CHAPTER 3

MOBILE
COMPUTING
SECURITY
 MOBILE COMPUTING
SECURITY
The protection of smartphones, tablets, and
laptops from threats associated with wireless
computing.
It has become increasingly important in mobile
computing.
Global System for Mobile
Communication (GSM)
The Global System for Mobile Communications is a
standard developed by the European Telecommunications
Standards Institute to describe the protocols for second-
generation digital cellular networks used by mobile devices
such as mobile phones and tablets.
GSM Architecture
 The Mobile Station (MS)
The MS consists of the physical
equipment, such as the radio
transceiver, display and digital
signal processors, and the SIM
card.
It provides the air interface to the
user in GSM networks. As such,
other services are also provided.
What is SIM? use padlet-link
 The Base Station Subsystem (BSS)

The BSS is composed of two parts:

The Base Transceiver Station (BTS)
The Base Station Controller (BSC)
 The Base Station Subsystem (BSS)
Base Transreciver Station(BTS)-BTS

It has radio transreciever that define a cell

and are capable of handelling radio link
protocols with MS.
 The Base Station Subsystem (BSS)

Base station controller(BSC)

It manages radio resources for one or

more BTS.
It controls several hundred BTS al are
connected to single MSC.
 Network System (NS)
It handles the switching of GSM calls
between external networks and
indoor BSC2.
It includes three different data bases
for mobility management as

A. HLR (Home Location Register)

B. VLR (Visitor Location Register)
C. AUC (Authentication center)
D. MSC (Mobile Switching Centre)
 Network System (NS)
A. HLR (Home Location Register)

Call roaming and call routing

capabilities of GSM are handled.
It stores all the adminstrative
information of sub scriber registered
in the networks.
 Network System (NS)
B. VLR (Visitor Location Register)

It is a temporary data base.

It stores customer information for
each roaming customer visiting
specific MSC.
 Network System (NS)
C. Authentication center

It is protected database
It maintained authentication keys
and algorithms.
It contain a register called
Equipment Identity Register.
 Network System (NS)
D. Mobile switching center (MSC)

It connects fix networks like

ISDN,PSTN etc.
Following are the functions of MSC
1. Call setup, supervision and relies
2.Collection of billing information
3. Call handling / routing
4. Management of signalling protocol
5. Record of VLR and HLR
 Security Problem with
GSM
While GSM was intended to be a secure
wireless system and considered the user
authentication and over-the-air encryption, it is
completely vulnerable to several attacks, each
of them aiming a part of network.
 Threat of GSM

Classified and explain the threat

according to CIA elements.
Refer to this.
 Security Problem with
GSM
Describe the security problem with GSM
Use mindmeister to show your findings
Malicious Software in
Mobile Computing
Spyware and Madware
Drive-by Downloads
Viruses and Trojans
Mobile Phishing
Browser Exploits
Malicious Software in
Mobile Computing
Spyware and Madware:
Usually finds its way onto a mobile
phone through the installation of a
script or program and often
without the consent of the user.
 Malicious Software in
Mobile Computing
Drive-by Downloads:
If you open the wrong email or visit a
malicious website, you could become the
victim of a form of mobile malware known as
the drive-by download.
Can unleash a range of threats, including
spyware, malware, adware
 Malicious Software in
Mobile Computing
Viruses and Trojans:
Might seem a legitimate application could contain a
virus or trojan ready to attack your mobile phone.
These viruses may have a fairly innocuous payload,
such as changing your phone's wallpaper or changing
the language.
However, most have something much more malicious
in mind like mining for passwords and banking
information.
 Malicious Software in
Mobile Computing
Mobile Phishing:
Mobile phishing takes this tactic one step further
and uses applications to deliver mobile malware.
The user, often unable to tell the difference
between a legitimate application and a fake
application is none the wiser as the fake
application collects account numbers, passwords
and more.
 Malicious Software in
Mobile Computing
Browser Exploits:
There are a number of browser exploits in the wild
that can take full advantage of your browser and
other applications that work within the browser,
such as PDF readers.
Mobile Risk Ecosystem
IS A FRAMEWORK FOR SPECIFYING AND
ENFORCING SECURITY POLICIES.

It describes the entities governed by the policy

It states the rules that constitute the policy.

