Mobile devices are transient. They are always moving around.
Detecting suspicious activity becomes difficult.
Ease of use - As wireless is easy to use, people become familiar
with it and become comfortable and careless with security.
It’s easier to attack.
Wireless Technologies in Use
PAN (Personal Area Network)
WPANs are used in short distances, <10 m.
Connect computers and peripherals
High speed
Bluetooth
Infrared
Line of sight
Short range (0-2m)
LoS makes it easy to think it’s secure, but attackers can detect
reflected light and filter out ambient noise, and gain access to the
data.
Ultrawideband (UWB)
Superfast, wireless.
Doesn’t use any carrier wave.
Superfast pulses in timed sequences over a large continuous
spectrum
ZigBee
Home Area Network
Designed to replace remote controls
Cost effective, low power
Wireless USB
10m range
480 Mbps, upto 1 Gbps in future.
LAN
Wireless Local Area Networks
802.11
AKA Wifi
1-2 Mbps, 2.4 GHz
900 MHz Packet Radio
Cordless, pagers, medical equipment.
Interference sometimes happens
Transports IP based data.
MAN
A Metropolitan Area Network is designed to provide broadband
connectivity to a densely populated area. Could be cities, counties,
campuses. AKA Last Mile Solutions.
Microwave
P2P,LoS
AM Radio
Less cost, Easy to Deploy
High frequency
Free Space Optics
Uses lasers instead of radio frequency
High data rates
Incorporates security of Fiber optic cables
Transmits a LoS laser btw two points.
Ricochet
Wireless ISP network solution for a particular geographic
location
Allows portable clients to move through an area and access
Internet
WiMax
Worldwide Interoperability for Microwave Access, 802.16
2-11 GHz
Long range
High throughput ~70 Mbps
WANs
WANs are intended for communications between mobile and fixed devices
worldwide.
Satellite
Use radio waves just like other wireless technologies. TElevision,
GPS< ISPs, etc.
Cellular
Cellular Digital Packet Data (CDPD)
Uses unused cellular channels to transmit data packets.
Global System for Mobile Comm. (GSM)
Uses narrow band TDMA method to allow 8 simultaneous calls on the
same radio frequency.
3GSM
Will support multimedia, video, and Internet
TDMA
Each cellular channel is divided into 3 time slots to increase amount
of data.
Blackberry
Email, File sharing, Voice and SMS, Calendar, Internet, Attachments,
etc. btw Blackberry users.
Paging
SMS
Wireless Network Security
Threats
Eavesdropping
Someone else can read the transmitted information, even from outside
the building.
Traffic Analysis
Patterns of communication and data flow can be monitored and may
yield information.
Data Tampering
Information can be deleted, or modified via MITM attack.
Masquerading
Attacker can impersonate an authorized user and gain access to
information.
Denial of Service (DoS)
Attacker can jam frequency channels, using hardware blockers or by
sending large amount of requests.
Wireless Client Attacks
Attacker can trick clients into connecting to an unsecured network
and gain access to the data present on the client machine. The
compromised client can now also be used to access the internal network
and the data stored on it.
Other Issues with Wireless
Spread Spectrum isn’t Secure
Spread Spectrum is a modulation technique used to prevent radio
jamming.
In general, spread spectrum has spreading codes,
that can be changed. Without knowing the correct code, it is impossible
to decipher data sent through the spread spectrum.
However, the 802.11 standard publicly describes the spreading codes
so that interoperable 802.11 components can be created. An attacker with
a radio compliant with 802.11 would be able to connect.
SSIDs are not designed as
passwords
SSID - Service Set Identifier.
Were initially used to prevent people from connecting to the access
point (AP) without knowing the SSID.
However, they should not be relied upon as passwords.
Hacker runs Kismet to discover WLANs in the area. He gets its
SSID, channel number and its BSSID (Basic SSID - the Ethernet
Address).
APs can hide their SSIDs, using an option called SSID
Cloaking/SSID Broadcast Disable.
If this is the case, the attacker has to wait for a client to connect
to the AP (the client and the AP will both disclose the SSID). The
attacker can also force an already connected client to reconnect. This
is done by sending a packet to the client, pretending to be from the AP.
The packet tells the client that they have lost their connection with
the AP (You are no longer connected). The
client attempts to reconnect, and exposes the SSID.
