Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 63|Likes:
Published by vishalpnaik

More info:

Published by: vishalpnaik on Dec 12, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Security Threats and Analysis of SecurityChallenges in Smartphones
Yong Wang, Kevin Streff and Sonell RamanDakota State University
—A smartphone carries a substantial amount of sen-sitive data and thus is very attractive to hackers, making it aneasy target. For these reasons, ensuring smartphone security isextremely important. While there are many similarities betweensmartphone security and regular security, distinct differencesexist between these two. The unique characteristics of smart-phones make securing them very challenging. In this paper, wesummarize smartphone threats and attacks, reveal the uniquecharacteristics of smartphones, evaluate their impact on smart-phone security, and explore the countermeasures to overcomethese challenges. Many enterprises have started to look intosecurity issues in smartphones. However, these solutions mustcorrespond with the unique characteristics in smartphones. Newbusiness models are highly desired to solve security issues insmartphones.
 Index Terms
—Smartphone, security, threats, attacks.
I. I
MARTPHONES overtook PCs in the global market in Q42010 [1]. They surpassed feature phones in shipments inWestern Europe in Q2 2011 [2]. According to Nielsen’s surveyin May 2011, smartphone purchases outsold feature phonesin the U.S. in the same time frame as Western Europe [3].Compared to 5.9 billion worldwide mobile phone subscribers,smartphone usage (835 million) still has significant upside [4].IDC predicts smartphone shipments will approach one billionin 2015 [5].Many functions have been integrated into smartphonesfar surpassing the original functions of a traditional phone.Compared to feature phones, a smartphone usually includesthe following elements:
Pre-installed with a modern mobile operating system
,such as iOS, Android, or Windows Mobile.
Support a carrier’s networks (2G/3G/4G), WiFi connec-tivity, and Bluetooth
. These networks work independentlyand serve different purposes for voice and data services.
Access the Internet 
. A smartphone provides Internet ac-cessibility through either a carrier’s network or a localWiFi hotspot.
Capable of running third party applications
. These ap-plications can be downloaded from application storesthrough the Internet.
Support MMS messages
. A smartphone supports Multi-media Message Service (MMS). A smartphone user caninteract with another mobile phone subscriber throughthese messaging systems.
Embedded sensors inside smartphones
. Smartphone sen-sors usually include GPS, gyroscopic sensors, and ac-celerometer sensors.
Equipped with camera(s) and microphone
. A smartphoneis often equipped with a high-resolution camera, a micro-phone, and a speaker.Among all the characteristics, Internet accessibility is themost important feature of smartphones. Internet accessibilityis usually provided through a carrier network via a data plan.Feature phones usually do not have data plans or have limitedInternet access.As smartphones become more popular for personal andbusiness use, it raises many security concerns [6], [7], [8],[9]. The central data management of a smartphone is veryattractive to hackers and it makes smartphones easy targets.Viruses emerged in smartphones as early as 2004. Since then,many incidents have been reported of spam, viruses, spyware,and other malicious software. As smartphones continue theirrapid growth in the next few years, it is critical to assuresmartphone subscribers that these services are reliable, secureand can be trusted.However, due to unique characteristics of smartphones,security is very challenging. In this paper, we summarizesmartphone threats and attacks, reveal the unique character-istics of smartphones, evaluate their impacts on smartphonesecurity, and explore the countermeasures to overcome thesechallenges. Practical ways to secure smartphones are alsodiscussed in the paper. To the best of our knowledge, thisis the first paper focusing on the uniqueness of smartphonesand their impacts on smartphone security.II. S
Mobile phone virus emerged as early as 2004. Since then,significant amounts of malware have been reported in smart-phones. In the last seven months of 2011, malware targetingthe Android platform rose 3,325 percent [10].
 A. Smartphone Threat Model
Figure 1 shows a threat model in a smartphone. The modelconsists of four parts, a malicious user, malware, a smartphone,and premium accounts/malicious websites.1) A
malicious user
publishes malware through applicationstores or websites.2)
carries threats and attacks while it waits to bedownloaded to a smartphone.3) A
is the target of malware. It carries largeamounts of sensitive data which is very attractive tomalicious users.
Digital Object Indentifier 10.1109/MC.2012.288 0018-9162/$26.00 2012 IEEEThis article has been accepted for publication in Computer but has not yet been fully edited.Some content may change prior to final publication.
