Chapter 3 v1 DFP6033

DFP6033 Secure Mobile Computing Version 1 :2018
TABLE OF CONTENTS
CHAPTER 3
3.0 MOBILE COMPUTING SECURITY
3.1 Understand CIA Triad in mobile computing
3.1.1 Describe the Global System for Mobile Communication (GSM)

a. GSM Architecture
b. GSM Entities
3.1.2 Explain the security problem with GSM

3.1.3 Identify the treats:
a. Confidentiality
b. Integrity
c. Availability
3.1.4 Describe Malicious Software in mobile computing
3.2 Understand mobile risk ecosystem
3.2.1 Identify mobile ecosystem:

a. Scale
b. Perceived Insecurity
3.2.2 Describe Mobile Risk Model
3.2.3 Explain Simplified Risk Model
a. Physical risks
b. Service risks
c. App risks
3.2.4 Illustrate attack surface specific to mobile device
3.3 Understand Mobile Hacking
3.3.1 Identify basic cellular network functionality

3.3.2 Explain attacks and countermeasure in mobile hacking:
a. Voice mail
b. Rogue mobile device attack
c. Rogue station attack
d. Rogue Femtocell attack
3.4 Understand mobile phone security and forensics
3.4.1 Identify mobile phone security

3.4.2 Identify mobile device and security risk
3.4.3 Describe Google Android security model
3.4.4 Describe iOS security model
3.4.5 Describe relevant device security model
Copyright @2018 JUSRORIZAL FADLY JUSOH 1|Page

3.1 Understand CIA Triad in mobile computing
3.1.1 Describe the Global System for Mobile Communication (GSM)
a. GSM Architecture
 Launched in the early 1990s

 A second generation cellular standard developed to provide voice services and
data delivery using digital modulation.
 The security architecture of GSM was originally intended to provide security
services such as anonymity, authentication, and confidentiality of user data
and signalling information [5].
 The security goals of GSM are as follows:
o Authentication of mobile users for the network,
o Confidentiality of user data and signalling information,
o Anonymity of subscriber's identity,
o Using Subscriber Identity Module (SIM) as a security module.
 The GSM network architecture as defined can be grouped into four
components:
a. Mobile station (MS)
b. Base-Station Subsystem (BSS)
c. Network and Switching Subsystem (NSS)
d. Operation and Support Subsystem (OSS)
 A basic diagram of the GSM system architecture is shown below:
Figure 3-1: GSM Network Architecture Basic Diagram

Figure 3-2: GSM Network Architecture Overall Diagram
 The additional components of the GSM architecture comprise of databases and

messaging systems functions:
 Home Location Register (HLR)
 Visitor Location Register (VLR)
 Equipment Identity Register (EIR)
 Authentication Centre (AuC)
 SMS Serving Centre (SMS SC)
 Gateway MSC (GMSC)
 Chargeback Centre (CBC)
 Transcoder and Adaptation Unit (TRAU)
 The following diagram shows the GSM network along with the added
components:
Figure 3-3: GSM network along with the added components
 The MS and the BSS communicate across the Um interface.

 It is also known as the air interface or the radio link.
 The BSS communicates with the Network Service Switching (NSS) centre
across the A interface.
 GSM network areas
o In a GSM network, the following areas are defined:

 Cell
 Cell is the basic service area; one BTS covers one cell
 Each cell is given a Cell Global Identity (CGI)
 A number that uniquely identifies the cell
 Location Area
 A group of cells form a Location Area (LA)
 This is paged when a subscriber gets an incoming call
 Each LA is assigned a Location Area Identity (LAI)
 Each LA is served by one or more BSCs.
 MSC/VLR Service Area
 Covered by one MSC is called the MSC/VLR service area.
 PLMN
 Called the Public Land Mobile Network
 The area covered by one network operator
 It is can contain one or more MSCs.
 Subscriber Identity Module (SIM)
o Contains the information that provides the identity of the user to the
network.
o Provides personal mobility for user can have access to all subscribed
services irrespective of both the location of the terminal and the use of a
specific terminal.
o You need to insert the SIM card into another GSM cellular phone to
receive calls at that phone, make calls from that phone, or receive other
subscribed services.
 Mobile Station (MS)
o It is a GSM terminal that has a SIM card

o It's used by subscribers to originate and receive calls
o Also called mobile equipment (ME) or cell or mobile phones.
o The two main components are the main hardware and the SIM.
o Provide the mobile facilitates access to voice messaging systems.
o Provides the receptor for SMS messages, enabling the user to toggle
between the voice and data use.
o Provides access to the various data services available in a GSM network.
o These data services include:
 X.25 packet switching through a synchronous or asynchronous dial-up
connection to the PAD at speeds typically at 9.6 Kbps.
 General Packet Radio Services (GPRSs) using either an X.25 or IP
based data transfer method at speeds up to 115 Kbps.
 High speed, circuit switched data at speeds up to 64 Kbps.
o International Mobile Equipment Identity (IMEI)
 It is installed in the phone at manufacture and cannot be changed.
 It is accessed by the network during registration to check the
equipment has been reported as stolen.

o It contains are variety of information including a number known as the

International Mobile Subscriber Identity (IMSI).
o Consists of the hardware or physical equipment such as
 Digital signal processors
 Radio transceiver
 SIM card.
 Display
 Battery
 Case
o It provides the air interface to the user in GSM networks.
o Other services are also provided include:
 Voice teleservices
 Data bearer services
 The features' supplementary services
Figure 3-4: GSM Mobile Station and SIM
 Base Station Subsystem (BSS)
o Fundamentally associated with communicating with the mobiles on the

network.
o It consists of two components:
a. The Base Transceiver Station (BTS)
b. The Base Station Controller (BSC)
o The BTS and the BSC communicate across the specified Abis interface.
 Enabling operations between components that are made by different
suppliers.
o The radio components of a BSS may consist of four to seven or nine cells.
o A BSS may have one or more base stations.
o Uses the Abis interface between the BTS and the BSC.
o A separate high-speed line (T1 or E1) is then connected from the BSS to
the Mobile MSC.
Figure 3-5: GSM BSS

 Network Switching Subsystem (NSS)
o Core network NSS is the Mobile Switching Centre (MSC).

o It provides the main control and interfacing for the whole mobile network.
o Performs the switching of calls between the mobile and other fixed or
mobile network users.
o The major components within the core network include:
a. Mobile Services Switching Centre (MSC)
b. Home Location Register (HLR)
c. Equipment Identity Register (EIR)
d. Visitor Location Register (VLR)
e. Authentication Centre (AUC)
 Operation and Support Subsystem (OSS)
o It is connected to components of the NSS and the BSC.

o It is used to control and monitor the overall GSM network
o It is also used to control the traffic load of the BSS.
o Provide a network overview and support the maintenance activities of
different operation and maintenance organizations.
o Offer the customer cost effective support for centralized, regional and
local operational and maintenance activities.
 The operations and maintenance centre (OMC)
o Connected to all equipment in the switching system and to the BSC.