The attacker puts his wireless card into Monitor mode. The card
will eavesdrop on the WLAN (even without connecting to it.) He makes the
card monitor the channel on which the target AP is. All the traffic
monitored is saved in a capture file.
WEP uses Initialization Vectors (IVs), which are values used to
start a cryptographic process. When a certain number of weak IVs have
been captured, we can determine the WEP key. 125k packets are needed to
crack 40-bit WEP keys. 200-250k packets for 128-bit WEP keys.
If the WLAN is slow, the hacker will need to accelerate the
attack to capture the right amount of weak IVs. The attacker will inject
already captured WEP frame back into the network. WEP has no replay
protection mechanism.
512 packets injected per second - 10 mins for 40-bit keys, 30 mins
for 128-bit keys.
After sufficient amount of IVs are captured, the attacker runs
AirCrack, which will attempt to crack and return the WEP key. Once the
key is known, the attacker can connect to the AP in the same way a
legitimate client would.
War Driving
People driving around in a car equipped with wireless gear, looking
for unsecured wireless network. Generally they try to look for APs that
are running a certain kind of server behind them, such as important
security servers or financial servers, etc.
Sometimes people just do it harmlessly, for e.g, just checking the
radio environment.
War Chalking
War driving + marking the places with chalk. Different symbols are
used for open, closed, and WEP APs.
War Flying
War driving, but using airplanes,helicopters, etc. instead of cars.
Due to increased range of wireless networks, hundreds of APs can be
found in a short trip.
Security Recommendations vs
Reality
Recommendation
Reality
Turn SSID Broadcasting off
SSIDs can be easily discovered as
described above.
Use static IP Addresses
Static IP addresses can be found easily
using traffic analysis
Turn 128-bit WEP on
WEP can be easily cracked
Change WEP keys
New keys can be cracked easily
Enable MAC Address Filtering
Traffic analysis will yield the
authorized MAC Addresses. WLAN cards can specify their own MAC Address,
so hackers can just claim to be using an authorized one
Utilize shared key auth
WEP keys can be cracked
Use personal firewalls
Hackers may be able to fool you that
they are a trusted system
Use SSH/HTTPs
May be vulnerable to MITM sometimes
PDA (Personal Digital
Assistants)
Common attacks:
Copying/Stealing information from the device
Loading malicious code onto the device
Destroying key files or applications on the device
Trojans
A program disguised as another program.
Worms
Programs that duplicate themselves over and over, and steal system
resources in doing so.
Logic Bombs
Programs within programs that perform certain actions based on a
trigger event. PDAs can also be carriers of such programs instead of the
target.
Theft of the Device
Data Theft
Data can be easily copied from a PDA/Blackberry to a flash card
within minutes.
Mobile Code
S/w transmitted from server to a local device, and then executed.
This code may give the attacker access to the data on the PDA.
Auth Theft
Stealing a PDA may lead to auth information being stolen.
DoS Attacks
Any attack in which an organization is denied access to a resource
can be termed DoS. For PDAs, anything from mobile code to device theft
can be considered DoS.
Session Hijacking
A TCP session can be taken over by an attacker. TCP auth only occurs
during the start, so an attacker can find ways to do this.
Providing Security to PDAs
Use AntiVirus - Norton, Symantec, F-Secure, Kaspersky
DB Security and Auth
Faraday Bag - Block all wireless signals to the device
SMS is a store and forward service. The SMS is stored in a server
first, before being forwarded to the receiver. This is necessary in case
the receiver’s mobile phone is out of coverage or switched off when the
SMS is sent.
SMC - Short Message Center. This is where the SMSes
are sent to be stored, before they are forwarded.
SME - Short Message Entity. This is an application
or program that generates an SMS message. It can be a mobile phone, a
computer, or a service network.
GMSC - Gateway Short Message Service (Actual full
form is Gateway Mobile Switching Center)- acts as an interface between
different networks. It uses the HLR (Home location register) to
determine the recipient’s network, and forwards the message there.
Availability Issues
Many attacks try to create a DoS scenario.
They may send thousands of messages to a particular user, using
software or the Internet. If it is an older device, it’s memory will
fill up and it will be unable to accept more messages.
With modern devices, the recipient will have difficulty identifying
which SMSes are real and meant for him, and which are fake.
The attacker may trick the OS/device into blocking actions until the
SMSes are deleted. These messages usually contain special characters or
symbols, long names, or do not follow standard structure for an SMS
message.
