The recently introduced 3G mobile services in India are welcome news for all of us. But the question on every security analyst's mind is: does the 3G network offer a greater degree of security than its 2G predecessors? This article highlights the security challenges, along with the existing risks and vulnerabilities, in 3G mobile network systems.
Smart mobile technology such as 3G (third-generation mobile communication systems) is rapidly gaining in popularity, and hackers and crackers are among its biggest fans! Very few business consumers know about the vulnerabilities of 3G technology, and only now is the industry waking up to the potential security nightmare.
Mobile operators need to recognize their newfound role as internet service providers (ISPs). No longer do they just provide cellular voice services; now they also provide high-speed Internet Protocol-based (IP) data services. So as to offer a wider array of services and content to their data subscribers, mobile operators are opening up their formerly closed networks to numerous other mobile operators, data networks and the public Internet.
As a result, mobile operators' 3G networks are exposed not only to all the virtual pathogens already in circulation, but also to mobile-specific viruses and Trojans, as well as to direct attacks such as Denial of Service (DoS) on their networks from hackers and/or criminal organizations. These types of attacks employ methods that wired ISPs have been dealing with for a much longer period of time. There are also variations on these attacks that exploit weaknesses in the architecture and in some of the protocols used in 2.5G/3G cellular data networks.
Reasons for Vulnerabilities
Cellular data networks are vulnerable for several reasons. Some of the main reasons are:
1) Mobile operators are building out high speed wireless networks that are based on the Internet Protocol (IP) which allow users to do more while connected.
2) Mobile operators have opened up their networks to the public Internet and to other data networks, making their 2.5G/3G networks more vulnerable to attacks.
3) Mobile operators are evolving their networks to IMS (IP Multimedia System), enabling interconnected networks all running on IP.
The Need for 3G Security
In the past, mobile operators only provided cellular voice service, and their security concerns were limited to cloning and subscription fraud. Mobile data usage began with implementations of CDPD (Cellular Digital Packet Data) and Mobitex, but widespread adoption really began with the rollout of 2.5G networks (GPRS, General Packet Radio Service; EDGE, Enhanced Data rates for GSM Evolution; CDMA 1X, Code Division Multiple Access 1X) and now continues with third-generation (3G) high-speed wireless networks such as CDMA. The world is rapidly moving toward 2.5G/3G networks.
The security implication here is that with more users of varied data-capable devices who are accessing content and communicating with one another across multiple networks, there will be more traffic on the cellular networks. That implies a higher likelihood of attacks occurring from any number of sources. For example, many sophisticated attacks disguise themselves in data flows across sessions and ports—the more traffic there is, the harder it is to identify the threats.
GSM Security Threats
There are major security flaws in GSM (Global System for Mobile communications): base stations are not authenticated, and encryption is not supported by default. Due to United Nations' restrictions, GSM phones do not have encryption capabilities. Some may argue that this is not a major security threat, as data is transmitted mainly over the wired network using encryption standards such as DES (Data Encryption Standard) and RSA (Rivest-Shamir-Adleman); but if a large key size, typically 64-128 bits, is used to encrypt and decrypt messages, the slow transmission bit rate may become an issue. A large key size ensures that a message is secure, but the drawback is that it generates a large encrypted message block, which requires greater processing power and a longer transmission period.
Other security threats on smart phones come from the operating systems themselves, either Symbian or Microsoft Windows CE (Embedded Compact), both of which are susceptible to malicious code.
Threats to Mobile devices
With 3G technology being adopted, and with security threats emerging from unfamiliar territory in smart phone technology, we should be aware of the threats that various malware poses to mobile devices. While many of us are still in the transition from 2G and 2.5G to 3G, industry and governments together need to educate people and raise awareness of the dangers that exist when using mobile devices.
Currently identified malware specific to mobile devices includes:
- Cabir worm: the first dedicated mobile-phone worm, it infects phones running the Symbian operating system. Cabir spreads by disguising itself as a security management utility. Once it has infected a device that uses Bluetooth wireless technology, the worm scans for other phones and sends a copy of itself to the first vulnerable phone it finds. The worst thing about this worm is that the source code for the Cabir-H and Cabir-I variants can be found online.
- Brador Trojan: affects the Windows CE operating system by creating an svchost.exe file in the Windows start-up folder, which allows full control of the device. This small executable file lends itself to traditional worm propagation vectors such as e-mail file attachments. The typical functionality of the Trojan is to send the IP address of the infected device to the virus writer and flag the device as active.
- Lasco worm: the first worm released in 2005, it infects PDAs (Personal Digital Assistants) and mobile phones running the Symbian OS. Lasco is based on Cabir's source code, replicates over Bluetooth connections and arrives in the inbox folder as a velasco.sis file. On opening the file the worm is activated and looks for new devices using Bluetooth. It is also capable of replicating by inserting itself into other SIS (Silicon Integrated Systems) files on the device.
Other known mobile malware includes the Duts virus, Pseudo-virus and the Delf-HA Trojan.
Types of Attacks
As mobile operators move to 3G services, they are, for the most part, not deploying entirely new networks but instead leveraging their existing 2.5G network infrastructure: GSM/GPRS/EDGE or CDMA/CDMA 1X equipment and backbone networks. For example, most UMTS (Universal Mobile Telecommunications System) cell sites can be co-located with GSM cell sites, and much of the GSM/GPRS core network can be re-used. The Serving GPRS Support Node (SGSN) needs to be upgraded, but the mobile switching center (MSC) only requires a minor upgrade and the Gateway GPRS Support Node (GGSN) can remain the same.
Because 3G networks were not all built from the ground up, they were not necessarily built with IP data security in mind. Moreover, the world of IP data is relatively new to mobile operators—they are used to dealing with comparatively more mundane voice-centric security threats.
There are numerous attacks that can be perpetrated against a mobile network, and they originate from two primary vectors. One is from outside the mobile network: the public Internet, private networks and other operators' networks. The other is from within the mobile network: devices such as data-capable handsets and smart-phones, notebook computers or even desktop computers connected to the 3G network.
Some of the types of attacks against 3G mobile networks are listed below.
Denial of Service
Currently one of the most prevalent security threats to wired ISPs is a distributed denial of service (DDoS) attack. Essentially, DDoS attacks use “brute force” methods to overwhelm the target system with data such that the response from the target system is either slowed or stopped. Creating enough traffic to inflict that kind of damage typically requires a network of compromised computers, which are often referred to as “bots” or “zombies” (sometimes collectively referred to as “botnets”).
Essentially, botnets are computers that have been compromised by attackers, generally through the use of Trojans (malware disguised as or embedded within legitimate software), which are then remotely controlled by the organization orchestrating the DDoS attack. Laptops, smart-phones, RIM (Research In Motion) BlackBerries and/or PDAs, connected to the Internet via a mobile broadband connection, could be similarly compromised and used as zombies in a DDoS attack.
Overbilling Attack
Another type of possible attack is called “overbilling.” Overbilling involves a malicious user hijacking a subscriber’s IP (Internet Protocol) address and then using that connection to initiate fee-based downloads or simply use that connection for their own purposes. In either case, the legitimate user is billed for activity which they did not authorize or actually conduct.
Spoofed PDP (Policy Development Process) context
These types of attacks exploit weaknesses in GTP (GPRS Tunneling Protocol):
- Spoofed "delete PDP context" packets, which would cause service loss or interruption for end users.
- Spoofed "create PDP context" packets, which would result in unauthorized or illegal access to the Internet or customer data networks.
- GTP packet floods, a form of Denial of Service attack.
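As an added illustration (not from the original article), the following Python sketch shows how a GGSN-side monitor could pick out the three GTP abuses listed above: it decodes the fixed GTPv1 header, flags create/delete PDP context requests arriving from sources that are not known SGSNs, and counts per-source message volume to catch floods. The SGSN address, the outside addresses, the sample packets and the flood threshold are constructed placeholders.

```python
import struct
from collections import Counter

# GTPv1-C message type values from 3GPP TS 29.060
CREATE_PDP_REQ = 16
DELETE_PDP_REQ = 20
CONTEXT_MSGS = {CREATE_PDP_REQ: "create PDP context", DELETE_PDP_REQ: "delete PDP context"}

def parse_gtpv1_header(data):
    """Decode the fixed 8-byte GTPv1 header: flags, message type, length, TEID."""
    if len(data) < 8:
        raise ValueError("short packet")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:          # top three bits carry the GTP version
        raise ValueError("not GTP version 1")
    return msg_type, length, teid

def build_gtpv1(msg_type, teid, payload=b""):
    """Construct a minimal GTPv1 message (version 1, PT=1, no optional fields)."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload

def inspect_gn_traffic(packets, trusted_sgsns, flood_threshold=5):
    """packets: (source IP, raw GTP bytes) seen on the GGSN's Gn interface.
    Flags create/delete PDP context requests from hosts that are not known SGSNs,
    malformed messages, and any source sending more than flood_threshold messages."""
    alerts, per_source = [], Counter()
    for src, raw in packets:
        try:
            msg_type, _, teid = parse_gtpv1_header(raw)
        except ValueError as err:
            alerts.append(f"{src}: malformed GTP ({err})")
            continue
        per_source[src] += 1
        if msg_type in CONTEXT_MSGS and src not in trusted_sgsns:
            alerts.append(f"{src}: spoofed {CONTEXT_MSGS[msg_type]} request, TEID 0x{teid:08x}")
    for src, count in per_source.items():
        if count > flood_threshold:
            alerts.append(f"{src}: GTP flood, {count} messages")
    return alerts

def demo():
    # Constructed sample: one legitimate SGSN (placeholder address) and two outside hosts.
    trusted = {"10.0.0.1"}
    packets = [("10.0.0.1", build_gtpv1(CREATE_PDP_REQ, 0x1001)),   # legitimate
               ("192.0.2.7", build_gtpv1(DELETE_PDP_REQ, 0x1001)),  # spoofed teardown
               ("192.0.2.7", b"\x30\x01")]                          # truncated header
    packets += [("192.0.2.9", build_gtpv1(1, 0))] * 6               # echo-request flood
    return inspect_gn_traffic(packets, trusted)
```

In a real deployment the trusted set would be the operator's own SGSN addresses and roaming partners' GRX addresses, and the flood threshold a rate rather than a simple count.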
Signaling-level attacks
The Session Initiation Protocol (SIP) is a signaling protocol used in IMS networks to provide voice over IP (VoIP) services. There are several well-known vulnerabilities in SIP-based VoIP systems. For example, there are vulnerabilities in the Call Manager function (which handles call routing and call signaling in VoIP systems) that might allow hackers to:
- Reconfigure VoIP settings and gain access to individual users' account information.
- Eavesdrop on VoIP communications.
- Hijack a user's VoIP subscription and subsequent communications.
Protecting 2.5/3G Networks
To protect their networks and customers, then, mobile operators need to:
- Take an architectural approach to implementing security solutions in their network; point solutions are not sufficient.
- Deploy a variety of products in their networks, such as firewalls, intrusion detection and prevention (IDP) and virtual private networks (VPNs).
- Make client-side anti-virus and firewall software readily available to their subscribers who use data devices (e.g., feature phones with data capabilities, smart-phones, notebook computers).
- Be vigilant and adopt appropriate security policies that reflect the threats in the 2.5/3G world. This has additional ramifications given the widespread use of WiFi and the general evolution toward networks based on the IMS standard.
- Be aware that their networks are only as secure as the weakest link. Mobile operators need to work with each other, the ISP community and other telecom providers to ensure that even the minimum amount of security is quite strong.
- Vigorously protect signaling, as the migration of signaling traffic over IP creates new risks. Mobile operators carry much more signaling traffic than their wired counterparts, and signaling is mission-critical traffic.
Protection against Future Threats
Mobile data networks will likely be the target of an increasing number of attacks for two reasons. One is that they are now more accessible because they are interconnected with other IP data networks. The other is that mobile operators possess information that criminals want (e.g., private subscriber information), or the operators themselves are the object of extortion or fraud.
There is no shortage of tools which attackers can use to penetrate mobile operator networks—e.g., botnet-based denial of service attacks, mobile malware, or attacks which exploit unprotected weaknesses in signaling protocols (SIP) or other protocols such as GTP (GPRS Tunneling Protocol) which are integral to many mobile operators’ networks.
Many mobile and fixed operators are evolving their networks to secure their 3G architecture. As this evolution progresses, operators will be able to offer dynamic, multi-dimensional applications (i.e., combinations of content and communication applications) that are beyond their present capabilities. Vulnerabilities exist in many different networks, not just the mobile operator's. For example, insufficiently protected WiFi (Wireless Fidelity) networks or even unprotected Bluetooth connections on a user's handset can compromise not only a user's or a company's private data, but a network's stable operation.
There is a need for strong, multilayered security technologies not only in today’s 3G world, but also in tomorrow’s IMS (IP Multimedia Subsystem) environment. Building that security begins today—with deploying firewalls, IDP (Intrusion Detection and Prevention) and VPNs (Virtual Private Networks). Those deployments can then be leveraged to protect future services.
By R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an independent researcher specializing in software security, with an active interest in designing security algorithms for securing software. He can be reached at infosecurity@fanaticmedia.com