CHAPTER 3
a. GSM Architecture
The following diagram shows the GSM network along with the added
components:
o Contains the information that provides the identity of the user to the
network.
o Provides personal mobility, so that the user can have access to all subscribed
services irrespective of both the location of the terminal and the use of a
specific terminal.
o You need to insert the SIM card into another GSM cellular phone to
receive calls at that phone, make calls from that phone, or receive other
subscribed services.
b. GSM Entities
o The BSC is the connection between the mobile and the MSC.
o The function is to allocate the necessary time slots between the BTS and
the MSC.
o It controls a group of BTSs and is often co-located with one of the BTSs in
its group.
o It manages one or several BTS and the radio channel resources.
Copyright @2018 JUSRORIZAL FADLY JUSOH 7|Page
DFP6033 Secure Mobile Computing Version 1 :2018
o When a user switches on their phone, the phone registers with the network
and from this it is possible to determine which BTS it communicates with
so that incoming calls can be routed appropriately.
o Even when the phone is not active (but switched on) it re-registers
periodically to ensure that the network (HLR) is aware of its latest
position.
o There is one HLR per network, although it may be distributed across
various sub-centres for operational reasons.
o The EIR is the entity that decides whether given mobile equipment may be
allowed onto the network.
o EIR is a database that contains a list of all valid mobile equipment on the
network.
o Mobile equipment has a number known as the International Mobile
Equipment Identity (IMEI).
o An IMEI is marked as invalid if it has been reported stolen or is not type
approved.
o An IMEI is installed in the equipment and is checked by the network
during registration.
o Dependent upon the information held in the EIR, the mobile may be
allocated one of three states:
Allowed onto the network
Barred access
Monitored in case of problems.
o The user does not authenticate the network, so an attacker can use a false BTS
with the same mobile network code as the subscriber’s legitimate network to
impersonate that network and perform a man-in-the-middle attack.
o The attacker can then modify or fabricate the exchanged data in several ways.
o The attacker can then clone the SIM and use it for his fraudulent purposes.
o In April 1998, the Smartcard Developer Association (SDA) and the ISAAC
research group found an important vulnerability in the COMP128
algorithm that helped them to extract Ki in eight hours by sending many
challenges to the SIM.
o A partitioning attack proposed by IBM researchers was found capable of
extracting Ki in just one minute [9].
Over-the-air cracking
o There is no protection over the other parts of the network, and information is
sent in the clear over the fixed parts, because encryption is applied only
on the air path between the MS and the BTS.
o The encryption facility of the air interface is not activated at all in some
countries.
o Remote management of the GSM backbone components, which can be
carried out by connecting them to IP networks, can also introduce additional
vulnerabilities.
o The user is not alerted when the ciphering mode is deactivated because the
ciphering is controlled by the BTS.
o A false BTS can also deactivate the ciphering mode and force MS to send data
in an unencrypted manner.
o This can be misused to defeat the user's anonymity, and can be accomplished by
sending an IDENTITY REQUEST command from a false BTS to the MS of
the target user to find the corresponding IMSI.
o The attacker can misuse the previously exchanged messages between the
subscriber and network in order to perform replay attacks.
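Two of the false-BTS behaviours listed above, ciphering being switched off and an IDENTITY REQUEST for the IMSI, can be watched for from the handset side. The following Python code is an added example, not part of the original notes; the key=value log format, the cell labels and the weights are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed trace of downlink signalling seen by one handset. The key=value
# line format and the cell labels are assumptions made for this example.
SAMPLE_TRACE = """\
t=1.0 cell=A msg=IDENTITY_REQUEST id_type=IMEI
t=1.2 cell=A msg=AUTHENTICATION_REQUEST
t=1.5 cell=A msg=CIPHERING_MODE_COMMAND alg=A5/1
t=1.9 cell=A msg=LOCATION_UPDATING_ACCEPT
t=60.2 cell=B msg=IDENTITY_REQUEST id_type=IMSI
t=60.6 cell=B msg=CIPHERING_MODE_COMMAND alg=A5/0
t=60.9 cell=B msg=LOCATION_UPDATING_ACCEPT
t=90.1 cell=C msg=IDENTITY_REQUEST id_type=IMSI
t=90.3 cell=C msg=AUTHENTICATION_REQUEST
t=90.5 cell=C msg=CIPHERING_MODE_COMMAND alg=A5/3
t=90.8 cell=C msg=LOCATION_UPDATING_ACCEPT
"""

# Weights are illustrative. An IMSI request alone is weak evidence: a real
# network also sends one when it cannot resolve the phone's temporary identity.
WEIGHTS = {"imsi_requested": 1, "ciphering_off": 2, "no_cipher_command": 2}
ALERT_THRESHOLD = 3

def indicators(trace):
    """Map each cell to the set of false-BTS indicators seen on it."""
    seen = defaultdict(set)
    cipher_cmd = set()          # cells that sent any ciphering mode command
    for line in trace.splitlines():
        ev = dict(re.findall(r"(\w+)=(\S+)", line))
        if "cell" not in ev or "msg" not in ev:
            continue            # skip malformed or empty lines
        cell, msg = ev["cell"], ev["msg"]
        seen[cell]              # register the cell even if it stays clean
        if msg == "IDENTITY_REQUEST" and ev.get("id_type") == "IMSI":
            seen[cell].add("imsi_requested")
        elif msg == "CIPHERING_MODE_COMMAND":
            cipher_cmd.add(cell)
            if ev.get("alg") == "A5/0":      # A5/0 means no encryption
                seen[cell].add("ciphering_off")
        elif msg == "LOCATION_UPDATING_ACCEPT" and cell not in cipher_cmd:
            seen[cell].add("no_cipher_command")
    return dict(seen)

def suspicious_cells(trace):
    """Cells whose summed indicator weights reach the alert threshold."""
    scores = {c: sum(WEIGHTS[i] for i in inds)
              for c, inds in indicators(trace).items()}
    return sorted(c for c, s in scores.items() if s >= ALERT_THRESHOLD)
```

Calling `suspicious_cells(SAMPLE_TRACE)` flags only cell B, where the IMSI request is followed by a command that turns ciphering off; cell C asks for the IMSI but then enables ciphering, so it stays below the threshold.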
a. Confidentiality
Human:
o Espionage
o Impersonation
o Improper Disposal of Sensitive Media
o Inadvertent Acts or Carelessness
o Omissions
o Scavenging
o Shoulder Surfing
o Theft, Sabotage, Vandalism, or Physical Intrusion
o User Abuse or Fraud
Technical:
o Compromising Emanations
o Corruption by System, System Errors, or Failures
o Data/System Contamination
o Eavesdropping
o Insertion of Malicious Code, Software, or Database Modification
o Installation Errors
o Intrusion or Unauthorized Access to System Resources
o Misrepresentation of Identity / Impersonation
o Misuse of Known Software Weaknesses
o Takeover of Authorized Session
Environmental: None
Natural: None
b. Integrity
Human:
o Data Entry Errors or Omissions
o Inadvertent Acts or Carelessness
o Omissions
o Terrorism
o Theft, Sabotage, Vandalism, or Physical Intrusions
o User Abuse or Fraud
Technical:
o Corruption by System, System Errors, or Failures
o Data / System Contamination
o Insertion of Malicious Code, Software, or Database Modification
o Installation Errors
o Intrusion or Unauthorized Access to System Resources
o Hardware / Equipment Failure
o Misuse of Known Software Weaknesses
o Misrepresentation of Identity / Impersonation
o Saturation of Communications or Resources
o System and Application Errors, Failures, and Intrusions not Properly Audited and Logged
o Tampering
Environmental:
o Electromagnetic Interference
o Environmental Conditions
Natural: None
c. Availability
Human:
o Arson
o Espionage
o Inadvertent Acts or Carelessness
o Labour Unrest
o Omissions
o Procedural Violation
o Riot / Civil Disorder
o Terrorism
o Theft, Sabotage, Vandalism, or Physical Intrusions
o User Abuse or Fraud
Technical:
o Corruption by System, System Errors, or Failures
o Data / System Contamination
o Hardware / Equipment Failure
o Insertion of Malicious Code, Software, or Database Modification
o Installation Errors
o Intrusion or Unauthorized Access to System Resources
o Jamming (telecom)
o Misrepresentation of Identity / Impersonation
o Misuse of Known Software Weaknesses
o Saturation of Communications or Resources
o System and Application Errors, Failures, and Intrusions not Properly Audited and Logged
o Tampering
Environmental:
o Electromagnetic Interference
o Environmental Conditions
o Hazardous Material Accident
o Physical Cable Cuts
o Power Fluctuation
Natural:
o Natural Disaster
o Secondary Disaster
o Adware
Bug
o Bugs can be prevented with developer education, quality control and code
analysis tools.
o Ransomware
Rootkit
Spyware
o Spyware spies on user activity without the user’s knowledge.
o These spying capabilities can include activity monitoring, collecting
keystrokes, data harvesting like account information, logins, financial data and
more.
o Often has additional capabilities as well, ranging from modifying security
settings of software or browsers to interfering with network connections.
o Spreads by exploiting software vulnerabilities, bundling itself with legitimate
software or in Trojans.
Trojan horse
o Virus
Worm
o Spam
o Malware Symptoms
o Computers that are infected with malware can exhibit any of the following
symptoms:
Increased CPU usage
Slow computer or web browser speeds
Problems connecting to networks
Freezing or crashing
Modified or deleted files
Strange computer behaviour
Appearance of strange files, programs, or desktop icons
Programs running, turning off, or reconfiguring themselves
Emails/messages being sent automatically and without user’s knowledge
o Scale
o Perceived Insecurity
o Identify stakeholders
o Enumerate assets
o Find relevant risks
Identify stakeholders
Mobile network operators (MNOs, aka carriers, telcos and the #$%&*
companies who drop our calls all the time)
Device manufacturers (aka OEMs, hardware manufacturers and so on)
Mobile operating system (OS) vendors like Apple and Google
Application Store curators (for example, Apple, Google, Amazon and so on)
Organizational IT (for example, corporate security’s mobile device management
software)
Mobile application developers
End users
Enumerate assets
What risks are relevant to these assets from each stakeholder’s perspective?
Special Risks
o Mobile devices are connected to many networks
Often insecure or unknown ones
o Mobile devices are used for personal, private purposes
Banking, selfies, SMS messages, phone calls
Figure 3-9: A simplified mobile risk model, highlighting key areas of risk, each
containing discrete mobile risks.
a. Physical risks
b. Service risks
Risk Area #2 in Figure 3-9
More problems on the server side.
o For example, on a recent long-term consulting engagement:
65 percent of bugs were service-side.
25 percent were on the mobile client.
o Most of the code or logic is on the server side.
o Generic service-side risk as #8 in Figure 1-3.
Another service risk is customer support.
o Hackers use support services vulnerabilities to get valuable stuff
o Customer self-help password reset vulnerabilities
If you make a mistake here the consequences can have a huge impact.
Imagine a flaw that allowed anonymous attackers to reset account
passwords via the self-help web portal
o About 12 percent of bugs were in support-related components.
o We’ve numbered this risk #9 in Figure 1-3, customer support agent.
c. App risks
Fragmentation
o Updates are essential for security
o Very big problem for Android
Weak Authentication
BYOD
o Bring Your Own Device to work
o Recommendation
Keep sensitive data on servers
Only put non-sensitive data on mobile devices
Physical theft
App publication
a. Interoperability
b. Voice Calls
c. The Control Channels
d. Location Update
e. Voice Mailboxes
f. Short Message Service
a. Interoperability
a. Voice Calls
b. Voice Mail (VM)
c. Short Message Service (SMS)
d. Location-based Services (LBS)
e. Internet Access (IP Connectivity)
b. Voice Calls
Traffic channels
Control channels
The mobile device then knows how to access the Random Access Channel
(RACH)
o The first step in a GSM handshake between a mobile device and a BTS
o How the mobile asks for information associated with a particular cell
o Mobile sends a channel request via the RACH
o BTS tries to service the request
o If the BTS has slots available, it assigns a control channel, called the
Standalone Dedicated Control Channel (SDCCH), to the mobile device
o The BTS tells the mobile about this assignment via the Access Granted
Channel (AGCH)
o Once the mobile has received a SDCCH, it's a member of the network and
can request a location update
d. Location Update
Voice Mailboxes
SMS Channels
o SMSCs carry most of the SMS messages when an SMS message storm
happens
o It's the hardest working piece of equipment in modern cellular provider
networks
o iOS displays the number in the "reply-to" field in the SMS header as the
origin of an SMS message
Instead of the actual origin number
o So it's easy to send SMS messages that appear to come from someone else
o On Android, a malicious app can fool your device into displaying a fake
SMS message
a. Voice mail
An evil phone could attack the mobile network (theoretical attack only)
Phone OS is not hard to understand, basically
o iOS is BSD
o Android is Linux
A modified phone could jam or modify broadcast signals from a BTS
o But it would only affect a small area
Rogue Mobile Device Countermeasures
The cellular network is carved up into many small parts
Radio earshot is only a few hundred yards in a city, or a few miles on flat
terrain
Just a normal radio jammer would be more effective
Until recently, carriers assumed that attackers lacked the skill to build a base
station, so
Network required authentication from the phone, but
Phone didn't require authentication from the network
So it was simple to emulate a cellular network
A cellular phone can simply “join up” with another cellular provider’s
network.
Cellular networks are defined by a simple three-digit number and a three-digit
country code, as shown in Table 3-2.
o A normal cell phone could act as a base station with only a software
change
o A phone in "engineering mode" could sniff radio traffic on all bands at the
same time
o Packets can be logged via RS232
o You get voice and SMS traffic
o Flash phone via USB cable
Legal Warning
Hacking in 2002
o Rohde & Schwarz sold test gear for SMS networks, including BTS
emulation
o Cost was six figures
o OpenBTS: free software that can be used to make a fake base station for about
$1500 in 2009
o Femtocells are even simpler
Femtocell
Femtocell Functions
o Control signaling
o Call setup and teardown and SMS messaging
o Converting normal voice calls into real-time protocol streams
o Associated SIP setup
o Backhaul link uses IPsec connections to special security gateways on the
mobile network operator side
Information Disclosure
Femtocell Membership
o Carriers could limit membership to a few cell phones for a single femtocell
o But why not let everyone in? That expands their coverage for free!
o But it also means customers are using untrustworthy devices and they have
no way to know that
i. Mobile as USB
When a mobile phone is connected to a personal computer, scan the external
phone memory and memory card using an updated antivirus.
Take regular backups of your phone and external memory card, so that if an
event like a system crash or malware penetration occurs, at least your data is
safe.
Before transferring data from a computer to the mobile, scan the data
with the latest antivirus with all updates.
j. Wi-Fi
Connect only to the trusted networks.
Use Wi-Fi only when required. It is advisable to switch off the service when not
in use.
Beware while connecting to public networks, as they may not be secure.
k. Application and Mobile Operating System
Update the mobile operating system regularly.
Upgrade the operating system to its latest version.
Always install applications from trusted sources.
Consider installing security software from a reputable provider and update it
regularly.
It’s always helpful to check the features before downloading an application.
Some applications may use your personal data.
If you’re downloading an app from a third party, do a little research to make sure
the app is reputable.
1. Physical access
2. Malicious Code
3. Device Attacks
Attacks targeted at the device itself are similar to the PC attacks of the past.
Browser-based attacks, buffer overflow exploitations and other attacks are
possible.
The short message service (SMS) and multimedia message service (MMS)
offered on mobile devices afford additional avenues to hackers.
Device attacks are typically designed to either gain control of the device and
access data, or to attempt a distributed denial of service (DDoS).
4. Communication Interception
5. Insider Threats
Mobile devices can also facilitate threats from employees and other insiders.
Humans are the weakest link in any security strategy, and many employees
have neither the knowledge, nor the time to track whether or not their devices
have updated security software installed.
The downloading of applications can also lead to unintentional threats.
Most people download applications from app stores and use mobile
applications that can access enterprise assets without any idea of who
developed the application, how good it is, or whether there is a threat vector
through the application right back to the corporate network.
The misuse of personal cloud services through mobile applications is another
issue.
o When used to convey enterprise data, these applications can lead to data
leaks that the organization remains entirely unaware of.
o Not all insider threats are inadvertent; malicious insiders can use a
smartphone to misuse or misappropriate data by downloading large
amounts of corporate information to the device’s secure digital (SD) flash
memory card, or by using the device to transmit data via email services to
external accounts, circumventing even robust monitoring technologies
such as data loss prevention (DLP).