Bricking your cell phone: Mayhem on a Massive Scale

So how hard is it to kill a cell phone?

GSMWorld gave me some useful statistics on phone usage: as of June 2009 there were 4.3 billion cellular users. Now imagine the proportion of phones under botnet control matching this year's figure for PCs, about 15%. That would be roughly 645 million cell phones. Picture 645,000,000 zombied handsets flooding emergency phone numbers while also performing IP-based DDoS attacks.

Scary, huh?

According to Aryeh Goretsky, a twenty-year malware industry veteran and one of ESET's Distinguished Researchers, whom I polled as he walked past my desk, there are about 300 distinct pieces of cellular malware known today. In the Moore's Law terms of the PC era, that puts mobile malware at roughly the level PC malware had reached in 1992.

No wonder FBI agents and the folks at the Regional Fusion Center are kept up at night.

Some differences stand out.

  1. In 1992 we were using the equivalent of a 286 PC, or in my case, the Commodore Amiga.
  2. To frame market penetration, the Apple IIc was still in use at the high school where my mom taught. Now PCs are almost ubiquitous in schools.
  3. Storage capacity was limited to a few megabytes of data (a 40 MB external hard drive was typical), and optical WORM drives (Write-Once, Read-Many) and CD-ROMs could store a whopping 600 MB.

Compare that with the capacity of the Smartphones in use today.

  1. BlackBerry handsets with removable storage can hold 8 gigabytes of data (1 GB is roughly 1,000 MB).
  2. Processor speeds on smartphones rival those of PCs from five years earlier.
  3. Web-enabled TCP/IP connectivity gives applications a conduit to virtually anywhere.

Faster CPUs and larger storage mean smartphones now present an attack surface comparable to the PCs of that era, with one critical difference: a phone has always-on connectivity, any time, any place. And with Wi-Fi built into most smartphones, a handset is a potential infection vector for the enterprise network it joins, or for any network it merely passes by. So how big is this threat?

What would happen if every single one of the four BILLION cell phones on this planet just went dark?

Or, more plausibly, what would happen if every cell phone in one country went dark? One scenario is a DoS attack on the Internet combined with a simultaneous DoS attack on the cellular phone infrastructure.

Mobile Threats – 2009 Securing The Perimeter SOeC event at SDSU

These are open-ended questions. They relate to security as a whole and bear directly on the impact of cyberwarfare.

As a longtime SoCal resident I tend to remember the Rodney King Riots in LA in 1992 as a comparison point of reference for what can go wrong when civility suddenly takes a sharp left turn off the road.

How about a combined cell / internet threat?

From smsanalysis.org comes this excerpt from their report:

“Cellular networks are a critical part of the economic and social infrastructures in which we live. These systems have traditionally experienced below 300 seconds of communication outages per year (i.e., “five nines” availability).

However, the proliferation of external services on these networks introduces significant potential for misuse. We have shown that an adversary injecting text messages from the Internet can cause almost twice the yearly expected network down-time in a metropolitan area using hit-lists containing as few as 2500 targets.

With additional resources, cyberwarfare attacks capable of denying voice and SMS service to an entire continent are also feasible.

By attacking the less protected edge components of the network, we elicit the same effects as would be seen from a successful assault on the well protected network core.”

Their paper has all the details.
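The report's point is that the attack enters through the open, Internet-facing edge (web and e-mail SMS gateways) and that a surprisingly short hit-list of numbers in one area suffices. One defensive counterpart on that edge is admission control at the gateway itself. The following is an added example, not code from smsanalysis.org or from this post: a sliding-window limiter that caps what one submitter may inject and, more importantly, caps how many distinct numbers sharing one prefix (country code, area code and exchange) may be addressed per window across all submitters, which is the fan-out signature of a hit-list flood. The thresholds, the +1 619 555 numbers and the traffic mix are constructed assumptions for illustration.

```python
from collections import defaultdict, deque


class SmsGatewayGuard:
    """Sliding-window admission control for Internet-originated SMS.

    Two limits are applied to every submission:
      * per-source rate: one submitting account/IP may not exceed
        max_per_source messages per window (a single noisy injector);
      * per-prefix fan-out: across ALL sources, no more than
        max_targets_per_prefix distinct destination numbers sharing one
        prefix (country code + area code + exchange) may be addressed per
        window. This is the hit-list signature: thousands of distinct
        numbers in one metropolitan area, even when spread over many sources.
    Thresholds are assumed for illustration; tune them to real traffic.
    """

    def __init__(self, window_s=60.0, max_per_source=30,
                 max_targets_per_prefix=200, prefix_len=8):
        self.window_s = window_s
        self.max_per_source = max_per_source
        self.max_targets_per_prefix = max_targets_per_prefix
        self.prefix_len = prefix_len
        self._by_source = defaultdict(deque)   # source -> [timestamps]
        self._by_prefix = defaultdict(deque)   # prefix -> [(ts, dest)]
        self._targets = defaultdict(dict)      # prefix -> {dest: live count}

    def _expire(self, now, source, prefix):
        """Drop entries older than the window for this source and prefix."""
        cutoff = now - self.window_s
        src_q = self._by_source[source]
        while src_q and src_q[0] < cutoff:
            src_q.popleft()
        pfx_q, targets = self._by_prefix[prefix], self._targets[prefix]
        while pfx_q and pfx_q[0][0] < cutoff:
            _, dest = pfx_q.popleft()
            targets[dest] -= 1
            if targets[dest] == 0:
                del targets[dest]

    def admit(self, now, source, dest):
        """Return (accepted, reason). Rejected attempts are still counted,
        so a flood cannot reset the limiter by being rejected."""
        prefix = dest[:self.prefix_len]
        self._expire(now, source, prefix)
        self._by_source[source].append(now)
        self._by_prefix[prefix].append((now, dest))
        targets = self._targets[prefix]
        targets[dest] = targets.get(dest, 0) + 1
        if len(self._by_source[source]) > self.max_per_source:
            return False, "source-rate"
        if len(targets) > self.max_targets_per_prefix:
            return False, "prefix-fanout"
        return True, "ok"


def simulate():
    """Constructed traffic: 20 ordinary web users, then a 2,500-number
    hit-list for one exchange (+1 619 555) fired from 100 sources, 25
    messages each, so that no single source trips the per-source limit."""
    guard = SmsGatewayGuard()
    tally = {"ok": 0, "source-rate": 0, "prefix-fanout": 0}
    for i in range(20):
        _, why = guard.admit(0.1 * i, f"user{i}", f"+1619555{3000 + 37 * i:04d}")
        tally[why] += 1
    for n in range(2500):
        _, why = guard.admit(5.0 + 0.01 * n, f"bot{n % 100}", f"+1619555{n:04d}")
        tally[why] += 1
    return tally


if __name__ == "__main__":
    print(simulate())  # {'ok': 200, 'source-rate': 0, 'prefix-fanout': 2320}
```

In the constructed run the per-source limit never fires, because the flood is spread thinly, but the per-prefix fan-out limit stops it after the first 180 hit-list numbers. The cost is that legitimate messages to that exchange are also refused for the rest of the window; that is the trade-off, since the alternative is the control-channel saturation the report describes, which refuses everyone anyway.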

Analysis: Cyberwarfare will probably include DDoS on Cellular

If you can interrupt communications on several layers, you can disrupt any operations plan. This is pretty much a Sun Tzu principle applied to cyberwarfare.

Smart phones, Dumb phones – all are vulnerable

Let's call phones with a full web browser smartphones, and phones offering only basic call and messaging service dumb phones. Dumb phones could be programmed to be remotely disabled by an SMS message that knocks out the chip running the handset, a capability now known as a 'kill pill'. Quite a few companies sell an SMS kill pill that can, among other things, remotely destroy all of your data, by wiping it or encrypting it out of reach. The security-relevant point is that the trigger is simply an inbound text: if the handset does not authenticate the command, anyone who can send an SMS to that number can fire it, and a list of numbers turns that into mass bricking.

  1. Central for Treo – a utility by Bluefish which includes a feature called SMS Kill Pill that remotely deletes your data.
  2. remoteProtect – designed for Windows Mobile phones by SCPSOFT.
  3. Exchange Server 2010 – allows an administrator to remotely wipe a mobile phone (over the data connection rather than SMS).
  4. MobileMe – remote wipe for iPhone, iPad and other Apple devices (also over the data connection).

Cellular Control Systems – SCADA and SMS

Cellular data has been part of SCADA control systems for over fifteen years. While CDPD as a standard is no longer in vogue, many installations use GSM data links and SMS messages for control.

The control infrastructure may not be connected to the Internet, but as this article discusses, the security of the cellular data path it relies on is also questionable.
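Both the SMS kill pills listed above and SMS-controlled SCADA equipment share one failure mode: a command that arrives as a text message and is acted on without proof of who sent it. The following is an added example, not code from any of the products named or from this post, showing the vulnerable form (a fixed trigger string) beside a hardened form in which the sender and receiver share a per-device key, every command carries an HMAC-SHA256 tag bound to the device identity, and a monotonic counter rejects replays. The wire format, the command names and the device identifiers are assumptions for illustration; a 64-hex-character tag plus command and counter still fits comfortably in a 160-character SMS.

```python
import hmac
import hashlib

# --- Vulnerable form: a fixed trigger string, no authentication -------------
# Anyone who learns (or guesses) the string and can reach the handset's number
# can fire it; a block of consecutive numbers turns that into mass bricking.
KILL_STRING = "WIPE NOW"   # assumed trigger text, for illustration only


def naive_kill_pill(sms_text):
    """Return True if the message would trigger a wipe. No sender check at all."""
    return sms_text.strip() == KILL_STRING


# --- Hardened form: per-device key, HMAC tag, monotonic counter --------------
def _tag(key, device_id, command, counter):
    """HMAC-SHA256 over device_id|command|counter, hex encoded (64 chars)."""
    msg = f"{device_id}|{command}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_command(key, device_id, command, counter):
    """Sender side (management server or SCADA master).
    Wire format: COMMAND|COUNTER|TAG. Binding device_id into the tag stops a
    message meant for one device being replayed to another."""
    return f"{command}|{counter}|{_tag(key, device_id, command, counter)}"


class AuthenticatedCommandHandler:
    """Receiver side (handset or RTU). `key` is a secret shared with the
    sender and unique to this device; `last_counter` must be persisted
    across reboots or the replay protection is lost."""

    def __init__(self, key, device_id, allowed_commands, last_counter=0):
        self.key = key
        self.device_id = device_id
        self.allowed = frozenset(allowed_commands)
        self.last_counter = last_counter

    def handle(self, sms_text):
        """Return (accepted, reason). Only 'ok' means the command may run."""
        parts = sms_text.strip().split("|")
        if len(parts) != 3:
            return False, "malformed"
        command, counter_s, tag = parts
        if command not in self.allowed:
            return False, "unknown-command"
        if not counter_s.isdigit():
            return False, "malformed"
        counter = int(counter_s)
        # Verify the tag BEFORE touching the counter, so a forged message
        # cannot advance the replay window or lock out the real sender.
        expected = _tag(self.key, self.device_id, command, counter)
        if not hmac.compare_digest(expected, tag):
            return False, "bad-tag"
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        return True, "ok"


if __name__ == "__main__":
    # Constructed demonstration: one RTU, one forged attempt, one replay.
    key = b"per-device-secret-key"          # assumed; provision per device
    rtu = AuthenticatedCommandHandler(key, "RTU-7", {"WIPE", "OPEN_VALVE"})
    good = build_command(key, "RTU-7", "OPEN_VALVE", 1)
    print(rtu.handle(good))                 # (True, 'ok')
    print(rtu.handle(good))                 # (False, 'replay')
    print(rtu.handle("OPEN_VALVE|2|" + "0" * 64))  # (False, 'bad-tag')
    print(naive_kill_pill("WIPE NOW"))      # True, from anyone at all
```

The same handler serves a handset (commands such as WIPE) and a field device (commands such as OPEN_VALVE); what changes is only the allowed command set. A stolen or shared key defeats the scheme, so keys must be unique per device, and the counter must survive a power cycle, otherwise the first message after a reboot can be a replay.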

Bricking the ERTs

Emergency Response Teams (ERTs) depend on technology to communicate just like the rest of us. With manufacturers like Lenovo, Panasonic (Toughbook) and other ruggedized-hardware vendors vying for this DHS-grant-funded public safety market, there is no shortage of embedded cellular technology in the field. Much of it uses the GSM standard and SMS messaging. An agency therefore has both an IP range to protect and a block of cellular numbers (for example 555-2001 through 555-2500) that carriers issue as a contiguous block by default. A contiguous, predictable block is trivially enumerable, and is a ready-made hit-list of exactly the kind the smsanalysis.org report describes.

There are more questions than answers here. If loss of cellular service were an effect of cyberwarfare, you can count on it hitting morale in a very big way. Comments?

Securing Our eCity Contributing Writer

Author ESET Research, ESET

  • Gavin

    Frankly, I think that this is an unrealistic scenario. You are being far too optimistic. I am increasingly concerned about the threat of alien invasion and the delivery of a massive world affecting EMP. I saw a documentary recently where this was dealt with by using a non-processor specific virus which Jeff Goldblum was able to code up. I think this is the sort of system we should be thinking about, how to write polymorphic, self healing, self-learning, dynamic code which will span any architecture and allow us to implement effective firewalls to defend from the 'alien' threat.
    As the ancient chinese curse says, "May you live in interesting times."

    • Charles Jeter

      Hi Gavin,

      Thanks for your comment! Appreciate the feedback. Unfortunately, after spending a couple years in the wireless data sector with a major OEM manufacturer as well as conversations at length with our stateside Department of Homeland Security and Federal Bureau of Investigation agents, I’m in disagreement with you as to what is unrealistic.

      The feasibility study of the SMS based attacks is found within the third party group smsanalysis.org’s report. I’m very interested in any resources people dedicate to debunking this report as well as others.

      As far as criminal intent to use the potential breaches of security, basic criminology shows that there is a potential for extortion wherever any breach is possible.
      As far as nation state intent, I just attended a webex by Ira Winkler who referred to many potential infrastructure insider based abuse issues which he and a former GRU colonel, Stanislav Lunev, have investigated in many industries.

      Additionally, Apple mentions that jailbroken cell phones lead to an infrastructure risk as quoted within the Register.
      http://www.theregister.co.uk/2009/07/29/apple_jailbreaking_patent_office_response/

      I wouldn’t mind the debate though… :) Thanks again for the comment!

      Charles

  • MysticKnightoftheSea

    Just a question: when I discontinued my AT&T TDMA service, the phones not only stopped working (expected), I couldn't access any of the data (phone #s, saved SMS,etc.) or even access the games. When I inquired back to AT&T/Cingular as to why, they referred me to Nokia to attempt data recovery. Nokia wanted to charge $100 per phone for the privilege. I was royally put out with AT&T when my phones stopped working immediately, and not just the service. If they had given me warning it would happen it would not have been so bad; I could have copied/forwarded the important stuff.
    Sorry the above was background. The question: did/do the cellphone service providers have a 'Kill Pill' of their own?

  • MysticKnightoftheSea

    Sorry, just reread a couple of lines. Seems they did. Thanks a heckuva lot, AT&T!
    MKotS

    • Charles Jeter

      @ MKotS:

      :) Yeah, but thanks for the blast from the past. Evidently my comment was eaten by the system, but I figure two things – first, unfortunately TDMA tower bandwidth was sacrificed on the altar of cost savings through hardware streamlining… so TDMA (D-AMPS) went the way of AMPS everywhere. In my research for my now digitally trashed comment, I did see some names I hadn’t seen in over ten years – Dobson Communications, AT&T Mobility, and the likes. Wow. Awesome.

      More history on cellular’s ‘Golden Age’ in the 1990s if you’re interested.

      Nokia is still one of my preferred handset vendors, although I swapped for Handspring / Palm years ago and now I’m stuck with whatever the company gives me. Most likely Nokia wanted to mitigate their cost of cable synching a deluge of old handsets and decided a hundred bucks was the way to go… I used to own stock in Nokia and made some good money buying in at $26 and selling around $35 in 2007, can’t recall if I still own it so I might mention that fact… :)
