GSMWorld gave me great statistics on phone usage: as of June 2009 there were 4.3 Billion cellular users. Imagine the number of phones matching the number of PCs under botnet control – 15% this year. That would equal 600 million cell phones. Now imagine 600,000,000 zombied handsets flooding emergency phone numbers as well as performing IP-based DDoS attacks.
According to Aryeh Goretsky,a twenty year malware industry veteran and one of ESET’s Distinguished Researchers I recently polled as he was walking past my desk, there are about 300 dedicated applications of cellular malware currently available. In Moore’s Law computer age terms this would put the cellular malware penetration at roughly around the PC malware equivalent of 1992.
Some differences stand out.
Compare that with the capacity of the Smartphones in use today.
Faster CPUs and higher storage mean Smartphones are approaching the attack surface horizon. With the critical exception of a phone having always-on connectivity. Any time, any place. And with Wi-Fi connectivity built into most smartphones, there is a potential infection vector for the enterprise or while just passing by. So how big is this threat?
Or most likely, what would happen if every single cell phone went dark in one country? One scenario is a combined DoS attack on the internet was combined with a DoS attack on the cellular phone infrastructure at the same time.
Those are open ended questions. They relate with security as a whole and definitely relate to the impact of cyberwarfare.
As a longtime SoCal resident I tend to remember the Rodney King Riots in LA in 1992 as a comparison point of reference for what can go wrong when civility suddenly takes a sharp left turn off the road.
From smsanalysis.org comes this excerpt of their report:
“Cellular networks are a critical part of the economic and social infrastructures in which we live. These systems have traditionally experienced below 300 seconds of communication outages per year (i.e., “five nines'' availability).
However, the proliferation of external services on these networks introduces significant potential for misuse. We have shown that an adversary injecting text messages from the Internet can cause almost twice the yearly expected network down-time in a metropolitan area using hit-lists containing as few as 2500 targets.
With additional resources, cyberwarfare attacks capable of denying voice and SMS service to an entire continent are also feasible.
By attacking the less protected edge components of the network, we elicit the same effects as would be seen from a successful assault on the well protected network core.”
I would mention that their paper has all the details.
If you can interrupt communications on several layers, you can disrupt any operations plan. This is pretty much a Sun Tsu principle applied to cyberwarfare.
Let’s call phones with direct web browsers Smartphones and phones that are tier two basic call and messaging service available Dumb phones. Dumb phones used to be programmed to be remotely knocked out with SMS messages that kill the chip running the handset, known now as a ‘kill pill’. In fact, quite a few companies make an SMS Kill Pill which can, among other things, frag all of your data with an encryption remotely.
In effect the infrastructure may not be connected to the Internet, but as this article discusses, the cellular data structure security is also questionable.
Emergency Response Teams, or ERTs, depend upon technology to communicate just like the rest of us. With manufacturers like Lenovo, Panasonic Toughbook, and other ruggedized vendors vying for this DHS-grant funded public safety component, there’s no shortage of embedded cellular technology. Much of it uses the GSM standard, utilizing SMS messaging. With both an IP range to protect and specific blocks of cellular numbers (example as 555-2001 through 555-2500) issued as the de facto by carriers, cellular technology is more of a status quo.
There are more questions than answers here – in effect if cellular service loss was an effect of cyberwarfare, you can count on it impacting morale in a very big way. Comments?
Securing Our eCity Contributing Writer
Author ESET Research, ESET