Security Vulnerabilities of Mobile Devices Tutorial in PDF
- What makes mobile devices less vulnerable to malware and Android’s “Verify Apps” security scanner
- Protection provided by sandboxing the apps
- Security provided by over-the-air encryption for cellular communications with a Python implementation of A5/1 cipher
- Side-channel attacks on specialized mobile devices
- Examples of side-channel attacks: fault injection attacks and timing attacks
- Python scripts for demonstrating fault injection and timing attacks
- USB devices as a source of deadly malware
- Mobile IP
Learning the Security Vulnerabilities of Mobile Devices
Mobile technology, such as cellphones, smartphones, smartcards, tablets, navigational devices, memory sticks, etc., has now impacted almost every aspect of daily life. Smartphones used to be mostly used for talking. Still, now they are used for almost everything, including cameras, music players, news readers, email clients, web browsers, navigational aids, banking apps, social media platforms, and, of course, as boarding passes when flying.
It's clear that people often store private and sensitive information on their mobile devices, which in the past would have been kept safe at home, played a role in the justices' decision. Given this modern fact, it's not surprising that people who make and spread malware are focusing more attention on mobile devices.
Malware makers are drawn to mobile devices because they can contain sensitive information that an attacker could use to make money, gain political power, break into a corporate network, etc.
As you might anticipate, many of the attack techniques used on mobile devices are also used on more traditional computing devices like desktops, laptops, etc., with one very significant exception: A non-mobile host is typically directly connected to the internet, unless it is part of a private network, where it is constantly vulnerable to hacking attempts made using software that scans large sections of IP address blocks for vulnerable hosts. That is to say, in addition to targeted attacks involving social engineering and other techniques, a non-mobile host connected to the internet also has to deal with untargeted attacks from cybercriminals looking to find hosts (regardless of location) on which to install their malware.
On the other hand, in most cases, when mobile devices are connected to cellular networks, outsiders can only access them through gateways that the cellphone companies strictly regulate. As a result, it is unlikely that a mobile device you own will be affected by the software used in a fly-by-night attack. It's not surprising that malware infection rates in the mobile OS are lower than in the desktop OS because cellular company gateways, encrypted connections with servers that want your private information, online app stores that check apps for security flaws before making them available to you, and the likelihood that a mobile OS will run apps in a sandbox protect them.
However, just like more conventional computing devices like desktops and laptops, mobile devices are equally susceptible to social engineering attacks. A mobile device could be hacked using common network attacks without social engineering if it has unpatched software with known vulnerabilities. In addition, some more specialized mobile devices, in particular smartcards, may be susceptible to attacks that fall under the umbrella of "side-channel attacks. The effectiveness of these attacks depends on the adversary's ability to physically control a mobile device and subject it to examination that either treats it as a block box and applies various types of inputs, or, if possible, directly examines it at the hardware/circuit level. In 2008, Karsten Nohl demonstrated how he could directly crack the encryption in Mifare smartcards during a Black Hat talk.
Before going on with the rest of this lecture, I'll review some of the most important findings from Google's 2016 Android security report.
After that, I'll talk about sandboxing apps, which is a great way to protect a mobile device from malicious apps.
After that, I'll go over the A5/1 algorithm, which has been widely used in GSM (2G) cellphone networks worldwide for encrypting over-the-air voice and SMS data. One of the best examples of what can happen when people choose to implement security through obscurity is this algorithm. For many years, cellphone providers kept this algorithm a secret. The algorithm eventually leaked, as is almost always true with such things. The algorithm was revealed to have almost no security as soon as it entered the public domain.
Following that, I'll explain what side-channel attacks entail. As previously mentioned in this section, specialized mobile devices, such as smartcards, are especially susceptible to these attacks. I'll provide my Python implementations for some of the more typical types of such attacks to further help clarify how one can construct such attacks.
Finally, I'll talk about a topic that's been getting a lot of attention in the news lately: how easy it is for malware infections to spread through USB devices like memory sticks, and why most anti-virus tools can't find them.
| Level : | Advanced |
| Created : | November 27, 2017 |
| Size : | 407.9 KB |
| File type : | |
| Pages : | 92 |
| Author : | Avinash Kak, Purdue University |
| Downloads : | 10127 |
More eBooks
Tips and tricks for Android devices
Interconnecting Cisco Networking Devices (ccna) Part1
Interconnecting Cisco Networking Devices (ccna) Part2
Mobile Phone Repair and Maintenance
Global System for Mobile Communication (GSM)
Building a mobile application using the Ionic framework
