How an SMS-Based Malware Infection Will Get Throttled by the Wireless Link Roger Piqueras Jover (w. Ilona Murynets) AT&T Security Research Center June.

Presentation transcript:

How an SMS-Based Malware Infection Will Get Throttled by the Wireless Link Roger Piqueras Jover (w. Ilona Murynets) AT&T Security Research Center June 13, 2012 © 2012 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Agenda
SMS-based malware
Related work
SMS over GSM and UMTS
Simulation model
SMS-based malware infection getting throttled by the wireless link
Results

SMS-based Malware
SMS is one of the most popular cellular services, providing millions in revenue to operators.
It is also known for being a common platform for spam, fraud and malware.

SMS-based Malware
Malware infection and spreading:
SMS message with a link to a malicious app
  – Disguised as a game or social app
User installs the app and the phone gets infected
App gains access to the phone's contact book
  – Selects targets to send SMS with link
Infection spreads

Related work
Husted and Myers, LEET'11
  – Direct contact propagation (via Bluetooth).
  – Mild propagation, controllable by lowering susceptibility of population to infections.
Fleizach et al., WORM'07
  – MMS-based malware propagation through cellular.
  – Slower propagation on a mobility network with respect to a wired network.
  – Bottleneck at the link between NodeB and RNC.
  – Assumes wireless signaling and control channel effects are not significant.
Traynor, IEEE Trans Computing'11
  – Wireless link is the main bottleneck when it comes to massive SMS distribution.

SMS Network Architecture

SMS Over GSM
Standalone Dedicated Control Channel (SDCCH)
Shared by all users within one cell/sector
Registration, establishment of authentication and encryption, initial call set-up, etc.
Highly bandwidth-limited
  – Aggregation of 4 logically consecutive time-slots within multi-frame
  – Effective bandwidth of 782 bps

SMS Over UMTS
Random Access Channel (RACH)
Control channel shared by all users within one cell/sector
Registration, establishment of authentication and encryption, initial call set-up, etc.
Contention-based access channel
  – Collisions are possible
  – Collision avoidance and delayed transmission protocol
Similar to Slotted-ALOHA
Throughput  0.45

SMS Over UMTS
Random Access Channel (RACH)
A user willing to transmit waits a certain backoff time and starts a preamble cycle
A slot is randomly selected out of the 15 and also a signature (out of 16 possible) is chosen
A short preamble message is transmitted on the selected slot with probability p and power Pstart
If an ACK message is received on the same slot of the AICH channel containing the same signature…
  – The user gets assigned to transmit data in the following frame (a data message is longer than a preamble and might occupy several slots)

SMS Over UMTS
Random Access Channel (RACH)
A user willing to transmit waits a certain backoff time and starts a preamble cycle
A slot is randomly selected out of the 15 and also a signature (out of 16 possible) is chosen
A short preamble message is transmitted on the selected slot with probability p and power Pstart
If no response is received on the AICH…
  – In the following frame, the same preamble is sent (with probability p) on a new random slot with power Pstart +  dB (power ramping)
  – The user proceeds to listen to the same slot in the AICH
  – If a maximum number of preambles is sent, we go back to the beginning and start a new preamble cycle

SMS Over UMTS
Random Access Channel (RACH)
A user willing to transmit waits a certain backoff time and starts a preamble cycle
A slot is randomly selected out of the 15 and also a signature (out of 16 possible) is chosen
A short preamble message is transmitted on the selected slot with probability p and power Pstart
If a NACK message is received on the AICH…
  – Back to the beginning and start a new preamble cycle
  – If a maximum number of preamble cycles is reached, the call fails (it is what happens when we try to call but it doesn't go through…)
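
The preamble contention described on the three RACH slides above, sketched as a small simulation. This is an added example, not the authors' Matlab RACH model; the loads, p = 0.5 and the give-up limit are assumed values, and power ramping, NACKs and backoff timers are left out.

```python
import random

SLOTS, SIGNATURES = 15, 16   # access slots and preamble signatures per frame (from the slides)

def simulate_rach(arrivals_per_frame, frames, p=0.5, max_attempts=32, seed=1):
    """Return (delivered, dropped, waiting) after `frames` RACH frames.

    Assumptions of this sketch: a preamble is ACKed only when no other user
    picked the same (slot, signature) pair in that frame; a user gives up
    after `max_attempts` unanswered preambles (standing in for the
    preamble-cycle limit).
    """
    rng = random.Random(seed)
    backlog = []                      # preambles sent so far, one entry per waiting user
    delivered = dropped = 0
    for _ in range(frames):
        backlog.extend([0] * arrivals_per_frame)   # new users with an SMS to send
        picks = {}                    # (slot, signature) -> users that chose it
        for user in range(len(backlog)):
            if rng.random() < p:      # transmit this frame with probability p
                backlog[user] += 1
                pair = (rng.randrange(SLOTS), rng.randrange(SIGNATURES))
                picks.setdefault(pair, []).append(user)
        acked = {users[0] for users in picks.values() if len(users) == 1}
        delivered += len(acked)
        still_waiting = []
        for user, attempts in enumerate(backlog):
            if user in acked:
                continue              # ACK on the AICH: data goes out in the next frame
            if attempts >= max_attempts:
                dropped += 1          # access attempt fails
            else:
                still_waiting.append(attempts)
        backlog = still_waiting
    return delivered, dropped, len(backlog)

if __name__ == "__main__":
    for load in (20, 150):            # constructed loads: light and heavy
        print(load, simulate_rach(load, frames=100))
```

At the light load almost every message gets through; at the heavy load colliding preambles pile up, the backlog keeps growing and deliveries fall toward zero.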

Simulation Model
Scenario
Large and dense urban environment (  Washington DC, 68.2 mi²).
Only malware-related SMS traffic (no background traffic)
mobile users
120 cells
Barabasi and Albert network model
  – Contact book size  power-law distribution (80)
  – Contacts distributed in neighboring cells and a couple of other clusters
Malware propagation:
  – SMS with link to a malicious app
  – Prob(user clicks on link and downloads app) = 0.5
  – Infected phone sends SMS to k random contacts every  minutes
    k = 3  ~ exp(40min)

Simulation Model
GSM SDCCH
8 SDCCH channels per cell/sector
  – Constant per cell SMS capacity: 8 SMS/5sec
UMTS RACH
Matlab custom RACH model
3G Access Service Class #4
Simulation time
Slots of 5 seconds

SMS-based malware infection throttled by the wireless link
[Figure: transmitted load vs. input load for GSM, 3G and wired; scale labels Mbps, Kbps and 782 bps]

Results
Number of transmitted messages
Exponential propagation in Wired Scenario
Spreading rate much lower in mobility networks
  – Close to linear spreading in GSM (  8 SMS/5sec)
  – Faster spreading in UMTS
Spreading stops when RACH is clogged
Propagation slows down → RACH congestion level decreases → Propagation continues

Results
Number of queued messages: global (a), one cell (b)
Messages start queuing after  2000 slots of 5 seconds (2.7 hours)
Total SMS network load at the saturation point:
  – 50 SMS/sec
  – Equivalent to 8.3  SMS per second per user
  – Malware message load could be masked by regular user message traffic
Slow increase of queued messages
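
A per-cell fluid model of the spreading and queuing behaviour on the two results slides above, comparing an uncapped (wired) link with the GSM cap of 8 SMS per 5-second slot. This is an added example, not the authors' simulator; it assumes identical cells, one initially infected phone per cell, 5000 users per cell (an assumed value), contacts drawn uniformly from the cell, and the sender's cell as the only bottleneck.

```python
SLOT_S = 5                 # simulation slot length in seconds (from the slides)
K, P_CLICK = 3, 0.5        # SMS per burst and click probability (from the slides)
MEAN_GAP_S = 40 * 60       # mean time between bursts of an infected phone (from the slides)
GSM_CAP = 8                # SMS one cell's SDCCH carries per slot (from the slides)

def spread(slots, users_per_cell=5000, cap=None, seeds=1.0):
    """Return [(infected, queued), ...] for one cell, one entry per slot.

    cap=None models the wired case; users_per_cell and seeds are assumptions.
    """
    infected, queue, history = seeds, 0.0, []
    for _ in range(slots):
        queue += infected * K * SLOT_S / MEAN_GAP_S      # messages generated this slot
        sent = queue if cap is None else min(queue, cap) # the link carries at most `cap`
        queue -= sent
        susceptible = 1.0 - infected / users_per_cell    # share of targets not yet infected
        infected = min(users_per_cell, infected + sent * P_CLICK * susceptible)
        history.append((infected, queue))
    return history

def first_queued_slot(history):
    """Index of the first slot that ends with a backlog, or None if there is none."""
    return next((i for i, (_, q) in enumerate(history) if q > 1e-9), None)

if __name__ == "__main__":
    wired, gsm = spread(3500), spread(3500, cap=GSM_CAP)
    print("queuing starts at slot", first_queued_slot(gsm))
    print("infected per cell after 3500 slots: wired %.0f, GSM %.0f"
          % (wired[-1][0], gsm[-1][0]))
```

Until the cap binds the two curves are identical; afterwards the capped cell gains at most 4 infections per slot while its queue grows.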

Results
Number of queued messages: global (a), one cell (b)
Messages start queuing after  2700 slots of 5 seconds (3.7 hours)
Very fast increase of queued messages
  – RACH saturates and no message goes through
  – (As opposed to GSM's constant throughput of  8 SMS/5 sec)

Results
Number of infected phones
Malware propagation throttled by the wireless link
  – Internet propagation hits all mobile users
  – Infection slows down on UMTS and GSM
  – SMSs generated by malware could potentially saturate the link for other users

Conclusions
Wireless Interface
The wireless link plays an important role in malware modeling over mobility networks
  – Bottleneck of SMS-based malware propagation
No massive outbreak
  – Spreading rate much slower than in wired scenarios (Internet)
    10x slower in GSM
    3x slower in UMTS
Future work
Large scale nation-wide simulation (pool of 100 million users)
Background traffic
New propagation vectors
  – LTE
  – iMessage, WhatsApp, Viber, etc.
Load effects on Core Network

Thanks! Questions?
AT&T Security Research Center
src.att.com