International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Threat Evolution in Wireless Telecommunications
Frank Quick
Sr. Vice President, Technology
QUALCOMM Incorporated
Industry Data (Worldwide)
o In 2002, there were
  • 570 million installed PCs (Gartner)
  • 1132 new viruses discovered (Symantec)
  • 105 computer virus infections per 1000 PCs (ICSA Labs)
o In the same year there were
  • 1.1 Billion cellular phone users (Yankee Group)
Today’s Mobile Phone
o 100+ MHz processor
o 10+ Mbytes flash memory
o Medium-bandwidth IP connectivity
o Downloadable applications
  • Have access to user data
  • Can initiate data connections
  • Can send arbitrary IP packets, SMS
Tomorrow’s Mobile Phone
o 1000+ MHz processor(s)
o 100+ Mbytes flash memory
  • More if socket provided
o High-bandwidth IP connectivity
o Broadcast content reception
  • Digital Rights Management
o Downloadable applications
  • Wider range of functions
The Mobile as Computer
o Mobile phones can now do most things a PC can do, therefore:
o Mobile phones will likely become a target for malicious code, as have PCs.
o To date, only a few such attacks have been discovered for mobiles; however,
o It would be unwise to assume this is because mobiles are less susceptible than PCs.
Attacks on Computers
o Motivation
  • Peer prestige, revenge, profit, theft
o Objectives
  • Disruption, spyware, trojan software
o Methods
  • Self-propagating viruses and worms, infected files and applications (e.g. games)
o Access
  • Internet, messaging, over the air
How Weaknesses Are Found
o An attack often begins by finding a repeatable way to crash a platform
  • Generally, attacks aren’t created by analyzing source code – usually not available
  • The binary code, on the other hand, is accessible in the .exe file
  • (For many phones, binary code is also available via diagnostic ports.)
How Attacks Develop
o The attackers share information about weaknesses
o A more sophisticated attacker looks at the binary code to see what causes the crash
  • E.g., if it’s a buffer overrun that overwrites the stack, it may be possible to modify the input to execute arbitrary code
How Attacks Grow
o Once an exploit is developed, it is often made widely available on the Web
  • Documentation of the vulnerability
  • Attack scripts and source code
o This allows many variant attacks to be created, making prevention difficult
  • Virus-checking software updated often
  • (Bandwidth limits make this expensive for mobiles)
Differences: Mobiles vs. PCs
PCs:
o Many PCs use the same brand Operating System
o PCs can run both the code under attack and the attack software
o Attacks are spread by IP, email or web access
o Denial of service affects IP services
Mobile phones:
o Diverse OSs, but converging
o Phones can’t directly run attack software (special hardware often needed to extract binary code)
o Other channels are available for spread (e.g., SMS, false base stations)
o Denial of service can shut down a cellular system
The Changing Mobile User Environment
o In the past:
  • Attacks on mobile phones were detrimental to both the user and operator (cloning)
  • Attacks targeted individual phones
o In the future:
  • Attacks may be initiated by the user (cloning, defeating security)
  • Viral attacks may target a large population of mobiles
Why would a user hack his/her own phone?
o Upgrading
  • The user obtains a better phone (perhaps stolen) and wants to clone the existing subscription without paying the carrier.
o Digital Rights Management
  • Users want to share files, games, etc. without paying
o Subscription lock
  • The user wants to change operators
Consequences
o Users increasingly see the operator as an adversary
o Users may unwittingly become victims of secondary attacks
  • Defeating security features often opens a path for attack
  • Cloning may be accompanied by trojan installation
What should manufacturers do?
o Proactively address vulnerabilities
  • Automated code reviews
o Develop protocols to update software after sale
  • Preferably by broadcast
o Migrate to secure, trusted platforms
  • Prevent core software modification
  • Authenticate downloads
  • Protect security information
Can manufacturer efforts suffice?
o No.
  • The defender’s problem: any vulnerability can open an attack
  • A perfectly secure platform may still be vulnerable to insider attacks
  • Software updates may be impractical given the large numbers of mobiles
o Conclusion: operators cannot rely on manufacturers to prevent cyber attacks
What can operators do?
o Install firewalls
  • Isolate critical servers from mobile data
  • Block direct mobile-to-mobile packets
  • Perform ingress filtering: block mobile packets with bad “from” IP addresses
o Strengthen and automate responses
  • Disable infected mobiles
  • Isolate infected subnets
  • Scan SMS and other network messaging
  • Consider using broadcast code updates
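
The firewall measures listed on this slide, sketched as a single packet-filter decision function. This is an added example, not part of the original presentation; the address ranges, the `Packet` fields and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumptions, not taken from the slides).
MOBILE_POOL = ipaddress.ip_network("10.64.0.0/16")        # addresses leased to handsets
CRITICAL_SERVERS = ipaddress.ip_network("192.0.2.0/28")   # e.g. billing, provisioning
QUARANTINED = {ipaddress.ip_network("10.64.7.0/24")}      # subnet isolated after an outbreak


@dataclass(frozen=True)
class Packet:
    leased_ip: str  # address the network assigned to the sending mobile's session
    src: str        # source address claimed in the IP header
    dst: str


def filter_uplink(pkt: Packet) -> str:
    """Return 'allow' or 'drop:<reason>' for a packet arriving from the radio side."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Ingress filtering: the claimed source must be the address leased to this session.
    if src != ipaddress.ip_address(pkt.leased_ip) or src not in MOBILE_POOL:
        return "drop:spoofed-source"
    # Automated response: nothing leaves a subnet that has been isolated.
    if any(src in net for net in QUARANTINED):
        return "drop:quarantined-subnet"
    # Containment: no direct handset-to-handset traffic.
    if dst in MOBILE_POOL:
        return "drop:mobile-to-mobile"
    # Critical servers are not reachable from the mobile data plane.
    if dst in CRITICAL_SERVERS:
        return "drop:critical-server"
    return "allow"


def classify(packets):
    """Apply the policy to a batch and return the verdicts in order."""
    return [filter_uplink(p) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("10.64.1.20", "10.64.1.20", "198.51.100.80"),   # normal web request
    Packet("10.64.1.20", "203.0.113.9", "198.51.100.80"),  # forged source address
    Packet("10.64.1.20", "10.64.1.20", "10.64.3.44"),      # handset to handset
    Packet("10.64.1.20", "10.64.1.20", "192.0.2.5"),       # handset to critical server
    Packet("10.64.7.12", "10.64.7.12", "198.51.100.80"),   # from quarantined subnet
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(pkt.src, "->", pkt.dst, verdict)
```

The source check runs first so that a forged address cannot be used to dodge the quarantine or mobile-to-mobile rules.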
What won’t work
o Virus scans on phones
  • Updating definitions is too expensive
o Virus scans on incoming IP packets
  • Encrypted VPN connections prevent examining the contents of IP packets
Will operators take action?
o Operators are reluctant to spend for a threat that has not yet materialized
  • Cloning fraud reached double-digit percentages of revenues before authentication was deployed
o It is to be hoped that operators will at least make contingency plans
  • ITU-T recommendations could promote planning
Conclusions
o Mobile phone computing power and connectivity are approaching those of PCs
o Self-propagating viruses and worms may be possible in mobiles in the near future
o Manufacturers should strive to minimize vulnerabilities to such attacks
o Operators should prepare to take defensive measures
o ITU-T recommendations may be useful