o The implementation of OMC is called OSS.
o Here are some of the OMC functions:
 Administration and commercial operation
 subscription
 end terminals
 charging
 statistics
 Security Management.
 Network configuration, Operation and Performance Management.
 Maintenance Tasks.
o It functions referred to the concepts of the Telecommunication
Management Network (TMN)
 This is standardized in the ITU-T series M.30.
o Following is the figure, which shows how OMC system covers all the
GSM components.
Figure 3-6: OMC System Covers All the GSM Components

b. GSM Entities
 Base Transceiver Station (BTS):
o It's composed of a set of radio channel transmitters and receivers.

o It's the interface between the BSC and the Mobile Station.
o The BTS houses the radio transceivers that define a cell and handles the
radio link protocols with the MS.
o The BTS corresponds to the transceivers and antennas used in each cell of
the network.
o The BTS is the defining element for each cell.
o The BTS communicates with the mobiles and the interface between the
two is known as the Um interface with its associated protocols.
o In a large urban area, a large number of BTSs may be deployed.
Figure 3-7: GSM BTS
o A BTS is usually placed in the centre of a cell.

o Its transmitting power defines the size of a cell.
o Each BTS has between 1 and 16 transceivers, depending on the density
of users in the cell.
o Each BTS serves as a single cell.
o It also includes the following functions:
 Encoding, encrypting, multiplexing, modulating, and feeding the RF
signals to the antenna
 Decoding, decrypting, and equalizing received signals
 Voice through full- or half-rate services
 Time and frequency synchronizing
 Transcoding and rate adaptation
 Uplink channel measurements
 Random access detection
 Timing advances
 Base Station Controller (BSC):
o The BSC is the connection between the mobile and the MSC.
o The function is to allocate the necessary time slots between the BTS and
the MSC.
o It controls a group of BTSs and is often co-located with one of the BTSs in
its group.
o It manages one or several BTS and the radio channel resources.
o It controls items such as handover within the group of BTSs, allocates

channels and radio channel setup.
o The BSC also translates the 13 Kbps voice channel used over the radio
link to the standard 64 Kbps channel used by the Public Switched
Telephone Network (PSDN) or ISDN.
o It assigns and releases frequencies and time slots for the MS.
o It controls the power transmission of the BSS and MS in its area.
o It communicates with the BTSs over what is termed the Abis interface.
o Additional functions include:
 Power management
 Control of frequency hopping
 Time and frequency synchronization
 Reallocation of frequencies among BTSs
 Providing an interface to the OMC for the BSS
 Time-delay measurements of received signals from the MS Performing
traffic concentration to reduce the number of lines from the MSC
 Mobile Services Switching Centre (MSC)
o It is a router of originated and received calls in the GSM network.

o The central component of the Network Subsystem is the MSC.
o The MSC performs the switching of calls between the mobile and other
fixed or mobile network users,
o The MSC acts like a normal switching node within a PSTN or ISDN.
o Provides additional functionality to enable the requirements of a mobile
user to be supported such as
 Registration, authentication, location updating, inter-MSC handovers
and call routing to a mobile subscriber.
o It also performs such functions as toll ticketing, network interfacing,
common channel signalling, and others.
o It also provides an interface to the PSTN so that calls can be routed from
the mobile network to a phone connected to a landline.
o Interfaces to other MSCs are provided to enable calls to be made to
mobiles on different networks.
o Every MSC is identified by a unique ID.
 Home Location Register (HLR)
o A database that contains the subscriber (MS) identities, profile and

approximate location.
o It’s used for storage and management of subscriptions.
o it stores permanent data about subscribers including:
 A subscriber's service profile
 Location information
 Activity status
o When an individual buys a subscription in the form of SIM
o All the information about this subscription is registered in the HLR of that
operator.
o All the administrative information about each subscriber along with their
last known location.
o It’s able to route calls to the relevant base station for the MS.
o When a user switches on their phone, the phone registers with the network
and from this it is possible to determine which BTS it communicates with
so that incoming calls can be routed appropriately.
o Even when the phone is not active (but switched on) it re-registers
periodically to ensure that the network (HLR) is aware of its latest
position.
o There is one HLR per network, although it may be distributed across
various sub-centres to for operational reasons.
 Visitor Location Register (VLR)
o It’s a database is associated to a MSC.

o It contains the identities and location of all the subscribers located in the
area managed by the MSC.
o It’s contains selected information from the HLR that enables the selected
services for the individual subscriber to be provided
o It’s contains temporary information about subscribers that is needed by
the MSC in order to service visiting subscribers.
o When a mobile station roams into a new MSC area
 VLR connected to that MSC will request data about the mobile station
from the HLR.
o If the mobile station makes a call,
 VLR will have the information needed for call setup without having to
interrogate the HLR each time.
o The VLR can be implemented as a separate entity
o The VLR is always integrated with the MSC.
o In this way access is made faster and more convenient.
 Equipment Identity Register (EIR)
o The EIR is the entity that decides whether given mobile equipment may be
allowed onto the network.
o EIR is a database that contains a list of all valid mobile equipment on the
network.
o Mobile equipment has a number known as the International Mobile
Equipment Identity (IMEI).
o An IMEI is marked as invalid if it has been reported stolen or is not type
approved.
o An IMEI is installed in the equipment and is checked by the network
during registration.
o Dependent upon the information held in the EIR, the mobile may be
allocated one of three states:
 Allowed onto the network
 Barred access
 Monitored in case its problems.

 Authentication Centre (AuC)
o it's the subscribers’ authentication centre for GSM network

o It is used for authentication and for ciphering on the radio channel.
o it’s a protected database that stores a copy of the secret key stored in each
subscriber's SIM card
o It’s protects network operators from different types of fraud found in
today's cellular world.
 Gateway Mobile Switching Centre (GMSC)
o The GMSC is the point to which a ME terminating call is initially routed,

without any knowledge of the MS's location.
o The GMSC is thus in charge of obtaining the MSRN (Mobile Station
Roaming Number) from the HLR based on the MSISDN (Mobile Station
ISDN number, the "directory number" of a MS) and routing the call to the
correct visited MSC.
o The "MSC" part of the term GMSC is misleading, since the gateway
operation does not require any linking to an MSC.
 SMS Gateway (SMS-G)
o The SMS-G or SMS gateway is the term that is used to collectively

describe the two Short Message Services Gateways defined in the GSM
standards.
o The two gateways handle messages directed in different directions. The
SMS-GMSC (Short Message Service Gateway Mobile Switching Centre)
is for short messages being sent to an ME.
o The SMS-IWMSC (Short Message Service Inter-Working Mobile
Switching Centre) is used for short messages originated with a mobile on
that network.
o The SMS-GMSC role is similar to that of the GMSC, whereas the SMS-
IWMSC provides a fixed access point to the Short Message Service
Centre.
3.1.2 Explain the security problem with GSM
 Unilateral authentication and vulnerability to the man-in-the-middle attack
o User does not authenticate network so the attacker can use a false BTS with
the same mobile network code as subscriber’s legitimate network to
impersonate himself and perform a man-in-the-middle attack.
o Attacker performs several scenarios to modify or fabricate the exchanged data.
Copyright @2018 JUSRORIZAL FADLY JUSOH 10 | P a g e