Silent DoS is also possible, where the phone works normally but
doesn’t receive any SMS.
Continuous messaging can also drain the battery.
DoS can be done by installing a fake base station, or a jamming
device that makes the user unable to send or receive SMSes.
Sometimes DoS can happen without any attack on the system, for e.g,
on holidays when millions of SMSes are sent together which causes delay
and overload in the system.
Confidentiality Issues
Encryption for SMS/Voice calls are usually done between the phone
and the provider network (if done at all). Once in the network, the data
is unencrypted. Employees of the provider may have access to
it.
An attacker can hack an employee’s mobile phone to gain access to
the network and view other people’s SMSes.
Fake base stations can also be used by attackers to intercept and
read SMSes. The attacker can also forward the SMS to the actual
recipient to avoid any suspicion, using various techniques to hide his
identity (SMS Masquerading)
Even without knowing the content of SMS we can learn about the
user’s habits, such as when they switch their phone off and when they
switch it on. A switched off phone will not receive an SMS, and the SMS
will be marked as delivered only after the phone is switched
on.
Attackers usually send invisible messages for this purpose,
which do not show anything on the screen and don’t show any notification
either.
Mobile operators are sometimes required to share details of SMSes
viewed and sent by a person for law enforcement. Even without operator’s
help, there are ways to view deleted messages from a device.
Integrity Issues
Integrity issues are those relating to an SMS’s content being
changed, or the sender is pretending to be someone else.
SMS Spoofing is when a sender masquerades as
another sender. Using the internet we can send messages in bulk using a
number of our choice. Since this can be abused, operators now ask for
some alphabets to be added in the ID along with digits. To combat this,
fraudsters are using O instead of 0 and I instead of 1. The catalog’s
functionality can also be exploited, as the catalog only matches the
last 4 digits. So, an attacker sending a message using AA5483 will be
matched by a catalog containing an entry for 88885483
Attackers can also connect directly to a messaging center and use
spoofing techniques to hide their identity, and pretend to be someone
else. We can check if the number of the SMS, and the country of the
message center match. For e.g, if the number is from Greece, but the
message center is from Japan, we can figure out something is wrong.
Timestamps can also be used, since message centers timestamp using their
local time. If a message arrives from an Indian number , to an Indian
receiver, with a timestamp of 2 hours before, we can guess that
something is wrong (since it should have the same timestamp as the
current time)
Cipher can be used to change phone settings, such as turning
ciphering indicator on or off.
Special binary messages can also be sent using SMS. They don’t
appear to the user, but go directly to the phone or SIM card. OTA
updates of software were done using this method, but this can also be
exploited by hackers.
Other Security Issues
SMSes that can be modified/deleted later, but stay in the same
memory location. Their initial use was for stuff like news, stocks,
weather, where the SMS’s content would change daily and the user
wouldn’t have to wait for a new SMS to arrive. They can obviously be
misused.
SMSes that show on the screen directly without any warning (flash
SMS), without the user going into messages. These make the user think
these are from the provider and hackers can trick users into calling
certain numbers or paying money, etc.
SMSes can be used to influence outcome of contests or voting
procedures that allow SMS. Bulk messages can be sent for a particular
participant.
SMS Spamming
Spam is unsolicited commercial messages from unknown senders.
Spam is profitable and can be completely anonymous.
Internet sites allowing users to download free ringtones ask for
their phone number, then sell that phone number to spammers.
SMS spam filtering is more difficult than email spam filtering
because SMSes are short so we have less information. ML algorithms such
as Bayesian networks have proven effective.
Techniques of protecting SMSC from spam sometimes use blacklisted
words, which ends up blocking legitimate messages containing those
words. Challenge/response protocols have been suggested.
Many providers allow users to report spam, or stop SMS service
altogether. Some also allow SMS aliases. Only messages sent to the alias
are delivered, those sent to the number aren’t.
A promising scheme is shown below.
Originator’s phone number and the SMSC used are compared. If the
originator sent a message earlier using a different SMSC, the message is
marked as suspicious.
SMSC and originator country is checked and compared.
SenderId is checked. Non-numerical IDs have a greater chance of
being spam.
Timezone is checked. If the sender and receiver country are same,
but the timestamp from SMSC is more than 1 minute ahead, the message is
suspicoius.
Keyword blacklist.
