Radmilo Racic

1
Exploiting MMS Vulnerabilities to Stealthily
Exhaust Mobile Phones Battery

• Radmilo Racic
• Denys Ma
• Hao Chen
• University of California, Davis

2
Is it only the network?
3
Assume the network is perfect
4
Why target the cell phone?

• Batteries are bottlenecks
• Cellular phones are poorly protected
• Cell phones attackable from the Internet

5
Why exploit a cellular network?

• Part of our critical infrastructure
• Eggshell security
• Connected to the Internet

6
Goals

• Exhaust a cell phones battery
• Attack cell phones stealthily

7
Sleep deprivation attack

• Approach
• Prevent a cell phone from sleeping
• Procedure
• Identify victims (utilizing MMS)
• Deliver attack (utilizing GPRS)

8
MMS architecture
9
MMS vulnerabilities

• Messages unencrypted
• Notifications unauthenticated
• Relay server unauthenticated
• Cell phone information disclosure
• IP address, platform, OS, etc.
• Exploited to build a hit list

10
GPRS Overview

• Overlay over GSM
• Connected to the Internet through a gateway
  (GGSN)
• Each phone establishes a packet data protocol
  (PDP) context before each Internet connection.
• PDP context is a mapping between GPRS and IP
  addresses.

11
GPRS cell phone state machine
12
Prevent a cell phone from sleeping

• Activate a PDP context
• By utilizing MMS notifications
• Send UDP packets to cell phone
• Just after the READY timer expires
• To tax its transceiver

13
Attack
UDP Packets
14
Attack details

• Surreptitious to both the user and network
• Works on various phones
• Works on multiple providers
• Requires few resources
• Internet connection
• Less than a 100 lines of python attack code

15
Battery life under attack
156
60
36
7
7
2
Reduction 22.31 8.51 181
16
Attack scale

• Send a UDP packet to
• a GSM phone every 3.75s, or
• a CDMA phone every 5s
• Using a home DSL line (384 kbps upload) can
  attack simultaneously
• 5625 GSM phones, or
• 7000 CDMA phones

17
Attack improvements

• TCP ACK attack force the phone to send as well
  as receive data
• Receiver will reply with RST or empty packet
• Packets with maximum sized payload
• Attack effective through NATs and Firewalls
• Because the victims cell phone initiates the
  connection to the attack server

18
Sources of vulnerabilities

• MMS allows hit list creation
• MMS allows initiation of a PDP context
• GPRS retains the PDP context

19
MMS hardening

• Authenticate messages and servers
• Hide information at WAP gateway
• Filter MMS messages

20
PDP Context Management

• Implement a defense strategy at GGSN
• GGSN stateful
• PDP context modification message is already
  present
• Transparent to the end user
• NAT-like behavior

21
Related works

• SMS analysis Enck et al, CCS05
• Focuses on SMS
• Attacks the network
• Mobile viruses Bose et al, yesterday
• Propagation of worms on cellular networks
• Control channels Agarwal, NCC04
• Capacity analysis of shared control channels

22
Conclusion

• Demonstrated an attack that drains a phones
  battery up to 22 times faster
• Can attack 5625-7000 phones using a home DSL line
• Attack is surreptitious
• Attack effective on multiple phones and networks
• Suggested mitigation strategies

23
Future work

• Worm deployment strategies targeting MMS
  vulnerabilities
• Battery attacks initiated from cell phones

24
Thank you

• http//zeus.cs.ucdavis.edu/cellSecurity

25
Results
Battery Life
Normal (Hr)
Reduction Rate
Under Attack (Hr)
Phone
22.31
7
156
Nokia 6620
8.51
7
60
Sony-E T610
181
2
36
Motorola V710