Security Analysis of Mobile Phones

Security Analysis of Mobile Phones Svetlana Panfilova Erasmus Session (2007/2008)

The candidate confirms that the work submitted is their own and the appropriate credit has been given where references have been made to the work of others. I understand that failure to attribute material which is obtained from another source may be considered as plagiarism.

(Signature of student) ____________________________________

Summary

The primary objective of this project was to investigate security threats to mobile telephones and to find countermeasures against them. The findings of the project are used to secure networks in which mobile phones participate. Two case studies describe different situations in which mobile phones are integrated into a network; the possible risks are analysed and countermeasures for these problems are demonstrated. The literature review presents definitions and descriptions of small mobile devices, their operating systems, and wireless communication protocols. The body of the project describes known threats to mobile phones and offers countermeasures to prevent them. Finally, two case studies illustrate the use of mobile phones in real business situations where they are integrated into wireless networks. The case studies show how mobile phones can help customers use the services of a market, for example by easing orientation in shops, or can make patient records available to both doctors and patients at any time. The information obtained from the research on threats to mobile phones and their analysis is used to secure the networks in the conceptual designs of the case studies. The report ends with an analysis of future trends in mobile phone security and a conclusion to the project.


Table of Content

Table of Content ... 3
1 Introduction ... 6
  1.1 Problem Definition ... 6
  1.2 Project Aim and Objectives ... 6
  1.3 Minimum requirements ... 6
  1.4 Methodology ... 7
  1.5 Deliverables ... 7
  1.6 Background reading ... 7
  1.7 Evaluation of product ... 7
    1.7.1 The first case study ... 7
    1.7.2 The second case study ... 8
2 Literature Review ... 11
  2.1 Mobile Device ... 11
    2.1.1 Notebook ... 12
    2.1.2 Personal Digital Assistant (PDA) ... 12
    2.1.3 Smartphone ... 12
    2.1.4 Mobile phone (Cellular Phone) ... 13
    2.1.5 Future of mobile phones ... 13
  2.2 Mobile phones operating systems ... 14
    2.2.1 Symbian OS ... 14
    2.2.2 Windows Mobile ... 16
    2.2.3 Symbian OS versus Windows Mobile ... 17
  2.3 Cellular wireless protocols for communication ... 18
    2.3.1 Circuit switching and packet switching ... 18
    2.3.2 Multiplexing ... 19
      2.3.2.1 Time Division Multiplexing ... 19
      2.3.2.2 Frequency Division Multiplexing ... 20
      2.3.2.3 Code Division Multiplexing ... 20
    2.3.3 GSM ... 21
    2.3.4 GPRS ... 22
    2.3.5 UMTS ... 22
  2.4 Wireless data transfer protocols ... 24
    2.4.1 WLAN ... 24
      2.4.1.1 Wireless Network Topologies ... 24
        2.4.1.1.1 Infrastructure modus ... 24
        2.4.1.1.2 Ad-hoc-Modus (Peer-to-Peer Workgroup) ... 25
        2.4.1.1.3 Data Link Layer and Physical layer ... 25
          HR-DSSS (High Rate Direct sequence spread spectrum) ... 26
          OFDM (Orthogonal frequency division multiplexing) ... 26
      2.4.1.2 Wi-Fi System ... 27
        2.4.1.2.1 802.11a ... 27
        2.4.1.2.2 802.11b ... 27
        2.4.1.2.3 802.11g ... 27
        2.4.1.2.4 802.11i ... 28
    2.4.2 Bluetooth ... 28
      2.4.2.1 System architecture ... 28
        2.4.2.1.1 Piconet ... 29
        2.4.2.1.2 Scatternet ... 29
      2.4.2.2 Bluetooth protocol stack ... 29
        2.4.2.2.1 The OSI Model ... 30
        2.4.2.2.2 Bluetooth Protocols ... 30
    2.4.3 Infrared ... 31
    2.4.4 WiMAX ... 32
    2.4.5 Analysis of Wireless Protocols ... 34
3 Malicious Programs ... 37
  3.1 General definition of malware ... 37
  3.2 Viruses ... 37
  3.3 Worms ... 37
  3.4 Trojan Horses ... 38
  3.5 Spyware ... 38
  3.6 Hoax ... 38
4 Known mobile Malware ... 39
  4.1 Viruses ... 39
    4.1.1 WinCE.Duts ... 39
    4.1.2 Cxover ... 39
  4.2 Worms ... 40
    4.2.1 Beselo ... 40
    4.2.2 HatiHati ... 40
  4.3 Trojan Horses ... 40
    4.3.1 Redbrowser ... 40
    4.3.2 Blankfont ... 41
    4.3.3 Bootton ... 41
  4.4 Spyware ... 41
    4.4.1 FlexiSpy ... 41
    4.4.2 Mopofeli ... 42
5 Attacks ... 43
  5.1 Definition of an attack ... 43
  5.1 Sniffing ... 43
  5.2 Spoofing ... 43
  5.3 Denial of service ... 44
  5.4 Man in the middle attack ... 44
  5.5 Vulnerability Scanning ... 45
  5.6 Network Enumeration ... 45
  5.7 Attacks on People ... 46
6 Known security vulnerabilities of mobile devices ... 47
  6.1 Bluetooth attacks on mobile phones ... 47
    6.1.1 BlueSnarfing: (Sniffing) ... 47
    6.1.2 BlueBugging: (Spoofing) ... 48
    6.1.3 Bluetooth DoS attacks ... 49
    6.1.4 BlueJacking ... 50
    6.1.5 BlueChop ... 50
  6.2 WLAN Attacks ... 50
    6.2.1 Rogue Access Points: (Man in the middle attack) ... 50
    6.2.2 Wireless Zero Configuration ... 50
    6.2.3 War Driving ... 51
7 Current security problems in wireless networks ... 52
  7.1 WLAN weaknesses ... 52
    7.1.1 WEP encryption weakness ... 52
    7.1.2 WEP – CRC 32 weakness ... 54
    7.1.3 Short Initialization Vector ... 54
  7.2 Bluetooth weaknesses ... 54
    7.2.1 Encryption ... 54
    7.2.2 Random number generator ... 55
    7.2.3 Unit key ... 55
    7.2.4 Key length ... 55
    7.2.5 PIN – Code ... 56
    7.2.6 Driver exploits ... 56
  7.3 Weaknesses in operation systems ... 56
  7.4 Weaknesses of mobile internet ... 56
8 Countermeasures against vulnerabilities in mobile devices ... 58
  8.1 Countermeasures for WLAN ... 58
    8.1.1 WPA ... 58
      8.1.1.1 Encryption ... 59
      8.1.1.2 Extensible Authentication Protocol (EAP) ... 59
      8.1.1.3 Preshared key (PSK) Authentication ... 60
    8.1.2 WPA 2 ... 61
  8.2 Countermeasures for Bluetooth ... 62
  8.3 Virtual private network (VPN) ... 62
  8.4 Securing the network and operating systems ... 63
    8.4.1 Antivirus Programs ... 64
    8.4.2 Firewalls ... 64
  8.5 Overview of security countermeasures ... 65
9 Evaluation ... 66
  9.1 Evaluation of solutions ... 66
    9.1.1 Evaluation criteria ... 66
    9.1.2 A case study – “An electronic market” ... 66
      9.1.2.1 Actual state ... 66
      9.1.2.2 Requirements ... 67
      9.1.2.3 Solution ... 67
    9.1.3 A case study – “A hospital” ... 72
      9.1.3.1 Actual state ... 72
      9.1.3.2 Requirements ... 73
      9.1.3.3 Solution ... 74
  9.2 Evaluation of the project ... 80
  9.3 Future work ... 81
10 Conclusion ... 82
Bibliography ... 84
Appendix A: Project Experience ... 87
Appendix B: Interim Report ... 88


1 Introduction

This project describes mobile phones in general and especially their security issues. Firstly, mobile devices and mobile phones are illustrated and some important definitions are explained. Secondly, two leading operating systems for small mobile devices are described. Thirdly, the main wireless protocols are presented, some of which are used for voice transfer and others for data transmission. In the following chapters the existing malware and attacks are demonstrated and possible countermeasures against them are identified. The main goal of this project is to identify mobile phone vulnerabilities and how these threats can be avoided. In the last part of the project two different case studies illustrate how mobile phones and other small mobile devices could be used and integrated into existing networks. The security risks of this integration are analysed and protection against them is provided.

1.1 Problem Definition

Mobile telephony offers people a convenient way to communicate with each other and to access the internet and other networks. The number of mobile subscribers overtook the number of people with landlines in 2002. By the end of 2008, more than half of the world’s population is expected to have access to mobile phones. Mobile phones will enable users to be more mobile and to do more of their daily work on the move. In spite of these conveniences, wireless communication brings new threats. Communication via Bluetooth and wireless LAN relies on radio waves whose spread cannot be controlled, which facilitates attacks on the confidentiality and integrity of the transmitted data. Because mobile phones are becoming more like personal computers, they are able to execute software, which makes them vulnerable to viruses and other malware. The amount of malware grows from day to day. This could cause huge economic damage to mobile phone owners and to companies whose mobile devices have access to corporate networks. To prevent these threats, thorough knowledge of the threats is required, as is a well-planned security policy for the usage of mobile devices as well as for wireless network deployment.

1.2 Project Aim and Objectives

The aim of the project work is to point out the current security issues of mobile phones. The project will focus on security risks and find solutions to avoid them. Moreover, security problems that could appear in the future will be analysed. The solutions that have been found will be used to secure different kinds of wireless networks that are used by modern mobile devices. These solutions are described in the project work in two case studies with complex applications for mobile phones and other small mobile devices that use wireless communication protocols.

1.3 Minimum requirements

The first minimum requirement of this work is to determine the security problems of mobile phones and to find solutions for these problems. The second requirement is to prepare the conceptual design for two case studies where mobile phones are utilised, and to apply the known security solutions to secure the wireless networks that these mobile phones use.

1.4 Methodology

Research methods in this project work are specified as follows:
• Identification of possible security threats
• Study of relevant research papers and books about the security of mobile phones and wireless networks
• Determining solutions against known and future security vulnerabilities
• Use of the identified solutions to secure networks in two case studies where mobile phones are integrated.

1.5 Deliverables

The following list details the deliverables for the project.
• Project report
• Case studies representing the solutions found in the project work

1.6 Background reading

1. Mobile devices
2. Mobile Operating Systems
3. Cellular communication protocols for voice transmission
4. Wireless communication protocols for data transfer
5. Vulnerabilities in mobile phones and countermeasures against these threats
6. Security solutions for mobile computing

1.7 Evaluation of product

The product of this project work is a security analysis of wireless networks and two case studies.

1.7.1 The first case study

The first case study, “An electronic market”, describes improved technology for customer service, where mobile phones are used to navigate customers to the equipment they need and to provide information about electronic devices on the phone. People are very busy in the modern world, so this case study aims to help people save time while shopping and at the same time to raise the shop’s profit. The new navigation system lets customers reach the desired equipment in a few minutes, as instructions are given via the mobile phone. On the way to the desired product, a customer receives news about special offers or newly delivered goods. To keep the information about the equipment found, a user can scan a bar code placed on the equipment. If a price label has been lost, bar code scanning helps here as well and saves the time spent looking for a shop assistant. To make the service more convenient, a Bluetooth printer is provided in the shop to put information from the mobile phone onto paper. The advantage of the presented solution is that customers can find the equipment they need and pay for it while on the move. In addition to the conceptual design of the case study, security techniques were set up to gain the trust of customers.

The case study illustrated here can be implemented for any electronic market or similar shop anywhere in the world. All technologies used in the solution are described in the project work; they are available now and have been implemented before. The described solution combines different methods introduced in the project work. Nothing used is specific to a country. The necessary hardware (for example a Bluetooth access point or a Bluetooth printer) is relatively cheap and can be bought in any computer shop.

The following components must be paid for to realise the solution “An electronic market”: firstly, the implementation of two applications for mobile phones, one for navigating a customer in the shop and a second for displaying information about available products; then the creation of two databases, one for the shop’s map and one for the products’ data. The applications for mobile phones should be programmed in Java ME, which guarantees that the Java application runs on every small mobile device independent of its operating system (Symbian, Windows Mobile etc.). One application is also needed for the shop server: it lets mobile phones download the Java application and displays information about the items sent from the database. The server software can be implemented in any language.

The communication between the shop server and the Java application on a mobile phone takes place at the seventh layer, the application layer, of the OSI protocol stack. Below it lie the Bluetooth protocols (Figure 12 in section 2.4.2.2.2 Bluetooth Protocols). Bluetooth is discussed here because the shop is equipped with Bluetooth access points. The Bluetooth protocol stack offers a ready TCP/IP implementation, the same as in WLAN and wired LAN systems. Thus only a new application layer needs to be implemented; the rest of what the Bluetooth protocol stack makes available can be kept.

The cost of developing the illustrated solution is low. Investing in the implementation of the shop application is worthwhile, since the program is written once and can then be used by further shops. Additional equipment is needed for this purpose: several access points, a server etc. The monthly support of the access points and the server and the administration of database updates are part of the cost as well; nevertheless, these belong to the normal daily routine of any shop and do not cost much.

The next main point is compatibility of devices. Compatibility between the users’ mobile phones and the Bluetooth access points should be ensured by testing the establishment of connections between these devices. Because small mobile devices and access points communicate via Bluetooth and this equipment is available on the market, it should cause no problems.

Security settings must not be forgotten here. If people’s mobile phones contain viruses, they cannot be dangerous for the server because it runs a different operating system. Future viruses may exist that are executable independent of the operating system, so an antivirus program should be installed. To guard against hacker access to the shop server, a firewall must be placed on the server. To protect the market LAN against any attacks, a demilitarised zone (DMZ) should be established.

1.7.2 The second case study The second case study “A hospital” describes the extension of a hospital network using small mobile devices for achieving a higher quality of medical service, treatment for patients, and convenient access for medical staff to the patient data. The advanced network system enables 8

doctors to access patients data which is placed on the central hospital’s database server with PDAs via wireless LAN. It reduces the work of a doctor as he does not need to waste time writing prescriptions first on paper, then entering the same prescriptions into the computer. After typing a prescription on PDA, it will be sent wirelessly to the central database. The PDA is also helpful for downloading patient’s records needed by doctors from the server. The nurses must be equipped with PDAs or mobile phones too: firstly, for recalling patient data or entering changes in the state of health of a patient, secondly for arriving a nurse at any time making calls. After visiting a family doctor, patients store their medical records on mobile phone sent from the personal computer of a doctor via Bluetooth. A common format for saving medical data which can be read both on small mobile devices and on personal computers should be developed. There is one condition: it may not be changed by a patient on a mobile phone. After being discharged from hospital, a patient can also send his data in this common format to the doctor in case it will be needed. In addition to mobile phones, the utilisation of the protocol WiMAX and tracking of medical devices are of importance here. WiMAX is used for the transmission of images between several hospitals in an emergency. The connection speed of WiMAX allows sending real time video to the next hospitals so the difficult operation of a patient can be controlled by a specialist. Sometimes, some medical devices should be found in a short time. For this purpose, special locating software must be implemented and used on the PC platform. The hospital wireless network is secured against eavesdropping while a virtual private network is applied. The sending and receiving of data on PDAs happens inside a virtual private network (VPN) to prevent unauthorised access to the hospital’s database. 
The medical staff uses the 802.11a standard WLAN (5 GHz) on their mobile devices to communicate with a server. For patients and their visitors the 802.11b/g standard WLAN (2.4 GHz) was set up to offer an access to the external internet. Two different frequencies were chosen with a goal to avoid interferences and to distinguish the network equipment between two roles: staff and patient. Both networks are additionally secured with WPA2 against eavesdropping. The patients, after being discharged from hospital, should transport their data to a doctor. The web portal for discharged patients is placed in a demilitarized zone to secure the portal’s server and hospitals LAN against attacks. The hospital’s LAN is separated by firewall from the portal’s server. The patients can transport their medical records on mobile phone from a family doctor to hospital. In this case, the medical records must be protected against change signed by the private key of a family doctor. The record is readable on mobile phones. However, if something is changed, the hash value will produce a data signature different from the original one. For the realisation of this case study the following requirements must be implemented: At first several WLAN (802.11a and 802.11b/g) access points must be installed on the territory of a hospital. An Access Point can cover a distance of 300 m or less outside of a building so the Access Points should be placed with 250 m distant from each other. Inside the building the range of WLAN connection decreases highly up to 30 m. The devices for WLAN are widely available and they are easy to buy and because of their high availability, they are relatively cheap. For communication via WiMAX an antenna must be installed on the top of the hospital. The WiMAX antennas also should be placed on neighbouring hospitals. The hospitals must be at a distance from each other of no further than 20 km. 
If the distance between the buildings is more than 20 km, relay stations are needed, which adds cost; in that case other solutions such as the ordinary Internet or satellite communication should be considered. Some workplaces must be equipped with Bluetooth adapters so that patients can send their records from their mobile phones to the doctor's personal computer. For doctors and nurses, PDAs (for example the Symbol MC70) should be bought which provide WLAN (standard 802.11a) according to the conceptual design of the case study. The workplaces of medical staff need WLAN network cards of the same 802.11a standard, because the 802.11b/g standard is not compatible with 802.11a. To protect PDAs against theft and unauthorised access, the connection to the hospital network is deactivated after the device has not been used for several minutes; a login screen then asks for the username and password again before the connection is re-established. Additionally, an application for the PDAs must be implemented which communicates with the hospital's database to download and display patient records, prescribe the required medicines, order the permitted menu and so on. Special software must be developed for mobile phones on which the patient's medical data is stored in the common format required for mobile devices as well as for personal computers. This application should be written in Java (Java ME) so that it runs on as many phones as possible. A server is also needed which gives patients access to the web portal for sending their data after they have been discharged from hospital. For this purpose another Java application for mobile phones is required which lets users work offline, i.e. prepare their data for transmission offline and only then set up a connection to the web portal. An application for real-time videoconferencing via WiMAX could be implemented in-house, but this raises the cost. The WiMAX protocol stack contains a TCP/IP implementation; above TCP/IP one can use an application protocol such as H.323 or SIP (Session Initiation Protocol, widely used for setting up and tearing down multimedia sessions such as voice and video calls over the Internet), or an own application-layer protocol can be developed.
To save money, hospitals can buy existing applications for communication via WiMAX. The same applies to software for tracking medical devices (sleep diagnostics, pulse oximeters, patient monitors): implement or buy. This software is beneficial because it sends a patient's measured data (cardiogram, blood pressure etc.) directly to a database or to a special station. As the description above shows, the application giving doctors and nurses access to the hospital network is complex. Compared to the first case study, more time and investment is needed to produce the new systems for medical staff. Nevertheless, the new programs and wireless access to the hospital's network will improve life in the hospital so much that the investment still pays off.
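As an added example (not code from the thesis), the following Python script shows the signing and verification step required above for a record carried on the patient's phone: the family doctor's PC signs, the phone only stores, the hospital verifies. It assumes a Lamport one-time signature built from SHA-256 in place of the doctor's real RSA/ECDSA key, so that it runs with the standard library only; the record content, the field names and the canonical-JSON encoding are assumptions as well.

```python
"""Tamper-evident medical record for the hospital case study.

Added example, not code from the thesis.  Assumption: a Lamport one-time
signature over SHA-256 (standard library only) stands in for the doctor's
RSA/ECDSA key.  A real deployment would use an established scheme plus a
certificate binding the key to the doctor, and must never reuse a Lamport key.
"""
import hashlib
import hmac
import json
import secrets

HASH_BITS = 256  # SHA-256 output size: one preimage pair per hash bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_keypair():
    """Private key: 256 pairs of random preimages; public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub


def canonical(record: dict) -> bytes:
    """Canonical JSON so PC and phone hash identical bytes for the same data."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def _hash_bits(record: dict):
    digest = int.from_bytes(sha256(canonical(record)), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(record: dict, priv) -> list:
    """Reveal, for each hash bit, the preimage matching that bit's value."""
    return [priv[i][bit] for i, bit in enumerate(_hash_bits(record))]


def verify(record: dict, signature: list, pub) -> bool:
    """True only if every revealed preimage hashes to the published value for
    the bit the *current* record hashes to; any change flips bits and fails."""
    if len(signature) != HASH_BITS:
        return False
    ok = True
    for i, bit in enumerate(_hash_bits(record)):
        # check every position (no early exit) so timing does not leak where it failed
        ok &= hmac.compare_digest(sha256(signature[i]), pub[i][bit])
    return ok


# Constructed sample record (assumed field names, not real patient data)
RECORD = {
    "patient_id": "P-0001",
    "issued": "2008-03-14",
    "diagnosis": "hypertension",
    "prescription": [{"drug": "ramipril", "dose_mg": 5, "per_day": 1}],
}


def demo():
    """Sign on the doctor's PC, then verify an untouched, a tampered and a
    re-serialised copy.  Returns (untouched_ok, tampered_ok, reordered_ok)."""
    priv, pub = generate_keypair()
    sig = sign(RECORD, priv)
    untouched = dict(RECORD)                        # what the phone forwards
    tampered = json.loads(json.dumps(RECORD))       # deep copy
    tampered["prescription"][0]["dose_mg"] = 50     # patient edits the dose
    reordered = dict(reversed(list(RECORD.items())))  # same data, other key order
    return verify(untouched, sig, pub), verify(tampered, sig, pub), verify(reordered, sig, pub)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The important design point is the canonical encoding: the phone and the hospital must hash byte-for-byte the same representation, otherwise a harmless re-serialisation on the phone would look like tampering. The signature is detached, so the record stays readable on any phone that cannot verify it; only the hospital needs the doctor's public key.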


2 Literature Review This chapter describes the different types of existing mobile devices, widespread operating systems for mobile phones, available cellular protocols for making calls and wireless protocols for data transfer. The aim of this chapter is to equip the reader with the basic background knowledge needed to understand the following sections.

2.1 Mobile Device A "mobile device" is a piece of hardware which is able to execute computing operations and to communicate with other mobile and wired devices while being moved. People are increasingly on the move today and, with the proliferation of notebooks, PDAs, smartphones and mobile phones, this means that an increasing number of networked devices are also on the move. To be on the move and always reachable is the meaning of mobility. Many devices can be called "mobile devices"; they differ in size, functionality and computing power. The existing mobile devices can be classified into the following groups:
• Notebooks
• Personal Digital Assistants (PDAs)
• Smartphones
• Mobile Phones (Cellular Phones)

Figure 1 "Mobile devices in relation to size and computing power" The smaller the devices are, the more mobile they become; but besides their small size, they also have less computing power (Figure 1).

On the one hand there are simple mobile phones which offer little computing power and run only simple applications; however, their computing power is enough to run and spread malware. On the other hand there are notebooks, so big and bulky that it is almost impossible to use them as a mobile device. The focus of this diploma thesis is mobile phones with enough computing power to implement safeguards against malware; fortunately, most existing mobile phones fulfil this requirement. The individual groups of mobile devices are described in the following sections:

2.1.1 Notebook A notebook is a portable personal computer. Notebooks have the same hardware components as desktop computers; these components are only smaller, more robust and optimised for mobile usage. Notebooks run the same applications as desktop computers; this is the difference from PDAs (Personal Digital Assistants), smartphones and mobile phones, which need a special operating system and software. The first notebooks were equipped with big cathode ray tube (CRT) displays and were therefore somewhat uncomfortable for mobile usage; later, with the development of liquid crystal displays (LCD), they became smaller and more comfortable.

2.1.2 Personal Digital Assistant (PDA) A PDA is a small portable computer roughly 10 x 20 cm in size. Its display is touch-sensitive, so one interacts with a PDA using a pen called a stylus; most PDAs can recognise handwriting entered with the stylus. They have some buttons for fast access to important programs, and some PDAs have a small built-in keyboard with a layout similar to that of a desktop PC. PDAs have a specific operating system such as Windows Mobile, made for PDAs to support the stylus and to operate on a small display. The main applications for PDAs are PIM (Personal Information Management) applications, similar to Microsoft Outlook or Lotus Notes on PCs: calendar, address book and to-do list belong to PIM. They also have reduced office applications (Word Mobile and Excel Mobile) and online applications (web browser and e-mail). Many other programs, such as games or GPS (Global Positioning System) navigation software, can be downloaded from the Internet. Some PDAs possess a GSM (Global System for Mobile communications) module so they can make calls via cellular networks, and they have Bluetooth, infrared and wireless LAN modules to connect to desktop PCs or the Internet.

2.1.3 Smartphone A smartphone is intended first of all for voice communication and mobile entertainment, and only then for working with information (mail, the Internet, documents etc.). Hence one can think of a smartphone as PDA + mobile phone. Compared to PDAs, the smartphones of this period typically have no touchscreen and only a numeric keypad. Smartphones balance the two aspects of size and computing power: this is the class of medium size and medium computing power. Smartphones have operating systems with their own file system, multitasking and a huge selection of software for many purposes.

The common applications for smartphones are PIM, online and office applications, camera and MP3 player.

2.1.4 Mobile phone (Cellular Phone) A mobile phone is a portable telephone that allows mobile wireless communication. It is also called a "cellular phone"; the name comes from the division of the network's coverage area into cells. Each cell is served by its own base-station antenna, which communicates with the mobile phones in its area. The main purpose of mobile phones is to make calls. Today mobile phones are able to run various kinds of applications:
• Personal Information Management (PIM): calendar, address book, reminders, notes
• Telephone applications: telephone, quick-dialling list, phone book
• Online applications: web browser and e-mail
• Photography: photo and video software
• Multimedia applications: voice recording or music and video player
• Games

2.1.5 Future of mobile phones Today a cell phone can take and send pictures, even video. It is possible to send text messages, download ringtones and games, even watch television and do some web browsing. The services available now could not have been imagined by most people 10 years ago. With future generations of mobile protocols, data can be transferred at rates of several megabits per second, which will transform the mobile phone into a multimedia centre. All of this is going to lead to a point where there is no real line between a mobile phone and a PDA, a photo camera or an MP3 player. One British research company predicts that in three years about 125 million people will be watching TV on their mobile device. In Japan a wrist videophone is available with which one can watch all manner of television, download and listen to music and browse the Web freely. With new technologies it will be possible to play games against someone on the opposite continent with real-time action and improved 3-D graphics, and the cell phone will be able to act as a GPS (Global Positioning System) unit too. Researchers hope that the 4G system will reach a much higher connection speed, up to 100 Mbit/s, with tighter network security and better quality for both voice and video calls. Via mobile phones, many things such as security systems or the surveillance of certain items could be handled easily. 4G should also bring truly smooth video transmission, as good as "real" television. The size and appearance of mobile phones also play an important role for the mobile phone industry: nowadays many mobile phones are very fashionable and colourful, and as for size, concepts such as wrist phones and mini-sized phones exist. Battery life is going to be vital for the successful implementation of 3.5G and 4G too.
Along with the development of mobile phones, the operating system (OS) and software development for the phones will also be a big challenge. The mobile phone market will not only be contested by mobile phone manufacturers (hardware manufacturers); software companies such as Microsoft, Palm and Symbian will also compete in the mobile phone market, creating more and more new products and ideas. The original plan of NTT DoCoMo (Japan) was to introduce 4G in Japan in 2012, but that process has been brought forward; depending on its success, it is possible that 4G will be in effect globally by 2009. 4G will allow users to be connected simultaneously to several different wireless access technologies and to move between them seamlessly to obtain the most efficient signal.

2.2 Mobile phone operating systems The most widespread operating systems for mobile devices today are Windows CE (Pocket PC, Windows Mobile), Symbian OS, Palm OS and Linux. Windows Mobile is usually used on PDAs, and Symbian is the dominant operating system for smartphones and mobile phones. Palm OS, Linux, Mac OS X, Qualcomm's BREW and SavaJe have much smaller shares in the area of mobile devices. The design of operating systems for mobile phones is similar to the design of desktop operating systems.

2.2.1 Symbian OS Symbian OS is an operating system for mobile devices, first shipped in 2001 and produced by Symbian Ltd, which was formed in 1998 as a partnership between Ericsson, Nokia, Motorola and Psion. This operating system [30] runs exclusively on ARM (Advanced RISC Machines) processors. Symbian is the leading OS in the mobile device market: statistics published in February 2007 showed that Symbian OS had a 67% market share, Microsoft 14% through Windows Mobile and RIM (the operating system of BlackBerry phones) 7%. Design patterns are used at all levels, from applications (plug-ins to the application framework) to device drivers (plug-ins to the kernel-side device-driver framework), and especially for hardware adaptation-layer interfaces. All applications have a graphical user interface (GUI); only servers have no user interface. All user interactions are captured as events that are made available to applications through the event queue. Specific mechanisms, such as the microkernel design described below, are aimed at improving the robustness of the OS, and streams and stores are used for persistent data storage. The Symbian OS system model is split into the following layers (Figure 2): hardware, kernel services, base services, OS services, Java (runtime environment) and application services. In Figure 2 the first four layers (hardware, kernel services, base services and OS services) correspond to the OS kernel, Java to the runtime environment and application services to the middleware layer.


Figure 2 "Symbian software platform" [27] (layer diagram, reproduced here as a list):
• Application Services: applications (calendar, contacts), messaging (SMS, MMS, e-mail), Java ME environment, application framework (user interface, texts, graphic tools)
• OS Services: personal area networking (Bluetooth, IrDA, USB), multimedia (pictures, sounds), communication (TCP, HTTP, WAP)
• Base Services: libraries, file server, security (cryptography, certificates), telephony (GSM, GPRS, HSCSD, EDGE)
• Kernel Services: kernel, device drivers
• Hardware

Symbian OS has a microkernel architecture, which means that the kernel's responsibilities are reduced to an essential minimum to improve robustness, availability and responsiveness; it contains a scheduler, memory management and device drivers. The Kernel Services layer includes the core kernel services (e.g. memory management, process management and power management) as well as the device drivers and kernel extensions. The Base Services layer is the lowest level reachable by user-side operations; it includes the file server and user library, telephony services, the plug-in framework, store, central repository, DBMS (database management system) and cryptographic services. Other services such as graphics, PC connectivity (Bluetooth, IrDA and USB), networking and multimedia support are placed in the OS Services layer. The application services provide middleware functionality to manage user data. Symbian provides an API (application programming interface) that allows programmers to leverage this functionality and incorporate it into their applications; these services are personal information management, messaging, browsing and data synchronisation. Symbian OS is designed to emphasise compatibility with other devices, especially removable media file systems (e.g. memory cards such as Secure Digital (SD) cards or MultiMediaCards (MMC)).
There is a large networking and communication subsystem with three main servers: ETEL (EPOC telephony), ESOCK (EPOC sockets) for TCP/IP connections and C32 (responsible for serial communication such as IrDA or USB). All Symbian applications are built from three classes defined by the application architecture: an application class, a document class and an application user interface class. Once developed, Symbian OS applications are packaged in files with the SIS extension, which may be installed over the air, via PC connection, via Bluetooth or from memory cards. Mobile devices with Symbian OS are able to communicate with desktop PCs: data backup, conversion of documents between PC application formats and Symbian OS formats, and synchronisation of desktop PCs with Symbian OS devices at home and at work. These requirements were considered in the creation of Symbian OS [27]. Of the mobile platforms, Symbian has been the most frequent target of viruses and the most vulnerable to them. Usually the viruses send themselves from phone to phone via Bluetooth. None of them has exploited a flaw in Symbian OS; instead, they have all asked the user whether they would like to install the software, so user consent rather than a software vulnerability is the weak point they rely on. The new version 9.x of Symbian OS introduces Platform Security, which older Symbian versions lack. Symbian is able to detect unauthorised access to hardware, attempts to read or write restricted data, etc. Capabilities protect the APIs (application programming interfaces) that give access to confidential user data, change the network configuration or use network services such as Bluetooth connections to other phones; an application must be granted the corresponding capability at installation, and capabilities beyond the basic user-grantable ones require the application to be signed.

2.2.2 Windows Mobile Windows Mobile is an operating system combined with a suite of basic applications for mobile devices, based on the Microsoft Win32 API. It is designed to be similar to the desktop versions of Windows. Originally appearing as the Pocket PC 2000 operating system, Windows Mobile has been updated several times; the current version is called Windows Mobile 6. Windows Mobile [30] runs on multiple hardware platforms including Pocket PCs, mobile phones, Portable Media Centers and automotive applications. Pocket PC 2000, released in April 2000, was based on Windows CE 3.0 and was intended basically for Pocket PC devices; the single resolution supported by this release was 240x320 (QVGA, Quarter Video Graphics Array), and the supported removable storage cards were CompactFlash (CF) and MultiMediaCard (MMC). Pocket PC 2002 (released in October 2001) was the first version also used on smartphones. Windows Mobile 2003 (released on 23 June 2003) was the first release under the name Windows Mobile. The next version, Windows Mobile 5.0, was released in May 2005, based on Windows CE 5.0 and using the .NET Compact Framework 1.0. The latest version of the platform, Windows Mobile 6, was released on 12 February 2007 and is available in three editions: "Windows Mobile 6 Standard" for mobile phones without touchscreens, "Windows Mobile 6 Professional" for Pocket PCs with phone functionality and "Windows Mobile 6 Classic" for Pocket PCs with touchscreen but without a cellular radio. Windows Mobile supports the following standard features in most of its versions:
• A customisable home screen showing the current date, owner information, upcoming appointments, e-mails and tasks
• Office Mobile, including Word Mobile, Excel Mobile and PowerPoint Mobile. These versions include many of the features of the desktop versions; ActiveSync can convert desktop versions of files to Office Mobile compatible versions.
• Outlook Mobile with POP3 (Post Office Protocol version 3) and IMAP4 (Internet Message Access Protocol version 4) access
• Windows Media Player supporting music and video files
• Client for PPTP VPNs (Point-to-Point Tunneling Protocol virtual private networks)
• VoIP (Internet calling)
• Enhanced Microsoft Bluetooth stack
• Storage card encryption (the encryption keys are lost if the device is cold-booted)
The chart in Figure 3 illustrates the most important components of the Windows Mobile operating system. The HAL (Hardware Abstraction Layer) provides functionality to simplify porting the OS across heterogeneous devices; this layer includes device drivers, bus map and interrupt management [8]. The kernel provides the core OS functionality, including virtual memory management, exception handling, process and thread management, scheduling, executable loading, synchronisation, initialisation, process switching and memory-mapped file management. The OS services provide key OS components such as communication and networking support, multimedia, graphics, device management, object store and registry. Microsoft provides tools which allow developers to customise the OS services as part of the operating system kernel [27]. The application and services layer provides middleware services as well as frameworks to assist in the development of applications. This component provides services to access

directory services and leverage message queuing, as well as component frameworks to standardise application development.

Figure 3 "Windows Mobile software platform" [27] (layer diagram, reproduced here as a list):
• Application Services: component services, message queuing, user interface, desktop
• OS Services: multimedia, device management, graphic system, device manager, networking
• Kernel: memory, threads, exceptions, synchronisation
• Hardware Abstraction Layer (HAL): drivers, bus map, interrupts
• Hardware

Additionally, Windows Mobile devices use a combination of security policies, roles and certificates. Security policies provide the flexibility to control the level of security on the device, and application execution is based on permissions. Windows Mobile devices have a two-tier permission model. Applications running at the privileged level have the highest permissions: they can call any API, write to protected areas of the registry and have full access to system files. Most applications run at the normal level: they cannot call trusted APIs, write to protected areas of the registry, write to system files or install certificates in protected stores. A blocked application does not run at all; an application can be blocked because it is not signed with an appropriate certificate, because the user blocks it after being prompted, and so on. Executables and DLLs (dynamic link libraries: executable files that let programs share code and other resources) are signed and validated against the certificates in the device's privileged or unprivileged certificate store. When a mobile device is lost or stolen, the potential security risk is significant: mobile devices often contain sensitive business data, including personal information of employees and customers, sensitive e-mail messages and other items that could have a negative impact on the business [30]. Wiping the device (a full data delete), locally or remotely, has the effect of a factory or "hard" reset: all programs, data and user-specific settings are removed from the device. A local wipe is triggered on a device with device lock enforced if a user enters the PIN incorrectly more than a specified number of times. A remote wipe occurs when the administrator issues an explicit wipe command through the Exchange ActiveSync management interface; it only takes effect when the device next contacts the server, so for a stolen device kept offline the local PIN-attempt limit and storage card encryption are the fallback.
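The idle timeout required for the hospital PDAs in the case study (connection dropped and login repeated after some minutes without use) and the Windows Mobile device-lock rule above (too many wrong PINs trigger a local wipe) are two halves of the same policy. As an added example, not code from the thesis or from Windows Mobile, here is that policy in Python; the five-minute timeout, the eight-attempt wipe threshold, the PBKDF2 PIN hashing and the caller-supplied timestamps are assumptions made for the illustration.

```python
"""Device-lock policy for a staff PDA: idle timeout forces re-authentication
and drops the network session; repeated wrong PINs wipe the device.

Added example, not from the thesis or Windows Mobile.  Assumed parameters:
5-minute idle timeout, 8 PIN attempts, PBKDF2 for the stored PIN hash.
Timestamps are passed in by the caller so the policy is testable without a clock.
"""
import hashlib
import hmac
import secrets

IDLE_TIMEOUT_S = 5 * 60      # assumed hospital policy
MAX_PIN_ATTEMPTS = 8         # assumed hospital policy
PBKDF2_ROUNDS = 10_000       # kept low for the example; raise in production


class DeviceLock:
    def __init__(self, pin: str, idle_timeout=IDLE_TIMEOUT_S, max_attempts=MAX_PIN_ATTEMPTS):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)      # the PIN itself is never stored
        self.idle_timeout = idle_timeout
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.locked = True                    # a fresh device starts locked
        self.network_connected = False        # VPN/WLAN session to the hospital
        self.wiped = False
        self._last_activity = None

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)

    def lock(self):
        """Lock the screen and tear down the network session."""
        self.locked = True
        self.network_connected = False

    def wipe(self):
        """Local 'hard reset': credentials and data are gone for good."""
        self.wiped = True
        self._pin_hash = None
        self.lock()

    def activity(self, now: float) -> bool:
        """Called on every user interaction; returns True if the device is usable."""
        if self.wiped:
            return False
        if not self.locked and now - self._last_activity >= self.idle_timeout:
            self.lock()                       # idle too long: re-authenticate
        if not self.locked:
            self._last_activity = now
        return not self.locked

    def unlock(self, pin: str, now: float) -> bool:
        """Check the PIN; every wrong PIN counts towards the wipe threshold."""
        if self.wiped:
            return False
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failed_attempts = 0          # success resets the counter
            self.locked = False
            self.network_connected = True
            self._last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.wipe()
        return False


def demo():
    """Walk through timeout and wipe; returns the observed states in order."""
    dev = DeviceLock("4711")
    t = 0.0
    before = dev.activity(t)                  # False: still locked
    for _ in range(7):
        dev.unlock("0000", t)                 # 7 wrong PINs: not yet wiped
    survived = not dev.wiped
    logged_in = dev.unlock("4711", t)         # True, and the counter resets
    active = dev.activity(t + 100)            # True: within the timeout
    timed_out = dev.activity(t + 100 + 301)   # False: re-locked, VPN dropped
    for _ in range(8):
        dev.unlock("0000", t + 500)           # 8 wrong PINs: wiped
    return before, survived, logged_in, active, timed_out, dev.wiped, dev.unlock("4711", t + 600)


if __name__ == "__main__":
    print(demo())  # (False, True, True, True, False, True, False)
```

Two details matter in practice: the failure counter is reset only by a successful unlock, so an attacker cannot "refresh" the budget by waiting, and locking always drops the network session, so a PDA picked up after the timeout cannot keep using a still-open VPN tunnel into the hospital database.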

2.2.3 Symbian OS versus Windows Mobile Symbian OS is customised specially for smartphones and cellular phones and provides additional functionality such as calendar, tasks and e-mail. Windows Mobile (belonging to the Windows CE family) was originally developed for handheld devices, provides a look and feel similar to its desktop counterpart and provides functionality to synchronise personal data and e-mails with PC applications. Symbian OS was the first platform to provide advanced functionality for cell phones, and it is widely used, especially in Europe. Windows Mobile (Windows CE) has been developed from the PDA world and therefore offers an extensive collection of software titles. It provides a powerful programming environment that includes threads, memory management and networking. The Windows Mobile application API is compatible with existing Windows operating systems such as Windows XP; as a result, porting applications across operating systems is simple. Windows Mobile provides support for remote device management, including remote application configuration (Windows Mobile Start Service). One of the key strengths of Windows Mobile is its seamless integration with existing PC-based productivity applications such as Microsoft Outlook [8]. The strength of Symbian OS is the security of the device: Symbian OS uses code signing to protect critical device functions, and only signed programs with the corresponding rights can access important system functions. Microsoft offers business customers per-device security policies that have been tested in practice; even the installation of third-party applications can be prohibited. Most consumer devices are configured more loosely, but because the policy differs from device to device, it cannot be guaranteed that a given application can be installed on every device. That is a major problem for a developer of Windows Mobile applications, who cannot guarantee that the software will run on every device. Symbian developers do not need to worry about device security policies at all; their only problem is the "Symbian Signed" platform. In the past it often took too long to certify every program. This problem is solved now, but it shows the weakness of the concept: an overloaded portal blocks developers from the system. The good idea of distributing certificates fails because of poor accessibility and long waiting times, and in this way Symbian blocks the distribution of programs made by independent developers. Windows Mobile programmers of free software do not have to care about this, since most devices on the market do not require certificates.

2.3 Cellular wireless protocols for communication A cellular radio network supports mobility: the user can make calls from anywhere within the coverage area of the network, including while moving. The cellular network is a radio network consisting of a number of radio cells (or a single cell). Each cell is served by a fixed transmitter, better known as a base station [30]. Each mobile phone uses a separate, temporary radio channel to interact with the cell site, and the cell site interacts with many mobile phones at once, using one channel per mobile phone. A channel uses a pair of frequencies: one (the forward link) for transmitting from the cell site to the mobile and one (the reverse link) on which the cell site receives from the user. As soon as the subscriber moves into another cell, he comes under the control of another base station, which allocates him a frequency different from the first; this frees the frequency used in the original cell. In this chapter the basic principles of the protocols GSM, GPRS and UMTS, all based on the cellular principle of communication, are described.

2.3.1 Circuit switching and packet switching Mobile data networks have special equipment located at the base stations to separate voice and data traffic into different network pathways. A basic technical difference between mobile data networks is whether they are circuit-switched or packet-switched. All analogue and early 2G (GSM) digital cellular networks provide circuit-switched data services; newer technologies such as 2.5G (GPRS) and 3G (UMTS) networks also offer packet-switched service. Here are the two basic definitions:
• Circuit-switched: a type of network that temporarily creates an actual physical path between the parties while they are communicating.
• Packet-switched: a type of network in which small discrete units of data are routed through the network based on the address contained within each packet.
Circuit-switched data services are like using a landline phone and a modem to connect to the Internet: first you dial a phone number to establish a connection, and once connected the line remains open until the session is over and the customer decides to terminate the call. Circuit-switched services are usually charged by the amount of time the customer remains connected to the network, which means that a long call with very little data traffic costs more than a brief session in which a lot of data is transferred. Packet-based data services are sometimes called "always-on" connections, because the data is transmitted in separate packets rather than over a single continuous connection between the two ends. As a result, a mobile phone can send and receive data in discrete amounts without maintaining a constant connection with the network. This eliminates the need to establish a dedicated circuit, which means that more users can share the data channel. The packets of data in each burst find their proper destination by means of the address information they contain. Packet-switched services are typically billed by the quantity of data a customer transmits and receives, usually measured in kilobytes or megabytes [11].

2.3.2 Multiplexing Within a cell, mobile operators want as many customers as possible to use the network. They achieve this by using multiple access technology, which allows the available spectrum to be shared between several users. Analogue systems usually separate conversations by subdividing the spectrum into narrow frequency bands and by using directional transceivers at the base station. Digital systems additionally divide each frequency into time slots, or encode the transmissions so that more than one can use the same airwaves at the same time [10].
2.3.2.1 Time Division Multiplexing Time Division Multiple Access (TDMA): a channel is sliced into several individual timeslots. The speech captured by the microphone of a mobile phone is digitally sampled and then sliced into tiny fragments that are assigned to one or more of these timeslots. Other mobile phones within the cell may share the channel but get their own timeslots in the multiplexed signal. This is done extremely rapidly by a microprocessor, and some multiplex systems are based on eight or more timeslots, which means that up to eight separate telephone calls can be supported simultaneously on each paired channel [11].


Figure 4 "Illustration of the TDMA concept"
2.3.2.2 Frequency Division Multiplexing Frequency Division Multiple Access (FDMA) divides the available frequency band into sub-bands, each of which constitutes a communication channel and can be used by one or more users. The channel is identified by the centre frequency of its band. Examples include broadcast radio, TV and analogue cellular networks. Digital cellular systems also use FDMA, but combine it with other multiplexing schemes [11].

Figure 5 "Illustration of the FDMA concept"
2.3.2.3 Code Division Multiplexing With Wideband Code Division Multiple Access (WCDMA) all channels use the whole bandwidth at the same time; the channels are separated by the codes used to encode the information. The coding algorithms generate codes with a low probability of detection and a low probability of interception; two different channels use orthogonal codes, and the radio signal produced by a transmitter resembles noise. One illustration of this kind of coding is a reception at an embassy where all the guests speak simultaneously, and only the two individuals speaking the same language (their own code) understand each other and ignore the others [11].

Figure 6 "Illustration of the WCDMA concept"
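To make the orthogonal-code idea concrete, here is an added example in Python (not from the thesis) that builds Walsh-Hadamard codes, spreads three users' bits onto the same chip stream and recovers each user's bits by correlation. The 8-chip code length, the bit patterns and the absence of scrambling codes, power control and channel noise are simplifications of WCDMA chosen for the illustration.

```python
"""Code division multiplexing with orthogonal Walsh-Hadamard codes: every
user sends over the whole band at the same time, and a receiver recovers
one user's bits by correlating the summed signal with that user's code.

Added example, not from the thesis.  Real WCDMA adds scrambling codes, power
control, channel coding and pulse shaping, which are left out here.
"""


def walsh_codes(n):
    """Rows of the order-n Hadamard matrix (n a power of two), chips in {+1,-1}.
    Any two distinct rows are orthogonal: their dot product is 0."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-x for x in row] for row in h]
    return h


def correlation(a, b):
    return sum(x * y for x, y in zip(a, b))


def spread(bits, code):
    """Map bit 1 -> +1, 0 -> -1 and multiply each symbol by the code chips."""
    chips = []
    for b in bits:
        sym = 1 if b else -1
        chips.extend(sym * c for c in code)
    return chips


def combine(*streams):
    """Superpose all users' chip streams: this is what the air interface carries."""
    if len({len(s) for s in streams}) != 1:
        raise ValueError("chip streams must be aligned")
    return [sum(chips) for chips in zip(*streams)]


def despread(signal, code):
    """Correlate each symbol period with the code; the sign gives the bit.
    A zero correlation means this code carries nothing (reported as None)."""
    n = len(code)
    out = []
    for i in range(0, len(signal), n):
        corr = correlation(signal[i:i + n], code)
        out.append(None if corr == 0 else int(corr > 0))
    return out


# Constructed data: three users sharing one 8-chip Walsh code family
CODES = walsh_codes(8)
USERS = {
    "A": ([1, 0, 1, 1], CODES[1]),
    "B": ([0, 0, 1, 0], CODES[2]),
    "C": ([1, 1, 0, 0], CODES[5]),
}


def demo():
    """Transmit all users at once, then decode with each user's own code and
    with an unused code of the same family (the guest who knows no language)."""
    air = combine(*(spread(bits, code) for bits, code in USERS.values()))
    recovered = {name: despread(air, code) for name, (bits, code) in USERS.items()}
    recovered["unused"] = despread(air, CODES[7])   # orthogonal to all: nothing
    return recovered


if __name__ == "__main__":
    print(demo())
```

Because the codes are orthogonal, the cross-terms from the other users cancel exactly in the correlation and only the wanted user's symbol survives, scaled by the code length. With a code that does not belong to the family (or with a timing offset) the cross-terms no longer cancel and the other users appear as interference, which is why real systems need synchronisation and power control.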

2.3.3 GSM The abbreviation GSM means Global System for Mobile Communication. It allows the transmission of voice and data on mobile phones. GSM is connection-oriented; its data service is the CSD (Circuit Switched Data) standard. The GSM system works with a combination of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access). FDMA splits the available frequency range into 124 carrier frequency channels of 200 kHz each. If multiple users accessed the same channel at will, collisions among users would occur; to avoid this, each channel is split into eight timeslots (traffic channels, TCH) with TDMA. Neighbouring base stations must use different frequency channels to avoid interference [5]; only beyond a certain guard distance can the same frequency be reused. A GSM phone never transmits and receives at the same instant: it sends in one timeslot and receives in another, so the radio works in a half-duplex manner. The GSM protocol consists of the traffic channel (B-channel) and the signalling channel (D-channel). The traffic channel carries up to 22.8 kbit/s from the mobile to the base station, but part of this rate is used for error-correction redundancy: only 13 kbit/s are used for coded voice, and user data is sent at 9.6 kbit/s. To increase the transmission rate, TDMA timeslots can be bundled, which means a user gets more time for sending data [6]. Both data transfer protocols GPRS and HSCSD, described in the next sections, use this technique as well. On the one hand it raises the data rate, but on the other hand bundling reduces the availability of the network: if one user takes six of the eight slots, for example, only two remain for everyone else. One of the most interesting innovations of GSM is that the subscriber's data is not held in the mobile phone itself; instead, a subscriber identity module (SIM) card, a so-called smart card, is used.
The SIM, inserted in the phone, enables a user to set up a connection to the network and to communicate with it. SIM cards store the user's authentication data and the encryption algorithms responsible for providing legitimate access to the GSM network [16].


The security architecture of GSM guarantees secure authentication of a user, provides protection for the mobile stations against cloning and other fraud methods, and provides strong encryption of confidential calls.

2.3.4 GPRS

Although second-generation (2G) GSM networks successfully offered high-quality wireless voice services, GSM networks were not optimized for high-speed data. 2G GSM networks were entirely circuit switched and expensive. In the late 1990s, GSM operators developed a new specification for high-speed wireless data called General Packet Radio Services (GPRS). It represents an extension of the GSM standard, allowing data transmission in packet mode and providing higher throughput compared with the circuit-switched mode. GPRS achieves greater bandwidth by using many slots in parallel. This protocol is only used for data transfer, not for making calls. GPRS is an “always-on” service, which means that the customer does not have to dial up their service provider each time the mobile phone is transmitting or receiving data [5]. Users pay only for the volume of transmitted data, not for the time of connection. Therefore, a GPRS device can hold a permanent connection to the Internet. This makes mobile surfing via WAP convenient, because a WAP page is only about one Kbyte on average. It allows the user to check e-mail at any time and look up, for example, share prices. To get the high speed, GPRS uses two methods: multiple timeslots and coding of transmission data with less error correction. There are four coding schemes for data transfer, which differ in speed. The first coding scheme, CS1, has the same rate as the GSM protocol (9.6 Kbit/s), and the fastest one (CS4) reaches 21.4 Kbit/s. The higher the speed, the less the user data is checked [7]. The connection is established between the base station and the mobile phone. During the connection setup, the coding scheme and the timeslots are negotiated between the mobile phone and the base station. The coding scheme is determined by means of the error rate during the communication. The more interference there is, the more error correction is used.
From this, it follows that more checksums and less user data are transmitted. In this case, one takes the smaller coding scheme with more error correction and less user data. The maximum one can get is therefore (eight timeslots with CS4) 171.2 Kbit/s. If other users use the same base station, some timeslots are given away and the transmission speed decreases. GPRS uses the Internet for sending packets, so to get a secure connection one should use a VPN (virtual private network) [16].

2.3.5 UMTS

UMTS stands for Universal Mobile Telecommunications System. The Third Generation Partnership Project (3GPP) developed UMTS as a new generation of mobile phone standard and technology after 2G. Like GSM, UMTS is used for both transmission of data and voice. The major difference between the GSM/GPRS and the UMTS architecture, however, is the removal of the circuit-switched domain. In the new architecture, there is just a single IP-based packet-switched core network, over which all services are provided. The UMTS transfer rate depends on the speed at which the user is moving. The UMTS protocol allows data transfer rates up to 2 MBit/s if the user does not move. When the user moves slowly, the data rate is decreased to 384 Kbit/s. While moving very fast (for example in a car) the transfer rate drops to 128 Kbit/s.

UMTS is packet oriented like GPRS. The user only pays for the amount of data, so that the UMTS mobile phone can always be connected to the network. The advantage of UMTS is the high speed for sending and receiving data. However, this protocol has a disadvantage: UMTS coverage is not available everywhere. If a UMTS customer travels to an area without UMTS coverage, a UMTS phone will automatically switch to GSM and the call will be handed off to the available GSM coverage transparently for the user [7]. UMTS also defines a new standard for SIM cards, different from GSM. A normal GSM SIM card can also be used in a UMTS mobile phone. However, the new USIM cards, called Universal SIM cards, have more memory for personal and network data. UMTS phones are able to use both SIM cards and USIM cards. The UMTS network reuses some parts of the GSM technology: some parts of the user authentication, data and call switching, and the billing of connection fees. GSM and UMTS networks use different frequencies for data transmission. From this it follows that UMTS needs different base stations and another Radio Network Controller (RNC). The RNC decides whether a cell change is required for a moving user. A base station covers three cells with its signals. It is responsible for all its cells and their routing, and assigns the codes for the WCDMA channels [4]. A UMTS cell can serve four times more users than a GSM cell. UMTS cells are able to change their size depending on the number of users in the cell, and thus the speed of data transfer increases: the smaller the cell, the more bandwidth is available for a single user. To send the data, UMTS uses WCDMA (Wideband Code Division Multiple Access), a higher speed transmission protocol, with Frequency Division Duplex (FDD). Two 5 MHz wide bands are used to send and receive data. If two users use the same frequency, different codes are assigned to the users.
FDD is suited to symmetrical data transfer (like phone calls) and to cells with a big coverage area [8].

Figure 7 "Three generations of mobile networks" [8] (timeline: First Generation, analog technology, voice over circuit switch, 1986-2000; Second Generation, GSM 1992, HSCSD 1999, GPRS 2001, voice/data over circuit switch; EDGE 2002, data/Internet over IP; Third Generation, UMTS 2003, all over IP)


2.4. Wireless data transfer protocols

Wireless transmission is now a commonplace method of data communication for mobile phones, wireless PDAs, text pagers and, most importantly, wireless LANs.

2.4.1 WLAN

Wireless Local Area Networks (WLANs) are a strongly emerging complement to cellular communication. WLAN is a short-range, high bit rate and easy-to-use radio access technology. It is used to replace wired LANs. In practice, a synonym for WLAN is the standard IEEE 802.11. The first release of the standard “802.11” was accepted in June 1997 and consisted of a specification for the Medium Access Control (MAC) layer and three different physical layers (PHYs): frequency hopping, Direct Sequence Spread Spectrum (DSSS) and infrared [7]. Radio PHYs operate in the 2.4 GHz unlicensed ISM (Industrial, Scientific, and Medical) band, which is available globally, and give up to 2 Mbps. The MAC layer is robust and elegant; it is easy to operate and works reliably even in interfering environments. No frequency planning or other radio-related parameters need to be set before use, although larger areas with a number of access points operate more efficiently when some engineering effort is spent [1]. The IEEE 802.11 standard from 1997 supports two types of wireless media in the PHY: radio and infrared optical signals. The range of coverage of infrared optical signals is much smaller than that of radio waves. Most wireless LANs use radio-frequency waves as the wireless medium. The frequency spectrum in WLAN is spread over 79 channels, each of them 1 MHz wide. The CCK (Complementary Code Keying) and OFDM (Orthogonal Frequency Division Multiplex) technologies are used for data transfer in wireless LANs today. The current WLAN standards allow data transfer rates between 11 and 54 Mbit/s; some standards use the 5 GHz frequency range [18].

2.4.1.1 Wireless Network Topologies

A desktop PC or a mobile device with a wireless network interface card (NIC) is called a “station” in WLAN terminology. The wireless network interface card turns a device like a mobile phone, PDA, notebook or desktop computer into a wireless station and enables the device to communicate with other stations in a peer-to-peer network or with an access point. The wireless devices operate in either the 2.4 GHz band or the 5 GHz band. Regardless of exactly how the computers are interconnected, wired or wireless, each is an equal or “peer” and can share the files and peripherals of the others. This type of network is the low-cost solution for sharing resources like files, applications and peripherals, in particular for small businesses doing routine word processing, spreadsheets and accounting [12]. Multiple computers can even share an external cable or Digital Subscriber Line (DSL) modem, allowing them to access the Internet at the same time. An 802.11 wireless network adapter can operate in two modes: ad-hoc and infrastructure. In infrastructure mode, all traffic passes through a wireless ‘access point’. In ad-hoc mode, computers communicate directly with each other and do not need an access point at all.

2.4.1.1.1 Infrastructure mode

There are five major topologies in wired networks, including Bus, Ring, Star, Tree, and Mesh topology; however, only the star and mesh topologies are used in a wireless environment.


The star topology, which happens to be in widest use today, describes a network in which there is one central base station or Access Point (AP) for communication. This mode provides connectivity for wireless nodes, communicating with them through an antenna. The information packets are transmitted by the originating node, received by the central station and routed to the proper wireless destination node [3]. In infrastructure mode, the access point transforms the radio data into Ethernet data and mediates between the wireless clients and the LAN. Mobile devices leaving the area of the first access point arrive in the area of the second. This happens without losing the connection. Access points offer a large coverage range; outdoors without obstacles the coverage is up to some hundred meters. Doors and walls limit the range. An additional antenna or a second access point can counteract these obstacles.

Figure 8 "Infrastructure mode"

2.4.1.1.2 Ad-hoc mode (Peer-to-Peer Workgroup)

A low-cost method to connect a few mobile devices is the mesh topology (ad-hoc mode). The ad-hoc mode is a slightly different type of network architecture than the star topology; the main difference is that there is no centralized base station. Each node that is in range of another can communicate with it freely. This configuration has no access point and hence is cheaper. Ad-hoc mode allows a small wireless workgroup to be set up in a short period of time for exchanging files or using printers. Some providers call ad-hoc networks peer-to-peer networks. Every node sends and receives directly as long as all stations are in the reception area. Disadvantages are the short range and the disconnections that can appear between clients. If the clients lose the connection, the transfer will be lost; however, an additional antenna can solve this problem.

Figure 8 "Ad-hoc mode"

2.4.1.1.3 Data Link Layer and Physical layer

The IEEE 802.11 standard defines four physical coding schemes for WLANs. Their aim is to transmit data over the air without errors. Collisions between two transmitters should be avoided too. The 802.11 specifications concentrate on the two lowest layers of the OSI model: the data link layer and the physical layer. The data link layer in 802.11 protocols is split into two sublayers: the MAC sublayer and the LLC sublayer. The MAC (Medium Access Control) sublayer is a set of rules that determine how to send data and how to access the wireless medium. Located directly above the MAC sublayer is the LLC (Logical Link Control) sublayer. The LLC sublayer makes the various 802 standards indistinguishable to the network layer. The LLC sublayer takes care of error control, framing, and MAC-sublayer addressing. The physical layer (called PHY) of the OSI model transmits raw bits over a communication channel.

Figure 9 "WLAN protocol stack"

Part of the PHY layer of today's protocols (802.11a and 802.11b/g) as defined by the standard are two different types of radio frequency (RF) communication modulation schemes: OFDM and HR-DSSS.

HR-DSSS (High Rate Direct Sequence Spread Spectrum)

One of the most used WLAN technologies is defined in IEEE 802.11b. The standard was completed in 1999 and a wide range of products has existed since 2001. It allows the wireless transmission of approximately 11 Mbps of raw data in the unlicensed 2.4 GHz frequency band at distances from tens up to a hundred meters [1]. Nowadays most wireless LAN installations use the standard 802.11b, which is also the basis for Wi-Fi certification from the Wireless Ethernet Compatibility Alliance (WECA). The Alliance established the label "Wi-Fi certified" to guarantee consumers that products will interoperate with other products displaying the same label [15]. The problem with this technology is unsatisfactory security. In the past, some tremendous errors have been identified in Wired Equivalent Privacy (WEP), which is supposed to secure WLAN communication but does not deliver what its name implies.

OFDM (Orthogonal Frequency Division Multiplexing)

802.11g is an extension to 802.11b. The 802.11g task group aimed to develop a higher speed extension (up to 54 Mbps) compared to the 802.11b PHY, while operating in the same 2.4 GHz band. 802.11g implements all mandatory elements of the IEEE 802.11b PHY standard. For example, an 802.11b user will be able to connect with an 802.11b access point and operate at data rates up to 11 Mbps. In early 2002, the 802.11g task group decided to use OFDM instead of DSSS as the basis for providing the higher data rate extensions. DSSS (Direct-sequence spread spectrum) operated in the ISM band at 2.4 GHz and offered bit rates up to 11 Mbps. A big issue with 802.11g, which also applies to 802.11b, is radio frequency (RF) interference from other 2.4 GHz devices, such as the newer cordless phones [1].

2.4.1.2 Wi-Fi System

The 802.11 standard is defined through several specifications of WLANs. It defines an over-the-air interface between a wireless client and a base station or between two wireless clients. Wi-Fi is an abbreviation of wireless fidelity, owned by the Wi-Fi Alliance and used to establish the IEEE 802.11 family of technical standards developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless LANs. The Alliance puts considerable effort into testing and certifying equipment as being compliant with the 802.11 family of technical standards. The aim of the testing and certification initiative is to ensure that “Wi-Fi” equipped computers and handheld devices will work with any other terminal, access point or base station that calls itself Wi-Fi compatible. Unlike wired Ethernet, 802.11 does not adhere to one unique standard that is compatible with all vendor devices. In corporate environments, it is necessary to use equipment that follows the 802.11 standard without any proprietary features that cause incompatibility. The 802.11 standard used only one MAC protocol, but existed within three physical layers (PHY):

• Frequency hopping (1 Mbps)
• Direct sequence (1-2 Mbps)
• Diffuse infrared

All these physical layers were completely distinct and incompatible with each other. Because of this problem, the Wi-Fi certification was established [15].

2.4.1.2.1 802.11a

Because the physical layer of this specification involves the 5 GHz band, it is becoming the common replacement for the widely distributed 802.11b. It uses eight available radio channels. In some countries it is possible to use 12 channels. 802.11a allows a high throughput of 54 Mbps per channel. The greatest user throughput is about half of this value, because throughput is shared among all users who are currently transmitting data on a given radio channel. The data rate decreases proportionally as the distance between the user and the radio access point increases [15].

2.4.1.2.2 802.11b

This is the most commonly used 802.11 standard. It has a physical layer standard that functions in the 2.4 GHz band, using three radio channels. The highest link rate is 11 Mbps for each available channel. The greatest user throughput is about half of this value, since the throughput is actually shared by all users working on each radio channel, and the data rate decreases proportionally as the distance between the user and the access point increases. 802.11 wireless installations may experience significant problems at maximum speed as the number of active users increases, and the limit of three radio channels may cause interference with other access points within the WLAN [15].

2.4.1.2.3 802.11g

The 802.11g standard uses the orthogonal frequency division multiplexing (OFDM) modulation scheme; however, for backward compatibility, it can also work with the more commonly used 802.11b devices by supporting complementary code keying (CCK) and packet binary convolution coding (PBCC) modulation. 802.11g offers speeds in the same range as 802.11a as well as backward compatibility; however, the modulation issues include unresolved problems between key vendors whose support is divided between the OFDM and PBCC modulation schemes. The ultimate compromise is the adoption of support for 802.11b’s CCK modulation so that 802.11g will ultimately support all three types of modulation. The advantage is that vendors can build dual mode devices that function in both 2.4 GHz and 5 GHz and use OFDM for both modes to cut costs. 802.11g provides a maximal transfer rate of up to 54 Mbps [16].

2.4.1.2.4 802.11i

802.11i is an enhancement to the IEEE 802.11 standard specifying security mechanisms for wireless networks. This standard supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) was introduced by the Wi-Fi Alliance as an intermediate solution to the WEP insecurities. WPA implemented a subset of 802.11i. The full implementation of 802.11i is called WPA2. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 (Rivest Cipher 4) stream cipher, the most widely used software stream cipher. The 802.11i architecture contains the following components: 802.1X for authentication (entailing the use of the Extensible Authentication Protocol (EAP) and an authentication server), Robust Security Network (RSN) for keeping track of associations, and AES-based Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) to provide confidentiality, integrity and origin authentication [16].
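An added example, not from the thesis, illustrating why the stream-cipher design the section contrasts with CCMP is fragile: a pure-Python RC4 with a WEP-style 3-byte IV prepended to the key, a monitoring check that flags IV reuse across captured frames, and the birthday estimate of how soon a 24-bit IV space repeats. Keys, IVs and frames are constructed, and the CRC-32 ICV of real WEP is omitted.

```python
import math

IV_LEN = 3                       # WEP used a 24-bit per-frame IV, sent in clear
IV_SPACE = 2 ** (8 * IV_LEN)     # 16,777,216 possible IVs per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` RC4 keystream bytes (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP framing: keystream derived from IV||key, IV prepended in clear."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def find_iv_reuse(frames) -> list:
    """Defender-side check over a capture: IVs that occur in more than one frame."""
    counts = {}
    for frame in frames:
        iv = frame[:IV_LEN]
        counts[iv] = counts.get(iv, 0) + 1
    return sorted(iv for iv, n in counts.items() if n > 1)


def body_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two frame bodies: with a reused keystream this equals the XOR of the
    plaintexts, which is why per-frame keystream uniqueness is essential."""
    n = min(len(frame_a), len(frame_b)) - IV_LEN
    return xor_bytes(frame_a[IV_LEN:IV_LEN + n], frame_b[IV_LEN:IV_LEN + n])


def frames_until_reuse(probability: float = 0.5) -> int:
    """Birthday estimate: number of frames after which an IV repeat is this likely."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"            # constructed 40-bit key
    iv = b"\x00\x00\x2a"                     # constructed IV, deliberately reused
    p1, p2 = b"hello world", b"HELLO WORLD"
    f1, f2 = encrypt_frame(key, iv, p1), encrypt_frame(key, iv, p2)
    print("reused IVs:", find_iv_reuse([f1, f2]))
    print("body XOR equals plaintext XOR:", body_xor(f1, f2) == xor_bytes(p1, p2))
    print("frames for a 50% chance of IV reuse:", frames_until_reuse())
```

CCMP avoids this by construction: AES in counter mode with a 48-bit packet number that never repeats under one key, plus an authentication tag that rejects modified frames.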

2.4.2 Bluetooth

Bluetooth is a specification for short-range wireless communication. It was created in part through the cooperation of several companies including Ericsson, Nokia, Intel, IBM and Toshiba, which formed the Bluetooth Special Interest Group (SIG) in 1999. Since then, several thousand companies have signed on to make Bluetooth the low-power short-range wireless standard for a wide range of devices. Bluetooth is intended to connect mobile phones, computers, PDAs, and peripherals like printers, headsets, displays, etc. This technology also aims to simplify data synchronization between networked devices and other computers. In addition to data, up to three voice channels are available. Connections can be point-to-point or multipoint, with a typical range of 10 meters. Data can be exchanged at a rate of 1 Mbps (up to 2 Mbps is anticipated for second-generation Bluetooth devices). Bluetooth provides built-in encryption and verification but, not unlike 802.11b, additional security on top of this may be required [31].

2.4.2.1 System architecture

Bluetooth communication, like 802.11 communication, occurs in the unlicensed frequency band of 2.4 GHz with 79 channels (1 MHz spectrum each). The communication channel can provide both limited-range transmission of digital voice (synchronous) and data transmission between mobile devices (notebooks, PDAs, phones, etc.) and desktop devices (asynchronous). There are three classes of Bluetooth radio transceivers:

Power class 1: maximum power of 100 mW with a range of up to 100 m.
Power class 2: maximum power of 2.5 mW with a range of 10 m.
Power class 3: maximum power of 1 mW with a range of between 1 and 2 m.

Unlike wireless LAN, Bluetooth devices consume less power because of special energy-saving modes (sniff, park and hold mode), and power control is defined within the Bluetooth protocol. Bluetooth can send data at up to 64 Kbps. This is slower than a typical 802.11b or 802.11g WiFi standard. Today a new version 2.0 of Bluetooth is used, which offers much higher data rates (up to 3 Mbps).

The establishment of a Bluetooth connection consists of two steps: inquiry and paging. With inquiry, the mobile device searches for other devices in the near area. When some are found, their addresses and timings are saved. The paging procedure establishes the connection. The initiator becomes the master and defines the channel and the hopping sequence [9].

2.4.2.1.1 Piconet

Bluetooth devices can communicate with a single or multiple Bluetooth devices in several different ways. The simplest constellation is when only two devices are involved. This is called point-to-point. One of the devices must be a master and the other is a slave. This ad-hoc network is referred to as a piconet or personal area network (PAN). A maximum of eight devices can be involved in a Bluetooth piconet, a structure called point-to-multipoint, because each of the active slaves has an assigned 3-bit Active Member address (AM_ADDR) [30]. There is no direct transmission between slaves in a Bluetooth piconet; transmission is only between a master and a slave. The communication within a piconet is organized so that the master polls each slave. A slave is only allowed to transmit after the master has polled it. The slave will then start its transmission in the slave-to-master time slot immediately following the packet received from the master.

2.4.2.1.2 Scatternet

When two piconets overlap and link to each other, they form a scatternet. A scatternet can be built out of two to ten piconets. A Bluetooth device can be a member of multiple piconets in a scatternet, but it can be a master in only one piconet. In Figure 11, mobile device L is a master in its own piconet, but is a slave in the piconet with the master M.

Figure 10 "Possible topologies of networked Bluetooth devices": a) single-slave piconet, b) multi-slave piconet, c) scatternet formed from three piconets (devices M, L and K)

All devices in one piconet share the same channel. The channel used for communication changes with every hop. Every piconet in a scatternet gets a different hopping sequence, which should avoid interference problems between piconets [32].

2.4.2.2 Bluetooth protocol stack

The Bluetooth protocol stack is different from any known standard protocol stack such as ISO, IEEE, or TCP/IP.


OSI stack (top to bottom): 7 Application Layer, 6 Presentation Layer, 5 Session Layer, 4 Transport Layer, 3 Network Layer, 2 Data Link Layer, 1 Physical Layer

Bluetooth stack (top to bottom): Applications; SDP, BNEP, RFCOMM, CMTP; L2CAP; HCI; Link Manager Protocol; Baseband; Bluetooth Radio

2.4.2.2.1 The OSI Model

The physical layer (PHY) contains the actual physical interface and the rules for its use. In Bluetooth, the PHY is radio frequency (RF), and the modulation and detection processes are listed in the specification. The data-link layer makes the PHY reliable and provides the rules for link connection and detachment. This layer contains Media Access Control (MAC), which is a set of rules that determine the structure of basic data packets and how they are sent, and Logical Link Control (LLC), which provides the protocol for link establishment and detachment. The network layer provides transparent transfer of data between transport entities (from source to destination) on each end of the communication link. In other words, a Bluetooth device can appear to be a serial cable to the transport layer. The fourth and higher layers in the OSI model are called higher layers. The transport layer includes optimization routines and other quality of service (QoS) methods for efficient data exchange, and the session layer contains the method for controlling the dialog between applications on either end of the link. Finally, the presentation layer resolves differences in format and data representation between entities. As one moves up the OSI layers, their implementation gradually changes from hardware, to firmware, and finally into software. The Bluetooth protocol stack exhibits the same behaviour [9].

2.4.2.2.2 Bluetooth Protocols

Figure 16 shows that the Bluetooth protocol stack is not exactly equal to the OSI model, but the layers transition from implementation in hardware and firmware (lower layers) to software (higher layers). If each of these groups of layers is a separate entity, such as a PC card and a notebook computer, then they can communicate with each other through the host controller interface (HCI). HCI provides paths for data, audio and control signals between the Bluetooth module and the host.

Figure 11 "Bluetooth stack protocol" [43]

The radio completes the physical layer by providing a transmitter and receiver for two-way communication. Data packets are assembled and fed to the radio by the baseband state machine. The link controller provides more complex state operations, such as the standby, connect and low-power modes. The baseband and link controller functions are combined into one layer in Figure 12 to be consistent with their treatment in Bluetooth 1.1 [9]. The link manager provides link control and configuration through a low-level language called the link manager protocol (LMP). The logical link control and adaptation protocol (L2CAP) establishes virtual channels between hosts that can keep track of several simultaneous sessions such as multiple file transfers. L2CAP also takes application data and breaks it into Bluetooth-size morsels for transmission and reverses the process for received data. Radio frequency communication (RFCOMM) is the Bluetooth serial port emulator; its main purpose is to let an application use the RF link as if it were a wired serial port. It includes the service discovery protocol (SDP), object exchange (OBEX), the telephony control protocol specification (TCS) and the Wireless Application Protocol (WAP). Besides data communication, Bluetooth has a special provision for real-time, two-way, digitized voice as well. Once voice packets are created by an application, they bypass most of the data protocol stack and are handled directly by the baseband layer. This prevents unacceptable delay between the time the packets are created and the time they arrive at their destination [9]. The Bluetooth radio and the baseband/link controller consist of hardware which is usually available as one or two integrated circuits. The firmware-based link manager and one end of the host controller interface complete the Bluetooth module, as shown in Figure 12. The remaining parts of the protocol stack and the host end of HCI can be implemented in software on the host itself.

2.4.3 Infrared

The Infrared Data Association (IrDA) defines the physical specifications and communication protocol standards for the short-range exchange of data over infrared light, for uses such as personal area networks (PANs). IrDA interfaces are used in PDAs, mobile phones, and notebook computers. For devices to communicate via IrDA they must have a direct line of sight [30]. The key features of the IrDA standard are simple and low-cost implementation, low power requirements, and efficient and reliable data transfer. The IrDA standard does not specify any security measures for data transfer. Since line-of-sight is required for data transfer, a low level of security is provided. The system depends on application-level security measures. The protocol stack of IrDA is shown in Figure 13.

Figure 12 "Infrared stack protocol" [27] (layers, top to bottom: Applications; IrLAN, IrOBEX, IAS, Tiny TP, IrCOMM; IrLMP; IrLAP; Physical layer (IrPHY))

The IrPHY (Infrared Physical Layer Specification) is the lowest layer of the IrDA specifications. The optical transmission takes place here. The appropriate standard specifies bit representation, rate of transmission and optical features. There are different transmission rate categories:

SIR (Serial Infrared) was the original standard and ran at 115 kbps. This is the same speed as a standard serial port, on which the IrDA protocol was based.
MIR (Medium Infrared) runs at 1.152 Mbps, fast enough to transmit or receive television-quality video.
FIR (Fast Infrared) offers speeds of up to 4 Mbps. This is built into most computers.
VFIR (Very Fast Infrared) goes up to 16 Mbps and is not yet widely implemented.
UFIR (Ultra Fast Infrared) is also in development. It will support speeds up to 100 Mbps.

The IrLAP (Infrared Link Access Protocol) is the second layer of the IrDA specifications. It represents the Data Link Layer of the OSI model. This layer provides reliable data transmission between two devices. The IrLMP (Infrared Link Management Protocol) is the third layer of the IrDA specifications. While only one IrLAP connection exists between two devices, IrLMP provides several logical channels over that physical connection. The IAS (Information Access Service) layer informs about the available services of other communication partners. The following protocols are optional and can be omitted in an IrDA implementation: The Tiny TP (Tiny Transport Protocol) lies on top of the IrLMP layer. It provides transportation of large messages by SAR (Segmentation and Reassembly) and flow control by giving credits to every logical channel. Large messages are segmented for transport and reassembled at the destination, so that a large data volume can be sent per transmission (up to 64 Kbyte). The IrCOMM (Infrared Communications Protocol) lets the infrared device act like either a serial or a parallel port. Applications developed for these interfaces can use the infrared connection without modifications. The IrOBEX (Infrared Object Exchange) provides the exchange of complex data objects (for example, electronic business cards, formatted text, vCalendar or graphics) between infrared devices. It lies on top of the Tiny TP protocol.
The IrLAN (Infrared Local Area Network) provides the possibility to connect an infrared device to a local area network. There are three possible methods: access point, peer-to-peer and hosted [27].
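An added example, not from the thesis or the IrDA specification, modelling the two Tiny TP functions described above: segmentation and reassembly of a large message, and credit-based flow control on a logical channel. The segment format, the credit round and the 64 Kbyte limit on the reassembly buffer are simplifications constructed for illustration; the bounded buffer is the point a practitioner would want, since a receiver that reassembles without a limit can be driven to exhaust memory.

```python
MAX_SDU = 64 * 1024   # largest message the text gives for Tiny TP (64 Kbyte)


def segment(message: bytes, seg_size: int):
    """Split a message into (more, chunk) pairs; `more` marks every non-final segment."""
    if seg_size <= 0:
        raise ValueError("segment size must be positive")
    if len(message) > MAX_SDU:
        raise ValueError("message exceeds the 64 Kbyte SDU limit")
    segments = []
    for offset in range(0, len(message), seg_size):
        chunk = message[offset:offset + seg_size]
        segments.append((offset + seg_size < len(message), chunk))
    return segments or [(False, b"")]


class Reassembler:
    """Receiver side of SAR: collects segments until the final one, bounding the buffer."""

    def __init__(self, limit: int = MAX_SDU):
        self.limit = limit
        self.buffer = bytearray()
        self.completed = []

    def receive(self, more: bool, chunk: bytes) -> None:
        if len(self.buffer) + len(chunk) > self.limit:
            self.buffer.clear()      # drop the partial message rather than grow without bound
            raise ValueError("reassembly would exceed the SDU limit")
        self.buffer += chunk
        if not more:
            self.completed.append(bytes(self.buffer))
            self.buffer.clear()


class CreditChannel:
    """Logical channel with credit-based flow control: one segment may be sent per credit."""

    def __init__(self, initial_credits: int):
        self.credits = initial_credits
        self.in_flight = []

    def grant(self, n: int) -> None:
        self.credits += n

    def try_send(self, seg) -> bool:
        if self.credits == 0:
            return False             # the sender must wait for the receiver's credits
        self.credits -= 1
        self.in_flight.append(seg)
        return True


def transfer(message: bytes, seg_size: int, initial_credits: int, grant_per_round: int):
    """Push a message through segmentation, the credit window and reassembly.

    Returns (reassembled message, number of send rounds needed)."""
    pending = segment(message, seg_size)
    channel = CreditChannel(initial_credits)
    receiver = Reassembler()
    rounds = 0
    while pending:
        if channel.credits == 0 and grant_per_round == 0:
            raise RuntimeError("deadlock: receiver never grants credit")
        rounds += 1
        while pending and channel.try_send(pending[0]):
            pending.pop(0)
        delivered, channel.in_flight = channel.in_flight, []
        for more, chunk in delivered:
            receiver.receive(more, chunk)
        channel.grant(grant_per_round)   # receiver returns credit once it has consumed the segments
    return receiver.completed[0], rounds


if __name__ == "__main__":
    sample = bytes(range(256)) * 10      # constructed 2560-byte message
    out, rounds = transfer(sample, seg_size=500, initial_credits=2, grant_per_round=2)
    print("intact:", out == sample, "rounds:", rounds)
```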

2.4.4 WiMAX

WiMAX (Worldwide Interoperability for Microwave Access) provides wireless communication over long distances, from point-to-point connections to full mobile cellular-type access. The high transfer rate gives the possibility of fast access to information like movies and multimedia, and allows data exchange over long distances. Mobile devices with WiMAX chips can move from one cell to another without interruption of the connection. WiMAX was created by the WiMAX Forum and is based on the IEEE (Institute of Electrical and Electronics Engineers) 802.16 standard, which is also called Wireless MAN. IEEE 802.16 is mainly aimed at providing broadband wireless access (BWA) and at replacing wired DSL. Its main advantage is fast deployment, which results in cost savings. The WiMAX Forum is the organization working to certify the compatibility of WiMAX products [13]. There are two kinds of WiMAX networks:

• Fixed WiMAX deployments cannot offer mobility to their users.
• Mobile WiMAX implementations can be used to deliver both fixed and mobile services.

The bandwidth and coverage of WiMAX make it suitable for the following applications (Figure 14):

• Connecting Wi-Fi hotspots with each other and to other parts of the Internet
• Providing a wireless alternative to cable and DSL (Digital Subscriber Line) for last mile broadband access (residential Internet access)
• Providing high-speed data and telecommunications services and mobile connectivity (notebook with built-in WiMAX chip)

Figure 13 "WiMAX network" [44] In theory, WiMAX covers a range of 50 km with a bit rate of 75 Mbit/s. However, in the real world, the rate is about 12 Mbit/s covering a range of 20 km. The long term goal is to achieve 100 Mbit/s mobile and 1 Gbit/s fixed bandwidth through the adaptive use of MIMO-AAS (Adaptive Antenna Systems with multiple-input multiple-output communications). The two lowest layers are the Physical (PHY) Layer and the Data Link Layer, which splits the OSI Data Link Layer into two sublayers named Logical Link Control (LLC) and Media Access Control (MAC). The MAC protocol is connection oriented. This allows WiMAX to provide strong support for Quality of Service. The 802.16 MAC scheduling algorithm offers optimal first-in first-out (FIFO) prioritization instead of random queue assignment as in 802.11. Moreover, WiMAX allocates bandwidth effectively by balancing client’s needs instead of Wi-Fi “best-effort” service and ensures therefore optimal quality of service. All downlink (from base station) and uplink (to base station) connections are controlled by the Base Station (BS). Each connection is identified by a connection identifier (CID) which is an address for data transmissions. Instead of encrypting the signals with WEP or WPA, which are used by WLAN, 802.16a use a PKI (public key infrastructure) certificate authorization. The PKI is a database, where the public keys of the network users are stored. The users must be registered in the PKI database in advance. The base station validates the client's digital certificate before permitting access to the physical layer. The physical layer of WiMAX can support 10 to 66 GHz licence frequency. The IEEE 802.16a physical layer is specifically designed to support frequencies below 11 GHz, which 33

enables waves to bend over obstacles like houses and trees. The WiMAX PHY layer supports two modes of duplexing: time division duplex (TDD) and frequency division duplex (FDD). This physical layer is based on Orthogonal Frequency Division Multiplexing (OFDM), a transmission technique known to have relatively high spectrum-use efficiency. OFDM reduces the bit rate by splitting a high-speed data stream into several lower speed streams and sending each one separately, however every stream has its own channel. In this respect, OFDM is the opposite of CDMA and TDMA. They share one frequency between many users, whereas OFDM shares one user between many frequencies [42]. WiMAX will make broadband network access widely available, without the expense and distance limitations associated with wired solutions. Most of the popular technologies, Video over Internet, Voice over Internet and others technologies require high-speed access. The performance of WiMAX systems is suitable for the broadband traffic demands of today. WiMAX will complete other wireless standards such as WLAN and cellular networks. All these protocols will fulfil customer needs and grow the popularity of wireless systems.

2.4.5 Analysis of Wireless Protocols

A wide variety of wireless data technologies now exist, some in direct competition with one another, others designed to be optimal for specific applications. Most of them use unlicensed frequencies. Unlicensed bands vary from country to country: most countries have a 2.4 GHz ISM band, but other bands are only available in certain countries, and non-ISM bands have restrictions, as noted above. Wireless protocols broadcast data and are therefore generally insecure by nature; most of the standards add security features to counteract that problem. The next Figures 15 and 16 show the comparison of the wireless protocols described above.

Criterion                    GSM              GPRS             UMTS
License free frequency       No               No               No
Frequency                    0.9; 1.8 GHz     0.9; 1.8 GHz     1,92 GHz
Circuit switching            Yes              No               No
Packet switching             No               Yes              Yes
Max. transfer speed          9,6 Kbit/s       171,2 Kbit/s     384 Kbit/s
Average speed                9,6 Kbit/s       57,6 Kbit/s      240 Kbit/s
Min. speed                   9,6 Kbit/s       9,6 Kbit/s       128 Kbit/s
Multiplexing                 TDMA/FDMA        TDMA/FDMA        WCDMA/FDD
Coverage range               10 km            10 km            8 km
Max. number of user/cell     45               11               9
Digital voice transmission   Yes              No               Yes
Data transmission            No               Yes              Yes
Primary Use                  Mobile phone     Mobile Internet  Mobile phone, Internet
Always-on connection         No               Yes              Yes
Encryption                   Own algorithm    Own algorithm    Own algorithm

Figure 14 "Cellular Communication Protocols in comparison with each other"

Criterion                  IrDA           Bluetooth      WLAN                                   WiMAX
License free frequency     Yes            Yes            Yes                                    No
Frequency                  850 nm         2,4 GHz        2,4 GHz (802.11b), 5,2 GHz (802.11a)   2.3 GHz, 2.5 GHz, 3.5 GHz
Circuit switching          No             No             No                                     No
Packet switching           Yes            Yes            Yes                                    Yes
Max. transfer speed        16 MBit/s      1 MBit/s       54 MBit/s                              108 MBit/s
Average speed              115,2 Kbit/s   1 MBit/s       54 MBit/s                              54 MBit/s
Min. speed                 115,2 Kbit/s   1 MBit/s       11 MBit/s (802.11b)                    10 MBit/s
Multiplexing               TDMA           TDMA/TDD       DSSS/OFDM                              SOFDMA
Coverage range             1 m            Max. 100 m     Max. 300 m                             50 km
Max. number of user/cell   Many           7              Many                                   200
Real time communication    Yes            Yes            No                                     Yes
Data transmission          Yes            Yes            Yes                                    Yes
Primary Use                PAN            PAN            Mobile Internet                        Mobile Internet
Always-on connection       Yes            Yes            Yes                                    Yes
Encryption                 No             RC4/E0         RC4 / AES                              Different

Figure 15 "Comparison of different types of Wireless Protocols according to several criteria"

Bluetooth and IrDA are intended for so-called Wireless PAN systems. They are meant for short-range communication between devices typically controlled by a single person. IrDA is designed for point-to-point and line-of-sight communications; once two such nodes get too far apart to communicate directly, they can no longer communicate at all. That is the reason why Bluetooth now dominates among devices that used the infrared protocol in the past. Unlike Wi-Fi, Bluetooth has a low data rate and is designed for short distances. However, Bluetooth is always free of cost. One might think that Wi-Fi cannot compete with Bluetooth; in reality, Wi-Fi and Bluetooth are aimed at different markets. Bluetooth is meant to be a cable replacement technology that is cheap and robust. Wi-Fi is a more costly, high-performance WLAN and is more compatible with the higher bit rates of fixed-wire LANs. Wi-Fi is the most successful system intended for use as a WLAN system. A WLAN is an implementation of a LAN over a wireless system. Such systems are becoming common in the private sector. Because 802.11 is far more power-hungry than Bluetooth, the Wi-Fi protocol cannot be used for long periods with small devices like mobile phones.

GSM and GPRS are today's existing 2G cellular systems, providing telephone and Internet access to their users. 3G systems like UMTS provide combined circuit-switched and packet-switched data and voice services as standard, usually at better data rates than 2G. All of these services can be used to provide combined mobile phone access and Internet access at remote locations.
Typically GPRS is used to provide slim, mobile-phone-oriented Internet access such as WAP, multimedia messaging and the downloading of ring-tones, whereas the higher speeds of UMTS make it suitable for use as a broadband replacement. Third generation (3G) wireless communication technology refers to pending improvements in wireless data and voice communications through any of a variety of proposed wireless standards. The immediate goal of 3G technology is to raise average data transmission rates up to 2 megabits/second. This increase in data transmission rate will enable a 3G device to provide an extensive range of new functionality to mobile phone users. In the past, mobile telephones have mainly been used for voice communications, voice messaging and sending/receiving short message service (SMS) text. 3G will build on the current uses of the mobile telephone to offer simultaneous transfer of speech, data, text, pictures, audio and video. In the long run, 3G technology may revolutionize the way people use mobile devices; for example, it is envisioned that users will be able to shop online, perform online banking, or even play interactive games over the Internet using a handheld device.

It is important to recognize that while 3G and Wi-Fi are both methods of providing wireless broadband data access, they are not directly substitutable technologies. 3G is a "true" mobile service: it is capable of providing real-time hand-offs between cells and roaming across geographical regions and international borders, and it requires mobile operators to obtain new spectrum and special radio authorizations. Wi-Fi, by contrast, is not "really mobile". It is more accurately described as a portable wireless service based on local area network architecture, which means the reach of any specific access point is limited to about 100 meters at best. Wi-Fi users can "roam" only to the extent that they find another wireless local area network in the vicinity that they can use, but this is not the same as the hand-off capability under the central control of a wide area cellular network. In addition, Wi-Fi providers do not need to obtain radio licenses and do not need to build a large network infrastructure to support the service. As a commercial service, 3G offers integrated circuit-switched voice and packet-based data, with downlink bandwidth for data service reaching 2 Mbps under ideal conditions. Wi-Fi, on the other hand, is capable of packet-based data service only, but with a much higher bandwidth of 11 Mbps or even 54 Mbps. Monthly 3G services may be relatively costly for most customers, whereas Wi-Fi service is available for free in many locations.

In comparison to WiMAX, Wi-Fi is a shorter-range system, typically for hundreds of meters. Typically, Wi-Fi is used by an end user to access his or her own network, which may or may not be connected to the Internet. WiMAX is a long-range system, covering many kilometres to deliver a point-to-point connection to the Internet from an ISP to an end user. WiMAX and Wi-Fi have different Quality of Service (QoS) mechanisms: WiMAX guarantees QoS parameters for each connection. One of the significant advantages of WiMAX is spectral efficiency. For example, 802.16-2004 has a spectral efficiency of 3.7 bit/s/Hz, and other 3.5-4G wireless systems offer spectral efficiencies that are similar to within a few tenths of a percent.

For any network, whether wired or wireless, the security of the network components and of the data traversing the network is very important. In a wired network, physical security can be controlled, preventing unauthorized users from physically connecting to the wires of the network and thus preventing data from being viewed by unintended users. As technology advances and wired networks expand, more and more networks use wireless Access Points (AP) and mobile terminals (MT) to give users mobility and flexibility. The wireless medium, by its very nature, cannot be readily or easily contained or secured. Physical security is no longer as simple as preventing unauthorized users from attaching to a physical wire of the network: in the wireless environment, any user within the network coverage area can "see" the network. This fact makes security critical, especially where private or sensitive information is being transferred.


3 Malicious Programs

This chapter introduces general definitions of several malware types, their differences from one another and their spreading techniques.

3.1 General definition of malware

Malware (a software threat) is a program that performs unexpected or unauthorised, and always malicious, actions. It is a general term used to refer to viruses, Trojans, zombies, logic bombs, trap doors and worms. These threats can be divided into two categories: those that need a host program and those that are independent. The former are fragments that cannot exist independently of some actual application program, utility or system program. The latter are self-contained programs that can be scheduled and run by the operating system [21]. Malware, depending on the type, may include replicating and non-replicating malicious code. While some payloads may only display messages or images, many are destructive: they can destroy files, reformat the hard drive, cause trouble by consuming storage space and memory, or slow down the operating system.

3.2 Viruses

A virus is a program or piece of code which is loaded onto the computer without the user's knowledge, from the Internet or from the disks of another system. A virus can "infect" other programs by modifying them. A computer virus carries in its instruction code the recipe for making perfect copies of itself. Lodged in a host computer, the typical virus takes temporary control of the computer's disk operating system. When the infected computer is then exposed to an uninfected piece of software, a fresh copy of the virus passes into the new program. Thus the infection can be spread from computer to computer by unsuspecting users who either swap disks or send programs to one another over a network [21]. A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is running. Once a virus is executed, it can perform any function, such as erasing files and programs. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
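Because a file infector has to rewrite the host program so that its own code runs before the original entry point, the modification is visible to anyone who recorded the program's fingerprint beforehand. The following Python example, added here and not taken from the thesis or from any product, builds such an integrity baseline over an in-memory "directory" of constructed program images and reports what changed; the file names and contents are constructed, and in practice the baseline would be computed from the real executables and stored where malware cannot rewrite it.

```python
# Added example (not from the thesis): an integrity baseline that detects
# host programs modified by a file-infecting virus. Runs on an in-memory
# "directory" of constructed program images.
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 of a program image; any change to the code changes the digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record (digest, size) for every file while the system is known clean."""
    return {name: (fingerprint(data), len(data)) for name, data in files.items()}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Compare the current files against the baseline.

    A file infector rewrites the host program so that its own code runs before
    the original entry point, which changes the digest and usually grows the
    file; both signals are reported separately.
    """
    report = {"modified": [], "grown": [], "missing": [], "new": []}
    for name, (digest, size) in baseline.items():
        if name not in files:
            report["missing"].append(name)
            continue
        data = files[name]
        if fingerprint(data) != digest:
            report["modified"].append(name)
            if len(data) > size:
                report["grown"].append(name)
    report["new"] = [name for name in files if name not in baseline]
    return report


# Constructed program images: a small header followed by pseudo "code".
CLEAN_SYSTEM = {
    "calc.exe": b"MZ" + b"\x90" * 60 + b"ORIGINAL-ENTRY" + b"\x00" * 40,
    "edit.exe": b"MZ" + b"\x90" * 48 + b"ORIGINAL-ENTRY" + b"\x00" * 24,
    "config.ini": b"[settings]\nlang=en\n",
}

# The same system later: calc.exe now carries extra bytes ahead of its
# original entry point (a constructed stand-in for an infected host program),
# config.ini was edited without growing, and a new file has appeared.
LATER_SYSTEM = {
    "calc.exe": b"MZ" + b"INSERTED-CODE" + CLEAN_SYSTEM["calc.exe"][2:],
    "edit.exe": CLEAN_SYSTEM["edit.exe"],
    "config.ini": b"[settings]\nlang=de\n",
    "notes.txt": b"new file",
}


def demo() -> dict:
    """Baseline the clean system, then check the later state against it."""
    return check_integrity(build_baseline(CLEAN_SYSTEM), LATER_SYSTEM)
```

In the constructed run, `calc.exe` is reported both as modified and as grown, `config.ini` only as modified (same length), and `notes.txt` as new; a clean `edit.exe` is not mentioned. The size check is a useful secondary signal because an infector that appends or prepends code cannot keep the host's length, but the digest alone is what proves modification.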

3.3 Worms

A worm is a program that spreads copies of itself through a network. The primary difference between a virus and a worm is that a worm uses network connections to spread from system to system, whereas a virus can spread through any medium (but usually uses copied program or data files). A worm does not need a host and does not need to attach itself to another program. It is able to send copies of itself as a stand-alone program to other machines over a network, whereas a virus spreads copies of itself as a program that attaches to or embeds itself in other programs.


Once active within a system, a network worm can behave as a computer virus or bacteria, implant Trojan horse programs, or perform any number of disruptive or destructive actions [19]. To replicate itself, a network worm uses some sort of network vehicle: e-mail, network programs and its own server sockets, cracking passwords and logging in as a regular user on a remote machine, or the back doors of an operating system.

3.4 Trojan Horses

A Trojan Horse is malware packaged with a useful program, usually free for download, such as a screen saver or a game, that carries viruses or destructive instructions which perpetrate mischief invisibly to the user. The Trojan horse program hidden in the main program secretly runs commands which steal passwords and other private data, play sounds or videos or display images, shut the computer off at random, scan e-mail addresses and use them for spam, or install a backdoor on the computer system. Unlike viruses and worms, Trojan horses do not have replication abilities.

3.5 Spyware

Spyware is misleading software that is secretly installed on a computer through the web (it usually comes with free software applications that one downloads) to gather data from the computer and forward it to a third party without the consent or knowledge of the computer's owner. This includes monitoring keystrokes, collecting confidential information (passwords, credit card numbers, PIN numbers, etc.), harvesting e-mail addresses or tracking browsing habits. Spyware is similar to Trojans. However, the malicious functions executed by a Trojan are hidden, whereas the functions of spyware are, unlike those of a Trojan, disclosed in the application description [33]. Too much spyware can also slow down the operation of a computer.

3.6 Hoax

A hoax is a fake warning about a virus or other piece of malicious code. Typically, a hoax takes the form of an e-mail message warning the reader of a dangerous new virus and suggesting that the reader pass on the message to "everyone they know", or at least to a lot of other people [34]. This forwarded e-mail can slow down or even stop a mail server, fill people's mailboxes and, of course, frighten them and cause them to lose time on something which is just a hoax. Hoaxes cause no damage in themselves, but their distribution by well-meaning users often causes fear and uncertainty. Most anti-virus vendors include hoax information on their web sites, and it is always advisable to check before forwarding warning messages.


4 Known mobile Malware

This chapter illustrates the current malware for mobile phones, its functionality, and how it infects and damages mobile phones. Malware for mobile phones can penetrate a mobile device in different ways (Figure 17). The most common way is infection after a user downloads and simply starts a file containing a virus. The second way to infect a mobile device is to spread the virus via Bluetooth or MMS: the victim saves the virus in the incoming folder and then starts it. Some viruses like Beselo listen for memory cards inserted into the infected phone and copy themselves to the inserted card, so that if the infected card is inserted into another phone, that phone will also be infected. Malware sends SMS to premium numbers, creates backdoors for remote control, infects and deletes files, and opens access to the phone book and other confidential information [34].

Infection way    Occurrence
Bluetooth        15%
MMS              7%
Memory cards     0,06%
User Downloads   78%

Figure 17 "Infection ways of mobile phones"

4.1 Viruses

4.1.1 WinCE.Duts

Duts is the first known virus for the PocketPC platform. It is written in assembly for the ARM processor and therefore infects ARM-based devices only. When the virus is executed, it asks for permission to infect:

Figure 18 "Virus WinCE.Duts"

When granted permission, Duts attempts to infect all EXE files in the current directory [35].

4.1.2 Cxover

Cxover can infect PCs running Windows with the .NET runtime installed and Windows Mobile devices with .NET. If Cxover is executed, it searches for any devices connected over ActiveSync and copies itself there so that it starts automatically at the next boot. The virus can delete user files on the mobile device [35].

4.2 Worms

4.2.1 Beselo

Beselo is an MMS and Bluetooth worm that infects Symbian mobile devices. Beselo spreads as Symbian SIS installation files using the filenames beauty.jpg, sex.mp3 or love.rm in order to trick the recipient into thinking that it is a multimedia file. If the phone user attempts to open the file, Symbian recognizes it as an installation file and starts the application installer. Beselo hides its process by setting its process type to "system"; system processes cannot be terminated by the user. Beselo replicates using MMS messages that are sent to numbers found in the device phone book. Beselo also copies itself to any memory card in the mobile phone; if this memory card is inserted into another phone, that phone will be infected too [35].
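Beselo's disguise works because the installer decides by content, not by file name. A defender can apply the same logic in reverse: identify the content type from the leading bytes and refuse anything whose name claims a media type while its bytes identify an installer. The Python example below is added here and is not from the thesis or from any vendor; the JPEG and MP3 signatures are standard, while the SIS and RealMedia signatures are assumptions taken from public format descriptions, and the sample "inbox" of files is constructed.

```python
# Added example (not from the thesis or any vendor): detect a file whose
# extension claims a media type while its leading bytes identify an installer,
# the disguise Beselo uses. SIS and RealMedia signatures are assumptions.
import os
from typing import Optional

SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    "realmedia": [b".RMF"],          # assumed RealMedia header
    "sis": [b"\x7a\x1a\x20\x10"],    # assumed: Symbian 9 SIS UID 0x10201A7A, little-endian
}
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".mp3": "mp3",
    ".rm": "realmedia", ".sis": "sis", ".sisx": "sis",
}
INSTALLABLE = {"sis"}    # content types the platform hands to its installer


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the content type from the leading bytes, as the installer would."""
    for content_type, magics in SIGNATURES.items():
        if any(data.startswith(magic) for magic in magics):
            return content_type
    return None


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    actual = sniff_type(data)
    if actual is None:
        verdict = "unknown"
    elif claimed == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"
    # Block only a disguised installer; an openly named .sis is the user's decision.
    block = verdict == "mismatch" and actual in INSTALLABLE
    return {"file": filename, "claimed": claimed, "actual": actual,
            "verdict": verdict, "block": block}


def scan(files: dict) -> list:
    return [classify(name, data) for name, data in files.items()]


# Constructed sample inbox: two disguised installers, one real picture,
# one real song, one openly named installer and one file of unknown type.
SIS_IMAGE = b"\x7a\x1a\x20\x10" + b"\x00" * 28
INBOX = {
    "beauty.jpg": SIS_IMAGE,
    "sex.mp3": SIS_IMAGE,
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20,
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 20,
    "update.sis": SIS_IMAGE,
    "readme.txt": b"plain text",
}


def blocked_files(files: dict = INBOX) -> list:
    """Names of the files the policy refuses to pass to the installer."""
    return [result["file"] for result in scan(files) if result["block"]]
```

On the constructed inbox the two disguised installers are blocked, the genuine picture and song pass, the openly named installer is left to the user, and the text file is reported as unknown rather than blocked. An unknown type is kept separate from a mismatch so that the policy can be tightened (for example, refusing to open unknown types received over Bluetooth) without confusing the two cases.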

4.2.2 HatiHati

HatiHati is based on commercial anti-theft software for Symbian phones. It was not authored with malicious intent, but because of a faulty implementation the software acts like a worm. HatiHati spreads via MMC cards. Once the MMC card is inserted in the device, the worm starts sending SMS messages to a predefined number. HatiHati was originally written to counter mobile phone theft: when another SIM card is inserted in the mobile phone, the application detects the change and sends an SMS to a predefined number. The software has two errors in its implementation. The first is that the software copies itself from a memory card to any new phone in which the memory card is inserted. The second is that the HatiHati application starts to send thousands of SMS messages to the predefined number [35].

4.3 Trojan Horses

4.3.1 Redbrowser

Redbrowser is the first Java malware that runs on all mobile phone operating systems. The J2ME midlet sends SMS messages to a specific number. Redbrowser pretends to be a WAP browser that offers free WAP browsing using free SMS messages. However, Redbrowser sends SMS messages to one specific premium number and causes financial losses to the user; every SMS costs 5 $. The user has to allow the application to use the phone's Java SMS capabilities before it can send SMS messages [35].

Figure 19 "Trojan Redbrowser"
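Both HatiHati (thousands of messages to one number) and Redbrowser (messages to a premium-rate number) leave a pattern in the phone's outbound SMS activity that is easy to recognise if that activity is logged. The Python detector below is an added example, not code from the thesis or from any product: it parses constructed outbound-SMS log lines, raises a premium-rate alert for any message to a number with a premium prefix, and raises a burst alert when one application sends a threshold number of messages to the same number inside a sliding window. The log format, the premium prefixes, the phone numbers and the thresholds are all assumptions; the application names in the sample log are just labels.

```python
# Added example (not from the thesis): a detector run over constructed
# outbound-SMS log lines that flags messages to premium-rate numbers
# (Redbrowser's behaviour) and bursts of messages to one number (HatiHati's).
# Log format, premium prefixes, phone numbers and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

PREMIUM_PREFIXES = ("0900", "1900")   # constructed placeholders for premium-rate prefixes
BURST_THRESHOLD = 20                  # messages to one number within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> tuple:
    """Parse '<iso-timestamp> sms_out app=<name> dest=<number>'."""
    timestamp, _event, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(timestamp), kv["app"], kv["dest"]


def detect(lines: list) -> list:
    """Return (alert_kind, app, destination, time) for every alert raised."""
    alerts = []
    recent = defaultdict(deque)    # (app, dest) -> timestamps inside the window
    for line in lines:
        ts, app, dest = parse_line(line)
        if dest.startswith(PREMIUM_PREFIXES):
            alerts.append(("premium_rate", app, dest, ts.isoformat()))
        window = recent[(app, dest)]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:   # drop timestamps outside the window
            window.popleft()
        if len(window) == BURST_THRESHOLD:      # fire once, when the threshold is crossed
            alerts.append(("burst", app, dest, ts.isoformat()))
    return alerts


def sample_log() -> list:
    """Constructed log: normal use, two premium-rate sends, then a burst."""
    lines = [
        "2008-03-01T09:58:00 sms_out app=Messaging dest=+491700000001",
        "2008-03-01T10:00:05 sms_out app=RedBrowser dest=0900123456",
        "2008-03-01T10:00:09 sms_out app=RedBrowser dest=0900123456",
    ]
    start = datetime(2008, 3, 1, 10, 2, 0)
    lines += [
        f"{(start + timedelta(seconds=3 * i)).isoformat()} sms_out "
        f"app=HatiHati dest=+491700000002"
        for i in range(25)
    ]
    return lines


def alert_counts(lines: Optional[list] = None) -> dict:
    """Count alerts by kind over the given log (the constructed sample by default)."""
    counts = defaultdict(int)
    for kind, *_ in detect(lines if lines is not None else sample_log()):
        counts[kind] += 1
    return dict(counts)
```

On the sample log the detector raises two premium-rate alerts for the RedBrowser sends and one burst alert when the twentieth HatiHati message to the same number arrives inside the five-minute window; the single message from the ordinary messaging application raises nothing. Firing the burst alert exactly when the threshold is crossed, rather than on every later message, keeps the alert volume proportional to incidents rather than to messages.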


4.3.2 Blankfont

Blankfont installs a corrupted font file into the memory of Symbian phones and thus prevents the phone from loading the valid font files from ROM. The corrupted font file installed on the phone does not cause the device to crash, but if the device is rebooted it loses the system font and is unable to show text on the display. This makes most applications unusable until the phone is disinfected [35].

Figure 20 "Trojan Blankfont"

4.3.3 Bootton

Bootton is sent over Bluetooth by the Symbian Onehop trojan. This worm replaces operating system files and third-party applications with its own application, which displays a heart icon with the text "I-Love-U". Starting this application causes the device to reboot. Bootton disables most critical system functions and third-party file managers, so even if the device did not immediately reboot, it would still be unusable until it is disinfected [35]. Bootton also installs a modified Cabir worm that distributes Bootton to other devices. However, due to a programming error, this file is not executed automatically, and even if it were started by a user, it would be unable to send anything, because the file it tries to send does not exist on the system.

Figure 21 "Trojan Booton"

4.4 Spyware

4.4.1 FlexiSpy

FlexiSpy is a spyphone application available for the Symbian, Windows Mobile and Blackberry operating systems. If it is installed without the knowledge of the phone's primary user, the application hides itself and locks its files so that the application uninstaller cannot remove it. The user interface of FlexiSpy is only accessible by entering a special code in the phone number field. There the attacker can control when the spying application reports and what information is recorded. The spyware records voice calls and SMS information and sends the details to the FlexiSpy server, from where the information can be accessed through a web browser [35].

Figure 22 "Spyware Flexispy"

4.4.2 Mopofeli

Mopofeli is an SMS spying tool that runs on Symbian devices. It makes it possible to monitor all SMS traffic on the victim's phone and forwards all incoming and outgoing SMS messages to an external number that is specified in the software's configuration file. The tool hides its process so that it is not visible in the process list. In addition, it has neither an application icon nor an entry in the application uninstallation list. The only way to detect Mopofeli is to locate the application files in the file system or to use an antivirus application [35].


5 Attacks

This chapter gives an overview of the definition of the term "attack", the known types of attacks used in wired as well as in mobile computing, and the damage they cause.

5.1 Definition of an attack

An attack is an attempt to compromise the integrity, availability or confidentiality of a computer system. The attacker could try to eavesdrop on the network communication or to crack an encryption system. Unlike malware, which runs on the target computer, an attack is executed from a remote computer.

5.1 Sniffing

A packet sniffer (also known as a network analyzer) is software or hardware that can intercept and log traffic passing over a digital network (Figure 23). The sniffer captures each packet and analyzes its content. Such software runs in "promiscuous mode", in which the operating system gives the software access to all traffic on the network instead of only the filtered traffic directed to or from the computer on which it is running. While such packages exist to help network administrators debug problems, they can also be used for eavesdropping. Attackers may not have administrator privileges, but can obtain them by first getting access to some accounts and then exploiting software vulnerabilities in the operating system to gain such privileges [14].

Figure 23 "Network sniffing" (diagram label: Sniffer)

5.2 Spoofing

A spoofing attack is a falsification of the source address: an attacker uses one PC to impersonate another PC by using a fake IP address. An attacker from outside the network may send packets with a source address like that of a LAN user, and the internal servers then identify the attacker as a legitimate internal network user. For example, in an office LAN both the manager and the bookkeeper can access the confidential data on the bookkeeper's PC. The manager has access to these data from his computer, which always has the same IP address in the office LAN. If somebody in the LAN tries to access the confidential data on the bookkeeper's PC, he is only admitted when his IP matches the IP of the manager's PC. The attacker takes the manager's IP, is recognised as the manager by the system, and can therefore read the secret information on the bookkeeper's PC. Spoofing is used in most of the well-known DoS attacks [37].
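The outside-in case above (an attacker beyond the network border sending packets with an internal source address) is the one a border router can stop by checking source addresses against the interface a packet arrived on. The following Python example, added here and not from the thesis, implements that ingress and egress check over constructed packet records; the interface names, the LAN prefix and the addresses are assumptions.

```python
# Added example (not from the thesis): source-address filtering at the LAN's
# border router, the standard defence against outside-in address spoofing.
# Interface names, the LAN prefix and the packet records are constructed.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]   # assumed office LAN


def is_internal(address: str) -> bool:
    """True if the address belongs to one of the LAN's own prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(arrived_on: str, src: str, dst: str) -> tuple:
    """Decide whether to forward a packet seen on the router.

    arrived_on is 'wan' for packets coming from outside and 'lan' for packets
    sent by internal hosts. dst is carried for the log entry only.
    Returns (forward, reason).
    """
    if arrived_on == "wan" and is_internal(src):
        return False, "ingress: internal source address arriving from outside"
    if arrived_on == "lan" and not is_internal(src):
        return False, "egress: LAN host using a foreign source address"
    return True, "ok"


def dropped(packets: list) -> list:
    """Return the packets the filter refuses, each with the reason."""
    result = []
    for arrived_on, src, dst in packets:
        forward, reason = filter_packet(arrived_on, src, dst)
        if not forward:
            result.append((arrived_on, src, dst, reason))
    return result


# Constructed packet records: (interface, source, destination).
SAMPLE_PACKETS = [
    ("lan", "192.168.10.20", "192.168.10.30"),  # manager to bookkeeper, legitimate
    ("wan", "203.0.113.5", "192.168.10.30"),    # outside host with an honest source
    ("wan", "192.168.10.20", "192.168.10.30"),  # outsider claiming the manager's address
    ("lan", "203.0.113.9", "198.51.100.7"),     # internal host spoofing an outside address
]
```

Run on the sample, the filter drops the third and fourth packets and forwards the first two. The limit of this defence is visible in the thesis's own scenario: a machine already inside the LAN that takes the manager's IP address arrives on the LAN interface with an internal source, so the filter passes it. Against that case the access control on the bookkeeper's PC must not rely on the IP address at all but on authentication that the attacker cannot copy.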


5.3 Denial of service

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. The most common kind of DoS attack is to send more traffic to a network address than its data buffers can receive. After that, the target cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. DoS attacks are implemented by forcing the targeted computer to reset or to consume its resources so that it can no longer provide its intended service, or by obstructing the communication media so that the users can no longer communicate adequately (Figure 24) [36]. Denial of service causes networked computers to disconnect from the network or simply crash. The attacker may exploit a weakness of the target system, or may just try to see whether the attack works.

Figure 24 “Denial of service”

5.4 Man in the middle attack

An attacker sits between user A and user B (Figure 25). All the information goes through the attacker's PC, so the attacker intercepts the communication between the two friendly parties. The attacker controls the flow of communication and can destroy or change the information sent by one of the original communication partners, for example user B, without the knowledge of either the original sender B or the recipient A. In this way, an attacker can read confidential information and alter it by spoofing the identity of the original sender or receiver [37].

Figure 25 "Man in the middle" (diagram labels: User A, Man in the middle, User B)

5.5 Vulnerability Scanning

The easiest way to attack systems is to use known vulnerabilities. In most cases, exploits have already been written for known vulnerabilities. Attackers can use a large database of vulnerabilities and can scan a system for these vulnerabilities remotely. After collecting enough information on the target system, the attacker exploits one or more vulnerabilities. The attacks lead to a violation of one or more of the basic security properties: confidentiality (unauthorized disclosure), integrity (unauthorized modification) or availability (denial of service).

5.6 Network Enumeration

Enumeration is the act of discovering network services, user accounts, groups, directories and domains on systems. A major source for network enumeration is the widely available public databases. These include the Domain Name Service (DNS), which is used to resolve IP addresses into domain names. An attacker can go to Internet registries such as "www.arin.net", "www.apnic.net" and "www.ripe.net" and look up which IP addresses belong to which companies. A company can possess several IPs. As an IP address consists of four numbers (123.456.789.111), the organisation "RIPE NCC" assigns the first two or three numbers, separated by dots, to the company, and the company defines the last number itself. An IP of the company can identify a company LAN, a web server, or single terminals. To find the right IP, the attacker has to probe 256 possible IPs, because each number between the dots is encoded with 8 bits and therefore has 2^8 possible values. While probing these IPs, the attacker sends packets to every IP address and waits for a reply. After getting the reply, the attacker scans every possible port number to find out which operating system (Linux or Windows Vista) and which applications, in which versions, run on the target system. The attacker gets this information by analyzing the content of the reply packets. He can then look for a known exploit, not only for the operating system but also for the combination of operating system and application. After executing this exploit, the attacker can gain access to the system.

The goal of enumeration is to find out which computers, with which operating systems and applications, are available in the LAN [38].

5.7 Attacks on People

People are an important part of any information system. Therefore, targeting people is often an effective way of attacking systems. The most common attack against people is social engineering. Social engineering attacks comprise a wide range of techniques that aim at collecting information and using it later to execute an attack on the target system. Major attacks include espionage, access control violation, theft of business secrets and theft of computer resources [38].


6 Known security vulnerabilities of mobile devices

To defend systems better, it is necessary to have a better understanding of security attacks, so the aim of this chapter is to show current Bluetooth and WLAN attacks on mobile phones. With proper tools and time, all encryption can be broken and all privacy of the network can be lost. Although many other techniques can be used to physically compromise the integrity of a wireless network, this section focuses on some of the known non-physical security vulnerabilities in wireless-compliant networks. Security attacks affect all aspects of information systems: people, networks and software applications. In addition to the classical risks of wired networks, wireless networks bring new risks introduced by the vulnerabilities of wireless protocols [38]. Attacks on the security of information systems have become a standard occurrence. Attacks have become more complex while the knowledge needed to execute them has decreased. Attacks are directed against all components of a system, including people, networks and applications; attackers look for the weakest links in each component.

6.1 Bluetooth attacks on mobile phones

6.1.1 BlueSnarfing (Sniffing)

The BlueSnarf attack is an attack on the OBEX protocol (OBject EXchange, a communications protocol that allows the exchange of binary objects between devices) which allows hackers to secretly access the mobile phone's calendar, pictures and phone book; even changing a PIN code without the owner's knowledge is possible. Using the OBEXAPP application it is easy to establish a connection with a target phone (OBEXAPP is an application from the SDPTools package used to administrate OBEX objects like calendar, pictures and phone contact list via IrDA or Bluetooth) with the command:

    obexapp -a BD_ADDR -f -C 10

"-C 10" selects the channel of the OBEX Push service, "-f" makes a connection with the "Folder Browsing Service", and BD_ADDR is the Bluetooth device address of the target. The command "get" can be used to download the phonebook:

    obex> get
    get: remote file (empty for default vCard)> telecom/pb.vcf
    get: local file> phonebook.unpaired.vcf
    Success, response: OK, Success (0x20)
    obex>

A spammer⁴ can use this command to get e-mail addresses from passers-by.

⁴ A spammer is a person who sends unwanted e-mails in bulk.

47

The calendar is fetched the same way with

    get: remote file (empty for default vCard)> telecom/cal.vcs

so a competitor could obtain the business appointments of the target person (see www.giac.org/practical/GCIA/Scott_Renna_GCIA.pdf). The following phones are vulnerable to the BlueSnarf attack:

    Manufacturer    Type    Firmware-Version
    Nokia           6310    4.10
    Nokia           6310i   4.07, 5.50 and 5.51
    Sony Ericsson   T68i    R2B025
    Sony Ericsson   T610    R1A081
    Sony Ericsson   T630    R4C003
    Sony Ericsson   Z600    R2E004

The range of the attack can be extended from the nominal maximum of 100 m (class 1 Bluetooth devices) to about 1.7 km with a directional Bluetooth antenna, as members of the trifinite group (a loosely coupled group of computer experts who spend their free time researching wireless communications and related areas) have demonstrated.

6.1.2 BlueBugging (spoofing)

BlueBugging lets an attacker send SMS messages from a remote vulnerable phone under the attacker's control. It exploits a flaw in the phone's Bluetooth implementation: a serial connection to the target can be established over two undocumented RFCOMM (Radio Frequency Communication) channels, 16 and 17, which are not protected by the Bluetooth security functions. Once connected, the attacker can send SMS or call premium rate services (services billed through expensive telephone numbers). SMS sent this way do not appear in the "Sent" folder of the attacked phone. It is also possible to read and modify the phonebook and to eavesdrop on calls.

Figure 26 "Bluetooth Spoofing" (participants: User A, User B, Attacker)

The company Integralis has demonstrated such an attack (see www.integralis.de/media/press_releases/2004/250304.html): after intruding into a phone they bought a WLAN access ticket for a hotspot (a public wireless internet access point) via SMS, and after receiving the login name and password they deleted all the SMS messages used to buy the ticket. This deletion makes it nearly impossible for the phone owner to prove the attack, which took less than two minutes.

The first step of the attack is to bind an RFCOMM connection to the hidden channel:

    rfcomm bind /dev/rfcomm0 BD_ADDR 17

where BD_ADDR is the Bluetooth device address of the target and 17 is the RFCOMM channel. The next command opens a terminal on that device:

    cu -l rfcomm0 -s 9600

where "-l" names the serial device and "-s" sets the line speed (cu, "call unix", is part of the UUCP package, Unix-to-Unix CoPy, used to copy files between computers). Now AT commands (Attention commands, the modem command set also used between a computer and a phone; see http://ncsp.forum.nokia.com/download/?asset_id=11579;ref=devx and http://marc.free.net.ph/message/20050104.134619.b0ccddc3.en.html) can be issued to the phone. Vulnerable phones:

    Manufacturer    Type    Firmware-Version
    Nokia           6310
    Nokia           6310i   5.50 and 5.51
    Nokia           8910
    Nokia           8910i
    Nokia           6560
    Sony Ericsson   T68i    R2B025
    Sony Ericsson   T610    R1A081
    Motorola        V80
    Motorola        V600

The original table also gives firmware 13.89 for one of the Nokia models without a clear assignment.

6.1.3 Bluetooth DoS attacks

Bluetooth is also vulnerable to denial-of-service attacks: an attacker sends malformed Bluetooth requests to a phone, which then hangs until it is restarted. All that is needed is the "BlueZ utils" package from the Linux Bluetooth stack. The attack exploits a flaw in the implementation of the L2CAP layer (see chapter 4.2.2.2 Bluetooth Protocols): the tool l2ping sends Echo Requests on the L2CAP layer, the Bluetooth analogue of an ICMP echo ("ping"), to test whether a device is reachable, and it lets the sender choose the packet size. A particular packet size causes a buffer overflow in the target device. Phones vulnerable to this Bluetooth DoS attack:

    Manufacturer    Type    Firmware-Version
    Nokia           6230    3.14
    Nokia           6810    3.30
    Nokia           6820    3.19
    Nokia           7600    3.01
    Siemens         S55     00.2563
    Panasonic       X70     EFFCGAX70A18-1818, LPA-00038, GCP1X70302
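
The flaw l2ping exploits is a stack that trusts the size of an Echo Request it receives. The following Python example, added here and not part of the thesis or of BlueZ, builds L2CAP Echo Request frames the way l2ping does and parses them the way a robust stack must: every length field is checked against the real frame size and against the signalling MTU before the payload is touched. The frame layout is the one from the Bluetooth core specification; the accept limit (44 bytes of echo data, the l2ping default and the minimum signalling MTU of 48 bytes minus the 4-byte command header) is an assumption chosen for the example, and the sample frames are constructed.

```python
"""Added example (not from the thesis or BlueZ): parse L2CAP Echo Requests
without trusting the length fields the peer supplies.

Frame layout (Bluetooth core specification, L2CAP):
  basic header : Length (2 bytes, LE) | Channel ID (2 bytes, LE); 0x0001 = signalling
  command      : Code (1) | Identifier (1) | Length (2, LE) | data
  Echo Request code 0x08, Echo Response code 0x09 (what l2ping sends and expects).
"""
import struct
from typing import Optional, Tuple

SIGNALLING_CID = 0x0001
ECHO_REQUEST = 0x08
ECHO_RESPONSE = 0x09
MIN_SIGNALLING_MTU = 48                  # minimum signalling MTU in the specification
MAX_ECHO_DATA = MIN_SIGNALLING_MTU - 4   # 44 bytes: assumed accept limit for this example


class MalformedL2CAP(ValueError):
    """Raised for any frame whose declared sizes do not fit the bytes received."""


def build_echo_request(identifier: int, data: bytes) -> bytes:
    """Build an Echo Request frame; this is what `l2ping -s <size>` puts on the air."""
    command = struct.pack("<BBH", ECHO_REQUEST, identifier & 0xFF, len(data)) + data
    return struct.pack("<HH", len(command), SIGNALLING_CID) + command


def parse_echo_request(frame: bytes, max_data: int = MAX_ECHO_DATA) -> Tuple[int, bytes]:
    """Return (identifier, echo data) or raise MalformedL2CAP.

    The checks that matter: the PDU length must equal the bytes actually present,
    the command length must fit inside the PDU, and the data must not exceed
    the buffer the stack has reserved for it (here `max_data`).
    """
    if len(frame) < 8:
        raise MalformedL2CAP("frame shorter than basic + command header")
    pdu_len, cid = struct.unpack_from("<HH", frame, 0)
    if cid != SIGNALLING_CID:
        raise MalformedL2CAP("not on the signalling channel (CID %#06x)" % cid)
    if pdu_len != len(frame) - 4:
        raise MalformedL2CAP("basic-header length %d disagrees with %d bytes received"
                             % (pdu_len, len(frame) - 4))
    code, identifier, cmd_len = struct.unpack_from("<BBH", frame, 4)
    if code != ECHO_REQUEST:
        raise MalformedL2CAP("not an Echo Request (code %#04x)" % code)
    if cmd_len != pdu_len - 4:
        raise MalformedL2CAP("command length %d disagrees with PDU length %d"
                             % (cmd_len, pdu_len))
    if cmd_len > max_data:
        raise MalformedL2CAP("echo data of %d bytes exceeds the %d-byte limit"
                             % (cmd_len, max_data))
    return identifier, frame[8:8 + cmd_len]


def echo_response(frame: bytes) -> Optional[bytes]:
    """Answer a well-formed Echo Request; silently drop anything malformed."""
    try:
        identifier, data = parse_echo_request(frame)
    except MalformedL2CAP:
        return None
    command = struct.pack("<BBH", ECHO_RESPONSE, identifier, len(data)) + data
    return struct.pack("<HH", len(command), SIGNALLING_CID) + command


if __name__ == "__main__":
    good = build_echo_request(1, b"\x00" * 44)           # l2ping default size
    print("44-byte echo answered:", echo_response(good) is not None)
    oversized = build_echo_request(2, b"\x00" * 600)     # like `l2ping -s 600`
    print("600-byte echo dropped:", echo_response(oversized) is None)
    lying = bytearray(good)
    lying[6:8] = b"\xff\xff"                              # claims 65535 bytes of data
    print("inflated length dropped:", echo_response(bytes(lying)) is None)
```

The three rejections at the end are the cases a vulnerable stack gets wrong: a payload larger than the reserved buffer, a command length larger than the bytes actually received, and a truncated frame. Dropping such frames costs nothing; copying their declared length into a fixed buffer is what crashes the phone.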

6.1.4 BlueJacking

This trick grew out of the flirting habits of Bluetooth phone owners. It exploits the possibility of renaming a phone, or of sending a business card (vCard), to trick the victim into accepting a Bluetooth connection. Normally a phone's name is the manufacturer and model; if the attacker renames his phone to a string such as "click here for free cash", the victim will often click the pop-up by mistake and accept the connection, which gives the attacker access to the device. BlueJacking can be used to infect phones, to push unwanted or obscene content, and so on.

6.1.5 BlueChop

BlueChop disrupts an established Bluetooth piconet from a device that is not a member of it. The precondition is that the master of the piconet supports several connections (a feature needed to build scatternets). The attacking device impersonates an arbitrary slave of the piconet and contacts the master, which confuses the master's internal state and disrupts the communication inside the piconet. The attack does not depend on the device manufacturer and appears to work against Bluetooth devices in general.

6.2 WLAN attacks

6.2.1 Rogue access points (man-in-the-middle attack)

Wireless access points (APs) are easy to install, and many employees set one up in their company without informing the network administrator, simply to make their work more convenient. Often such an access point is protected by neither password nor encryption, and an attacker can easily reach the corporate network through it. Alternatively, an attacker installs a so-called rogue access point that pretends to be a corporate access point but is in reality under his control. If the attacker's access point has a stronger signal than the legitimate one, the target's computer connects to it automatically, and the attacker can then see all the traffic that passes through it. This attack is difficult to prevent because many wireless systems set up the connection automatically without asking the user [41].

6.2.2 Wireless Zero Configuration

When a computer connects to an access point it generally stores the details of that connection locally. The next time the computer is switched on, the wireless network card immediately searches for that network and re-establishes the connection without asking the user. To find the last used AP, the card sends a probe request containing the Service Set Identifier (SSID) of the desired access point (the SSID is the name of the wireless network, up to 32 characters long; every access point announces it, so one knows which network an AP belongs to). The AP sees this packet and answers. Since the SSID is sent in plain text, anyone with a sniffer can read it, and an attacker can configure an AP with the same SSID; this AP then answers just like the original one. Some programs automate this, establish the connection with the wireless user and take over their web sessions, e-mail and more. The automatic connection can be turned off by disabling the Wireless Zero Configuration service in the Services list of Windows XP, or the equivalent function of other operating systems.

6.2.3 War Driving

Searching for open wireless LANs by driving around an area is called war driving. The name comes from "war dialling", an old attack method that involves repeatedly dialling different numbers to find modems and other network entry points. A war driver only needs a notebook with a wireless network card and some free software from the Internet; with a Global Positioning System (GPS) receiver it is possible to create a map of the open wireless networks of a city. The information collected is what the networks announce themselves: SSID and network name, equipment manufacturer, software name and version, network addresses, and whether encryption is used, from which the systems running on the target network and its topology can be identified.

7 Current security problems in wireless networks

This chapter analyses the existing weaknesses in the WLAN and Bluetooth protocols, in mobile operating systems and in the mobile Internet. Network attacks have become common since the development of the Internet. The Internet protocol stack is insecure by design, and so is WLAN: it lacks logging, authorisation and non-repudiation, and the radio signals can be received from the street. Denial-of-service attacks such as radio jamming (deliberate disturbance of the radio waves) and interference from microwave ovens or cordless phones (which use the same frequency range as WLAN) can lead to a communication breakdown.

7.1 WLAN weaknesses

7.1.1 WEP encryption weakness

Researchers from the Technical University of Darmstadt have developed the fastest technique so far, which cracks WEP in about 60 seconds [39]. In a WEP-protected network all packets are encrypted with the stream cipher RC4 (http://en.wikipedia.org/wiki/RC4) under a common root key Rk shared by all communication partners; recovering this key gives an attacker full access to the network. RC4, invented by Ron Rivest in 1987, takes a key K of up to 256 bytes and generates a pseudo-random key stream that is XORed with the plaintext to produce the ciphertext. For each packet a 24-bit initialization vector (IV) is chosen, and the per-packet RC4 key is the IV concatenated with the root key, K = IV || Rk. An Integrity Check Value (ICV) is computed over the data with the CRC-32 (cyclic redundancy check) algorithm; the data followed by the ICV is then encrypted with RC4 under K. The IV is transmitted unencrypted in the packet header (Figure 27).

Figure 27 "An 802.11 frame encrypted using WEP"

The active attack on WEP recovers a 104-bit WEP key (Rk) from fewer than 40,000 captured frames with a success probability of 50%; for a 95% success rate about 85,000 frames are needed. On a network with a data rate of 54 Mbit/s that many frames can be collected in less than a minute, and the computational effort of the key search is roughly 2^20 (about one million) key tests.

If host A wants to send an Internet Protocol (IP) datagram to host B, A needs the physical (MAC) address of B, or of the gateway through which B can be reached. The Address Resolution Protocol (ARP) resolves IP addresses to physical addresses. ARP requests and replies have a fixed size, and the first 16 bytes of cleartext of an ARP frame consist of the 8-byte 802.11 Logical Link Control (LLC) header followed by the first 8 bytes of the ARP packet itself. The LLC header is the same for every ARP packet, and the first 8 bytes of an ARP request are fixed as well; in an ARP reply only the last two of these bytes change, from 00 01 to 00 02. An ARP request is always sent to the broadcast address, while an ARP reply is sent to a unicast address (Figure 28).

Figure 28 "Cleartext of ARP request and response packets"

Because the physical addresses are not encrypted by WEP, an encrypted ARP request can be told apart from a reply. XORing the captured ciphertext with the fixed pattern shown in Figure 28 (AA AA 03 00 00 00 08 06 00 01 08 00 06 04 00 01 for a request, ending 00 02 for a reply) recovers the first 16 bytes of the RC4 key stream for that IV. Key-stream recovery can be speeded up by re-injecting a captured ARP request into the network: every re-injection provokes a new reply with a new IV, hence another piece of key stream. If sender and receiver of the original request are both wireless stations, each re-injected packet generates three new packets: the retransmission of the request by the access point, the answer from the target, and the retransmission of the reply by the AP. Because ARP cache entries expire quickly, ARP requests are frequent, so it takes only seconds or minutes to capture one and start re-injecting it. The first implementation of such a re-injection attack was in the BSD-Airtools package (http://www.freebsd.org/cgi/url.cgi?ports/net/bsd-airtools/pkg-descr). Capturing the first ARP request can be accelerated further: a de-authentication message is sent to a client, telling it that it has lost contact with the base station; clients that rejoin the network clear their ARP cache, so the next IP packet they send triggers an ARP request for the Ethernet address of the destination. The more key streams with their corresponding IVs are collected, the easier it becomes to test whether a guessed WEP key is correct: a key stream is generated from the IV and the candidate key and compared with the collected one. The passive variant of the attack, which only listens, depends on the kind of traffic captured, and simulations show that it needs somewhat more packets than the active version with ARP re-injection.

Some wireless device manufacturers implemented WEP with keys of up to 232 bits instead of 104. Such networks are harder to attack because 31 bytes of key stream per packet are needed, while only the first 16 bytes of the cleartext of an ARP packet are known. The missing 15 bytes are, however, constant for every request or response if the same ARP packet is used for injection. With the chopchop attack invented by KoreK (chopchop (experimental WEP attacks), http://www.netstumbler.org/showthread.php?t=12489, 2004) the injected request and one of the responses can be decrypted, and the decrypted packets then serve as known plaintext for the ARP injection attack. Since the same request is replayed throughout, all the provoked replies carry exactly the same plaintext [39], which yields enough known plaintext to crack even keys of 232 bits or more.
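
To make the key-stream recovery concrete, here is a small pure-Python model of WEP, added for this report (it is not code from [39], from aircrack, from BSD-Airtools or from any other tool). It implements RC4, encrypts frames exactly as WEP does (per-packet key IV || Rk, CRC-32 ICV), then performs the two steps described above: XORing a captured encrypted ARP frame with its 16 known plaintext bytes to obtain 16 bytes of key stream for that IV, and using such (IV, key stream) pairs to test a candidate root key. The root key, MAC addresses and IP addresses in the frames are constructed for the example; the statistical key recovery of the attack itself is not reproduced, only the verification step it ends with.

```python
"""Added example (not from the thesis or from any WEP cracking tool): a minimal
WEP model used to show ARP known-plaintext key-stream recovery and key checking."""
import struct
import zlib
from typing import List, Optional, Tuple

# Cleartext that starts every WEP-encrypted ARP frame: 8-byte LLC/SNAP header,
# then hardware type, protocol type, address lengths and the ARP opcode.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
ARP_REQUEST_PREFIX = LLC_SNAP_ARP + bytes.fromhex("0001080006040001")
ARP_REPLY_PREFIX = LLC_SNAP_ARP + bytes.fromhex("0001080006040002")


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 key stream (key scheduling + generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP body: IV (clear) || RC4_{IV||Rk}(payload || CRC-32(payload))."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    plain = payload + icv
    return iv + xor(plain, rc4(iv + root_key, len(plain)))


def wep_decrypt(root_key: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt a WEP body and verify the ICV; None means the check failed."""
    iv, ct = body[:3], body[3:]
    plain = xor(ct, rc4(iv + root_key, len(ct)))
    payload, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(payload) & 0xFFFFFFFF):
        return None
    return payload


def recover_keystream(body: bytes, is_reply: bool) -> Tuple[bytes, bytes]:
    """Known-plaintext step: the first 16 ciphertext bytes XOR the fixed ARP
    prefix give the first 16 key-stream bytes for this frame's IV.  Whether a
    frame is a request or a reply is read off the unencrypted 802.11 addresses
    (broadcast destination = request)."""
    prefix = ARP_REPLY_PREFIX if is_reply else ARP_REQUEST_PREFIX
    return body[:3], xor(body[3:19], prefix)


def key_matches(candidate: bytes, samples: List[Tuple[bytes, bytes]]) -> bool:
    """Verification step of the attack: a candidate Rk is right if it reproduces
    every collected key stream from its IV."""
    return all(rc4(iv + candidate, len(ks)) == ks for iv, ks in samples)


def demo() -> bool:
    root_key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
    # Constructed ARP request: who-has 192.168.0.2, tell 192.168.0.1 (00:11:22:33:44:55).
    arp_request = ARP_REQUEST_PREFIX + bytes.fromhex(
        "001122334455" "c0a80001" "000000000000" "c0a80002")
    # Three captures of the same request under different IVs, as re-injection yields.
    captured = [wep_encrypt(root_key, bytes([0x01, 0x02, n]), arp_request) for n in range(3)]
    samples = [recover_keystream(frame, is_reply=False) for frame in captured]
    # Each recovered key stream is the genuine RC4 output for that IV ...
    if not all(ks == rc4(iv + root_key, 16) for iv, ks in samples):
        return False
    # ... so the true key passes the check and a key wrong in one byte fails it.
    wrong_key = bytes.fromhex("0123456789abcdef0123456788")
    return key_matches(root_key, samples) and not key_matches(wrong_key, samples)


if __name__ == "__main__":
    print("ARP key-stream recovery and key check succeeded:", demo())
```

The attacker never needs the plaintext beyond the 16 fixed bytes: `recover_keystream` works on ciphertext alone, and `key_matches` turns every captured (IV, key stream) pair into a filter that a wrong candidate key passes only by coincidence.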

7.1.2 WEP – CRC-32 weakness

WEP uses an Integrity Check Value (ICV) field in the packet to detect transmission errors. It contains a CRC-32 (cyclic redundancy check) checksum, a very common error-detection scheme. The problem is that CRC-32 is linear: it protects against accidental changes but not against deliberate ones. The change of the checksum caused by a given change of the data can be computed without knowing the data, so an attacker can flip bits in an encrypted packet and flip the corresponding bits of the encrypted CRC-32 so that the modified packet still carries a valid checksum after decryption.
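
The linearity described above can be checked directly. The following Python, added for this report and not part of the thesis, computes the ICV correction for an arbitrary change of the data and uses it to alter an encrypted packet so that the receiver still accepts it, without knowing either the key stream or the plaintext. The key stream is a constructed constant standing in for RC4 output, and the packet contents are constructed; the technique is the general one the paragraph describes and works for any XOR stream cipher, not only RC4.

```python
"""Added example (not from the thesis): CRC-32 is affine over XOR, so under an
XOR stream cipher an attacker can modify ciphertext and fix the ICV blind.

For equal-length a and b:  crc32(a ^ b) == crc32(a) ^ crc32(b) ^ crc32(0...0).
The key stream below is a fixed constructed value standing in for RC4 output;
the attack never needs to know it."""
import hashlib
import struct
import zlib
from typing import Optional

# Constructed stand-in for a WEP key stream (unknown to the attacker).
KEYSTREAM = hashlib.sha256(b"constructed key stream for the example").digest()


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def seal(payload: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """Sender: encrypt payload || ICV with the key stream (the WEP body after the IV)."""
    plain = payload + struct.pack("<I", crc32(payload))
    return xor(plain, keystream[:len(plain)])


def open_(body: bytes, keystream: bytes = KEYSTREAM) -> Optional[bytes]:
    """Receiver: decrypt and accept only if the ICV matches."""
    plain = xor(body, keystream[:len(body)])
    payload, icv = plain[:-4], plain[-4:]
    return payload if struct.unpack("<I", icv)[0] == crc32(payload) else None


def icv_delta(delta: bytes) -> int:
    """How the CRC-32 changes when `delta` is XORed into a payload of that length:
    crc32(p ^ d) = crc32(p) ^ crc32(d) ^ crc32(zeros), independent of p."""
    return crc32(delta) ^ crc32(bytes(len(delta)))


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the encrypted payload and the matching correction
    into the encrypted ICV, knowing neither key stream nor plaintext."""
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover the payload exactly")
    return xor(body, delta + struct.pack("<I", icv_delta(delta)))


def is_affine(a: bytes, b: bytes) -> bool:
    """Check the linearity relation the attack relies on."""
    return crc32(xor(a, b)) == crc32(a) ^ crc32(b) ^ crc32(bytes(len(a)))


def demo() -> Optional[bytes]:
    """Redirect a constructed packet from 10.0.0.9 to 10.0.0.7 in ciphertext only."""
    original = b"deliver to 10.0.0.9"
    wanted = b"deliver to 10.0.0.7"
    delta = xor(original, wanted)        # the attacker needs only the difference
    forged = flip_bits(seal(original), delta)
    return open_(forged)                 # the receiver accepts the forgery


if __name__ == "__main__":
    print("affine:", is_affine(b"\x01\x02\x03", b"\xff\x00\x10"))
    print("forged packet decrypts to:", demo())
```

Note that the attacker supplies only the difference between old and new content; in the redirection case that is a single byte, so no knowledge of the rest of the packet is required. A keyed integrity check such as the MIC in TKIP removes exactly this property.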

7.1.3 Short initialization vector

An initialization vector (IV) is prepended to the WEP shared key so that two plaintexts are never encrypted with the same key stream. The weakness is that the IV is only 24 bits long, so only 2^24 (about 16.7 million) different IVs exist and the same key stream is reused after a short time. On a busy access point with packets of average size an IV, and with it the key stream, repeats after about five hours; with smaller packets the time is shorter. An attacker who gathers two ciphertexts encrypted with the same key stream can XOR them to cancel the key stream and obtain the XOR of the two plaintexts, which statistical analysis can then separate into the plaintexts.

7.2 Bluetooth weaknesses

7.2.1 Encryption

The Bluetooth specification makes encryption optional: some manufacturers ship devices without it, or with encryption disabled in the factory settings. Where it is used, the E0 algorithm encrypts the link. E0 is a typical stream cipher: the plaintext is XORed with the key stream derived from the encryption key. A cyclic redundancy check (CRC) checksum is added to every packet to detect transmission errors, and the whole Bluetooth packet except the header is encrypted. Because E0 is an XOR stream cipher, it is exposed to known-plaintext attacks.

If the attacker knows that a Bluetooth device is transmitting TCP packets, he can guess the TCP header, XOR the guess with the encrypted part of the Bluetooth packet (everything after the unencrypted header) and so obtain a segment of the key stream. Attacks that exploit such known key stream reduce the effective strength of E0 from 128 bits to about 84 bits and bring the algorithm within reach of a brute-force attack, i.e. an attack that tries every possible key and attempts to decrypt the ciphertext with each until it yields meaningful plaintext.

7.2.2 Random number generator

A random number generator is used for the challenge-response authentication: one partner sends a random number to the other, who computes a response from it with an algorithm and a secret known only to the two partners and sends the response back; the first partner performs the same computation on the original number and compares the result with the response received. The quality of the random numbers is therefore essential for the security of the Bluetooth protocol; the generator derives its numbers from the state of the system memory, and its output is also used to produce the encryption keys. The specification neither prescribes a random number generator nor says how to implement one. If cheap generators are used, the numbers they produce are not truly random, an attacker can predict them and so calculate the link key.

7.2.3 Unit key

A unit key can be used for several pairings, although normally it is used only once. The Bluetooth standard does not specify where the unit key is stored, and in some devices it is kept in a place an attacker can read. If the unit key is sniffed, the attacker can use it as his own and impersonate the device as a master; he can also eavesdrop on the communication once he derives the link key, which is generated from the unit key.

7.2.4 Key length

The length of the encryption key is negotiated at the start of a connection. A Bluetooth encryption key can be up to 128 bits long, but the minimum is 8 bits, and the user has no control over the length. If one device supports only 8-bit keys, the whole communication runs with 8-bit encryption. Since the negotiation itself runs unencrypted, an attacker can force the partners to settle on the short 8-bit key, which a brute-force attack then recovers with ease.

7.2.5 PIN code

To set up the communication, the same PIN code must be entered on both Bluetooth devices. The PIN is used to calculate the link key and from it the session key. Often the PIN is only 4 digits long, which makes brute-forcing the key feasible because there are only 10^4 = 10,000 possibilities. Many devices ship with the default PIN "0000", and devices without a keypad (such as headsets) cannot change their PIN at all, so their link key can be guessed.

7.2.6 Driver exploits

Many Bluetooth adapters for PCs use the Windows driver from the company Widcomm. The software offers many important Bluetooth profiles (for example the Basic Printing Profile (BPP), which lets devices send text, e-mails, vCards and other items to printers, or the File Transfer Profile (FTP), which gives access to the file system of another device). An attacker can trigger a buffer overflow in the driver and run his code with the permissions of the current user. Widcomm driver versions 1.3.2.7 and 1.4.2.10 (Windows XP and Windows 98) and version 1.4.1.03 for Windows CE 3.0 are affected. A worm that spreads between Windows PCs and PDAs would be possible.

7.3 Weaknesses in operating systems

Some operating systems such as Symbian allow the user to install applications written in C++ that call operating system functions directly: they can make calls, send MMS and SMS and use Bluetooth. Most viruses written for mobile phones take advantage of this. Such direct access lets malware spread over wireless protocols and make calls or send SMS to premium rate numbers without the user's knowledge, and the operating system never asks the user when a virus overwrites system files. Symbian also has problems with files of abnormal format: the system becomes unstable and may even crash. For example, the Siemens SX-1 and Nokia 3650 have such an error: a file called "INFO .wmlc", with 67 spaces after "INFO", can be sent to the victim via Bluetooth or infrared; if the victim opens it, the message "App. closed AppArcServerThread USER 8" appears and the phone afterwards works much more slowly.

Windows CE (Windows Mobile and Pocket PC) does not support file encryption and does not separate the memory of different programs. Therefore a program can shut down other applications, read passwords from the memory of other applications, access all OS functions such as file management (deleting and creating files) and make calls or send SMS. Windows CE supports signing of applications to ensure they come from the original producer, but not all mobile device manufacturers use this feature. There is no buffer overflow protection either, so a Windows CE device can be infected from the Internet simply by visiting a web page.

7.4 Weaknesses of the mobile Internet

Some mobile phones still use the old WAP 1.x (Wireless Application Protocol) standard, which has encryption weaknesses. WAP 1.x does not support end-to-end encryption: the data is decrypted on the WAP gateway, so everybody with access to the gateway can read the WAP packets sent by the mobile phones (Figure 29), and the data is vulnerable at the gateway itself. Furthermore, when the WAP Transport Layer Security (WTLS) encryption is used, the weak 40-bit Data Encryption Standard (DES) cipher may be negotiated; with a key of only 40 bits all possible keys can be tried in a very short time. A connection between a mobile phone and the Internet can also be torn down: the attacker finds out the sequence number of an encrypted datagram and sends an unencrypted alert message with the same sequence number, which causes the gateway to close the connection to the phone [30]. WAP 2.0 allows end-to-end security. With WAP 1.x the only way to guarantee complete security is to operate one's own gateway. Several banks have tried this so that their customers do not have to share the gateway with the wireless operator: to manage their accounts, customers dial into the bank's own gateway, through which they can also reach the Internet and pay-per-view content [10].

Figure 29 "Security vulnerability in a WAP 1.x network"

8 Countermeasures against vulnerabilities in mobile devices

Mobile devices are not helpless against the threats described in the previous chapters. This chapter presents countermeasures for those weaknesses: first against wireless threats, then general countermeasures for computer systems against network attacks and the spread of malware.

8.1 Countermeasures for WLAN

8.1.1 WPA

WPA (Wi-Fi Protected Access) is a security system for WLANs that eliminates all known vulnerabilities of Wired Equivalent Privacy (WEP), the original security mechanism of 802.11 networks. WEP was broken about six years ago, which made a new system necessary. WPA provides strong data encryption to correct WEP's weaknesses and adds user authentication, which WEP lacked (Figure 30). It was designed so that existing wireless network cards could support it through firmware upgrades, although some older cards cannot. WPA uses the Temporal Key Integrity Protocol (TKIP, http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol) for encryption and 802.1X authentication with the Extensible Authentication Protocol (EAP, http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol). Data is still encrypted with the RC4 stream cipher, but with a 128-bit key (WEP uses 40 or 104 bits) and a 48-bit initialization vector (WEP uses 24 bits). A major improvement over WEP is that TKIP changes the encryption keys dynamically during the communication; together with the much larger initialization vector this gives far better protection against the key-recovery attacks on WEP. Some manufacturers offer a "mixed mode" in which an access point supports both WPA and WEP for older clients that cannot be upgraded. This mode is insecure: intruders get into the wireless network through the vulnerabilities of the WEP clients, so the network is no more secure than if it ran WEP only. Mixed mode is not a feature of WPA. There are two variants of WPA, enterprise and personal. For enterprise networks WPA uses a full 802.1X infrastructure with EAP and WPA-capable access points, typically with the Remote Authentication Dial-In User Service (RADIUS, http://en.wikipedia.org/wiki/RADIUS) for authentication (Figure 30). Personal WPA uses the pre-shared key (PSK, http://en.wikipedia.org/wiki/Pre-shared_key) mode, in which every computer allowed on the wireless network is configured with the same password; in PSK mode the security depends entirely on the strength and secrecy of that password.

Figure 30 "WPA Secured WLAN"

8.1.1.1 Encryption

The Temporal Key Integrity Protocol (TKIP) increases the strength and complexity of the wireless encryption. The key size is raised to 128 bits, and WEP's single static key is replaced by keys that are generated dynamically and distributed by the authentication server. After accepting the user's login, the authentication server uses 802.1X to produce a unique master key (also called the "pairwise" key) for the current session, which is delivered to the client and the AP. From this pairwise key TKIP continually derives fresh data encryption keys, so that every packet is encrypted with its own key: in place of WEP's single static key there are roughly 500 trillion possible per-packet keys. The Message Integrity Check (MIC) prevents an attacker from capturing packets, altering them and resending them: transmitter and receiver both compute the MIC with a keyed function, and if the value computed by the receiver does not equal the one received, the data is assumed to have been tampered with and the packet is dropped [40].

8.1.1.2 Extensible Authentication Protocol (EAP)

WPA uses 802.1X authentication with the Extensible Authentication Protocol (EAP). This mutual authentication protects users from accidentally connecting to a rogue AP, and it ensures that only authorised users gain access to the network. When a user requests access, his identity is forwarded through the AP to the authentication server. If the server accepts the user, the master key is made available to the client and the AP, and a four-way handshake in which client and AP confirm each other and install the keys completes the process (Figure 31).

Figure 31 "WPA Enterprise Authentication"

8.1.1.3 Pre-shared key (PSK) authentication

Users in small office and home office (SOHO) environments cannot install and maintain a RADIUS authentication server. For them WPA offers the pre-shared key (PSK), a password. The PSK gives home and SOHO users the same strong TKIP encryption, per-packet keys and key management that WPA provides for an enterprise.

Figure 32 "PSK Authentication"

The password is entered manually on the client devices and on the AP and also serves for authentication: each user must know it to access the network. It may be 8 to 63 ASCII characters or exactly 64 hexadecimal digits (256 bits). An ASCII passphrase is not used directly: the Password-Based Key Derivation Function PBKDF2 derives a 256-bit key from the passphrase and the network's SSID, and this pairwise master key is what the access point and the clients hold. Because the SSID is public, anyone who captures the handshake can test passphrases offline, so to protect the WLAN against password guessing a truly random password of at least 20 characters should be used, and 33 characters or more is recommended.
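
The derivation described above can be reproduced with the Python standard library. The code below is an added example, not code from the thesis or from any WPA implementation: it derives the pairwise master key from passphrase and SSID as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), runs a constructed word list against a constructed network to show why a public SSID makes short passphrases cheap to guess offline, and compares the guessing work for the passphrase lengths the text recommends. The network name, word list and passphrases are invented for the example; the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") is a convenient check that derive_pmk is correct.

```python
"""Added example (not from the thesis): deriving the WPA/WPA2-Personal pairwise
master key (PMK) from a passphrase, and why weak passphrases fall to offline guessing.

PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes),
as specified in IEEE 802.11i; a 64-hex-digit key is used as the PMK directly."""
import hashlib
import math
import string
from typing import Iterable, Optional

ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase or 64-hex-digit key -> 256-bit PMK, as a client or AP computes it."""
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def offline_guess(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: SSID and iteration count are public, so every guess can be
    derived offline.  A real attacker compares each candidate against the MIC of a
    captured 4-way handshake; comparing against the PMK itself keeps this example
    self-contained."""
    for word in candidates:
        try:
            if derive_pmk(word, ssid) == target_pmk:
                return word
        except ValueError:
            continue
    return None


def passphrase_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Guessing work for a uniformly random passphrase (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed network with a weak passphrase taken from a constructed word list.
    ssid = "CoffeeShop-WiFi"
    wordlist = ["password", "12345678", "letmein1", "sunshine", "coffee2008"]
    pmk = derive_pmk("coffee2008", ssid)
    print("recovered passphrase:", offline_guess(pmk, ssid, wordlist))
    print("8 lowercase letters: %.0f bits" % passphrase_entropy_bits(8, 26))
    print("20 random printable characters: %.0f bits" % passphrase_entropy_bits(20))
```

The 4096 iterations slow each guess down but do not change the picture: a dictionary word falls in seconds, while a 20-character random passphrase gives about 131 bits of guessing work and a 64-hex-digit key bypasses the derivation entirely. PBKDF2 is a derivation function, not a key generator; the strength still comes from the passphrase the user chooses.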

8.1.2 WPA2

Since March 13, 2006, WPA2 certification has been mandatory for all new devices wishing to be Wi-Fi certified. WPA2, also called RSN (Robust Security Network), keeps the 802.1X/EAP authentication and the PSK mode of WPA and still supports TKIP, but it introduces the Advanced Encryption Standard (AES) as its cipher, where WEP and WPA use the RC4 stream cipher. AES is a shared-(secret-)key block cipher and an official U.S. government standard; in WPA2 it is used to encrypt the traffic and can also protect the traffic encryption keys. Like WPA, WPA2 is designed to secure all 802.11 variants, including 802.11a, 802.11b and 802.11g. WPA2 uses AES in CCM mode (Counter with CBC-MAC: counter-mode encryption combined with a cipher-block-chaining message authentication code) and supports the Independent Basic Service Set (IBSS) to secure connections between clients in ad hoc mode. AES supports key sizes of 128, 192 and 256 bits; WPA2 uses 128-bit keys. Like WPA, WPA2 relies on the 802.1X framework for mutual authentication and dynamic key management and offers a pre-shared key for home and small office environments. WPA2 also provides a secure "mixed mode" in which older WPA clients and newer WPA2 clients coexist (Figure 33).

Figure 33 "WEP / WPA / WPA2 in comparison"

8.2 Countermeasures for Bluetooth When using Bluetooth devices, the following security settings are important to protect the system. The mobile device should never left in its default configuration. A long and unsystematic PIN should be chosen. To protect the Bluetooth devices and make it invisible for the attacker, the device should be in non-discoverable mode24 until pairing25 and after pairing. Pairing devices should occur in a hidden location. It reduces the fact that the PIN code will be intercepted by an attacker. Checking the manufacturer's Web site for updates secures the mobile devices against new discovered vulnerabilities. Bluetooth messages or requests for pairing from unknown users should never be accepted. The viruses infect systems only when users accept an incoming message and then decide to install the attached file. The new Bluetooth 2.1 standard offers the Simple Pairing procedures. The most significant change is that the user will not need to enter a PIN manually. The PIN is generated automatically and the user is only asked to accept or reject a pairing. Additionally, Simple Pairing introduces stronger encryption compared to the old Bluetooth 1.0 standard. These two enhancements (Simple Pairing and strong encryption) give much more security to the Bluetooth devices.

8.3 Virtual private network (VPN)

To improve the security of wireless networks, virtual private network (VPN) technology can be used. A VPN provides point-to-point encryption between the client and the access point so that the transferred data cannot be eavesdropped on by attackers. A large company can use VPN technology to connect offices in different cities and home offices. Over the Internet, data takes many different paths through switches, routers and providers. Theoretically, anyone along the path can pick up the data and look at it without anybody's knowledge. Apart from the Secure Sockets Layer (SSL) encryption done by Web browsers, most programs do not support any type of encryption. A VPN allows a secure channel to be created between two communication points and encrypts all transmissions automatically [31].

24 Invisible state in relation to other Bluetooth devices.

25 Two devices become paired when they start with the same PIN and generate the same link key, and then use this key for authenticating at least the present communication session. The session can exist for the life of an L2CAP link (for Mode 2 security) or the life of the ACL link (for Mode 3 security).

26 Secure Socket Layer (SSL) is a protocol at the fourth layer (TCP layer) that provides secure communications on the Internet.


Figure 34 "Virtual Private Network"

The process is illustrated in Figure 34. There is no difference whether the VPN node is on a wired LAN or on a WLAN. Anyone who intercepts the communication captures only encrypted data, which is useless to them. Nobody can decrypt the VPN transmission without the encryption key, and only the two VPN communication partners have that key. The security of this type of connection depends on the frequency of key changes, the method of key exchange, the key length and the strength of the encryption algorithm. The only serious issue that remains is the authentication of a user before granting access to the AP. The VPN server is often placed on an existing router or firewall in the network. To initialise the tunnel, the client requests a connection with the VPN server. The server authenticates the request and sends a key to begin the secure communication. In general, a tunnel is set up for each IP port over which data is sent, so an individual connection from a notebook or a mobile device may require multiple tunnels for a complete set of applications.

8.4 Securing the network and operating systems

The best defence against network attacks is to keep the system updated with the latest patches. Good network security applications are also important; these include intrusion detection systems (IDS), firewalls and antivirus programs. The wireless network should be checked for known vulnerabilities. Security functions such as access controls and checks for rogue access points must be implemented in the network. In small networks, static IP addresses (rather than the Dynamic Host Configuration Protocol, DHCP) should be used. Ethernet MAC Access Control Lists (ACLs) to prevent access by foreign clients should also be implemented. The Service Set Identifier (SSID) broadcast by access points must be disabled, and the SSID should be changed from the factory default. By default, when wireless access points are delivered, their security functions are switched off. The result is that an attacker can easily connect to the access point and configure the router as he wants. The Domain Name System (DNS) server address can be changed to an IP that is owned by the attacker, so that all requests to websites lead to the attacker's page, where he can steal passwords. Uploading a hacked firmware version to the router could put the attacker in full control of the data; he can install undetected sniffing programs on the router. Moreover, such devices can be used by attackers to launch virus or spam attacks.

The operating system needs to be secured too. One of the most serious security flaws in programs is the buffer overflow. The software industry has known about this vulnerability for more than 20 years, but it still exists. A buffer overflow in working memory is caused by incorrect memory usage when developers write their programs in languages without built-in memory management (e.g., C/C++). Overflowing a buffer often results in a program crash. However, a carefully constructed exploit may run a program of the attacker's choosing or crash the whole operating system. One solution to this problem is to use languages that do better memory management: languages such as Java and C# provide a safe alternative to C and C++.

27 An intrusion detection system (IDS) detects an attack by analysing network traffic and system functions for strange behaviour or attack-specific behaviour.

28 Firmware is the software that defines how the router works; it contains the instructions for the router's operation.

8.4.1 Antivirus Programs

Antivirus software detects and protects a computer from viruses, worms, Trojan horse programs and backdoors, as well as blended threats, which combine aspects of different threats. Some antivirus programs also help to block well-known joke or hoax e-mail messages, spyware programs and program exploits. To secure mobile devices, the leading antivirus software companies like F-Secure or Kaspersky offer solutions for most mobile operating systems and for Java. Most antivirus software includes three basic types of scanning: real-time, manual and heuristic. Real-time scanning is the main line of defence: it is done on the fly while the device is in use. A manual scan checks the files that are already on the mobile device and makes sure that none of them is infected. Such scans can be initiated by the user if something suspicious seems to be going on, but they should also be run periodically to make sure that no malware got past the real-time scanner; it is also possible that an infected file made its way onto the device before the antivirus vendor updated its software to detect it [20]. The third form of detection included in most antivirus software is heuristic detection. Standard malware scanning relies on signatures or pattern files to identify known threats; until a threat is discovered and researchers identify the unique traits by which it can be detected, standard scanning will not detect the new threat. Heuristic detection does not look for specific malware threats. Instead, it uses general characteristics of typical malware to identify suspicious network traffic or e-mail behaviour: based on known traits of past threats, heuristic detection attempts to detect similar traits in order to identify possible threats.

8.4.2 Firewalls

Firewalls are used to protect networks from outside attacks. Typically, firewalls come in three categories: static packet filters, stateful packet filters and application level gateways. Static packet filters have static rules that describe which packets are granted or denied. They filter each packet based only on information contained in the packet itself (most commonly a combination of the packet's source and destination address, its protocol and the port number). Stateful packet filters use information about the session state, and depending on this information packets may be granted or denied access. This kind of firewall can, for example, detect packets that start a new connection and reject them [24]. Application layer gateways are the most complex firewalls and can analyse packets up to the application layer. They can "understand" protocols (such as File Transfer Protocol, Domain Name Service or web browsing) and they can detect whether a non-standard port is used or whether a protocol is being used to send disallowed data. Nowadays, the only known firewall for mobile devices including mobile phones is offered by the antivirus specialist F-Secure. The firewall scans the WLAN traffic for unwanted or dangerous packets. The application runs on Symbian and Windows Mobile devices [35].
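An added example, not part of the thesis, contrasting the first two categories above in Go: the static filter judges each packet by its header fields alone, while the stateful filter admits inbound packets only when a LAN host opened the connection itself, so an inbound packet that would start a new connection is rejected. The packet model, the rule set and the sample addresses are constructed for this example.

```go
package main

import "fmt"

// Packet models the header fields a packet filter can inspect (constructed
// type for this example). Dir is "in" (internet -> LAN) or "out" (LAN -> internet).
type Packet struct {
	Dir, Src, Dst, Proto string
	SrcPort, DstPort     int
	SYN, ACK             bool
}

// StaticRule is one line of a static packet filter: it looks at header fields
// only and has no memory of earlier packets. Zero values act as wildcards.
type StaticRule struct {
	Dir, Proto       string
	SrcPort, DstPort int
	Allow            bool
}

// StaticFilter applies the rules in order; the first match decides and
// packets matching no rule are denied.
func StaticFilter(rules []StaticRule, p Packet) bool {
	for _, r := range rules {
		if (r.Dir == "" || r.Dir == p.Dir) && (r.Proto == "" || r.Proto == p.Proto) &&
			(r.SrcPort == 0 || r.SrcPort == p.SrcPort) && (r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Allow
		}
	}
	return false
}

// StatefulFilter remembers the TCP connections that LAN hosts opened themselves.
// Inbound packets pass only when they belong to such a connection; an inbound
// packet that would start a new connection is rejected, as the text describes.
type StatefulFilter struct{ conns map[string]bool }

func NewStatefulFilter() *StatefulFilter { return &StatefulFilter{conns: map[string]bool{}} }

// connKey names a connection with the LAN side first, so a reply can be looked
// up with the addresses swapped.
func connKey(lan string, lanPort int, remote string, remotePort int) string {
	return fmt.Sprintf("%s:%d->%s:%d", lan, lanPort, remote, remotePort)
}

func (f *StatefulFilter) Filter(p Packet) bool {
	if p.Proto != "tcp" {
		return false // this example tracks TCP only
	}
	switch p.Dir {
	case "out":
		key := connKey(p.Src, p.SrcPort, p.Dst, p.DstPort)
		if p.SYN && !p.ACK {
			f.conns[key] = true // a LAN host opens a connection: remember it
		}
		return f.conns[key]
	case "in":
		return f.conns[connKey(p.Dst, p.DstPort, p.Src, p.SrcPort)] // reply to a known connection?
	}
	return false
}

// WebRules is a typical static rule set for outbound web browsing: LAN hosts may
// connect anywhere, and anything coming back from TCP source port 80 is let in.
var WebRules = []StaticRule{
	{Dir: "out", Proto: "tcp", Allow: true},
	{Dir: "in", Proto: "tcp", SrcPort: 80, Allow: true},
}

func main() {
	sf := NewStatefulFilter()
	// Constructed sample traffic: a LAN host browses a web server, then an
	// unrelated inbound packet arrives that would start a new connection.
	samples := []Packet{
		{Dir: "out", Src: "192.168.1.10", Dst: "203.0.113.5", Proto: "tcp", SrcPort: 40000, DstPort: 80, SYN: true},
		{Dir: "in", Src: "203.0.113.5", Dst: "192.168.1.10", Proto: "tcp", SrcPort: 80, DstPort: 40000, SYN: true, ACK: true},
		{Dir: "in", Src: "198.51.100.7", Dst: "192.168.1.10", Proto: "tcp", SrcPort: 80, DstPort: 445, SYN: true},
	}
	for _, p := range samples {
		fmt.Printf("%-3s %s:%d -> %s:%d  static=%v stateful=%v\n",
			p.Dir, p.Src, p.SrcPort, p.Dst, p.DstPort, StaticFilter(WebRules, p), sf.Filter(p))
	}
}
```

The third sample packet is the case the text describes: it satisfies the static rule (TCP from source port 80) but belongs to no connection a LAN host opened, so only the stateful filter rejects it.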

8.5 Overview of security countermeasures

Like any new technology, wireless networks bring benefits but also new and increased risks. Before setting up a wireless network, one should consider developing policies, standards, procedures and guidelines, performing periodic wireless security assessments and audits, and monitoring and tracking wireless and handheld devices. Wireless security features like encryption and authentication must be enabled. Techniques like trusted computing, where only signed applications can access critical system functions, can give additional security to mobile devices. Because it is impossible for programs to overwrite operating system files, users can easily reset the device to its initial (not infected) state. The best defence against social engineering attacks is an informed work force; organisations must educate users on these issues. Establishing a strong security policy that includes specific guidance on passwords, data classification, access control and physical security goes a long way in combating social engineering. Implementing a security architecture that includes firewalls, cryptography and an Intrusion Detection System (IDS) can protect from unwanted intrusion [38].


9 Evaluation

This chapter evaluates the security solutions for mobile phones achieved in this project work and used in the case studies. The effectiveness of the solutions used is discussed in this section; the solutions themselves were outlined in the first chapter, the introduction. Furthermore, some useful solutions from antivirus vendors (firewalls and antivirus programs) are illustrated in this work.

9.1 Evaluation of solutions

The aim of the project work is to present the state of the art of the security issues that mobile phones face, and to find solutions to these problems and to problems that could arise in the future. The solutions that have been found are applied to secure different kinds of networks which use modern mobile devices. These solutions are described in two case studies with complex applications for mobile phones and other devices that use wireless communication protocols.

9.1.1 Evaluation criteria

The effectiveness of security solutions like virtual private networks (VPN), demilitarised zones (DMZ), digital signatures and encryption of transmitted data, as implemented in the next two case studies ("An electronic market" and "A hospital"), can be evaluated by multiple criteria: cost, implementation time, security level, usability, compatibility of hardware and software, and consumer demand. One of the most important evaluation criteria is the cost, followed by the time needed to implement the solution. The next necessary criterion is the achieved level of security: consumers wish for different levels of security and are able to pay for different levels of quality. A further point is whether the solution can be reused in multiple places and how complex its implementation is. One should also consider whether the elements used in the solution are compatible with the devices and software available on the market, and whether there are enough consumers who will accept the solution.

9.1.2 A case study – "An electronic market"

An international electronics market group wants to modernise its stores and offer its customers more comfort while buying goods in its stores. The market sells electronic articles like computers, TV sets and Hi-Fi systems. In addition, refrigerators, ovens, microwaves and vacuum cleaners are sold too.

9.1.2.1 Actual state

The customer enters the market and looks for the desired device. On the way to the shelf with the needed equipment, the customer can see the special offers of the market, but there is no guarantee that he will see all of the interesting offers: it depends on the direction he takes, and he only learns about an offer if he happens to walk past the advertisement. After the customer has found the equipment he needs, he searches for the price label to find out how expensive the equipment is. If he is lucky, he might find some information about the desired device near the price tag. If the customer needs more information than is given on the label, he has to ask the shop assistant about that object. The shop assistant can also show the same kind of device from a different manufacturer, help the client to compare the available devices and choose the right one. After the final decision, the customer takes the desired equipment to the cashier (or only the price label of the device, if the device itself is too big) and pays for it. If the customer wants the equipment delivered to his home, he needs to tell the cashier his address.

9.1.2.2 Requirements

A requested product should be found in shops much more easily than today: the customer should not need to search the shelves for the necessary equipment for longer than a few minutes. On the way to the device the consumer wants to buy, he should not overlook advertisements for special offers; ideally, the customer would receive advertising on his mobile phone for the goods he is actually looking for. It should be easier to find the necessary information about the goods, and the absence of a price label should not be so dramatic. In addition, the customer should get more information about a device near to where it is located in the shop, without asking the shop assistant. This would be a win-win situation for customer and shop owner: the customer does not need to ask the salesperson or wait while the salesperson is advising another customer, and the shop owner could maximise profit. If the customer only wants to compare prices, he should have the possibility to take the information about the device home and have more time to decide about buying the equipment. As long as the customer does not pay directly at the shop (because he wants the device delivered to his home), there is no need to speak with a cashier.
The customer should be able to select the desired equipment, enter his home delivery address and choose for himself the payment option he would like to use.

9.1.2.3 Solution

To show the customer the way to his desired product and to give him advertisements depending on the equipment he needs, a mobile device is useful. Problems such as giving sufficient information about the equipment or ordering the equipment for home delivery could be solved by hard copies of brochures with forms for home delivery, but a mobile device offers the most convenient solution for these problems. There are two alternatives for the mobile equipment which can be used in the market. The first one could be provided by the market itself. One advantage of this solution is that it would provide the best compatibility in the interaction of devices: it is guaranteed that all necessary applications for the project run on the mobile devices with ideal performance and that the information is displayed perfectly. The second advantage is that, if enough devices are bought for the market, they could be available to every customer. The disadvantage is that the management of mobile devices requires additional effort from the market. Somebody must hand them out to the customer, explain how they work and keep an eye on these devices until the customer leaves the market, to ensure that none of the mobile devices is stolen. Broken devices must be repaired and discharged batteries must be recharged in time. The second disadvantage is that many users must be taught how to use these mobile devices, which would require extra staff to show customers how to use them. The second alternative is that the customers use their own mobile phones. Today just about everybody has a mobile phone, so the market would save costs as no management of these mobile phones is needed. The customers charge their equipment themselves, and no employees are needed to hand the devices out and collect them again. Thus, there is no need to invest any money to buy the devices: the customers bring them themselves. Usually the customers are more familiar with their own equipment and need less instruction from market staff than if they were using the shop's own devices. The disadvantage is that not really everybody owns a mobile phone, or they can forget to take it with them. Besides, not every phone will be able to execute the shop's application for navigation and product information. Moreover, even if the application runs, it might not be very convenient to use because of the small display of some mobile phones or awkward application control depending on the position of the keys on the phone. Because the second alternative, using the customers' own mobile phones, is much cheaper than buying devices and employing additional personnel, this alternative should be chosen. Moreover, if somebody does not have a mobile phone, he is likely not to be interested in modern technology and would probably not use the new service anyway. After the decision to use the customers' mobile phones in the market has been made, the technology for implementing the application and for distributing data between mobile phones and the shop server should be developed. The requested application must contain the following features: it must have a navigation function to show the customer the way to his desired equipment. On the way to the product, the customer must be informed about special offers he is interested in, or about offers for products on the shelves he is passing by. The application must display the price and information of the product that the customer is interested in. It must be possible to take this information home for comparison with other products.
The application must enable the customer to order the desired product to be delivered to his home. The information which is sent to the customer's mobile phone is not static; it depends on the product he needs. For routing the customer to the desired equipment, tracking of the customer is required. To achieve compatibility between different operating systems, the application should be implemented in Java Micro Edition (JavaME). JavaME is independent of the operating system, and hence an application written in Java is executable on most mobile phones. There is no other equivalent alternative, because other languages depend on their platform; the same application in another language would not be able to function on all mobile devices. Another solution to this problem could be a web portal written in HTML, because it is platform independent. Every internet browser in a mobile phone could display HTML with equal functionality (tracking, product information and ordering), but it would need more effort to implement customer tracking in HTML. For communication between mobile phones and the shop server, a common communication protocol is necessary. Only the Bluetooth protocol can fulfil this request. The Bluetooth protocol is supported by most present-day devices. Compared to infrared, which is also widespread and could be used instead, Bluetooth does not need a direct line of sight and allows tracking through measurement of the signal strength. It would be feasible to use the Wireless LAN protocol for the realisation of the project for the market; however, the problem is that WLAN is not available in all mobile phones.
After determining the most important components, the shopping of the future could look like the following example. The customer enters the market, connects to the market network and downloads the JavaME application via Bluetooth onto his mobile phone. After installing the application, he enters the name of the product he is looking for. The mobile phone shows the customer a map of the market, his current position in the shop and the place of the needed device. In addition, voice navigation, as used today for driving cars, could be provided in the shop. For routing the customer through the market, the device must know two positions: where the device he needs is located and the current position of the customer. The location of the device he is searching for is constant. The position of the customer is tracked by multiple Bluetooth access points in the market. While he is on the way to the product, a friendly voice from his mobile phone would inform him about special offers on goods he is passing by. Since the device knows which product the customer is interested in, the advertising could even be context sensitive and suggest, for example, DVD movies if he wants to buy a DVD player. After the customer has reached the product or product group, he can get detailed information from the phone about every product he wants. To let the phone know the details of a device, the customer only needs to take a photo of the barcode of the product he is interested in. The Java application on the phone recognises the barcode and requests the product information from the shop server. If the customer's mobile phone does not have a camera, he can simply type the numbers shown under the barcode into the device. On the display, he can see all details about the device together with a picture of it. He can also compare the technical characteristics of one device with another. Price comparison of these products with the same products from other sellers via the internet would be possible, but there would probably be little demand for it from the market itself. The product information can be saved in the phone or printed on a Bluetooth printer provided by the market (Figure 35).

Figure 35 "HP Deskjet 460wbt Mobile Printer with Bluetooth"

While the connection between a mobile phone and the Bluetooth printer is set up, the mobile phone data of the customer is stored in the shop's database server. The goal of this storage is to limit printer usage, for example to 10 pages per day, and so reduce the market's costs. The application provides a comfortable form to buy the product: the customer fills in his name, address and payment details. After that, he can go home and wait for the delivery.


Figure 36 "A visit to the electronic market with mobile phone service" (steps shown: Connection; Downloading Application; Navigating to the shelf; Location based Information about goods; Scanning of barcodes of products with mobile phone and comparison of description of different goods; Printing of product information; Ordering Product in the shop)

During the shop visit, the customer leaves some confidential information there, for example his credit card number if he wants the product delivered to his home.


To protect the customer against his private data being stolen, some security settings are needed. While connecting to the market network via Bluetooth, the customer must enter the Bluetooth session key. Every customer uses the same session key for establishing a connection; this is a disadvantage, because everybody knows the key and would be able to decrypt the transmitted information. In this case, the connection is not secure. Another way to enter the secure Bluetooth password is to create an individual key for every connection, but this would be somewhat uncomfortable: somebody from the shop would have to be employed to type a different key into the market's Bluetooth access point every time. When every user gets the same Bluetooth session key, it causes no effort for the shop. Because of the insecure connection, the customer needs additional encryption in the JavaME application. After entering the shop, the user downloads the shop application from the server and executes it, and the program itself establishes an encrypted connection with the server. This encryption takes place on the seventh protocol layer, the application layer. By contrast, the Bluetooth ciphering is on the second layer and could easily be cracked if the same session key is used; hence, it would be a good idea to implement asymmetric point-to-point encryption between the mobile device and the server. Asymmetric encryption uses two keys: one key encrypts, and only the other can decrypt. The transmitter encrypts the message with the public key of the receiver. The receiver decrypts the message with his private key, which must remain secret. When the receiver sends a message to the transmitter, it encrypts this message with the public key of the transmitter. The application layer in this solution uses the HTTPS protocol. The HTTPS connection is first established with asymmetric encryption. Then the session key for the further symmetric communication is generated by the Java application and exchanged between transmitter and receiver under asymmetric encryption. Symmetric encryption uses the same key for encryption and decryption, and the remaining communication runs with symmetric encryption, because it needs less processor power. The encryption on the seventh layer is necessary to protect the customer's private data: if he wants to order the desired equipment via the application on his mobile phone, the shop must guarantee that the credit card details transmitted by the application to the shop server cannot be eavesdropped. Finally, to guarantee security to the customers it is much better to realise the first solution, in which mobile phones are bought and handed out by the market: the private data of the customers is not stored on those mobile phones, so there is no point in a hacker cracking the mobile phone. To reduce the costs of the shop, it is beneficial to use the second solution, in which customers use their own mobile phones. The Bluetooth connection is established on the second protocol layer. The probability that mobile phones in the shop will be affected by the Bluetooth attacks described earlier in this project work is low. It is necessary to switch off Bluetooth after the connection is terminated. To provide better security for the shop itself, a demilitarised zone (DMZ) must be installed (Figure 37). This means that the market's server that delivers the product information could be a kind of web server placed in the demilitarised zone. The web server is secured from the users by a firewall; at the same time, the web server is separated from the market LAN by another firewall. The purpose of the demilitarised zone is that, if the web server is hacked, the attacker has no access to the market LAN. The confidential information on the market LAN, such as the volume of sales, the salaries of employees and the names of investors, is protected by the second firewall.
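As an added illustration, not code from the thesis or from the shop application it describes, the following Go program carries out the application-layer exchange just described: the phone wraps a fresh symmetric session key with the server's public key, and the order form then travels under that session key, independent of the shared Bluetooth link key below it. The choice of RSA-OAEP for the wrapping and AES-GCM for the session, and the type and function names, are assumptions; the text names HTTPS, which is what a deployment would use instead of a hand-built exchange.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel ties the wrapped key to this purpose; both sides use the same value.
var oaepLabel = []byte("shop-session-key")
// ShopServer (assumed name) holds the shop server's RSA key pair; only the
// public half ever travels over the shared-PIN Bluetooth link.
type ShopServer struct{ priv *rsa.PrivateKey }
func NewShopServer() (*ShopServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ShopServer{priv: priv}, nil
}
func (s *ShopServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }
// WrapSessionKey is the phone-side step: draw a fresh 128-bit AES session key
// and encrypt it to the server's public key (RSA-OAEP). Whoever listens on the
// layer-2 link sees only the wrapped key, which needs the private key to open.
func WrapSessionKey(pub *rsa.PublicKey) (wrapped, session []byte, err error) {
	session = make([]byte, 16)
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, oaepLabel)
	return wrapped, session, err
}
// UnwrapSessionKey is the server-side step: recover the session key.
func (s *ShopServer) UnwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, oaepLabel)
}
// gcmFor builds the AES-GCM instance for the symmetric part of the session.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts and authenticates one application message; the random nonce
// is prepended to the ciphertext so the receiver can find it.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// Open reverses Seal and fails if nonce, ciphertext or aad were altered.
func Open(key, msg, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], aad)
}
// PlaceOrder runs the whole exchange for one order form and returns what the
// server decrypted, so the round trip can be checked end to end.
func PlaceOrder(srv *ShopServer, order string) (string, error) {
	wrapped, session, err := WrapSessionKey(srv.PublicKey()) // phone
	if err != nil {
		return "", err
	}
	serverKey, err := srv.UnwrapSessionKey(wrapped) // server
	if err != nil {
		return "", err
	}
	ct, err := Seal(session, []byte(order), []byte("order")) // phone
	if err != nil {
		return "", err
	}
	pt, err := Open(serverKey, ct, []byte("order")) // server
	return string(pt), err
}
func main() {
	srv, err := NewShopServer()
	if err != nil {
		panic(err)
	}
	// Constructed order form with a placeholder card number, not real data.
	fmt.Println(PlaceOrder(srv, "item=TV-4711;card=0000-0000-0000-0000"))
}
```

Because AES-GCM authenticates as well as encrypts, a modified order is rejected on the server side rather than silently decrypted to garbage, which covers the alteration risk the text raises alongside eavesdropping.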


Figure 37 “Demilitarised Zone”

9.1.3 A case study – "A hospital"

A big hospital complex in Hamburg wants to update its infrastructure for the quality treatment of patients and faster administering of first aid, to shorten the distance hospital employees have to go from their work place to the sickroom where patients are being treated, and to reduce the amount of paper used in the hospital. The hospital complex includes the hospital building, doctors' offices and external support facilities.

9.1.3.1 Actual state

When patients come to the hospital, nothing is known about their medical history. To get their medical records, the attending doctor has to call the family physician or the doctor the patient was with before. After that, the records are sent to the hospital by post. All records must be collected from multiple medics, so it may take a long time to get all the necessary records together. After the patient leaves the hospital, his records are stored in the hospital; if his family physician wants to see them, he must request them by post again. When the doctor examines the patient, he makes a diagnosis and prescribes medicines, writing these in the patient's record. After the patient leaves the doctor's room, the doctor has to type the diagnosis and the prescribed medicine into the desktop computer. While the patient is being treated, the nurse gives the patient the prescribed drugs and follows the instructions written by the doctor on the desktop PC. If the nurse takes the patient's temperature, she first has to write it on paper, as the doctor would, and then enter the data into her PC. In case of an emergency, some patients need a specific medical device for emergency treatment as soon as possible. Sometimes there is no possibility to locate the nearest medical device in the building; the necessary device, for example an electrocardiogram unit, must be picked up from its storage place. Moreover, these special devices are used while the nurses check over the patient, and quite often they are lost. It is difficult to find "lost" devices if somebody has left them somewhere in the hospital or put them in an unusual place. If someone is seriously ill, a specialist from another hospital may be needed to give advice or treatment. If the advice of an external specialist is necessary, he can be invited to the hospital or he can receive the patient's medical records by post; after studying the records, he can give advice for the treatment of the patient by telephone. If during an operation a doctor needs the help of another specialist, the invited doctor must come to the hospital and be in the operating room to see what is happening during the operation in order to give the correct advice.

To choose their meals, the patients have to fill in a paper form listing the available dishes. They have to keep in mind which meals they are allowed to eat (for example, no sweet food for diabetics). Later the nurse collects the sheets and types the chosen meals into the computer, but the nurse does not check whether a meal is suitable for the patient. While the patient is in hospital, the only way for him to communicate with his relatives, apart from visits, is to call them with his mobile phone or to use a phone card bought at the hospital. There is no internet access for the patients provided by the hospital today. After the patient is released from the hospital, he has to return to the hospital several times for health examinations. There is no way for him to tell doctors about the state of his health other than coming to the hospital.

9.1.3.2 Requirements

1) To guarantee doctors the availability of patients' medical histories, it would be convenient to store patient information on a central database server. The diagnoses and prescriptions of all patients would be stored on this server; X-ray photographs and other results should be saved there too. But if this central storage system is broken into by a hacker, all the medical records of the patients might get out into the public, so some security settings are necessary. Nobody should have access to this data without the consent of the patient, and neither the patient nor anybody else should be able to change his own data.

2) There is no need to write diagnoses and prescriptions first on paper and then to type them again into the patient's medical records. A mobile device can take over this function: the data can be recorded by the doctor while visiting his patients. The device must display the patient records and give the doctor an overview if he has to change a dosage or prescribe new medicines. In emergencies, the doctor must be informed about the state of the patient as fast as possible.
On the way to the emergency room, the medic should receive information about the current medical state of the patient via mobile phone while he is on his way to see the patient. A mobile phone is required for the nurses too. It has two advantages. Firstly, using the mobile phone would save much time compared with writing measurement results in different places (on paper and then on the PC). Secondly, the nurse is reachable at any time and at every place in the hospital. These mobile devices contain very confidential information. If such a device is lost or stolen, nobody except the owner should be able to access the device, and access to the information on the network must be prevented. Furthermore, the communication between the mobile phone and the network should be safe against eavesdropping and alteration.

3) Tracking of devices like electrocardiogram units or infusion pumps is needed in hospitals. It must be possible to locate equipment within a range of about a metre. The position of the device should be shown on the computer on the hospital's map.

4) In some difficult situations during an operation, internet communication between neighbouring hospitals is needed to allow fast exchange of information. For example, if the advice of an external specialist is needed, he should get all of the necessary records like X-ray photographs or electrocardiograms immediately. Besides, the possibility to transmit live conferences from the operating room is needed: the operation is filmed, so the operating doctor can get useful instructions from another doctor. It must not be possible to eavesdrop on or disturb the communication between the hospitals.

5) To avoid patient menu forms being filled in twice, the chosen meals should be entered into the hospital's network and then passed on to the kitchen. Furthermore, the new menu system should automatically control dietary restrictions, for example to prevent diabetics from ordering food items containing sugar.

6) Patients who are in hospital and their visitors should have access to the internet via their laptops or mobile phones, so they can communicate with their relatives comfortably through the internet, or just read the news or enjoy the internet. It must be ensured that the patients cannot access the hospital's network; moreover, they should not be able to intercept the communication of other users in the hospital.

7) After being discharged from the hospital, the patients must have the possibility to send information about their health status to the hospital via the internet, which should save the hospital time and money as it will not need to send as many doctors out on patient visits. In this case, the following must also be ensured: no external access to patient data except for doctors and the patient himself, and no access from outside to the hospital network with the patient database.

9.1.3.3 Solution

First of all, it is important to identify the different roles of people and devices with tracking in hospitals and to determine their requirements. The patients should provide their medical records from different doctors to the hospital (requirement 1). The doctors need a device with mobile access to the patients' data to fulfil requirement 2. Hospital devices like infusion pumps or health monitors must be tracked as planned in requirement 3. External medics need fast real-time access to hospital data like X-ray images; this is also required for video conferencing (requirement 4). The nurses need a device similar to the doctors' to check and add the patient data needed to fulfil requirement 2. They can also use the same device to fill out the menus for their patients to carry out requirement 5.
Patients should have access to the external internet through the hospital network and at the same time no access to the internal hospital network (requirement 6). After being discharged, they may have limited access to the hospital network to submit information about the state of their health (requirement 7).

According to all the requirements reported above, it would be advisable to equip the hospital's doctors with PDAs that have wireless LAN access to the hospital's network. This would make it possible for doctors to access the hospital's network everywhere within the hospital's area. If an emergency with a patient occurs and the doctor's help is needed, the doctor can be informed via wireless LAN. On the way to the patient, the nurse can examine the patient's medical records in advance. The PDA offers enough screen size to display the patient's data. The WLAN protocol provides a high enough speed to send images or cardio logs to the mobile device without delay. With the PDA it is convenient to prescribe medicaments directly at the patient's bed. The doctor can select the necessary medicine from the database using a stylus. The software installed on the PDA can check whether a newly recommended drug is compatible with the patient's other drugs. If this is not the case, alternatives will need to be found. Such a system makes the medic's work much easier. The doctor no longer needs to waste time entering a prescription manually at the PC after a patient visit. The application transmits the prescription over the WLAN to the hospital pharmacy immediately, where the medicines are filled and labelled with the patient's name. At the same time the nurse is also notified about the change of prescription for some patients on her PDA or on the computer. While the doctor is making his ward rounds at the hospital, he can prescribe additional procedures for the patient's treatment, for example physiotherapy or a necessary surgery, using the PDA to give instructions to staff. The PDA queries the schedules of the free surgery rooms and the schedules of the anaesthetists and recommends acceptable dates for surgery.

Sometimes during difficult operations a doctor needs the advice of external medics. In this situation a high-speed real-time connection with neighbouring hospitals is required. The solution for the problem could be data transmission via WiMAX. The protocol is fast enough to transmit large X-ray pictures of gigabyte size and offers quality-of-service settings to provide video conferencing with the operating room. The quality of service is guaranteed by the quality of the connection. This means that the images reach the destination one after another in the correct order and without delay, as the speed is guaranteed. There is no need to send the patients' records to specialists by post, which saves a lot of time and money. The external medics can give help at any time from every corner of the country.

Nurses can also be equipped with the same PDA devices as doctors. An application for menu making could help to order meals for the patients. The nurse asks the patient what he wants to eat and chooses the meal from the menu shown on the PDA. The program automatically checks dietary restrictions and can recommend better combinations of food for patients with different diseases. The collected data is immediately transferred to the kitchen, so there is no need for the patients to fill in menu forms and for the nurse to then type the preferred meal into the computer.
Furthermore, the nurse will see on her mobile device which treatment and medicines are prescribed for the patient, so she does not waste time looking through the patient records.

Patients and visitors will be happy if they can use the internet during their stay in the hospital. All modern notebooks are equipped with a wireless LAN network card, so it is a good idea to provide internet access for the patients via WLAN. There is no need to install Ethernet and lay new cables.

There are two possible solutions for the storage and transfer of patient data. The first one is to create a global central database with the patients' medical records. However, this solution has a disadvantage: if it is hacked, the data of all patients will be visible to the attacker. The other solution is to define a common format for patient data, specifying how the data has to be stored so that it can be copied to the patient's mobile device. An easy way to give the patient his medical records is to send them, for example X-ray pictures, to his mobile phone via Bluetooth. If a hacker gets access to the data on the patient's mobile phone, he will only obtain the data of one patient. Nowadays just about everyone owns a mobile phone, so the patient can always carry his data with him. After visiting the family doctor, the patient connects his Bluetooth mobile phone to the doctor's computer and downloads or uploads his records. Then he comes to the hospital, where he sets up a connection from his mobile phone to the hospital's computer and transmits all the required data there.

The patients need access to the hospital's network to send information on the state of their health from home after they have been discharged; this could be realised as a web interface on the internet. A registered patient can log in to his private area on the hospital's website from his mobile device or from his personal computer at any time.
Modern hospital devices like health monitors often have wireless LAN access to send the measured data directly to the hospital's network, where the nurses monitor the state of health of several patients. It is possible to track and locate such medical devices by measuring the signal strength of these devices; therefore, the hospital should pay attention to the WLAN functionality of the medical devices.

The innovations mentioned above bring expansions to the hospital's network. A wireless network with several access points must be established. To achieve the best compatibility with visitors' and patients' devices, the WLAN standard 802.11b/g should be used (see section 2.4.1.2.2 802.11b and 2.4.1.2.3 802.11g), because most notebooks and PDAs contain a wireless network card for these standards, certified by Wi-Fi (see section 2.4.1.2 WiFi System). For internal communication between medical staff, the hospital should utilise the 802.11a standard. Its 5 GHz frequency range is not as overcrowded as the frequency range of the 802.11b/g standards. If patients and doctors access the network simultaneously, the connections will not interfere with each other because of the distinct communication frequencies. Access points with the ability to track WLAN devices must be installed. A WiMAX antenna must be set up (Figure 38), which would allow a real-time connection to hospitals in the neighbourhood. Some workplaces need a Bluetooth terminal to download patient data. Although Bluetooth (2.402 – 2.480 GHz) and WLAN 802.11b/g (2.400 – 2.485 GHz) work in the same frequency range, the probability of interference is very low because the Bluetooth protocol changes its frequency all the time, using up to 79 channels (see section 2.4.2.1 System architecture). Last of all, the hospital needs an internet web portal with access for ex-patients.

Figure 38 "Connections to the hospital network" (diagram: WiMAX link to the neighbour hospital; WLAN access (802.11a/b/g) inside the hospital; web access via HTTP for the discharged patient)

To secure the hospital's network, the following measures can be used (Figure 39). Because of the high importance of the data that the doctors and nurses need for the patients' treatment, their PDAs should use a virtual private network (VPN) tunnel to make the wireless communication more secure (see section 8.3 Virtual private network). The VPN tunnel must be established between the WLAN access point and the PDAs of the medical staff. Access to the hospital's network with the medical staff's PDAs requires identification with a user name and a password. When a PDA is not in use by a doctor or nurse, the network access must be interrupted after some time and the device must be protected with a login prompt immediately, so that the device is guarded against theft. Visitors and patients must use direct access to the external network, separated from the hospital's network. For patients, security against eavesdropping is also provided by activating WPA2 encryption (see section 8.1.2 WPA 2).

Patients bring their medical records kept on their mobile phones to the hospital and may not change them, a goal that can be achieved using digital signatures. The sender (a doctor) uses software to calculate the hash value of the data (the medical record). The program takes the document as its input; the output is a large number, written as hexadecimal digits, and this output is the hash value. The hash value is encrypted with the private key of the sender (the doctor). The result of this encryption is the electronic signature of the document. This signature can only be decrypted with the public key of the sender (the doctor), which ensures that only this sender can have created the signature.

A family doctor must sign the medical record; the record remains readable, but if someone changes anything in it, the signature will no longer match the document. While transmitting the data via Bluetooth from a mobile phone to the doctor's computer, a good password should be chosen to protect the connection against eavesdropping. The discharged patients can access the hospital's web server. This server should be placed in a demilitarised zone (DMZ) to protect against hacker attacks. An SSL connection should be used to prevent eavesdropping on the data exchanged between the patient and the hospital. Secure Sockets Layer (SSL) is a protocol at the fourth layer (TCP layer) that provides secure communications on the internet. This protocol is supported by most browsers. The WiMAX protocol itself offers very good protection against eavesdropping and unauthorised access. All of its security options must be activated so that the communication between the hospitals is secure.
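The signing and verification steps described above, carried through in working code as an added example that is not part of the original work: the record format, the doctors' key pairs and the sample record are all constructed assumptions, and the signature is RSA PKCS#1 v1.5 over a SHA-256 hash, which is the "encrypt the hash with the private key" construction the text describes. The example also shows the two failure cases a verifier must catch: a record altered on the phone, and a signature checked against the wrong doctor's key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// MedicalRecord is a constructed stand-in for the "common format" for patient
// data that the case study assumes; the real format is not defined in the work.
type MedicalRecord struct {
	PatientID    string
	Diagnosis    string
	Prescription string
}

// Encode serialises the record deterministically so that the signer (family
// doctor) and the verifier (hospital) hash exactly the same bytes.
func (r MedicalRecord) Encode() []byte {
	return []byte(fmt.Sprintf("patient=%s\ndiagnosis=%s\nprescription=%s\n",
		r.PatientID, r.Diagnosis, r.Prescription))
}

// RecordHashHex is the "large number written as hexadecimal digits" the text
// describes: the SHA-256 digest of the encoded record.
func RecordHashHex(r MedicalRecord) string {
	d := sha256.Sum256(r.Encode())
	return hex.EncodeToString(d[:])
}

// SignRecord hashes the record and produces an RSA PKCS#1 v1.5 signature over
// the hash with the doctor's private key.
func SignRecord(doctorKey *rsa.PrivateKey, r MedicalRecord) ([]byte, error) {
	d := sha256.Sum256(r.Encode())
	return rsa.SignPKCS1v15(rand.Reader, doctorKey, crypto.SHA256, d[:])
}

// VerifyRecord recomputes the hash at the receiving side and checks the
// signature with the doctor's public key. The hospital must obtain that public
// key from a trusted source (not from the patient's phone together with the
// record), otherwise anyone could sign a forged record with a key of their own.
func VerifyRecord(doctorPub *rsa.PublicKey, r MedicalRecord, sig []byte) bool {
	d := sha256.Sum256(r.Encode())
	return rsa.VerifyPKCS1v15(doctorPub, crypto.SHA256, d[:], sig) == nil
}

// DemoResult collects the three checks a verifier cares about.
type DemoResult struct {
	OriginalValid bool // untouched record verifies with the signing doctor's key
	TamperedValid bool // record altered on the phone still verifies (must be false)
	OtherKeyValid bool // signature accepted under another doctor's key (must be false)
}

// Demo runs the whole flow on a constructed record and constructed key pairs.
func Demo() (DemoResult, error) {
	var res DemoResult
	familyDoctor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	otherDoctor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	record := MedicalRecord{PatientID: "P-0001", Diagnosis: "type 2 diabetes",
		Prescription: "metformin 500 mg twice daily"}

	sig, err := SignRecord(familyDoctor, record)
	if err != nil {
		return res, err
	}
	res.OriginalValid = VerifyRecord(&familyDoctor.PublicKey, record, sig)

	// The patient (or malware on the phone) edits the dosage; the hash changes,
	// so the signature no longer matches.
	tampered := record
	tampered.Prescription = "metformin 5000 mg twice daily"
	res.TamperedValid = VerifyRecord(&familyDoctor.PublicKey, tampered, sig)

	// The same signature checked against a different doctor's public key.
	res.OtherKeyValid = VerifyRecord(&otherDoctor.PublicKey, record, sig)
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original valid: %v, tampered valid: %v, other key valid: %v\n",
		res.OriginalValid, res.TamperedValid, res.OtherKeyValid)
}
```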

Figure 39 "The hospital network infrastructure" (diagram: the discharged patient reaches the web server in the DMZ through the routers and submits his data there; the doctors' PDAs reach the hospital network (patient's records and hospital data) through the 802.11a APs over a VPN tunnel; the visitors' laptops use the 802.11b/g access point (AP); medical units; WiMAX link to the neighbour hospital)

Since the laws in Germany require that healthcare information remain strictly confidential, local traffic encryption across the wireless LAN must be implemented. Radio frequency scans should identify and isolate rogue access points (see chapter 8.2.1 Rogue Access Points: man in the middle attack) or other possible infiltrators. Network services could be based on user identity instead of ports or devices, further ensuring the privacy of the hospital's medical records. For additional security, WLAN access points could be assigned different Service Set Identifiers (an SSID is the name of a wireless LAN network), creating separate WLANs for the hospital administration and doctors, wireless medical devices, and patient access.
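As an added example that is not from the original work, one way the radio frequency scan mentioned above could classify scan results against an inventory of the hospital's own access points, using the separate SSIDs per role proposed here; the SSID names, BSSIDs, channels and signal strengths are all constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ObservedAP is one row of a radio-frequency scan: what a beacon announced
// and how strongly it was heard. All values used below are constructed.
type ObservedAP struct {
	SSID    string
	BSSID   string // MAC address of the access point radio
	Channel int
	RSSI    int // received signal strength in dBm (closer to 0 = stronger)
}

// Finding is one access point that needs attention, with the reason.
type Finding struct {
	AP     ObservedAP
	Reason string
}

const (
	ReasonEvilTwin  = "evil twin: hospital SSID announced by an unknown BSSID"
	ReasonMismatch  = "known BSSID seen with unexpected SSID or channel"
	ReasonUnknownAP = "unknown AP heard at high signal strength inside the hospital"
)

// Inventory of the hospital's own access points, keyed by lower-case BSSID
// (constructed). Following the design above, staff and medical devices get
// their own SSIDs on 802.11a (5 GHz) and patients/visitors a separate SSID on
// 802.11b/g (2.4 GHz).
var authorised = map[string]ObservedAP{
	"00:11:22:aa:00:01": {SSID: "HOSP-STAFF", BSSID: "00:11:22:aa:00:01", Channel: 36},
	"00:11:22:aa:00:02": {SSID: "HOSP-MEDDEV", BSSID: "00:11:22:aa:00:02", Channel: 40},
	"00:11:22:bb:00:01": {SSID: "HOSP-GUEST", BSSID: "00:11:22:bb:00:01", Channel: 6},
}

// hospitalSSIDs lists the network names the hospital operates; any other
// radio announcing one of them is impersonating the hospital.
var hospitalSSIDs = map[string]bool{"HOSP-STAFF": true, "HOSP-MEDDEV": true, "HOSP-GUEST": true}

// ClassifyScan compares one scan with the inventory. minRSSI is the signal
// level above which an unknown network is assumed to be inside the building
// rather than a neighbour's network heard through the wall.
func ClassifyScan(scan []ObservedAP, minRSSI int) []Finding {
	var findings []Finding
	for _, ap := range scan {
		known, inInventory := authorised[strings.ToLower(ap.BSSID)]
		switch {
		case inInventory && (known.SSID != ap.SSID || known.Channel != ap.Channel):
			// A legitimate radio's identity is being reused, or it was reconfigured.
			findings = append(findings, Finding{ap, ReasonMismatch})
		case inInventory:
			// Exactly as recorded: nothing to report.
		case hospitalSSIDs[ap.SSID]:
			// Hospital name from a radio we do not own: the man-in-the-middle setup
			// described in chapter 8.2.1.
			findings = append(findings, Finding{ap, ReasonEvilTwin})
		case ap.RSSI >= minRSSI:
			findings = append(findings, Finding{ap, ReasonUnknownAP})
		}
	}
	return findings
}

// SampleScan is a constructed scan result used for demonstration.
var SampleScan = []ObservedAP{
	{SSID: "HOSP-STAFF", BSSID: "00:11:22:aa:00:01", Channel: 36, RSSI: -45},        // our own staff AP
	{SSID: "HOSP-STAFF", BSSID: "66:77:88:99:aa:bb", Channel: 36, RSSI: -38},        // evil twin
	{SSID: "CafeWifi", BSSID: "0a:0b:0c:0d:0e:0f", Channel: 1, RSSI: -85},           // neighbour across the street
	{SSID: "Free-Hospital-WiFi", BSSID: "0c:0d:0e:0f:10:11", Channel: 11, RSSI: -40}, // unknown, strong
	{SSID: "HOSP-GUEST", BSSID: "00:11:22:bb:00:01", Channel: 11, RSSI: -50},        // our BSSID, wrong channel
}

func main() {
	for _, f := range ClassifyScan(SampleScan, -60) {
		fmt.Printf("%-20s %s ch%-3d %4d dBm -> %s\n",
			f.AP.SSID, f.AP.BSSID, f.AP.Channel, f.AP.RSSI, f.Reason)
	}
}
```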

9.2 Evaluation of the project

The defences against known threats presented in this project work are used in the solutions for the two case studies provided at the end of this work. The demonstrated case studies are scenarios designed from real situations with the integration of small mobile devices for the higher comfort of customers and employees. These examples describe the current situation without mobile devices, propose the requirements for new, improved services offered to customers, and give a final solution involving small mobile devices and the necessary security settings.

The first case study describes an electronics market which uses mobile phones to navigate customers to the equipment they require and to provide information about these devices directly to their phones. Evaluating the case study against the evaluation criteria described in chapter 9.1.1 shows that the devices needed are relatively cheap and could be bought in any computer shop, and the software needed can be developed very rapidly. If encryption is used for the communication, the security level provided by the solution will be very high. This case study can be implemented anywhere in the world. No element used in the solution is country specific or depends on the place where the market stands. Compatible devices can be bought at any computer shop in any country. The investment for developing the shop's application must be made only once. The next shops which use this technology can adopt the same application, so the spread of this solution will be very easy and fast. Most of the needed technologies (hardware or implemented software) are available on the market. Additional software can be produced without high complexity because of the simple functionality introduced in this case study. The scenario uses common mobile phones and Java Micro Edition (JavaME) technology, which is already widespread.
There are also many consumers who are interested in innovation and want to shop conveniently while saving time.

The second case study uses wireless LAN technology to interconnect hospital employees with one another, to simplify and increase the quality of the patients' treatment, and to provide wireless internet access for patients and hospital visitors to ensure a pleasant stay in the hospital. The equipment used in this case study is widely available and not expensive. The development of such applications does not take much time, as most of the programs already exist. Virtual private networks (VPN) and the other encryption techniques used to secure the hospital network are very reliable and prevent eavesdropping and the alteration of transmitted packets in the network. The WiMAX (Worldwide Interoperability for Microwave Access) connection which has been used can only work if some hospitals are near the described hospital. The range of a WiMAX connection is about 20 km. To establish a connection to a hospital which is far away, a retransmission station is needed, which causes additional costs. If the hospital is on an island, for example, the cost of building a retransmission station in the sea could be very high. This means that this solution can only work in big cities, and in small cities there is no need for this technology as most have only one hospital. Therefore in small cities other solutions must be used, such as the normal internet or satellite-based communication instead of WiMAX antennas, technology that has already existed for a long time. The devices for WLAN with different frequency ranges are accessible to all consumers and are easy to buy, so the implementation of the solution should not be very complex. The patient record which is carried on the mobile phone requires a common format which must still be developed, but many doctors will only use this technology if the project is successful. All of these solutions save money and will make life much easier and more comfortable. The initial cost of implementing the project will be recovered very quickly because of the steadily increasing number of customers. Some costs could undoubtedly be saved if not all of the recommended protections against security risks were implemented. But if attackers are successful, the reputation of the organisations described in the case studies will decline and they will lose many of their customers.

9.3 Future work

Today many antivirus companies offer security solutions for mobile phones. They use the fear of customers, predicting virus epidemics in the near future, to sell antivirus protection. For ordinary consumers, antivirus programs and firewalls are offered. To prevent infection, all files are automatically scanned for viruses when they are saved, copied, downloaded, synchronised or otherwise modified. For mobile phones with WLAN, a firewall can safeguard the mobile device from intrusion attempts and malware attacks. Businesses can purchase solutions that provide automated distribution of antivirus updates directly to the mobile phone over a wireless connection. Company IT administrators can easily see the antivirus service status of each company mobile phone. Mobile operators already supply some of their mobile phones with mobile antivirus software, but there are still many phones that reach the consumer without any protection. Mobile phone operators could supply every phone with antivirus software, but they would have to buy every copy of this software from the antivirus manufacturer, and this would raise the price of mobile phones. Secondly, only a few consumers are afraid of mobile viruses today and ask for protection against threats. If more people became interested in increasing the security of their mobile phones, then mobile operators would provide more security software and security functions on their mobile phones.

81

10 Conclusion

The aim of the project work was to highlight the security risks for mobile phones, determine countermeasures against them and find solutions for secure communication. First of all, the currently available classes of mobile devices and their operating systems were introduced. Secondly, the most common wireless communication protocols were presented. Mobile networks bring more security risks than traditional wired networks because they spread radio waves everywhere, which enables communication to be eavesdropped. Thirdly, the many security threats to mobile phones were illustrated. These threats were categorised into two distinct groups: malware and attacks. Some special attacks on different wireless protocols like WLAN or Bluetooth were described. One group of vulnerabilities, like the WEP weaknesses, is based on bad standard specifications. The reason for other threats is inaccurate implementation of protocols, like several Bluetooth vulnerabilities. Moreover, people as the weak part of the whole network system should not be forgotten. Many attacks or viruses would not be so successful if their human victims did not help them to spread quickly. Classical network attacks like "man in the middle" or "denial of service" are especially widespread on wireless devices. In addition, operating systems for mobile devices contain weaknesses. Most of them are caused by weak implementation of some system functions. Most operating systems for mobile devices are new developments and have been created especially for small mobile devices (PDAs, smartphones, mobile phones), particularly with regard to their weaknesses. The theoretically achievable security level with these operating systems is very high; the security model of the operating systems is designed to provide a robust, protected environment for mobile devices. Nevertheless, most producers of mobile devices often reduce security levels to make using the devices more convenient for users.
Viruses have been a rising threat since mobile phones spread around the world and appeared in such large quantities. It was demonstrated that all kinds of malware (trojans, viruses and worms) for all operating systems already exist. With the first Java malware, called "Red Browser", the border between different operating systems was broken. This malware is able to run on different operating systems. A Java worm could infect every mobile phone containing Java, independently of the operating system. There is commercial motivation for virus authors too. If mobile malware sends an SMS or makes calls to premium-rate numbers, it incurs high costs for the victims and brings big profits for the malware writer, because this expensive phone number belongs to him. Certainly, today's computer systems and mobile devices can be protected against these threats. The most modern security software was investigated in the project work and some countermeasures for the weaknesses of wireless networks and mobile phones were described. The main weakness is the spreading of radio waves. It can be corrected by using strong encryption of wireless connections. There are defences against all known threats, but the progress of malware and attacks could bring new dangerous problems which we do not yet know. Today's security systems should anticipate these dangers and react to them immediately. The implementation of security functions inside the operating systems, like authorisation or buffer overflow prevention, is very important. While this work was being written, it became clear that only a combination of the countermeasures mentioned above can secure a huge network against attacks. This work illustrates two case studies of possible scenarios with the integration of mobile devices for the increased comfort of customers. These examples represent the current situation without mobile devices, the requirements for new services provided to customers and a solution involving small mobile devices.
In these solutions the threats to wireless communication were not to be forgotten. The first case study shows a solution for a shop using location-based services to offer better information to customers. The second example uses wireless LAN to provide internet and intranet access to patients, visitors and hospital staff inside and around the hospital. Another technology, WiMAX, was used for transmitting large amounts of data within a city. All of these solutions are well described, and the possible security threats with their countermeasures were enumerated and discussed and the best ones chosen. This project work shows that the security provided by today's mobile devices is not enough to stop current attacks or viruses. Additional applications like firewalls or antivirus programs are necessary to prevent damage to the security mechanisms of these devices and of the networks to which these devices are connected. It is disappointing to see that the operating system developers have not used the chance to create completely secure systems. There are the same problems with the development of wireless protocols. WLAN's encryption system WEP was broken because of a weakness in the algorithm that was used. The producers of mobile phones with the Bluetooth protocol have saved time on testing their protocol implementations and in this way have overlooked many vulnerabilities in the Bluetooth protocol stack. Looking forward, many future threats cannot be predicted today, as malware is gathering pace slowly. There has not yet been a great worm epidemic for mobile phones. Today the device and application developers of mobile phones still have a chance to prevent such a malware outbreak.


Appendix A: Project Experience

This section provides a description of the experience of writing this work. Information gathering and the implementation of the solution were the most important parts of the project work. To complete all the phases of the work in the short time, a precise plan of all actions, developed at the beginning of the project work, was very helpful. Some things could not have been planned very well because it was impossible to predict all the problems which would appear during the project work. Frequent meetings with the supervisor helped me to plan the work for the next period of time. This methodology guaranteed a dynamic evolution of the project work. Due to the unusual nature of the project, it was quite hard to evaluate the results since there was nothing to compare them to. During the project work, I learned much about the security of mobile phones and wireless protocols. As an international student, writing the project in English was a big challenge for me as I am not a native English speaker. This led to stressful days up until the end of the project. The English courses I attended in the first and second terms helped me to achieve a higher level in the English language. I went to the general English lessons available for all students four times a week until the end of April this year. At the end of the first semester an intensive academic writing course was offered for international students to improve writing skills in English. We learned how to write dissertations, to write introductions and conclusions, to use comparison with analysis, to choose correct connectives for linking sentences and to avoid coherence. Another English course, "English for Communication", which only exchange students may take part in, was interesting, very comprehensive and useful for developing speaking, listening and understanding. Additionally, I broadened my outlook on British culture in this course.
Finally, it was a valuable experience to work on this project. Firstly, I learned a new style of writing dissertations and improved my vocabulary especially in the computing field. Secondly, my interest in mobile communication and computer security has increased and I have gained huge motivation to conduct further research in the development of security systems for mobile phones.


Appendix B: Interim Report

MSC INTERIM PROJECT REPORT

All MSc students must submit an interim report on their project to the CSO by 9am Tuesday 12th June. Note that it may require two or three iterations to agree a suitable report with your supervisor, so you should let him/her have an initial draft well in advance of the deadline. The report should be a maximum of 10 pages long and be attached to this header sheet. It should include:
• the overall aim of the project
• the objectives of the project
• the minimum requirements of the project and further enhancements
• a list of deliverables
• resources required
• project schedule and progress report
• proposed research methods
• a draft chapter on the literature review and/or an evaluation of tools/techniques

The report will be commented upon both by the supervisor and the assessor in order to provide you with feedback on your approach and progress so far.

Student:

Svetlana Panfilova

Programme of Study:

Erasmus

Title of project:

Security analysis of mobile phones

Supervisor:

Karim Djemame

External Company (if appropriate):

Web address of project log:

Signature of student:

Date: 28.05.2008

Supervisor's comments on the Interim Report

Assessor's comments on the Interim Report

Summary

A mobile phone is a portable telephone that allows mobile wireless communication. It is also called a "cellular phone"; the name comes from the division of the mobile network area into cells. Today mobile phones are able to run various kinds of applications, such as:
• Personal Information Management (PIM): calendar, address book, reminder, notebook
• Telephone applications: telephone, quick dialling list, phone book
• Online applications: web browser and e-mail
• Photography: photo and video software
• Multimedia applications: voice recording, music and video player
• Games

Mobile telephony offers a convenient way for people to communicate with each other and to access the internet and other networks. This class of business grows rapidly in the number of mobile cellular subscribers around the world; the number of mobile subscribers overtook the number of fixed lines in 2002. More and more mobile devices, including mobile phones, are used in today's computing, and even more will be used in the future. These mobile phones will enable users to do more and more of their daily work while mobile. But there are new risks that come with mobility. Wireless communication via Bluetooth and wireless LAN, through the uncontrolled spread of radio waves, makes attacks on the confidentiality and the integrity of data possible. The possibility to execute software makes mobile phones vulnerable to viruses and other malware, and the amount of malware grows constantly. This can cause giant economic damage to mobile phone owners and to companies where mobile devices have access to the corporate network. To contend with these threats, a perfect knowledge of the threats and a well-planned security policy, both for the usage of mobile devices and for the network deployment, are required.

Table of content

Introduction
1. Mobile Device
  1.1 Laptop
  1.2 Personal Digital Assistant (PDA)
  1.3 Smartphone
  1.4 Mobile phone (Cellular Phone)
  1.5 Future of mobile phones
2. Mobile phones operating systems
  2.1 Symbian OS
  2.2 Windows Mobile
  2.3 Symbian OS versus Windows Mobile
3. Cellular wireless protocols for communication
  3.1 Circuit switching and packet switching
  3.2 Multiplexing
    3.2.1 Time Division Multiplexing
    3.2.2 Frequency Division Multiplexing
    3.2.3 Code Division Multiplexing
  3.3 GSM
  3.4 GPRS
  3.5 UMTS
4. Wireless data transfer protocols
  4.1 WLAN
    4.1.1 Wireless Network Topologies
    4.1.2 Wi-Fi System
  4.2 Bluetooth
    4.2.1 System architecture
    4.2.2 Bluetooth protocol stack
  4.3 Infrared
  4.4 WiMAX
  4.5 Analysis of Wireless Protocols
5. Malicious Programs
  5.1 Viruses
  5.2 Worms
  5.3 Trojan Horses
  5.4 Spyware
  5.5 Hoax
6. Known mobile Malware
  6.1 Viruses
    6.1.1 WinCE.Duts
    6.1.2 Cxover
  6.2 Worms
    6.2.1 Beselo
    6.2.2 HatiHati
  6.3 Trojan Horses
    6.3.1 Redbrowser
    6.3.2 Blankfont
    6.3.3 Bootton
  6.4 Spyware
    6.4.1 FlexiSpy
    6.4.2 Mopofeli
7. Attacks
  7.1 Sniffing
  7.2 Spoofing
  7.3 Denial of service
  7.4 Man in the middle attack
  7.5 Vulnerability Scanning
  7.6 Network Enumeration
  7.7 Attacks on People
8. Known security vulnerabilities of mobile devices
  8.1 Bluetooth attacks on mobile phones
    8.1.1 BlueSnarfing (Sniffing)
    8.1.2 BlueBugging (Spoofing)
    8.1.3 Bluetooth DoS attacks
    8.1.4 BlueJacking
    8.1.5 BlueChop
  8.2 WLAN Attacks
    8.2.1 Rogue Access Points (Man in the middle attack)
    8.2.2 Wireless Zero Configuration
    8.2.3 War Driving
9. Current security problems in wireless networks
  9.1 WLAN weaknesses
    9.1.1 WEP encryption weakness
    9.1.2 WEP – CRC 32 weakness
    9.1.3 Short Initialization Vector
  9.2 Bluetooth weaknesses
    9.2.1 Encryption
    9.2.2 Random number generator
    9.2.3 Unit key
    9.2.4 Key length
    9.2.5 PIN – Code
    9.2.6 Driver exploits
  9.3 Weaknesses in operation systems
  9.4 Weaknesses of mobile internet
10. Countermeasures against vulnerabilities in mobile devices
  10.1 Countermeasures for WLAN
    10.1.1 WPA
    10.1.2 WPA 2
  10.2 Countermeasures for Bluetooth
  10.3 Virtual private network (VPN)
  10.4 Securing the network and operating systems
    10.4.1 Antivirus Programs
    10.4.2 Firewalls
  10.5 Overview of security countermeasures
11. A case study – electronic market
  11.1 Actual state
  11.2 Requirements
  11.3 Solution
12. A case study – Hospital
  12.1 Actual state
  12.2 Requirements
  12.3 Solution
Conclusion

Introduction

This section gives a general overview of the project, specifying the project aim and objectives, problem definition, minimum requirements, methodology, the product of the project and its evaluation, background reading and project schedule. The following sections illustrate how the set aim was achieved.

Project Aim and Objectives

The aim of the project work is to present the state of the art of security issues for mobile phones and to find solutions for these problems and for problems that could arise in the future. The project emphasises security risks and finds solutions to avoid them. The solutions found are used to secure different kinds of networks which use modern mobile devices. These solutions are described in two case studies with complex applications for mobile phones and other devices that use wireless communication protocols.


Problem Definition

Mobile telephony offers a convenient way for people to communicate with each other and to access the internet and other networks. The number of mobile subscribers overtook the number of fixed lines in 2002. By the end of 2008, more than half the world's population is expected to have access to mobile phones. Mobile phones will enable users to do more and more of their daily work while mobile. However, there are new risks that come with mobility. Wireless communication via Bluetooth and wireless LAN, through the uncontrolled spread of radio waves, makes attacks on the confidentiality and the integrity of data possible. The possibility to execute software makes mobile phones vulnerable to viruses and other malware, and the amount of malware grows constantly. This can cause giant economic damage to mobile phone owners and to companies where mobile devices have access to the corporate network. Contending with these threats requires a perfect knowledge of the threats and a well-planned security policy, both for the usage of mobile devices and for the network deployment.

Minimum requirements

The first minimum requirement of this work is to identify the security problems of mobile phones. The second is to present solutions for these problems. The third is to make one case study where mobile phones are used and to apply known security solutions to secure the networks in which these mobile phones participate.

Methodology

Research methods in this project work are specified as follows:
• Identify possible security threats
• Study relevant research papers and books about the security of mobile phones and wireless networks
• Analyse solutions against known and future security vulnerabilities
• Use the identified solutions to secure networks in two case studies where mobile phones participate

The product of this work

The product of this project work is a security analysis of wireless networks and two case studies. This project work describes mobile phones and especially their security problems. Firstly, it illustrates mobile devices and mobile phones. There are many devices that can be called "mobile devices"; they differ in size, functionality and computing power. A definition of laptops, PDAs, smartphones and mobile phones is given. The smaller the devices are, the more mobile they get, but along with their small size they have less computing power. However, their computing power is enough to run and spread malware.


In the second section, two leading operating systems for small mobile devices are described. The most widespread operating systems for mobile devices today are Windows CE (Pocket PC, Windows Mobile), Symbian OS, Palm OS and Linux. Windows Mobile is usually used for PDAs, and Symbian is the dominant operating system for smartphones and mobile phones.

Thirdly, the main wireless protocols in use are shown, some of them for voice transfer and others for data transmission. A cellular radio network supports mobility: the user can make calls from anywhere within the coverage area of the network and while on the move. Cellular networks are based on the subdivision of the geographical area covered by the network into smaller areas called cells. In each cell a fixed station acts as a transmitter-receiver serving all the mobile stations within the cell boundary. Protocols like GSM (Global System for Mobile Communication), GPRS (General Packet Radio Services) and UMTS (Universal Mobile Telecommunications System), which are based on the cellular principle of communication, are described in the third section. The fourth section describes wireless protocols like WLAN, Bluetooth, Infrared and WiMAX. These protocols are used for communication between most mobile devices.

In the next sections, existing malware and attacks are demonstrated. A definition of malware is given: it is a general term used to refer to viruses, trojans, zombies, logic bombs, trap doors and worms. While some malware programs may only display messages or images, many are destructive: they can destroy files, reformat the hard drive, cause trouble by consuming storage space and memory, or slow down the operating system. Unlike malware, which runs on the target computer, an attack is executed from a remote computer. An attack is an attempt to destroy the integrity, availability and confidentiality of a computer system.

The 8th and 9th sections focus on some of the known security vulnerabilities in wireless networks. Security attacks on information systems have become a standard occurrence, and attacks have become more complex. However, no special knowledge is needed to carry out attacks, because anybody can download programs which execute the attacks automatically. Possible countermeasures against malware and network attacks are named in chapter 10. In this chapter, countermeasures against the weaknesses are illustrated: first countermeasures against wireless threats, then general countermeasures for computer systems to prevent network attacks and the spreading of malware. The main target of the project work is the identification of mobile phone vulnerabilities and of how these threats can be avoided.

In the last part, two case studies are illustrated. They describe how mobile phones and other small mobile devices could be used and integrated into existing networks. The security risks of this integration are analysed and protection against them is provided. The first case study is about an electronic market using mobile phones with integrated customer services. An electronic market wants to modernise its stores and to offer its customers more comfort while buying goods. The customer should be able to find the required equipment on the shelf within a certain time, and it should be easier to find significant information about the equipment. If the customer only wants to compare prices, he should have the possibility to take the information about the device home and to have more time to decide on the equipment. The customer should be able to select the desired equipment, enter his home delivery address and choose the payment method himself without the help of a shop assistant. The second case study is about a hospital with a modern mobile service for patient treatment. The big hospital complex in Hamburg wants to update its infrastructure for the qualitative treatment of patients and faster first aid, to shorten the walks of hospital employees from their workplace to the patient's sickroom and to reduce the amount of paper used in the hospital.

In each case study, potential solutions are identified and analysed. The overall result shows that the solutions achieve the defined minimum requirements. The report ends with an analysis of future threats and the conclusions of the project.

Evaluation of the product

The aim of the project work was to emphasise the security risks for mobile phones, determine countermeasures against them and find solutions for secure communication. Mobile networks bring more security risks than traditional wired networks because the radio waves spread everywhere, which enables eavesdropping on the communication. Some vulnerabilities, such as the weaknesses of WEP (Wired Equivalent Privacy, the encryption algorithm used to secure IEEE 802.11 wireless networks), are caused by a poor standard specification by design. Other threats are caused by inaccurate implementations of protocols, like several Bluetooth vulnerabilities. Moreover, people, as the weakest part of the whole network system, should not be forgotten. Many attacks or viruses would not be so successful if their human victims did not help them to spread fast.

Most operating systems for mobile devices are new developments created especially for small mobile devices (PDAs, smartphones, mobile phones), particularly with regard to their weaknesses. The security level theoretically achievable with these operating systems is very high; their security model is designed to provide a robust, protected environment for mobile devices. Nevertheless, most producers of mobile devices reduce the security level to make the devices more comfortable for the users. Viruses are a rising threat, since mobile phones are spreading around the world in huge numbers. It was demonstrated that all kinds of malware (trojans, viruses and worms) already exist for all operating systems. There are defences against all known threats, but the progress of malware and attacks could bring new dangerous problems which we do not know yet. Today's security systems should foresee these dangers and react to them immediately.

While this work was being written, it became clear that only a combination of the countermeasures mentioned above can secure a large network against attacks. This work illustrates two case studies of possible scenarios with the integration of mobile devices for higher customer comfort. These examples present the current situation without mobile devices, the requirements for the new services provided to the customers and a solution involving small mobile devices. The threats to wireless communication were not forgotten in these solutions. The first case study describes an electronic market which uses mobile phones to navigate customers to the equipment they need and to deliver information about these devices directly to the phones. This solution could be implemented anywhere in the world: nothing used in it is country-specific or depends on where the market is located. All of the needed technologies are available today. The needed devices are relatively cheap and can be bought in every computer shop. The investment in developing the application for the shop has to be made only once; further shops that use this technology can use the same application, which makes the solution easy to spread. The second case study uses wireless LAN technology, which has existed for a long time. WLAN devices are widely available and easy to buy. The patient data carried on the mobile phone requires a common format; this format must be developed and many doctors have to use this technology. The WiMAX (Worldwide Interoperability for Microwave Access) connection used can only work if other hospitals are near the described hospital. The range of a WiMAX connection is about 20 km. To establish a connection to a hospital which is far away, a retransmission station is needed, which causes additional costs. Especially if the hospital is on an island, the cost of building a retransmission station in the sea can be very high. This means that this solution works only in big cities; small cities mostly have only one hospital, and other solutions such as the normal internet or satellite-based communication must be used there.

All of these solutions save money or make life much easier. The investment made in the beginning will pay for itself very fast because of the increase in customers. Of course, some money could be saved if not all of the recommended protections against security risks were implemented, but if attackers are successful, the reputation of the facilities described in the case studies will suffer and they will lose many customers. This project work shows that the security provided by today's mobile devices alone is not enough to stop current attacks or viruses. Additional applications like firewalls or antivirus programs are necessary to prevent damage to the security mechanisms of these devices and of the networks to which they are connected. It is disappointing to see that operating system developers have not used the chance to create completely secure systems. The same problems exist in the development of wireless protocols: WLAN's encryption system WEP was broken because of a weakness in the algorithm used, and the producers of mobile phones with Bluetooth saved time on testing their protocol implementations and in this way overlooked many vulnerabilities in the Bluetooth protocol stack. Looking forward, many future threats cannot be predicted today. Malware for small mobile devices is growing at a slow pace, and there has not yet been a great worm epidemic for mobile phones. Today the device and application developers of mobile phones still have a chance to prevent such a malware outbreak.

Deliverables

The following list details the deliverables for the project.
• Project report
• Case studies illustrating solutions found in the project work

Background reading:
1. Mobile devices
2. Mobile applications
3. Cellular communication and wireless protocols
4. Vulnerabilities in mobile phones and countermeasures against these threats
5. Security solutions for mobile computing

Literature review:

So far, the literature review has focused on the following:

1) What is the motivation for writing about mobile phones?
One of the main trends of communication is that phones are beginning to incorporate more computing features, which may enable them to replace not only laptops and personal digital assistants (PDAs), but personal stereos and eventually even televisions. [9]


2) What is the benefit of cellular communication protocols?
One of the advantages of a mobile cellular network is the ability of a user to move from one cell to another. While a call is in progress, the wireless phone conversation is not interrupted when moving through different cells. This process is called handoff. It is performed quickly enough that callers do not notice it. [10]

3) Why are wireless communication protocols preferred to wired network protocols?
The data transmission rate via Wireless LAN is higher than via cellular communication protocols. Another benefit of WLAN is that communication can be established wirelessly from several different locations without requiring a physical plug into the network, which enables mobility. [11] An advantage of wireless protocols like IrDA and Bluetooth is that they are always free of cost. [8] These protocols are mostly used to establish connections with peripheral devices over a short distance. Moreover, they are usually used on small mobile devices for the convenient exchange of data. WiMAX is a new wireless communication technology. It combines the features of cellular wireless protocols and wireless data transfer protocols: it provides handoff and a high data transfer speed based on IP. [12]

4) What common kinds of threats exist in wired and mobile computing systems?
Malware is a general term used to refer to a wide variety of malicious programs. It includes threats such as viruses, worms, Trojan horses, spyware, and any other malicious programs. [19] Another kind of threat is attacks. An attack is an attempt to destroy the integrity, availability and confidentiality of a computer system, including mobile devices. The attacker tries to eavesdrop on the network communication or tries to crack an encryption system. Unlike malware, which runs on a target computer, an attack is executed from a remote computer. [20] In wide area cellular networks, the wireless medium cannot be controlled at all. Current wireless networking technology offers little to control the coverage area. This enables attackers in the immediate vicinity of a wireless network to perform a number of attacks that are not found in traditional wired networks. [15] The greatest problem is that the private information of subscribers can be stolen from mobile phones and disclosed. This must be avoided. Hence, it is important to foresee the risks as far as possible in advance and to find countermeasures for confidential wireless communication via mobile devices.

5) What is encryption? Why is encryption significant?
Cryptography has its roots in communications security. Communications security addresses the situation described in Figure 1. Two entities A and B communicate over an insecure channel. The antagonist is an intruder who has full control over this channel, being able to read their messages, delete messages and insert messages. The two entities A and B trust each other and want protection from the intruder. Cryptography gives them the means to construct a secure logical channel over an insecure physical connection. [25] Communication via wireless networks is vulnerable to attacks. Thus, there is a great need to encrypt data transmission in wireless network systems to protect against eavesdropping and changing the information.

Figure 1 “Communications Security”: entities A and B communicate over a channel that is under the full control of the intruder.
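To make the Figure 1 model concrete, the following Python example (added here; it is not part of the original project work or of reference [25]) builds a secure logical channel from a shared secret using encrypt-then-MAC and sequence numbers, and then plays each intruder capability (reading, modifying or inserting, deleting or replaying messages) against it to show what B can still learn or detect. The HMAC-SHA256 keystream, the shared secret and the sample messages are constructed for the demonstration; a real system would use a standard cipher such as AES and a proper key agreement.

```python
import hmac, hashlib, secrets
# Added illustration of the Figure 1 model: A and B share a secret; the intruder fully controls
# the channel (read, delete, insert).  Encrypt-then-MAC plus a sequence number gives a secure
# logical channel.  The HMAC-SHA256 counter-mode keystream is a constructed stand-in for AES.

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class SecureChannel:
    """One direction A -> B; each side builds its instance from the same shared secret."""
    def __init__(self, shared_secret):
        self.enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
        self.send_seq = self.recv_seq = 0
    def seal(self, plaintext):  # A's side
        seq, nonce = self.send_seq.to_bytes(8, "big"), secrets.token_bytes(12)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, seq + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self.send_seq += 1
        return seq + nonce + ct + tag
    def open(self, frame):  # B's side
        seq, nonce, ct, tag = frame[:8], frame[8:20], frame[20:-32], frame[-32:]
        expected = hmac.new(self.mac_key, seq + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # intruder inserted or modified a message
            raise ValueError("authentication failed")
        if int.from_bytes(seq, "big") != self.recv_seq:  # intruder deleted or replayed a message
            raise ValueError("sequence error")
        self.recv_seq += 1
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, nonce, len(ct))))

def _rejected(receiver, frame):
    try:
        receiver.open(frame); return False
    except ValueError:
        return True

def demo():
    """Plays each intruder capability against the channel and returns what B observed."""
    secret = b"constructed shared secret"  # constructed; a real system agrees it via key establishment
    a, b = SecureChannel(secret), SecureChannel(secret)
    f0, f1, _deleted, f3 = (a.seal(m) for m in (b"record 42", b"second", b"third", b"fourth"))
    modified = f1[:25] + bytes([f1[25] ^ 1]) + f1[26:]  # flip one ciphertext bit of f1
    return {"plaintext_hidden": b"record 42" not in f0, "delivered": b.open(f0),
            "modified_rejected": _rejected(b, modified), "replay_rejected": _rejected(b, f0),
            "second_delivered": b.open(f1), "deletion_detected": _rejected(b, f3)}  # f2 never reaches B
```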


After the background reading, some basic knowledge about wireless protocols, possible vulnerabilities in wireless networks, and the encryption and security mechanisms of wireless communication was acquired. It was very useful for producing the solutions “an electronic market” and “the hospital”, which were described above.

Project Schedule: This project schedule is divided into five phases:

1. Information gathering – This phase started at the beginning of January 2008. The background reading covered mobile phones, the cellular and wireless communication protocols they use, and a comparison of all kinds of protocols using a scheme.

2. First version of the project – After reading a lot of literature about small mobile devices, weaknesses of Wireless LAN, Bluetooth and the operating systems of mobile phones were found, countermeasures against these threats were investigated, and both were described in the first version of the project work.

3. Review of the first version and improvement of the project work – Additional countermeasures against the attacks, such as a Virtual Private Network, were added. The conceptual designs of two case studies based on real situations were prepared.

4. Evaluation of the solutions – The two case studies “An electronic market” and “The hospital” were presented with a description of the security techniques for mobile wireless networks using mobile phones.

5. Final version of the project – The main idea of the project, to find solutions for the useful utilisation of mobile phones in real situations while providing good security against possible threats, was realised.

Figure 2 “Project Schedule”

Project Management: The results achieved in this project work (countermeasures against the vulnerabilities found, and the case studies) were possible because of a precise plan developed at the beginning of the project work. At the beginning of the project the main phases of the project work (such as information gathering or evaluation of the solutions) were identified. It was not possible to predict the progress of the project at the beginning, because one cannot foresee all problems. Periodic meetings were arranged to summarise the status of the work and to select possible directions for the next short-range period. This methodology guaranteed a dynamic evolution of the project work. Working on this project increased my knowledge of the security of mobile phones and my understanding of the techniques available to secure wireless devices. Finally, it has been a valuable experience to work on this project, and it has motivated me to do further research in the development of security systems for mobile phones.

Bibliography

[1] Fred Halsall: “Computer Networking and the Internet”, Fifth Edition, 2005 (Chapter 4 – Wireless Networks, Chapter 10 – Security)

[2] James F. Kurose, Keith W. Ross: “Computer Networking”, Second Edition, 2003 (Chapter 5 – Wireless Links, Chapter 7 – Attacks and Countermeasures)

[3] Andrew S. Tanenbaum: “Computer Networks”, Fourth Edition, 2003 (pages 9-14, 21-23, 68-77, 100-144)

[4] Joachim Tisal: “The GSM Network: GPRS Evolution: One Step Towards UMTS”, Second Edition, 2001 (Chapter 2 – Cellular Concepts, Chapter 4 – GSM Network Infrastructure, Chapter 6 – The Network Sub-System, Chapter 12 – GPRS, Chapter 13 – UMTS, Chapter 14 – The WAP Protocol)

[5] Gunnar Heine, Holger Sagkob: “GPRS: Gateway to Third Generation Mobile Networks”, 2003

[6] Emmanuel Seurre, Patrick Savelli, Pierre-Jean Pietri: “GPRS for Mobile Internet”, 2003 (Chapter 1 – Introduction to the GSM System, Chapter 2 – GPRS Services, Chapter 3 – Overview of GPRS)

[7] Jaana Laiho, Achim Wacker, Tomáš Novosad: “Radio Network Planning and Optimisation for UMTS”, Second Edition, 2006

[8] Minoru Etoh: “Next Generation Mobile Systems: 3G & Beyond”, 2005

[9] Robert Morrow: “Bluetooth Operation and Use”, 2002 (Chapter 7 – Managing the Piconet, Chapter 8 – Transferring Data and Audio Information, Chapter 9 – Bluetooth Security)

[10] Andy Dornan: “The Essential Guide to Wireless Communications Applications: From Cellular Systems to Wi-Fi”, Second Edition, 2002 (Chapter 8 – Inside a Mobile Network, Chapter 9 – Short-Range Wireless Networks, Chapter 10 – Phones or Computers?)

[11] Gordon A. Gow, Richard K. Smith: “Mobile and Wireless Communications”, 2006

[12] Steve Rackley: “Wireless Networking Technology”, 2006

[13] Loutfi Nuaymi: “WiMAX: Technology for Broadband Wireless Access”, 2007

[14] Neil Daswani, Christoph Kern, Anita Kesavan: “Foundations of Security”, 2007

[15] Stewart S. Miller: “WiFi Security: Enhance Security and Maintain Privacy of Mission-Critical Data, Even When Going Wireless”, 2003 (Chapter 17 – Security Issues for Wireless Applications)

[16] Merritt Maxim, David Pollino: “Wireless Security”, 2002 (Chapter 2 – Wireless Threats, Chapter 7 – Wireless Standards and Technologies)

[17] Tara M. Swaminatha, Charles R. Elden: “Wireless Security and Privacy”, 2003 (Chapter 1 – Wireless Technologies, Case Studies; Chapter 6 – Cryptography; Chapter 10 – Analyze Attacks and Vulnerabilities)

[18] Larry L. Peterson, Bruce S. Davie: “Computer Networks”, Third Edition, 2003 (Chapter 2 – Wireless (802.11), Chapter 8 – Cryptographic Algorithms, Security Mechanisms)

[19] Charles P. Pfleeger, Shari Lawrence Pfleeger: “Security in Computing”, Third Edition, 2003 (Chapter 2 – The Data Encryption Standard, The AES Encryption Algorithm; Chapter 3 – Nonmalicious Program Errors, Viruses and Other Malicious Code; Chapter 7 – Threats in Networks)

[20] Tony Bradley: “Essential Computer Security: Everyone's Guide to Email, Internet, and Wireless Security”, 2006

[21] William Stallings: “Network Security Essentials: Applications and Standards”, Second Edition, 2003 (Chapter 2 – Symmetric Encryption and Message Confidentiality, Chapter 10 – Malicious Software)

[22] Michael Howard, David LeBlanc, John Viega: “19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them”, 2005 (Chapter 8 – Failing to Protect Network Traffic)

[23] Mark G. Graff, Kenneth R. van Wyk: “Secure Coding: Principles and Practices”, First Edition, June 2003 (Chapter 1 – No Straight Thing, Attacks; Chapter 4 – Implementation, Buffer Overflows)

[24] William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin: “Firewalls and Internet Security”, Second Edition, 2003 (Chapter 1 – A Security Review of Protocols: Lower Layers, Chapter II – The Threats)

[25] Chris J. Mitchell: “Security for Mobility”, 2004 (Chapter 1 – Cryptography for Mobile Security, Chapter 9 – Security in Personal Area Networks)

[26] http://www.commsdesign.com/showArticle.jhtml?articleID=192200685 (Introduction to GSM)

[27] http://www.gsmfavorites.com/documents/introduction/gsm/ (Introduction to cellular communications)

[28] http://en.wikipedia.org/ (Mobile devices, operating systems for small mobile devices)

[29] http://softwarecommunity.intel.com/articles/eng/3273.htm (Wireless LAN)

[30] http://www.viruslist.com/ru/analysis?pubid=180992947 (Bluetooth technology)

[31] http://computer.howstuffworks.com/spyware.htm (Malware)

[32] http://www.viruslist.com (Threats in computing)

[33] http://www.f-secure.com (Known malware for mobile phones)

[34] http://www.news.com/2100-1017-236728.html (Attacks)

[35] http://www.securityfocus.com/infocus/1674 (Attacks)

[36] http://www.stsc.hill.af.mil/crosstalk/2005/10/0510Dwaikat.html (Attacks and countermeasures)

[37] http://eprint.iacr.org/2007/120.pdf (WEP encryption for Wireless LAN, weaknesses of WEP)

[38] http://wi-fi.org/files/wp_8_WPA%20Security_4-29-03.pdf (Wi-Fi, WPA encryption for Wireless LAN)

[39] http://www.net-security.org/article.php?id=927 (Wireless and Mobile Security Vulnerabilities)