HTTP links are checked.
SMS Protocol is checked (TP-PID). Some SMSes, such as silent SMSes,
which get deleted upon reception. The application notifies the user of
such SMSes, even though it has been deleted.
Mobile Phone Forensics
Crime in Mobile Phones
Communication method for criminal activity
Device theft
Harassment calls
Mobile phones can be used as a detonation mechanism
Telecommunication fraud
Identity theft
Industrial espionage (using data stored on the device, or using the
device as a bug)
Sources of Evidence
We can find evidence on a mobile device in the following places
Phone catalog/contacts
Call history
SMS/MMS
Photographs and videos
Emails
Calendar
Reminders
Browser history
Documents
GPS information
Memos/Reminders/To-do-lists
Data can remain in places even after it has been deleted.
Forensic Procedures
When dealing with digital evidence,
All general forensic principles must be applied.
Actions taken on digital evidence should not change it
Only trained people should be able to access the evidence in its
original form
All activity done on a device, such as seizure,storage, transfer
must be documented.
All processes performed on the device must also be recorded. A third
party must be able to examine these processes.
General Principles
Maintain data integrity
Document and photograph everything on the scene
All actions done on the device or to the device must be documented
and must be available for audit.
The mobile phone’s screen should be photographed as it was
found.
Evidence should not be altered.
Analysts should be trained.
Each evidence holder is responsible for anything that happens to
it.
Procedures should be completed as quickly as possible.
Training and Competence
All involved people should be trained to perform and document
actions.
Different people will need different training. E.g, police officer
needs to know how to properly secure and seize the phone. Analyst needs
to know how to get the data from the phone without changing it.
Involved people should keep themselves updated with latest
technology and research.
Practice with the same kind of device and software first.
Head office must maintain constant communication with analysts and
provide guidance.
Analysis Procedure
We want to know the who, when, where,why. Data is examined,
including application files, timeline is established for events, and
hidden data is also looked for.
We try to avoid any data loss.
First thing to do is to ensure the phone is isolated from the
network.
If the phone is on, memory and SIM card is examined first.
If the phone is off and the owner doesn’t reveal the pincode, we
need to ask for help from the provider.
Each step should be photographed or videoed, even in the case of
automatic data analysis.
If the phone was deactivated, SIM analysis takes place first.
Activating the phone may cause change in data, such as in Location Area
Information file. If we place a different SIM, we may lose data such as
call history.
Preserving data and
isolating from network
Only qualified software should be used.
If the phone is not compatible with specialized software, test the
methods on a test phone first before executing it on the real
device.
New data from the network, such as phone calls, emails, SMSes, etc.
must be avoided. They an also be used to delete or modify the data on
the device. Therefore, we need to isolate the device from the
network.
Best solution is to use a Faraday cage.
Phone should be charged constantly to avoid it turning off. We need
to avoid any signal entering the phone using the charging cable. This is
done by placing a power source inside the Faraday cage
Jammers can also be used instead of Faraday cages.
In modern phones we can also use flight mode.
We can collaborate with the network to disable network access to the
phone. We can also use a special SIM that activates the device but
doesn’t allow network access. This may lead to loss of data such as call
logs.
Identify the phone
Try to identify it visually
Look up different mobile phones’ photographs online
Take out the battery and see the IMEI and MAC address, and identify
using those.
Typing *#06## also reveals the IMEI
User manuals and characteristics of the phone must be studied, so we
know what kind of data loss is possible. Test device is still
recommended,
Use manufacturer’s cables instead of local ones. Connecting via WiFi
and Bluetooth should be avoided as it will write data to the phone’s
memory.
Examine SIM Card and Memory
Get PIN for phone and sim from user. If user doesn’t cooperate,
contact provider.
User should not be allowed to touch the phone
SIM provides access to its data through its own microcontroller,
therefore it cannot be cloned. The analysis has to take place on the
original SIM card.
Hashes are used to check if two sets of files are identical or
not.
The process must be filmed.
Extracting the sim generally involved removing the battery, which
may lead to loss in data. In these cases, the data in the mobile must be
analyzed before the SIM card.
After extraction of data with automated tools, manual extraction
must also be done to find data that the software missed.
Extracted evidence must be verified, such as with the network
operator.