Fig. 1. Smartphone Threat Model
Premium accounts/Malicious websites
are an escapedestination of malware. After infiltrating smartphones,malware targets to control smartphone resources, collectdata, or redirect smartphones to a premium account ora malicious website.A smartphone is divided into three layers in this model:Application layer, Communication layer, and Resource layer.1)
Application (App) layer
includes all the applications ina smartphone such as social networking software, email,text message, synchronization software and etc. Malwareis usually disguised as a normal application and attractssmartphone subscribers to download.2)
Communication (COMM) layer
includes communica-tion channels to a smartphone. Smartphone communica-tion channels include carrier networks, WiFi connectiv-ity, Bluetooth network, Micro USB port, and MicroSDslot. Malware might spread through any of these com-munication channels.3)
Resource (RSC) layer
includes the flash memory, cam-era, microphone, and sensors within a smartphone. Sincesmartphone resources contain sensitive data, malwaretargets to control these resources and manipulate datafrom them.An attack on a smartphone forms a loop from malicioususers, through malware, smartphone (App layer, Comm layer,RSC layer), premium accounts/malicious websites, back tomalicious users. Figure 1 shows such an attack. Malwarewas downloaded to a smartphone through social networkingsoftware via a carrier’s network. It hijacked the smartphone’sresources and sent MMS messages to a premium account.
 B. Services affected 
Based on the malware impact to smartphone subscribers,smartphone subscribers may endure low impact issues suchas performance degrade, spam messages and slow operation,to higher impact challenges, such as not being able to receiveand make phone calls, financial loss and so on. Figure 2 showsa general malware impact severity to smartphone subscribers.The impact to a specific smartphone subscriber may be com-pletely different from other smartphone subscribers.
 
Fig. 2. Smartphone Malware Impact Severity
C. Resources in jeopardy
There are certain resources which contain sensitive data andare very attractive to hackers. Once malware finds a way intothe smartphone, it will try to gain privileges in order to accessand control these resources.
Flash memory
Flash memory can be reprogrammed. Withsome simple setup, it does not take long to reprogramthe flash memory. Malware can be programmed in theflash memory and it cannot be removed until the userreprograms the flash memory again.
MicroSD memory car
Smartphones may also supportMicroSD memory cards. With a data cable or a cardreader, a malicious user can easily disclose the contentin the memory card.
Sensors such as GPS, gyroscopic sensor, accelerometers
GPS reports location information of a smartphone sub-scriber and smartphone owners may not want to disclosetheir location information.
Camera and microphone
Cameras and microphones canbe turned on and off without users’ notice. If malwarehas full control of the smartphone, the smartphone canbe transformed into a tapping device.
WiFi and Bluetooth
A user does not need to physicallyconnect a smartphone to a computer to transfer data. Datacan be transferred through WiFi or Bluetooth networks.Data leakage may happen without notice.
A smartphone depends on battery to power iton. Battery exhaustive attacks can dissipate battery power
Digital Object Indentifier 10.1109/MC.2012.288 0018-9162/$26.00 2012 IEEEThis article has been accepted for publication in Computer but has not yet been fully edited.Some content may change prior to final publication.
faster than normal and disable the functions of a smart-phone.
 D. Malware
Smartphone malware falls in three main categories, virus,trojan, and spyware. Trojan and spyware are the dominantmalware in smartphones [10].Virus emerged in mobile phones as early as 2004. They aretypically disguised as a game, a security patch, or other desir-able applications and are then downloaded to a smartphone.Viruses can spread not only through internet downloads ormemory cards, but they can also spread through Bluetooth.Two Bluetooth viruses have been reported in smartphones:Bluejacking and Bluesnarfing. Bluejacking sends unsolicitedmessages over Bluetooth to Bluetooth-enabled device (limitedrange, usually around 33 feet). Bluesnarfing accesses unau-thorized information in a smartphone through a Bluetoothconnection.Trojan is another type of malware in smartphones. Mosttrojans in smartphones are related to activities such as record-ing calls, instant messages, locating via GPS, forwarding calllogs and other vital data. SMS trojans are one of the largestcategories of mobile malware. It runs in the background of an application and sends SMS messages to a premium rateaccount owned by an attacker. Malware belonging to thiscategory is the HippoSMS. It increases the phone billingcharges of users by sending SMS to premium mobiles andalso blocks messages from service providers to users alertingthem of additional charges.Spywares collect information about users without theirknowledge. Spyware has given rise to many concerns aboutinvasion of users’ privacy. According to Juniper’s 2011 mal-ware report [10], spyware was the dominate of malware whichaffects Android phones. It accounted for 63 percent of thesamples identified in 2011. A concern of Carrier IQ was re-cently raised. A Carrier IQ application is usually pre-installedin a smartphone device and it collects usage data to helpcarriers to make network and service improvements. Mobileoperators, device manufacturers, and application vendors mayneed this usage information to deliver high quality productsand services, however, smartphone subscribers have to beassured what data is being collected and how said data isprocessed and stored. Smartphone subscribers’ privacy needsto be preserved when data is transmitted, processed, andstored.