 Flaws in implementation of A3/A8 algorithms
o GSM architecture allows operator to choose any algorithm for A3 and A8

consequences many operators used COMP128 or COMP128-1 that was
secretly developed by the GSM association.
o Comp128 structure by reverse engineering finds some revealed
documentations and many security flaws.
o COMP128-2 is new algorithm for the A3/A8 was also secretly designed and
inherited the problem of decreased keyspace.
o COM128-3 is proposed that generates 64 bits of session key and resolves the
problem of decreased keys pace.
 SIM card cloning
o The attacker can then clone the SIM and use it for his fraudulent purposes.
o In April 1998, the Smartcard Developer Association (SDA) and the ISAAC
research group could find an important vulnerability in the COMP128
algorithm that helped them to extract Ki in eight hours by sending many
challenges to the SIM.
o Partitioning attack proposed by IBM researchers found capable of extracting
Ki just for one minute [9].
 Over-the-air cracking
o It is feasible to misuse the vulnerability of COMP128 for extracting the Ki of

the target user without any physical access to the SIM.
o The GSM network allows only one SIM to access to the network at any given
time.
o If the attacker and the victim subscriber try to access from different locations,
the network will realize existence of duplicated cards and disables the affected
account.
 Flaws in cryptographic algorithms
o Both A5/1 and A5/2 algorithms were developed in secret.

o An efficient attack to A5/1 can be used for a real-time cryptanalysis on a
PC.[10]
o An efficient attack to A5/2 requires less than one second of encrypted
conversation to extract the ciphering key in less than one second on a PC [11].

 Short range of protection
o There is not any protection over other parts of network and the information is
clearly sent over the fixed parts because the encryption is only accomplished
over the airway path between MS and BTS.
o Encryption facility of the air interface is not activated at all in some countries.
o Remote management of the GSM backbone Components that can be
conducted by connecting them to the IP networks can also introduce additional
vulnerabilities
 Lack of user visibility
o The user is not alerted when the ciphering mode is deactivated because the
ciphering is controlled by the BTS.
o A false BTS can also deactivate the ciphering mode and force MS to send data
in an unencrypted manner.
 Leaking the user anonymity
o This can be misused to fail the user's anonymity and can be accomplished by
sending an IDENTITY REQUEST command from a false BTS to the MS of
the target user to find the corresponding IMSI.
 Vulnerability to the DoS attack
o A single attacker is capable of disabling an entire GSM cell via a Denial of

Service (DoS) attack.
o The attacker can send the CHANNEL REQUEST message to the BSC for
several times but he/she does not complete the protocol and requests another
signalling channel.
 Absence of integrity protection
o The GSM security architecture considers authentication and confidentiality

o There is no provision for any integrity protection of information [2].
o The recipient cannot verify that a certain message was not tampered with.
 Vulnerability to replay attacks
o The attacker can misuse the previously exchanged messages between the
subscriber and network in order to perform the replay attacks.
 Increased redundancy due to the coding preference
o The Forward Error Correcting (FEC) is performed prior to the ciphering so

there is a redundancy that increases the security vulnerabilities of deployed
cryptographic algorithms.

3.1.3 Identify the treats:

a. Confidentiality
b. Integrity
c. Availability
a. Confidentiality
Human Espionage
Impersonation
Improper Disposal of Sensitive Media
Inadvertent Acts or Carelessness
Omissions
Scavenging
Shoulder Surfing
Theft, Sabotage, Vandalism, or Physical Intrusion
User Abuse or Fraud
Technical Compromising Emanations
Corruption by System, System Errors, or Failures
Data/System Contamination
Eavesdropping
Insertion of Malicious Code, Software, or Database
Modification
Installation Errors
Intrusion or Unauthorized Access to System Resources
Misrepresentation of Identity / Impersonation
Misuse of Known Software Weaknesses
Takeover of Authorized Session
Environmental None
Natural None
b. Integrity
Human Data Entry Errors or Omissions
Omissions
Terrorism
Theft, Sabotage, Vandalism, or Physical Intrusions
User Abuse or Fraud
Technical Corruption by System, System Errors, or Failures
Data / System Contamination
Modification
Installation Errors
Hardware / Equipment Failure
Saturation of Communications or Resources
System and Application Errors, Failures, and Intrusions not
Properly Audited and Logged
Tampering
Environmental Electromagnetic Interference
Environmental Conditions
Natural None
c. Availability
Human Arson
Espionage
Labour Unrest
Omissions
Procedural Violation
Riot / Civil Disorder
Terrorism
Theft, Sabotage, Vandalism, or Physical Intrusions
User Abuse or Fraud
Technical Corruption by System, System Errors, or Failures
Data / System Contamination
Hardware / Equipment Failure
Modification
Installation Errors
Jamming (telecom)
Saturation of Communications or Resources
System and Application Errors, Failures, and Intrusions not
Properly Audited and Logged
Tampering
Environmental Electromagnetic Interference
Environmental Conditions
Hazardous Material Accident
Physical Cable Cuts
Power Fluctuation
Natural Natural Disaster
Secondary Disaster

Correlation of Threats to Categories

C = confidentiality I = integrity A = availability
Threat Area Environmental Human Natural Technical
/ Physical
Arson A
Compromising Emanations C
Corruption by System, System CIA
Errors, or Failures
Data / System Contamination CIA
Data Entry Errors or Omissions I
Eavesdropping C
Electromagnetic Interference IA
Environmental Conditions IA
Espionage CA
Hardware / Equipment Failure IA
Hazardous Material Accident A
Impersonation C
Improper Disposal of Sensitive C
Media
Inadvertent Acts or Carelessness CIA
Insertion of Malicious Code, CIA
Software, or Database Modification
Installation Errors CIA
Intrusion or Unauthorized Access to CIA
System Resources
Jamming (telecomm) A
Labour Unrest A
Misrepresentation of Identity CIA
Misuse of Known Software CIA
Weaknesses
Natural Disaster A
Omissions CIA
Physical Cable Cuts A
Power Fluctuation A
Procedural Violation A
Riot / Civil Disorder A
Saturation of Communications or IA
Resources
Scavenging C
Secondary Disasters A
Shoulder Surfing C
System and Application Errors, IA
Failures, and Intrusions not Properly
Audited and Logged
Takeover of Authorized Session C
Tampering IA
Terrorism IA
Theft, Sabotage, Vandalism, or CIA
Physical Intrusions
User Abuse or Fraud CIA
Table 3-1: Correlation of Threats to Categories

