Exploiting MMS Vulnerabilities to
Stealthily Exhaust Mobile Phone’s
Battery
Radmilo Racic
Denys Ma
Hao Chen
University of California, Davis
Is it only the network?
Assume the network is perfect…
Why target the cell phone?
• Batteries are bottlenecks
• Cellular phones are poorly protected
• Cell phones attackable from the Internet
Why exploit a cellular network?
• Part of our critical infrastructure
• Eggshell security
• Connected to the Internet
Goals
1. Exhaust a cell phone’s battery
2. Attack cell phones stealthily
“Sleep deprivation” attack
Approach:
Prevent a cell phone from sleeping
Procedure:
•
•
Identify victims (utilizing MMS)
Deliver attack (utilizing GPRS)
MMS architecture
Bill
MMS R/S
Wireless Net
MMS R/S
Internet
Wireless Net
George Jr.
George Sr.
MMS vulnerabilities
•
•
•
•
Messages unencrypted
Notifications unauthenticated
Relay server unauthenticated
Cell phone information disclosure
– IP address, platform, OS, etc.
– Exploited to build a hit list
GPRS Overview
• Overlay over GSM
• Connected to the Internet through a gateway
(GGSN)
• Each phone establishes a packet data protocol
(PDP) context before each Internet connection.
• PDP context is a mapping between GPRS and
IP addresses.
GPRS cell phone state machine
Prevent a cell phone from sleeping
1. Activate a PDP context
•
By utilizing MMS notifications
2. Send UDP packets to cell phone
•
•
Just after the READY timer expires
To tax its transceiver
Attack
Attack Server
Victim
(410) 555-1980
Attacker
Attack details
•
•
•
•
Surreptitious to both the user and network
Works on various phones
Works on multiple providers
Requires few resources
– Internet connection
– Less than a 100 lines of python attack code
Minutes
Battery life under attack
180
160
140
120
100
80
60
40
20
0
Normal Use Time
Under Attack Time
156
60
36
7
Nokia 6620
Reduction:
22.3:1
7
Sony T610
8.5:1
2
Motorola v710
18:1
Attack scale
• Send a UDP packet to
– a GSM phone every 3.75s, or
– a CDMA phone every 5s
• Using a home DSL line (384 kbps upload)
can attack simultaneously
– 5625 GSM phones, or
– 7000 CDMA phones
Attack improvements
• TCP ACK attack: force the phone to send as
well as receive data
– Receiver will reply with RST or empty packet
• Packets with maximum sized payload
• Attack effective through NATs and Firewalls
– Because the victim’s cell phone initiates the
connection to the attack server
Sources of vulnerabilities
• MMS allows hit list creation
• MMS allows initiation of a PDP context
• GPRS retains the PDP context
MMS hardening
• Authenticate messages and servers
• Hide information at WAP gateway
• Filter MMS messages
PDP Context Management
• Implement a defense strategy at
GGSN
– GGSN stateful
• PDP context modification
message is
already present
– Transparent to the end user
– NAT-like behavior
Related works
• SMS analysis [Enck et al, CCS05]
– Focuses on SMS
– Attacks the network
• Mobile viruses [Bose et al, yesterday]
– Propagation of worms on cellular networks
• Control channels [Agarwal, NCC04]
– Capacity analysis of shared control channels
Conclusion
• Demonstrated an attack that drains a
phone’s battery up to 22 times faster
• Can attack 5625-7000 phones using a
home DSL line
• Attack is surreptitious
• Attack effective on multiple phones and
networks
• Suggested mitigation strategies
Future work
• Worm deployment strategies targeting
MMS vulnerabilities
• Battery attacks initiated from cell
phones
Thank you
http://zeus.cs.ucdavis.edu/cellSecurity
Results
Battery Life
Phone
Normal (Hr)
Under Attack (Hr)
Reduction Rate
Nokia 6620
156
7
22.3:1
Sony-E
T610
60
7
8.5:1
Motorola
V710
36
2
18:1