 E. Threats and attacks
Smartphones are under numerous threats and attacks. Thesethreats and attacks are summarized below.
1) Sniffing:
There are various ways to sniff or tap asmartphone. In 2010, Karsten showed that GSM’s encryptionfunction for call and SMS privacy, A5/1, could be brokenin seconds [11]. All GSM subscribers are at the risk of sniffing attacks. Further, as eavesdropping software continuesto become available and installed in smartphones, smartphonesubscribers with 3G or 4G networks are at risk too.
2) Spam:
Spam can be carried through emails or MMSmessages. Spam messages may include URLs which directusers to phishing or pharming websites. MMS spam can alsobe used for starting denial of service attacks. The number of U.S. spam text messages rose 45 percent last year to 4.5 billionmessages, according to Richi Jennings, an industry analyst.
3) Spoofing:
An attacker may spoof the
“Caller ID”
andpretend to be a trusted party. Researchers also demonstratedhow to spoof MMS messages that appeared to be messagescoming from 611, the number the carriers use to send outalerts or update notifications [12]. Further, base stations couldbe spoofed too.
4) Phishing:
Phishing attack is a way to steal personalinformation, such as user name, password, credit card account,and etc., by masquerading as a trusted party. Many phishingattacks have been recognized in social networking, emails,and MMS messages. For example, many mobile applicationsinclude social sharing and payment buttons. A maliciousapplication can similarly include a “Share on Facebook” buttonand redirect the users to a spoofed target application. Thetarget application can then request the user’s secret credentialsand steal the data.
5) Pharming:
In pharming attacks, attackers can redirectweb traffic in a smartphone to a malicious or bogus website.By collecting the subscriber’s smartphone information, specificattacks may follow after pharming attacks. For example, whena user browses a web site in a smartphone, the HTTP headerusually includes the smartphone’s operating system, browserinformation, and version number. With this information, anattacker may learn the security leaks of the smartphone and isthen able to start specific attacks on the smartphone.
6) Vishing:
Vishing is a short term for
. It is an attack which malicious users try to gain accessto private and financial information from a smartphone user.By spoofing the
“Caller ID”
, the attacker may look like froma trusted party and spoof the smartphone users to release theirpersonal credentials.
7) Data leakage:
Data leakage is the unauthorized trans-mission of personal information or corporate data. It includesboth intentional or unintentional data leakage. Malicious soft-ware may steal persons information such as contact list,location information, bank information and send this data to aremote website. A smartphone owner may be at risk of identitytheft due to the data leakage in the phone. Business owners orclassified users such as government and military users haveeven more concerns about data leakage. ZitMo, a mobileversion of Zeus, has been found in Symbian, BlackBerry andAndroid and could be used to steal one-time passwords sentby banks to authenticate mobile transactions.
8) Vulnerabilities of Webkit engine:
A vulnerability on webbrowsers in smartphones is another usual scenario of attacks.The Webkit engine used by almost all mobile platformshas a certain vulnerability which allows attackers to crashuser applications and execute malicious code. In a recentvulnerability revealed by CrowdStrike, the attackers could usethe Webkit vulnerability to install a remote access tool toeavesdrop on smartphone conversations and monitor the userlocations. The vulnerability has been found in BlackBerry, iOS
Digital Object Indentifier 10.1109/MC.2012.288 0018-9162/$26.00 2012 IEEEThis article has been accepted for publication in Computer but has not yet been fully edited.Some content may change prior to final publication.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->