3.1.4 Describe Malicious Software in mobile computing
o Commonly known as malware

o Malware is refers to a variety of malicious programs.
o The most common types of malware; adware, bots, bugs, rootkits, spyware, trojan
horses, viruses, and worms.
o It’s can be used to compromise computer functions, steal data, bypass access
controls, delete documents or add software not approved by a user, or otherwise
cause harm to the host computer.
o Adware
o Short for advertising-supported software

o A type of malware that automatically delivers advertisements.
o Common examples of adware include pop-up ads on websites and
advertisements that are displayed by software.
o Frequently the software and applications offer “free” versions that come
bundled with adware.
o Most adware is sponsored or authored by advertisers and serves as a revenue
generating tool.
o While some adware is solely designed to deliver advertisements,
 It is not uncommon for adware to come bundled with spyware that is
capable of tracking user activity and stealing information.
 Due to the added capabilities of spyware, adware/spyware bundles are
significantly more dangerous than adware on its own.
 Bot
o Software programs created to automatically perform specific operations.

o While some bots are created for relatively harmless purposes such as video
gaming, internet auctions, online contests, etc.
o It is becoming increasingly common to see bots being used maliciously.
o It can be used in botnets (collections of computers to be controlled by third
parties) for DDoS attacks,
 as spambots that render advertisements on websites,
 as web spiders that scrape server data,
 for distributing malware disguised as popular search items on download
sites.
o Websites can guard against bots with CAPTCHA tests that verify users as
human.
 Bug
o A flaw produces an undesired outcome in software’s.

o A flaw is the result of human error and typically exists in the source code or
compilers of a program.
o Minor bugs only slightly affect a program’s behaviour and as a result can go
for long periods of time before being discovered.
o More significant bugs can cause crashing or freezing.
o Security bugs are the most severe type of bugs and can allow attackers to
bypass user authentication, override access privileges, or steal data.

o Bugs can be prevented with developer education, quality control and code
analysis tools.
o Ransomware
o A form of malware that essentially holds a computer system captive while

demanding a ransom.
o The malware restricts user access to the computer either by encrypting files on
the hard drive or locking down the system.
o Displaying messages that are intended to force the user to pay the malware
creator to remove the restrictions and regain access to their computer.
o Typically spreads like a normal computer worm ending up on a computer via a
downloaded file or through some other vulnerability in a network service.
 Rootkit
o A type of malicious software designed to remotely access or controls a

computer without being detected by users or security programs.
o Once a rootkit has been installed it is possible for the malicious party behind
the rootkit to
 Remotely execute files,
 Access or steal information,
 Modify system configurations,
 Alter software especially any security software that could detect the
rootkit,
 Install concealed malware, or control the computer as part of a botnet.
o Rootkit prevention, detection, and removal can be difficult due to their
stealthy operation.
o Because a rootkit continually hides its presence, typical security products are
not effective in detecting and removing rootkits.
o As a result, rootkit detection relies on manual methods such as monitoring
computer behaviour for irregular activity, signature scanning, and storage
dump analysis.
o Organizations and users can protect themselves from rootkits by regularly
patching vulnerabilities in software, applications, and operating systems,
updating virus definitions, avoiding suspicious downloads, and performing
static analysis scans.
 Spyware
o It’s spying on user activity without their knowledge.
o These spying capabilities can include activity monitoring, collecting
keystrokes, data harvesting like account information, logins, financial data and
more.
o Often has additional capabilities as well, ranging from modifying security
settings of software or browsers to interfering with network connections.
o Spreads by exploiting software vulnerabilities, bundling itself with legitimate
software or in Trojans.

 Trojan horse
o Commonly known as a “Trojan”

o A type of malware that disguises itself as a normal file or program to trick
users into downloading and installing malware.
o A Trojan can give a malicious party remote access to an infected computer.
o It is possible for the attacker to steal data, install more malware, modify files,
monitor user activity, use the computer in botnets, and anonymous internet
activity by the attacker.
o Virus
o It’s capable of copying itself and spreading to other computers.

o Spread to other computers by attaching themselves to various programs and
executing code when a user launches one of those infected programs.
o Viruses rely on human activity to spread such as running a program, opening a
file, etc.
o Also spread through script files, documents, and cross-site scripting
vulnerabilities in web apps.
o Can be used to steal information, harm host computers and networks, create
botnets, steal money, render advertisements, and more.
 Worm
o Can be classified as a type of computer virus

o It’s ability to self-replicate and spread independently
o Spread over computer networks by exploiting operating system
vulnerabilities.
o Often spread by sending mass emails with infected attachments to users’
contacts.
o Cause harm to their host networks by consuming bandwidth and overloading
web servers.
o Also contain “payloads” that damage host computers.
o Payloads are pieces of code written to perform actions on affected
computers beyond simply spreading the worm.
o Payloads are commonly designed to steal data, delete files, or create
botnets.
o Spam
o The electronic sending of mass unsolicited messages.

 The most common medium for spam is email
 The uncommon medium are use instant messages, texting, blogs, web
forums, search engines, and social media.
o While spam is not actually a type of malware,
 It is very common for malware to spread through spamming.
 When computers that are infected with viruses, worms, or other malware
are used to distribute spam messages containing more malware.
 Users can prevent getting spammed by avoiding unfamiliar emails and
keeping their email addresses as private as possible.

o Malware Symptoms
o Computers that are infected with malware can exhibit any of the following
symptoms:
 Increased CPU usage
 Slow computer or web browser speeds
 Problems connecting to networks
 Freezing or crashing
 Modified or deleted files
 Strange computer behaviour
 Appearance of strange files, programs, or desktop icons
 Programs running, turning off, or reconfiguring themselves
 Emails/messages being sent automatically and without user’s knowledge
 Malware Prevention and Removal
o These recommendations will greatly increase a user’s protection from a wide

range of malware:
o Install and run anti-malware and firewall software.
 When selecting software, choose a program that offers tools for
detecting, quarantining, and removing multiple types of malware.
 At the minimum, anti-malware software should protect against viruses,
spyware, adware, Trojans, and worms.
 The combination of anti-malware software and a firewall will ensure
that all incoming and existing data gets scanned for malware and that
malware can be safely removed once detected.
o Keep software and operating systems up to date with current vulnerability

patches.
 These patches are often released to patch bugs or other security flaws
that could be exploited by attackers.
 Be aware when downloading files, programs, attachments, etc.
 Downloads that seem strange or are from an unfamiliar source often
contain malware.
o Some malware cases require special prevention and treatment methods

3.2 Understand mobile risk ecosystem
3.2.1 Identify mobile ecosystem:

o Scale
o Perceived Insecurity
o Scale
o Statistics about the scale of the mobile phenomenon.

