., & Layton, J. (n.d.). How Bluetooth Works. Retrieved December, 009, from HowSuffWorks.com: [4] Kabay, M. E. iphone security, Part. Retrieved 009, from Network World: c.html?page= [5] Kabay, M. E. iphone Security, Part. Retrieved December, 009, from Network World: c.html?ry=gs [6] Kleidermacher, D. The future of mobile devces. Retrieved December, 009, from Hearst Electronic Products: