Exploitation and threat analysis of open mobile devices

Abstract

The increasingly open environment of mobile computing systems such as PDAs and smartphones brings rich applications and services to mobile users. Accompanied with this trend is the growing malicious activities against these mobile systems, such as information leakage, service stealing, and power exhaustion. Besides the threats posed against individual mobile users, these unveiled mobile devices also open the door for more serious damage such as disabling critical public cyber physical systems that are connected to the mobile/wireless infrastructure. The impact of such attacks, however, has not been fully recognized. In this work, we show that mobile devices, even with the state-of-the-art security mechanisms, are still vulnerable to a set of carefully crafted attacks. Taking Linux-based cell-phones as an example, we show that this vulnerability not only makes it possible to attack individual mobile devices such as accessing unauthorized resources, disabling predefined security mechanisms, and diverting phone calls, but also can be exploited to launch distributed denial-of-service attacks against critical public services such as 911. Using the open multi-class queuing network model, we analyze in detail the consequence of these attacks against the 911 service in a large region and also present some unique characteristics of these attacks. We further discuss potential countermeasures that can effectively mitigate or eliminate these attacks.