o Example stats from the mobile marketing site mobithinking.com:
 >300,000 Mobile apps developed in three years (2007–2010)
 $1 billion Mobile startup Instagram’s value within 18 months
 1.1 billion Mobile banking (m-banking) customers by 2015
 1.2 billion Mobile broadband users in 2011
 1.7 billion Devices shipped in 2012 (an increase of 1.2 percent over 2011)
 6 billion Mobile subscriptions worldwide (China and India account for 30
per cent)
 $35 billion Estimated value of app downloads in 2014
 76.9 billion Estimated number of app downloads in 2014
 $1 trillion Mobile payments (m-payments) estimated in 2015
 8 trillion Estimated number of SMS messages sent in 2011
o Perceived Insecurity
o As with the Internet, security seems to have been an afterthought.

o Every day you are probably bombarded with information that overwhelms and
frightens you.
o Here are some examples Insecurity of Mobile Devices
 McAfee’s quarterly Threats Report indicated that mobile malware
exploded 1,200 per cent in the first quarter of 2012 over the last, or fourth,
quarter of 2011.
 Trend Micro predicted 60 per cent month-on-month malware growth on
Android in 2012.
 IBM X-Force predicted that in 2011 “exploits targeting vulnerabilities that
affect mobile operating systems will more than double from 2010.
 Apple’s iOS had a greater than six fold increase in “Code Execution”
vulnerabilities, as tracked by CVE number, from 2011 to September 2012
( nearly 85 per cent of the 2012 vulnerabilities were related to the Web Kit
open source web browser engine used by Apple Safari browser)

3.2.2 Describe Mobile Risk Model
 Understanding the risk model means asking the question about:
o Identify stakeholders
o Enumerate assets
o Find relevant risks
Figure 3- 8: Security in Development Lifecycle
Identify stakeholders
 Mobile network operators (MNOs, aka carriers, Telco’s and the #$%&*
companies who drop our calls all the time)
 Device manufacturers (aka OEMs , hardware manufacturers and so on)
 Mobile operating system (OS) vendors like Apple and Google
 Application Store curators ( for example, Apple, Google, Amazon and so on)
 Organizational IT (for example, corporate security’s mobile device management
software
 Mobile application developers
 End users
Enumerate assets
 OS manufacturer values phone as a source of revenue

o Threats include
 Apps that may crash the OS
 Users who may jailbreak the phone
 Users value their privacy
o Threats include
 The OS which may send data back to the carrier for "statistical
purposes"
 Apps preloaded by the MNO which might send data out
Find relevant risks
 What risks are relevant to these assets from each stakeholder’s perspective?
 Special Risks
o Mobile devices are connected to many networks
 Often insecure or unknown ones
o Mobile devices are used for personal, private purposes
 Banking, selfies, SMS messages, phone calls
3.2.3 Explain Simplified Risk Model
Figure 3-9: A simplified mobile risk model, highlighting key areas of risk, each
containing discrete mobile risks.
a. Physical risks
 Risk Area #1 in Figure 3-9

 Attacker with physical access to the device can overcome almost any security
barrier
 Rooting/Jail breaking continues to be popular
 Neither Apple nor Google can’t stop it
 No information stored physically is secure from physical attack
 In Figure 1-3, we represent this risk as #4, next to the “Baseband” stack of
radio chip hardware and firmware, driving everything from cellular network
connectivity to Wi-Fi to Bluetooth, GPS, Near Field Communication (NFC),
and so on.

b. Service risks
 More problems on the server side.
o For example, On a recent long-term consulting engagement
 65 percent of bugs were service-side.
 25 percent on the mobile client.
o Most of the code or logic is on the server side.
o Generic service-side risk as #8 in Figure 1-3.
 Other Service risk is customer support.
o Hackers use support services vulnerabilities to get valuable stuff
o Customer self-help password reset vulnerabilities
 If you make a mistake here the consequences can have a huge impact.
 Imagine a flaw that allowed anonymous attackers to reset account
passwords via the self-help web portal
o About 12 percent of bugs were in support-related components.
o We’ve numbered this risk #9 in Figure 1-3, customer support agent.
c. App risks

 Apps are the primary attack surface for mobile client or devices
 Mirrors the evolutions of security on other platforms like desktop PC
 Attackers focus on the network and migrated to the OS (Microsoft windows)
 Larger numbers of published exploits in desktop applications, like web
browsers, Adobe Acrobat, and Microsoft Office
 Major security issues:
a. Fragmentation
b. Sensitive information leakage
c. Secure on-device storage
d. Weak authentication
e. Failure to properly implement specs
f. BYOD
 Should you allow Google Maps to track your location?
 Do you want Cisco’s WebEx mobile app to load when you click a link in a
calendar invite?
 Should you click the link in that SMS from AT&T telling you your mobile bill
is ready?

 Fragmentation
o Updates are essential for security
o Very big problem for Android
Figure 3-10: Fragmentation
 Sensitive Information Leakage
o Real issues found in mobile devices

o Authentication Pins to Google system logs in debug builds
o Session identifiers and credentials cached in Web View
o Inappropriate data stored in local SQLite databases
o iOS application snapshots recording screens with sensitive data when the app
is suspended
o Sensitive credentials like application PINs being logged to the iOS keyboard
cache
 Secure On-Device Storage
o All data on a mobile device is at risk

o Balance value of data with the risk
o Poor software has stored
 Hard-coded passwords
 AES encryption keys
 Weak Authentication
o Falsely assume that tokens on the mobile device are secret

 Mobile Device Number (MDN)
 Allowed password resets without a security question
o Popular authentication standards – OAuth – SAML
 Failure to Properly Implement Specs
o Using clear text username and password in a "WS-Security" header.

o Leaving debug mode on in production systems
 SSL certificate validation disabled
o Fast development leads to insecure code

o Speed to market is valued more highly than security
 BYOD
o Bring Your Own Device to work
o Recommendation
 Keep sensitive data on servers
 Only put non-sensitive data on mobile devices
3.2.4 Illustrate attack surface specific to mobile device
Figure 3-11 Surface Attack specific to mobile device
 Physical theft
o Access to the user interface, physical storage,

o IO Bus, and radios
 App publication
o Trojan horse or other malware

o Access to OS resources
o Interprocess communication
o Phone may be jail broken/rooted
o App permissions may be weak
o User may allow excessive permissions

3.3 Understand Mobile Hacking
3.3.1 Identify basic cellular network functionality
a. Interoperability
b. Voice Calls
c. The Control Channels
d. Location Update
e. Voice Mailboxes
f. Short Message Service
a. Interoperability
 Different carriers and connection methods can connect to one another

smoothly
 A GSM phone can text or call a CDMA phone
 Don’t have to waste time decoding radio transmissions
 All technical details are abstracted by the mobile network operators (MNOs).
 Security types focus mainly on the endpoints to be attacked and defended
 Attackers don’t have to worry about the technology in use to connect the cell
phones, or “mobile terminals,” to the cell towers.
 Originally cellular networks support
a. Voice communication services

b. Short Text Messages Services
 All major cellular networks support
a. Voice Calls
b. Voice Mail (VM)
c. Short Message Service (SMS)
d. Location-based Services (LBS)
e. Internet Access (IP Connectivity)
 Most also support
a. Binary configuration messages

b. Multimedia messages (MMS)
c. Multimedia Application (video Call)
d. Faxing (FAX)