SIM Card
Cannot be cloned
Contains EEPROM memory
SIM is protected by 4 or 6-digit PIN that the user can set. After 3
wrong entries of PIN, the SIM will lock itself. To unlock it, we need a
PUK (Pin Unblocking Key), which is an 8-digit key. After 10 unsuccessful
entries of PUK, the SIM card will become unusable.
PUK and PIN are both initially set by the SIM manufacturer, but the
user can change them.
ADM code is known only to the manufacturer, and it provides complete
access to all data as well as their modification.
Files Present in SIM Card
Files are present in directories and subdirectories, similar to in
computers.
MF stands for Master File and represents the root directory. DF
(Dedicated File) are subdirectories. EF (Elementary File) are the actual
files.
Some files can be read without any authentication. Some need the SIM
PIN. The most important files need the ADM code which only the provider
has.
SIM contains many files such as:
Card’s serial number
List of providers and their names
Default network
Default language
Contacts
Messages
Settings for messages
List of last outgoing calls
Temporary identity (IMSI-TMSI) (International Mobile Subscriber
Identity - Temporary Mobile Subscriber Identity)
Coarse location (Location Area Identifier)
Control Channels (BCCH)
Current Encryption Key (\(K_c\))
Around 100 files are present, but each provider can also add their
own files. Users generally can’t access or delete these files, which
makes them important.
IMSI
International Mobile Subscriber Identity (15-digit number) is used to
uniquely identify the SIM internationally.
It consists of MCC + MNC + MSIN.
MCC - Mobile Country Code (3-digit). MNC - Mobile Network Code
(2-digit , 3-digit for USA and Canada). MSIN is 10 digit (9 in
USA/Canada)
ICCID
Integrated Circuit Card Identifier. It is a unique serial number that
is printed on the plastic wrapping of the card. It identifies the actual
printed circuit.
It consists of :
89 + MCC + MNC + Serial Number
89 is fixed and represents that this circuit (the SIM) is used for
telecommunication.
Location Information
File and BCCH File
LIF (Location Information File) stores the last TMSI and last LAI.
TMSI is a temporary identity that is used for security purposes, so we
don’t transmit the permanent identity of the user again and again.
LAI = MCC + MNC + LAC (Location Area Code)
LAC gives a wide area which can have many phones.
BCCH list stores the current BCCH and its six neighboring channels.
By combining BCCH and LAC information we can get a better idea of where
the phone was.
SMS Storage File
Modern SIMs can store SMS, usually upto 35. The first byte of each
SMS storage slot tells the message’s status.
00000000 - Empty Slot
00000001 - Read incoming message
00000011 - Unread incoming message
00000101 - Outgoing message that has been sent
00000111 - Outgoing message which hasn’t been sent.
If a message is deleted by the user, usually the first byte’s last
bit is changed to 0, which marks the slot as empty. But the actual
content of the slots aren’t changed. So, by reading data directly, we
can sometimes get old messages that the user thinks have been
deleted.
Another file stores SMS Settings, such as the default alphabet,
message center number, etc.
Contact List
SIM Cards can store contacts. Old SIMs stored upto 100, newer ones
offer 250. When a contact is deleted, the slot is filled with binary
“1”, so deleted contacts cannot be recovered. But slots are assigned in
order, so if we find an empty slot between slot 34 and 36, we can assume
there was a contact in slot 35 that has been deleted.
Outgoing Calls
SIMs can store the last 10 dialled numbers. Most manufacturers prefer
to use the phone’s memory of this. SIM doesn’t store incoming calls,
only outgoing.
Deleted information can be recovered from the depths of memory.
Data should be recovered without altering
Memory can be cloned, unlike with SIM
Official and unofficial tools exist for memory cloning.
Issues :
Hard to detect whether there have been changes in memory during our
procedures
During memory dumps, positions of files may change
Searching for information in large memory dumps is difficult and
time consuming
Phones may have encrypted memory
External memory dumps, that use hardware, can be used. In this, the
memory circuits are desoldered from the phone. This ensures no changes
occur while doing memory dump. This is less used because we may damage
the whole memory while performing desoldering.
External memory cards may be present in the device. Extracting data
from these is fairly easy.
Evidence in Operator’s
Network
The SIM card operator may also have evidence in their database.
Call logs
SMS exchanged
HLR keeps data about IMSI, SIM serial number, PIN and PUK code,
etc.
Call Detail Records (CDR) have all information about the numbers
called - date, duration,etc.