Mobile Ecosystem: Scale
Mobile Ecosystem: Scale
 Mobile Ecosystem:
Perceived Insecurity

Security risks that related to mobile technology

Software /
OS Insecurity
Outdated
User
Negligence
Giving permission freely
Company
Ownership
China -US issues
Google User
Privacy Issues
Google can ‘control’ your
Android phone remotely
 Mobile Risk Model

Risk Areas

Risk Area 1
Physical Risks

Risk Area 2
Service Risks

Risk Area 3
App Risks
 Mobile Risk Model
Illustration of attack surfaces specific to mobile devices:
 Mobile Hacking
The attackers are easily able to compromise the mobile network
because of various vulnerabilities, the majority of the attacks are
because of the untrusted apps.
Mobile Hacking:
Basic Cellular Network
Functionality

Interoperability Voice Calls

Continuous ability to send and receive

data among the interconnected
networks, providing the quality level
expected by the end user without any
negative impact to the sending and
receiving networks.
Mobile Hacking:
Basic Cellular Network
Functionality
The Control Channels
Manage everything else about the mobile
device’s association, usage, handoff, and
disconnection from the cellular network.
Broadcast Control Channel
Contains information that allows the
mobile device to synchronize and
understand which network it is attaching
to, along with features (like neighboring
cell identities and channel information) of
the network.
Mobile Hacking:
Basic Cellular Network
Functionality

Location Update Voice Mailboxes

Mobile device is letting the GSM network
know which area it’s in
A mechanism for connecting a phone call
to a recording device, saving that
digitized file somewhere, and helpfully
replaying that sound file during another
call
Mobile Hacking:
Basic Cellular Network
Functionality

Short Message Service

A text messaging service component of

most telephone, Internet, and mobile
device systems
 Attacks and
Countermeasure in
Mobile Hacking
Hacking
Mobile
Voicemail
Attack

A hacker calls into a voicemail system

searching for mailboxes that still have the
default passwords active or have
passwords with easily-guessed
combinations, such as "1-2-3-4."
Hacking
Mobile
Voicemail
Countermeasure

Set a voicemail password (of reasonable

complexity), and configure access so that
entering the password is required in all
cases
Rogue Mobile
Devices
Attack

Unauthorized device
They exist for the sole purpose of
stealing sensitive information like credit
card numbers, passwords, and more.
Rogue Mobile
Devices
Countermeasure

Unauthorized device
They exist for the sole purpose of
stealing sensitive information like credit
card numbers, passwords, and more.
Rogue
station
Attack

An attacker station that duplicates a

legitimate base station.
The rogue base station puzzles a set
of subscribers trying to get service
through what they believe to be a
legitimate base station.
Rogue
station
Countermeasure

This issue is about cellular network

authentication, and thus, there is little
that you can do about this as an end-
user.
Organizations can install wireless
intrusion prevention systems to
monitor the radio spectrum for
unauthorized access points
Rogue
Femtocell
Countermeasure

Produce a dependable, open, and

correct method of mutual
authentication between the mobile
stations like your cell phones and the
mobile networks.
Requires somewhat novel decision
making on the part of handset
manufacturers, standards bodies, and
MNOs
Rogue
station
Countermeasure

This issue is about cellular network

authentication, and thus, there is little
that you can do about this as an end-
user.
Organizations can install wireless
intrusion prevention systems to
monitor the radio spectrum for
unauthorized access points
Rogue
Femtocell
Attack

A spoofed femtocell is one approach to

running man-in-the-middle attacks on
mobile networks
 Mobile Phone
Security and
Forensics
Scientific approaches with a focus on recovering
Potential Digital Evidence (PDE) from mobile devices leveraging forensic
techniques.
Mobile Phone
Security
What is?

Practice of defending mobile devices

against a wide range of cyber attack
vectors that threaten users' privacy,
network login credentials, finances, and
safety.
Mobile Device
and Security
Risk
What is?
Practice of defending mobile devices
against a wide range of cyber attack
vectors that threaten users' privacy,
network login credentials, finances, and
safety.
Mobile Device
and Security
Risk
Top Mobile Security Risks/ Threats
1) Data Leakage
2) Unsecured Wi-Fi
3) Network Spoofing
4) Phishing Attacks
5) Spyware
6) Broken Cryptography
7) Improper Session Handling
Google
Android
Security Model
What is?
Android is a multi-process system, in which
each application (and parts of the system) runs
in its own process. Most security between
applications and the system is enforced at the
process level through standard Linux facilities,
such as user and group IDs that are assigned
to applications.
Google Android Security Model
iOS Security
Model
What is?
System security is central to security in iOS. It
makes the hardware and software securely
integrated with each other such that every
component in iOS is secure and trusted.
Window Phone
Security Model
What is?
Built on the concepts of isolation and least
privilege. The device accomplishes that with a
tiered chamber system with varying degrees of
privilege.
Window Phone Security Model
Thank you!