Figure 3-12: Service overview of a GSM cellular network
b. Voice Calls
 Time Division Multiplexing (TDM)

o Tried-and-true method for dividing radio capacity among many devices
 Time Division Multiple Access (TDMA)
o Each device gets time slots
o Very successful for slow and medium bit rates
o Devices 1, 2, and 3 might get these time slots
D1 D2 D3 D1 D2 D3
S1 S2 S3 S1 S2 S3
o A slot is more or less a time which a device is allowed to broadcast.
o Example if all devices start at the same time
 See radio traffic from device 1 for a certain amount of time, then
radio traffic from device 2, then radio traffic from device 3, and so
on.
 This ordering allows for an orderly sharing of the available radio
capacity among all participating devices.
 TDMA systems have been around for quite some time and have
been hugely successful at slow and medium bit rates.
 Each device has a particular timeslot in which it is allowed to
“speak.”
 This timeslot is essentially handed down from a controller
 Let’s call that controller the BSC
 Then listens for each device’s broadcast in each device’s
assigned timeslot.

c. The Control Channels
 Channels can be broken into two main categories:
o Mobile signalling and control,

o Traffic channels.
 Traffic channels
o Carry voice data
 Control channels
o Manage mobile device’s association, usage, handoff, and disconnection

from cellular network
 Cell phone jammer
o A loud, badly tuned transmitter

o Easy to build
o Illegal
 The Broadcast Control Channel
o When a device first turns on, it listens on standard frequencies

o These various frequencies generally correspond to channels
o Allocated to the device based on its radio capabilities and geographic
origin.
o First thing it hears will be BCCH (Broadcast Control Channel)
 Allows the device to synchronize and understand which network it is
attaching to
 Along with features of the network the BTS (Base Transceiver Station)
is serving such as neighbouring cell identities and channel information.
 The mobile device then knows how to access the Random Access Channel
(RACH)
o The first step in a GSM handshake between a mobile device and a BTS
o How the mobile asks for information associated a particular cell
o Mobile sends a cannel request via the RACH
o BTS tries to service the request
 Standalone Dedicated Control Channel (SDDCH) & Access Granted

Channel (AGCH)
o If the BTS has slots available, it assigns a control channel, called the
Standalone Dedicated Control Channel (SDDCH) to the mobile device
o The BTS tells the mobile about this assignment via the Access Granted
Channel (AGCH)
o Once the mobile has received a SDCCH, it's a member of the network and
can request a location update
Figure 3.13: GSM logical control channel layout
d. Location Update
 Mobile device is telling the GSM network which area it's in

 Requires mobile device authentication with the network
 Complete process about a second or more depending on load the cell and radio
quality
 Informs the Home Location Register (HLR)
o Database of subscriber information

o Of the mobile's geographic area
 Hence, which Mobile Switching Centre (MSC) a device is located
within
 Sleep
o Once a mobile device has performed a location update

o The BSC tells the mobile to go to sleep
 By deallocating the SDCCH
 It assigned only a few short seconds ago
o This maximizes reuse and capacity in dense cells
 Ensure everyone gets a decent quality of service.
 Voice Mailboxes
o Trivial hack: default password

 Enough to make a world of trouble for Rupert Murdoch
o Many carriers use IP-based voicemail
 Using IMAP servers (originally designed for email)

 Short Message Service
o Sent via control channel

o An SMS flood could DoS voice service for a whole city from a single
attacking device
Figure 3-14: SMS
 SMS Channels
o SMS messages are delivered over either

o SDCCH when a user is not on a call
o or the Slow Associated Control Channel (SACCH) if the user is talking at
the time
o Reasonably achievable SMS floods wouldn't stop voice calls in practice
 SMS Service Center (SMSC)
o SMSCs carry most of the SMS messages when SMS message storm
happens
o It's the hardest working piece of equipment in modern cellular provider
networks
 Other Uses for SMS Messages
o Java implemented per-application messaging using

o Java Mobile Information Device Profile (MIDP) and Connected Limited
Device Configuration (CLDC), which use a
o User Data Header (UDH) specifying a port to send the message to
o Ports are not UDP or TCP ports, but similar
o SMS is used not just between users
 Other SMS Messages
o But between network Components, like configuration servers

o For peer-to-peer Java apps
o UDH features
 Changing reply to phone number (UDH 22)
 Message concatenation (UDH 08)
 Message indicator settings – video, voice, text, email fax (UDH 01)
 Ported SMS message (UDH 05)

 SMS Lacks Security Controls
o SMS messages have

 No authentication
 No integrity checking
 No confidentiality
o So apps shouldn't trust what they get too much
 SMS Origin Spoofing
o iOS displays the number in the "reply-to" field in the SMS header as the
origin of an SMS message
 Instead of the actual origin number
o So it's easy to send SMS messages that appear to come from someone else
 Fake SMS Messages
o On Android, a malicious app can fool your device into displaying a fake
SMS message
3.3.2 Explain attacks and countermeasure in mobile hacking:
a. Voice mail
 Mobile Network Operators (MNOs) often configure voicemail accounts

insecurely
o No authentication required if the user's own phone is used to fetch the
messages
 With a PBX sever like Asterisk, anyone can easily spoof any caller ID value
 All they need is your phone number
 Internet Spoofing Services
Figure 3- 15: internet spoofing services
 Countermeasures for Mobile Voicemail Hacks
o Set a voicemail password

o Configure access so that entering the password is required from all phones,
including yours

b. Rogue mobile device attack
 An evil phone could attack the mobile network (theoretical attack only)
 Phone OS is not hard to understand, basically
o iOS is BSD
o Android is Linux
 A modified phone could jam or modify broadcast signals from a BTS
o But it would only affect a small area
 Rogue Mobile Device Countermeasures
 The cellular network is carved up into many small parts
 Radio earshot is only a few hundred yards in a city, or a few miles on flat
terrain
 Just a normal radio jammer would be more effective
c. Rogue station attack
 Until recently, carriers assumed that attackers lacked the skill to build a base
station, so
 Network required authentication from the phone, but
 Phone didn't require authentication from the network
 So it was simple to emulate a cellular network
 Attacking in the 1990s
 A cellular phone can simply “join up” with another cellular provider’s
network.
 Cellular phone are generally promiscuous when it comes to joining networks

(how else would roaming be so easy?)
 Cellular networks are defined by a simple three- digit number and a three-digit
country code as show in table 3-2.
Table 3-2 GSM Network MCC/MNC Chart

(Source: Wikipedia, en.wikipedia.org/wiki/Mobile_Country_Code_(MCC))

 Base Station Hardware
o A normal cell phone could act as a base station with only a software
change
o A phone in "engineering mode" could sniff radio traffic on all bands at the
same time
o Packets can be logged via RS232
o You get voice and SMS traffic
o Flash phone via USB cable
 Legal Warning
o This was all fantastically illegal, of course

o Wiretapping laws are scary
o We will be careful in this class only to capture our own phone signals
 Hacking in 2002
o Rhode & Schwartz sold test gear for SMS networks, including BTS
emulation
o Cost was six figures
Figure 3-16: A simple GSM spoofing setup
 Rogue Base Station Countermeasures
o It's up to the carriers to authenticate their networks

o There's nothing an end-user can do
d. Rogue Femtocell attack
o OpenBTS: free software that can be used to make a fake base station for about
$1500 in 2009
o Femtocells are even simpler
Figure 3-17: Rogue femtocell spoofi ng setup
 Femtocell
o A tiny box with connectors for antenna, power, and Ethernet

o Generic Linux distribution running several specialized apps
o Loads a couple of drivers
o Includes some simple radios
 Femtocell Functions
o Control signaling
o Call setup and teardown and SMS messaging
o Converting normal voice calls into real-time protocol streams
o Associated SIP setup
o Backhaul link uses IPsec connections to special security gateways on the
mobile network operator side
 Information Disclosure
o Femtocells receive raw secrets used to authenticate devices from carriers

o They are encrypted in transit with IPsec, but they are present in the
femtocell's software and hardware
o Hacking AT&T Femtocell
o Hacking a Vodaphone Femtocell

 Femtocell Membership
o Carriers could limit membership to a few cell phones for a single femtocell
o But why not let everyone in? That expands their coverage for free!
o But it also means customers are using untrustworthy devices and they have
no way to know that
 Countermeasures for Rogue Femtocells
o Femtocells should be more limited in function

o Networks need to authenticate themselves to the handsets reliably
o SIP and IPsec allow for strong authentication
o We just need new standards that use them
3.4 Understand mobile phone security and forensics
3.4.1 Identify mobile phone security

Mobile Phone security
a. Record IMEI number
 Record the unique 15 digit IMEI number.
 If your mobile phone is stolen or lost,
 It is required for registering complaint at Police station
 It use track your mobile phone through service provider.
b. Enable Device locking
 Use auto lock to
 Automatically lock the phone
 Keypad lock protected
 Done by passcode or security patterns
 Restrict access to your mobile phone.
c. Use a PIN to lock SIM card

*PIN(Personal Identification Number)
*SIM (Subscriber Identity Module)
 Use a PIN for SIM card
 Prevent people from making use of it when stolen.
 Each time phone starts it will prompt to enter SIM PIN.
d. Report lost or stolen devices
 Report lost or stolen devices immediately to
o Nearest Police Station.
o Service provider.
e. Use mobile tracking feature.
 Use the feature of Mobile Tracking which could help if the mobile phone is lost
or stolen.
 Every time a new SIM card is inserted in the mobile phone,
 It would automatically send messages to two preselected phone numbers of
your choice
 Can track your mobile device.

f. Backup data regularly

 Backup data regularly and Set up your phone
 It will backs up your data when you sync it.
 Also back up data on a separate memory card.
 This can be done by using the Vendor’s document backup procedure.
g. Reset to factory settings

 Make sure to reset to factory settings
 When a phone is permanently given to another user
 Personal data in the phone is wiped out.
h. Bluetooth
 Use Bluetooth in hidden mode
 If the device is using Bluetooth it is not visible to others.
 Change the name of the device to a different name
 Avoid recognition of your Mobile phone model.
 Put a password while pairing with other devices
 The devices with the same password can connect to your computer
 Disable Bluetooth when it is not actively transmitting information.
 Use Bluetooth with temporary time limit after which it automatically disables so
that the device is not available continuously for others.
i. Mobile as USB
 When a mobile phone is connected to a personal computer, scan the external
phone memory and memory card using an updated antivirus.
 Take regular backup of your phone and external memory card because if an
event like a system crash or malware penetration occurs, at least your data is
safe.
 Before transferring the data to Mobile from computer, the data should be
scanned with latest Antivirus with all updates.
j. Wi-Fi
 Connect only to the trusted networks.
 Use Wi-Fi only when required. It is advisable to switch off the service when not
in use.
Beware while connecting to public networks, as they may not be secure.
k.  Application and Mobile Operating System
 Update the mobile operating system regularly.
 Upgrade the operating system to its latest version.
 Always install applications from trusted sources.
 Consider installing security software from a reputable provider and update them
regularly.
 It’s always helpful to check the features before downloading an application.
Some applications may use your personal data.
 If you’re downloading an app from a third party, do a little research to make sure
the app is reputable.

3.4.2 Identify mobile device and security risk
1. Physical access
 Mobile devices are small, easily portable and extremely lightweight.

 While their diminutive size makes them ideal travel companions,
 it also makes them easy to steal
 It is leaving behind in airports, airplanes or taxicabs.
 Password or lock is a trivial task for a seasoned attacker
 Encrypted data can be accessed.
 Corporate data found in the device
 Passwords residing in places like the iPhone Keychain,
 Grant access to corporate services such as email and VPN.
 Full removal of data is not possible using
 a device’s built-in factory reset
 Re-flashing the operating system.
 Forensic data retrieval software
 It is available to the general public
 Allows data to be recovered from phones and other mobile devices
 Even after it has been manually deleted or undergone a reset.
2. Malicious Code
 Mobile malware threats are typically socially engineered

 Focus on tricking the user into accepting what the hacker is selling.
 The most prolific include
 Spam,
 Suspicious links on social networking sites
 Rogue applications.
 While mobile users are not yet subject to the same drive-by downloads that PC
users face, mobile ads are increasingly being used as part of many attacks — a
concept known as “malvertising."
 Android devices are the biggest targets, as they are widely used and easy to
develop software for.
 Mobile malware Trojans designed to steal data can operate over either the
mobile phone network or any connected Wi-Fi network.
 They are often sent via SMS (text message); once the user clicks on a link in
the message, the Trojan is delivered by way of an application, where it is then
free to spread to other devices.
 When these applications transmit their information over mobile phone
networks, they present a large information gap that is difficult to overcome in a
corporate environment.
3. Device Attacks
 Attacks targeted at the device itself are similar to the PC attacks of the past.
 Browser-based attacks, buffer overflow exploitations and other attacks are
possible.
 The short message service (SMS) and multimedia message service (MMS)
offered on mobile devices afford additional avenues to hackers.
 Device attacks are typically designed to either gain control of the device and
access data, or to attempt a distributed denial of service (DDoS).
4. Communication Interception
 Wi-Fi-enabled smartphones are susceptible to the same attacks that affect

other Wi-Fi-capable devices.
 The technology to hack into wireless networks is readily available, and much
of it is accessible online, making Wi-Fi hacking and man-in-the-middle
(MITM) attacks easy to perform.
 Cellular data transmission can also be intercepted and decrypted. Hackers can
exploit weaknesses in these Wi-Fi and cellular data protocols to eavesdrop on
data transmission, or to hijack users’ sessions for online services, including
web-based email.
 For companies with workers who use free Wi-Fi hot spot services, the stakes
are high. While losing a personal social networking login may be
inconvenient, people logging on to enterprise systems may be giving hackers
access to an entire corporate database.
5. Insider Threats
 Mobile devices can also facilitate threats from employees and other insiders.
 Humans are the weakest link in any security strategy, and many employees
have neither the knowledge, nor the time to track whether or not their devices
have updated security software installed.
 The downloading of applications can also lead to unintentional threats.
 Most people download applications from app stores and use mobile
applications that can access enterprise assets without any idea of who
developed the application, how good it is, or whether there is a threat vector
through the application right back to the corporate network.
 The misuse of personal cloud services through mobile applications is another
issue
o When used to convey enterprise data, these applications can lead to data
leaks that the organization remains entirely unaware of.
o Not all insider threats are inadvertent; malicious insiders can use a
smartphone to misuse or misappropriate data by downloading large
amounts of corporate information to the device’s secure digital (SD) flash
memory card, or by using the device to transmit data via email services to
external accounts, circumventing even robust monitoring technologies
such as data loss prevention (DLP).
 Mobile security threats will continue to advance as corporate data is accessed

by a seemingly endless pool of devices, and hackers try to cash in on the trend.
 Making sure users fully understand the implications of faulty mobile security
practices and getting them to adhere to best practices can be difficult.
 Many device users remain unaware of threats, and the devices themselves tend
to lack basic tools that are readily available for other platforms, such as anti-
virus, anti-spam, and endpoint firewalls.

3.4.3 Describe Google Android security model
 Android is open security model

 It is open platform mean freeware
 It is less secure compare to close security model such as Apple.
 Custom OS versions for each device manufacturer
 Updates often blocked by MNOs
3.4.4 Describe iOS security model
 Apple is closed security model

 It is closed platform mean not freeware and costly
 It is more secure compare to open security model such as android.
 Code must be signed by Apple to run
 Has Address Space Layout Randomization (ASLR)
 Better code sandbox
 No shell
3.4.5 Describe relevant device security model
Mobile Device Management (MDM)

 Enterprise solutions to centrally administer mobile devices
 Important but immature field
Figure 3-18: Completeness of vission

References
GSM Network Architecture
https://www.radio-
electronics.com/info/cellulartelecomms/gsm_technical/gsm_architecture.php
Gsm Mobile station
https://www.tutorialspoint.com/gsm/gsm_mobile_station.htm
GSM entities
http://www.invocom.et.put.poznan.pl/~invocom/C/TELEP20/en/content/lesson1/summary/su
mmary.html
What is Malicious Software (Malware)? - Definition from Techopedia
https://www.techopedia.com/definition/4015/malicious-software-malware
Common Malware Types: Cybersecurity 101 | Veracode
https://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101
Satyendra Kr PanditGSM And Its Security Weaknesses. January 20,

2016 -Business, development, education, governance, International, Opinion, Top Story.
https://www.wisdomblow.com/?p=6481

Chapter 3 v1 DFP6033

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Chapter 3 v1 DFP6033

Hochgeladen von

Copyright:

Verfügbare Formate

DFP6033 Secure Mobile Computing Version 1 :2018

3.0 MOBILE COMPUTING SECURITY

3.1 Understand CIA Triad in mobile computing

3.1.1 Describe the Global System for Mobile Communication (GSM)

3.1.2 Explain the security problem with GSM

3.1.4 Describe Malicious Software in mobile computing

3.2 Understand mobile risk ecosystem

3.2.1 Identify mobile ecosystem:

3.3 Understand Mobile Hacking

3.3.1 Identify basic cellular network functionality

3.4 Understand mobile phone security and forensics

3.4.1 Identify mobile phone security

Copyright @2018 JUSRORIZAL FADLY JUSOH 1|Page

3.1 Understand CIA Triad in mobile computing

3.1.1 Describe the Global System for Mobile Communication (GSM)

 Launched in the early 1990s

Figure 3-1: GSM Network Architecture Basic Diagram

Copyright @2018 JUSRORIZAL FADLY JUSOH 2|Page

Figure 3-2: GSM Network Architecture Overall Diagram

 The additional components of the GSM architecture comprise of databases and

Figure 3-3: GSM network along with the added components

 The MS and the BSS communicate across the Um interface.

 GSM network areas

o In a GSM network, the following areas are defined:

 Subscriber Identity Module (SIM)

 Mobile Station (MS)

o It is a GSM terminal that has a SIM card

Copyright @2018 JUSRORIZAL FADLY JUSOH 4|Page

o It contains are variety of information including a number known as the

Figure 3-4: GSM Mobile Station and SIM

 Base Station Subsystem (BSS)

o Fundamentally associated with communicating with the mobiles on the

Figure 3-5: GSM BSS

Copyright @2018 JUSRORIZAL FADLY JUSOH 5|Page

 Network Switching Subsystem (NSS)

o Core network NSS is the Mobile Switching Centre (MSC).

 Operation and Support Subsystem (OSS)

o It is connected to components of the NSS and the BSC.

 The operations and maintenance centre (OMC)

o Connected to all equipment in the switching system and to the BSC.

Figure 3-6: OMC System Covers All the GSM Components

Copyright @2018 JUSRORIZAL FADLY JUSOH 6|Page

 Base Transceiver Station (BTS):

o It's composed of a set of radio channel transmitters and receivers.

Figure 3-7: GSM BTS

o A BTS is usually placed in the centre of a cell.

 Base Station Controller (BSC):

o It controls items such as handover within the group of BTSs, allocates

 Mobile Services Switching Centre (MSC)

o It is a router of originated and received calls in the GSM network.

 Home Location Register (HLR)

o A database that contains the subscriber (MS) identities, profile and

 Visitor Location Register (VLR)

o It’s a database is associated to a MSC.

 Equipment Identity Register (EIR)

Copyright @2018 JUSRORIZAL FADLY JUSOH 9|Page

 Authentication Centre (AuC)

o it's the subscribers’ authentication centre for GSM network

 Gateway Mobile Switching Centre (GMSC)

o The GMSC is the point to which a ME terminating call is initially routed,

 SMS Gateway (SMS-G)

o The SMS-G or SMS gateway is the term that is used to collectively

3.1.2 Explain the security problem with GSM

 Unilateral authentication and vulnerability to the man-in-the-middle attack