Channel: AdaptiveMobile Security Blog

Don’t Get Paralysed by Stagefright


By now it is common knowledge that researcher Joshua Drake has discovered an exploitable flaw in Android's media-handling code, allowing an attacker to compromise an Android device remotely through what looks like a simple text message.

The attacker sends a malformed media file as a multimedia message (MMS) to any mobile number; when the handset downloads the attachment it is parsed by Android's media playback engine, Stagefright, and the attacker can gain complete access to the device remotely, up to wiping it clean and taking full control.

The issue here is that Android, unlike iOS, is not shipped and updated by a single company. Zimperium zLabs reported the flaw to Google, which issued a fix; however, any patch must then be passed on by the device manufacturers (and often the carriers), leaving an estimated 950 million Android users susceptible to this type of attack until their vendor ships an update.

And yet, while this is a serious security concern for Android users worldwide, is it the “Heartbleed for mobile” that people are making it out to be?

No publicly confirmed cases.
Reactions to this flaw have erred on the side of the extreme; one suggested solution is to block all text messages from unknown senders. Through all the media attention, it is crucial to note that no exploitation of this flaw has been publicly detected outside of Zimperium's lab. A patch has been issued, and of the top Android partners, half have already confirmed a fix will be in place by their next round of updates: HTC, Nexus, Samsung and Silent Circle.

Same old story?
It is worthwhile to remember that this is not the first time MMS has been used as a distribution mechanism for malicious apps and malware, and MMS is not the only channel through which this type of attack could be delivered (RCS, for instance, carries media too). Before Android and iOS, Symbian smartphones were very popular, and in 2005 a Symbian worm called Commwarrior used MMS to spread itself to hundreds of thousands of subscribers. Commwarrior became a significant problem in mobile networks in the Middle East; in some instances smartphones infected with it were responsible for 10% of all MMS traffic. Since 2005, AdaptiveMobile's Network Protection Platform (NPP) has been detecting and removing malicious MMS attachments. Through the years we have noted variations of Commwarrior, though they have all exhibited the same traffic pattern and payload. MMS is still widely used, and as every handset with MMS could in principle be targeted, any malware transmitted over MMS and exhibiting irregular sending patterns will be detected by our platform, enabling us to protect our customers. One caveat is worth stating: a Stagefright payload is a crafted media file rather than a self-propagating app, so a targeted attack against a handful of numbers would not show the flood-like sending pattern of a worm, and inspection of the attachment itself matters as much as volume-based detection.

Mobile operators can protect subscribers.
Although this flaw is in the operating system's source code, mobile operators are able to protect subscribers through their own security systems and by working to ensure that updates are pushed out in a timely manner. Individual operators have the capability, and the responsibility, to protect their subscribers against mobile security threats. By monitoring their networks, operators can detect and block suspicious or malicious messages before they reach the handset.

Expected increase in coverage.
As we lead into two of the world's largest security conferences, DEF CON and Black Hat, we expect to notice an increase in coverage of security flaws and concerns.

It is not clear yet what other apps use libstagefright; and, while the Zimperium blog identifies the default messaging app and Google Hangouts, it is possible that other OTT messaging apps could also be vulnerable, depending on whether they hand received media to the platform's media framework.

These kinds of vulnerabilities could also be used by commercial spyware vendors, such as Hacking Team, and by nation-state actors who want to remotely install malicious software onto your phone. According to an analysis by Trend Micro, Hacking Team's Android spyware exploited CVE-2014-3153, a local privilege escalation vulnerability in the Linux kernel's futex code (the bug behind the Towelroot tool), to gain root on devices; a remote code execution bug such as Stagefright is exactly the kind of initial foothold that a privilege escalation like that would be chained with.

In short, we are expecting to see a number of security flaws rise to the surface over the coming weeks. And while each threat needs to be appropriately addressed and evaluated, it’s important to remember that operators have dealt with situations like this in the past and, as with many threats, are equipped to deal with Stagefright should it become weaponised.

 

Many thanks to Ciaran Bradley and Cathal Mc Daid for their contribution.


Can they hear you now? Hacking Team & SS7


By now, most people are aware that Hacking Team, an Italy-based seller of surveillance technology, had their servers hacked and the contents made public. WikiLeaks has taken the available emails and made them searchable.

 

This gives a unique opportunity for many of us in the security community to get an idea of what surveillance activities are undertaken, so we can better engineer defences against them. While the majority of Hacking Team's work revolved around developing spyware for different types of fixed and mobile OS devices, i.e. on-device surveillance, they also seem to have come across a number of situations (and companies) which directly involved surveillance carried out over the mobile operators' networks themselves, the part of the mobile network that uses the SS7 protocol. We term this activity network surveillance. As we have previously revealed, in showing the attacks that have occurred in Ukraine, security in the SS7 network has become of paramount importance for the mobile community, so knowing how these surveillance companies regard and use SS7 is essential. Based on the information that has become available, it seems that there is a wider group of commercial entities selling systems that allow surveillance over SS7, and that these systems are on offer today.

 

Tracking the Team

First up, and most ironically, it seems that Hacking Team themselves took offence to two of their employees being tracked when these details showed up in two earlier WikiLeaks documents:

 

Their internal discussion talks about this tracking being done by a script running on SS7, as it appeared to be keyed on telephone number. They also theorise that it could only have been done via an insider contact in Telecom Italia (TIM). In reality, given the imprecise nature of the lookups (country only, not Cell-ID), it is highly doubtful that an insider at TIM was needed. An SRI-SM* query sent to a subscriber's home network returns the address of the MSC currently serving the handset; that address identifies the country and operator the target is in, but nothing finer, which matches exactly the precision seen here. The information could therefore have been obtained from any one of a number of commercial SRI-SM lookup companies that were available at the time. The ease of this, and the fact that a surveillance company like Hacking Team was not aware of it beforehand and could do little to protect themselves, shows the impact that even simple methods using this network can have.
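The distinction between a genuine SMSC and a lookup service is visible on the signalling link itself. The following is an added example, not AdaptiveMobile's or any vendor's code, of the kind of rule an operator can apply: it assumes (an assumption, not something the post states) that incoming SRI-SM queries and subsequent MT-ForwardSM deliveries are available as records, and it also shows the full precision an SRI-SM response gives the querier, namely the country and network of the serving MSC. All global titles, MSISDNs and the country-code table are constructed.

```python
"""Toy SS7 firewall rule for SRI-SM lookup abuse (added example, not vendor code).

Assumed inputs: signalling records of incoming SRI-SM queries and of MT-ForwardSM
deliveries, each reduced to a dict. Global titles, MSISDNs and the country-code
table below are constructed for illustration.
"""
from collections import defaultdict

# Constructed subset of E.164 country codes; a real deployment needs the full table.
COUNTRY_CODES = {"1": "US", "39": "IT", "44": "GB", "353": "IE", "380": "UA"}

# Hypothetical global titles of SMSCs that legitimately query this network's HLR.
SMSC_ALLOWLIST = {"393491000001"}


def country_of(global_title):
    """Map an E.164 global title (e.g. the serving MSC address returned in an
    SRI-SM response) to a country. This is all such a lookup reveals: the
    country and network of the serving MSC, never the cell."""
    digits = global_title.lstrip("+")
    for length in (3, 2, 1):
        code = digits[:length]
        if code in COUNTRY_CODES:
            return COUNTRY_CODES[code]
    return "unknown"


def classify_origins(sri_records, mt_fsm_records, max_targets=50):
    """Return a verdict per querying global title.

    An SMSC issues SRI-SM because it has a text to deliver, so a genuine origin
    follows its lookups with an MT-ForwardSM to the same MSISDN. A global title
    that performs lookups and never delivers, or that touches an unusual number
    of distinct subscribers, is tracking rather than delivering.
    """
    looked_up = defaultdict(set)      # calling GT -> MSISDNs it resolved
    for rec in sri_records:
        looked_up[rec["calling_gt"]].add(rec["msisdn"])
    delivered = defaultdict(set)      # calling GT -> MSISDNs it delivered to
    for rec in mt_fsm_records:
        delivered[rec["calling_gt"]].add(rec["msisdn"])

    verdicts = {}
    for gt, targets in looked_up.items():
        followed = len(targets & delivered[gt])
        if gt in SMSC_ALLOWLIST:
            verdicts[gt] = "allowed"
        elif followed == 0:
            verdicts[gt] = "suspicious: lookups never followed by delivery"
        elif len(targets) > max_targets:
            verdicts[gt] = "suspicious: unusual number of distinct targets"
        else:
            verdicts[gt] = "ok"
    return verdicts


# Constructed sample traffic: the partner SMSC resolves two subscribers and
# delivers to both; a second global title resolves three subscribers and never
# delivers anything, the profile of a location-lookup service.
SRI_SM = [
    {"calling_gt": "393491000001", "msisdn": "353851000001", "msc": "353871000009"},
    {"calling_gt": "393491000001", "msisdn": "353851000002", "msc": "393351000009"},
    {"calling_gt": "447700900001", "msisdn": "353851000001", "msc": "353871000009"},
    {"calling_gt": "447700900001", "msisdn": "353851000002", "msc": "393351000009"},
    {"calling_gt": "447700900001", "msisdn": "353851000003", "msc": "353871000009"},
]
MT_FSM = [
    {"calling_gt": "393491000001", "msisdn": "353851000001"},
    {"calling_gt": "393491000001", "msisdn": "353851000002"},
]

if __name__ == "__main__":
    for gt, verdict in classify_origins(SRI_SM, MT_FSM).items():
        print(gt, country_of(gt), verdict)
    # What the lookup service learned about the second subscriber: the country
    # of the serving MSC, nothing finer.
    print("subscriber 353851000002 is currently in", country_of("393351000009"))
```

The "never followed by delivery" rule is the important one: a lookup service has no text to send, so its queries are orphaned, whereas even a badly behaved SMSC eventually delivers. The threshold on distinct targets only catches bulk tracking and should be tuned per peer.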

 

Where the Clever Money is at

Another interesting point is that Hacking Team were approached by a representative of a company called CleverSig, looking for funding. While CleverSig explain that at the time they are a small start-up, they do say they have built and tested their own SS7 geolocation system. Here CleverSig specify that it costs US$14k to $16k a month to have access to the SS7 network via an operator's SS7 hub. While this seems sizable, another way to look at it is that this is just over $22 an hour for access to a network with connections to 600+ operators, and that such SS7 connections are seemingly available to those who want them:

It seems that ultimately Hacking Team passed on this investment opportunity for various reasons (too expensive, and they did not want a 'secret' agreement with mobile operators) and decided to ignore them. But the information does not stop there. CleverSig give some interesting details in comparing themselves to a different network surveillance company based in Bulgaria called Circles, a company with very little in the way of media exposure but which we believe we have identified, and this confirms that CleverSig are not an isolated case. Hacking Team also seem to have received specific information on other companies in the network surveillance world. As well as the aforementioned Circles and CleverSig, via a connection in Mexico Hacking Team was also referred to a brochure for a geolocation system, called GeoMatrix, supplied by an Israeli company and used by their customer.

 

What is the Matrix?

 

 

As well as the standard geolocation abilities, this brochure outlines some very interesting additional capabilities:

Ability to disconnect mobile phones from network

The last statement (which we have highlighted) shows a capability that has been known theoretically but has not been seen advertised before for these systems: as well as tracking a subscriber, they can also take control of a subscriber's device and prevent it from receiving calls or text messages or using the internet. In effect the surveillance system is going beyond tracking to control, and the control in this case is extensive. Another way to think about it is that cutting data, as well as incoming calls and texts, would make any messaging or voice app (encrypted or otherwise) unusable, and eventually force the target to make an ordinary outgoing call if they need to communicate with somebody. While the provider of this solution is not stated explicitly in the mail, the solution itself resembles known systems advertised publicly, such as the one offered by Rayzone Group.

 

Ultimately, while Hacking Team were primarily concerned with on-device surveillance, they have had exposure to network surveillance techniques and companies. This shows that the misuse of SS7 technology for these methods is established and is being sold on the market today by a variety of active participants. While Hacking Team may be one of our best views of what on-device surveillance companies do today, this is only part of the whole picture; their experiences clearly show there is a whole industry of in-network surveillance that the security community should be aware of.

Many thanks to Ciaran Bradley for his contribution. 

 

*SRI-SM = Send Routing Information for Short Message: a specific MAP operation carried over SS7, normally sent by an SMSC to a subscriber's home network to learn which MSC is serving the handset before delivering a text. The response carries the subscriber's IMSI and the address of the serving node, which is what makes it usable for country-level location.

WhatsApp-And-Dump


WhatsApp’s introduction to the perils of messaging spam took a new twist on Friday the 21st of August, when a large ‘pump and dump’ spam attack was sent to WhatsApp users in the US. We were alerted to this activity on Friday and, sure enough, large numbers of users on social media reported receiving variants of the following:

WhatsApp Pump and Dump message promoting the AVRN stock

Pump and What?

Share-trading and other sites promptly followed up on the day, reporting on the impact of these messages. This message, using the latest WhatsApp spammer tactic of adding a user to a group and then removing them, was a ‘pump and dump’ or ‘penny stock’ attack, whose goal is to cause movements in the share price of a penny stock. Featured heavily in the movie The Wolf of Wall Street, penny stocks are common stocks that normally trade at less than one dollar and are therefore highly speculative. The purpose of a pump and dump attack is, as the name suggests, to pump the stock higher using advertising or some form of communication, while the ‘pumpers’ sell (dump) the stock they acquired before the pump once it gets high enough. These movements, first a large increase as a certain percentage of recipients are inclined to buy the stock, and then a large drop as others try to sell off, allow the fraudsters to make money because they typically acquired shares prior to the pump and sell as it rises.

AVRN itself is the OTCMKTS ticker for Avra Inc, a company that specialises in solutions for the digital currency (bitcoin) markets, with several different areas of focus. However, according to their latest 10-Q filing, as published on OTC Markets, their financials are exceptionally weak: they have never made any revenue and have total assets of just over $26k. There is also a question over their actual physical location. Their registered address in the 10-Q appears to be the same Palo Alto, California address as a notary public store called Greemail, while the company HQ address on their website appears to be the same Greenville, South Carolina address as an Advanced Merchant Services branch.

1) Store at 10-Q Registered Address of Avra Inc & 2) Store at Company Website Address of Avra Inc

Previous reports had called out Avra as being promoted heavily in the past, with warnings not to buy. Unfortunately, in this particular attempt the pump looks to have been very successful. At one stage on the day of the attack the share price of AVRN had increased by over 640%, from its opening price of $0.17 to a high of $1.26, before swiftly dropping off to a close of $0.19. Volume traded during the day was also huge, at 5,136,600 shares, far in excess of the average of ~14k per day for the previous 3 months.

AVRN Stock & Volume changes on 21st August

In fact, if we break down the share trading activity for that day, we can see definite signs of when the pump and the dump occur. The OTC market on which this stock trades opens at 9:30am ET, but no activity occurs until 10:03, when some small trading begins. The stock rises rapidly through the morning, reaching a peak around 11:03. Around this period there is some trading that causes a slight drop, followed by a crash. It is likely that in this period the fraudsters dump their stock, gaining the maximum value. Everything after this point consists of trades that cause little aggregate change to the stock price, even though the volume is much larger. This later activity is more likely to be recipients of the message either buying or selling the stock, and market speculators attempting to trade on volatility that has essentially ceased. Altogether, the total value that changed hands in this one day (volume x average share price for each minute, summed over the day) was $1.713 million, with the period of the large price increase and decrease (from 10:40 to 11:25) accounting for $636k, and the spike at 11:03 alone responsible for around $93k. This is probably a good initial ball-park figure for the amount received by the fraudsters, if they were responsible for these trades. No doubt the SEC will investigate all of these trades, and any suspicious activity prior to them, in more detail.

AVRN Value Traded on Friday 21st

A Friend in Russia with Stock Advice

While interesting financially, of more interest to us is how the attack was conducted. The attack seems to have begun with messages sent in the early hours of Friday the 21st to US WhatsApp users. As covered, it used the tactic of adding a user to a group and sending them the message before removing them from the group, with the name of the group itself being modified. Previously we have covered WhatsApp spam originating from Chinese, Indian and US OTT numbers. This attack was different in that it originated from Russian mobile numbers (+79). WhatsApp spam from Russian sources has not been a major feature up to now, other than some adult-type spam messages, so it seems likely that for this attack the fraudsters decided to work with the same Russian WhatsApp spam-sending group, or one very like it, as the method of adding a number at the start and end of the message is identical (highlighted with a red box in the image below).

Previous WhatsApp spam reported from Russia

The social engineering in the message itself was relatively simple but interesting:

  • It's will with jpmorgan I remember you wanted to tell you next time i have a good tip. AVRN is going up 300% next week. dont tell me i didnt give you a heads up
  • hey it's tom at jp morgan I want you to know that AVRN is posed to at least quadruple next week. If there is one stock you want to buy it's this one. Send me a text and thank me later
  • yo its gary at citigroup you gotta do me a favour and buy shares at AVRN now. That thing is to at least triple fast. Something huge is about to happen. 
  • How goes it its ethan with deutschebank I am just letting you know that AVRN is getting a buyout at any moment now. The shares are gonna be trading for 5 to 10 times higher at least. Buy it now. Make some profits and I expect u to take me to the best dinner in town next week on you wink
  • Hey this is jack from morgan stanley. I just got a tip about the stock AVRN... Its gonna double in the next few days. Just wanted to give u a heads up
  • watsup patrick it's john at morganstanley you wanted to know next time I had an "inside"? Dont tell anyone but AVRN is getting a buy out next week at $1 a share. If u wanna buy do it now.
  • Hi its ed at goldmansachs I hope the familys good. Listen my "guy" just sent me a msg saying that AVRN is going to a dollar so if u wanna make a move and buyit shud do it now. Txt me later let me know how it goes.
  • Howdy its kelly wit jefferies I want u to go take a look at AVRN - this stock is going off the chain we all agree here at the office. Its's receiving a buyout offer next week and it should be at 2bucks a share. Txt me after u make ur profit and I might have another good one for u in like two weeks
  • Hey it’s jose at goldman just letting you know that AVRN is a good buy if you wanna buy it now. My guy told me it’s gonna at least go up 2x by tomorrow

There seem to have been many variants of the message, all revolving around a ‘friend’ in a financial institution advising the recipient to purchase stock in AVRN, as it is going to increase. One unusual feature was that there was no call to action, i.e. no phone number or URL in the message. This means that the fraudsters rely on the receiver being interested enough to actively search out the stock themselves, reducing their ‘conversion rate’ but making the message seem more plausible as coming from this ‘friend’. Overall these tactics seem to have had the desired effect.

We've Been Here Before

There is also a question of how many people received this message. In this case there is data from other messaging pump and dump attacks to which we can turn to help us estimate. Pump and dump attacks over other forms of messaging do happen, but are not common, for a few reasons, not least that they tend to draw a lot of attention and are cracked down on very quickly. A recent, relevant example was a pump and dump attack over SMS that was facilitated by the Bazuc message-sharing app. This malware, which allowed users to rent out their messaging plan, hosted a pump and dump SMS for a particular penny stock, sent from Bazuc-hosting cellphones in the US in September/October 2013:

Buy Signal Alert – [REDACTED] – [REDACTED] is hot. Get in now and look for potential 3000% gain. http://www.hot-stocks.com/[REDACTED]

We covered this in depth in a previous blog post and in various industry presentations, complete with the obligatory Wolf of Wall Street references, but the overall effect was sizable and serious. Within our US carrier customers we detected and blocked messages sent to nearly 100k US mobile numbers. Assuming that roughly the same number of messages were received by other US mobile users (due to activity in other carriers, for example), we can look at whether unblocked spam sent for this stock affected the volumes traded. As messages that are blocked in the carrier network do not influence a mobile user, one way to do this is to plot complaints submitted by mobile users for receiving this spam message (right axis) against volume traded (left axis). This does indicate a loose correlation, at the least suggesting that spam activity drives increases in trading.

Pumped Penny Stock Trading Volumes v Number of Penny Stock Spam Complaints

In this particular case, over 2 million shares of this stock were traded over September/October, much lower than the AVRN case of 5 million in one day, so we can reasonably assume that AVRN's 5 million-plus shares traded must have meant that high tens of thousands to low hundreds of thousands of WhatsApp users received this message.

Old Scams, New Stock & Technology, Same Old Result?

Ultimately, as we predicted at the start of the year, WhatsApp is going to receive more and more of these types of attack. They have already taken some action by allowing users to report spam received within groups, but this seemingly did not prevent this attack, and with the money earned by these fraudsters there is every reason to assume that they will try again. In fact it will be interesting to see whether there is another pump-and-dump attack in the next few weeks, as some of the ‘friends’ in the various messages promised. While various commentators on social media say that they will move from WhatsApp to other messaging apps, this ignores the point that the same thing may eventually arise there. These attack types are not new, only the medium on which they are sent; therefore all messaging app companies should prepare in advance for these types of attack, and use the expertise and experience of the wider messaging security industry.

 

Update: 25-8-15. Added some additional information on Avra Inc in 3rd paragraph of blog

Get ready to get your romance outsourced – an African dating safari


The business mantra for today is outsourcing. It’s a business strategy to outsource jobs; that’s what keeps the balance sheet looking smart. It also helps in focusing on what churns money, search for new avenues and eventually extend business boundaries. And if you think this is a First World phenomenon, you need to think again.

Outsourcing has crossed those boundaries too. And in the domain of unwanted dating attacks this practice is light years ahead. Now, it’s not just a global village story; it has gone beyond to the ‘the girl next door’!

From a deeper perspective spammers are well aware of the affinity of some to cheat and have extramarital affairs. Using this as a bait, they have formed an organized cartel to plunder this opportunity. Now this is not just an Ashley Madison saga. It's much more!

Seems puzzling? Let me explain these nuances to you.

Below is a set of messages sent over a specific period of time to a select set of recipients. They were intercepted by the filters on AdaptiveMobile’s Network Protection Platform (NPP) and marked as spam, and thus blocked from reaching their destination.

  • a great friendship comes with a sign, this message is a sign you need, show me that you are my special one  +677957XXXX @
  • Hi baby, i really need a vacation, i am thinking that your country would be a great destination, what do you think?  +677957XXXX
  • I have such a terrible day today!!! Can you pls call me to make me feel better? :-( +38160791XXXX
  • u and you alone your love is the kind of love that no one can chage me out of it thank u your LOVELY LI026216XXXX
  • You fill my heart with love and my life with happiness! i miss you baby  +38160791XXXX @
  • Its so cold today, i need you to warm me   +3554249XXXX
  • Baby, you are my only one, i need an advice  +677957XXXX
  • Its so cold today, i need you to warm me   +23722225XXXX
  • Avoir un ami comme toi, c'est une vraie chance dans ma vie. +509281XXXX (Having a friend like you is a real stroke of luck in my life.)
  • En amour, il y en a toujours un qui souffre et l'autre qui s'ennuie. Moi je souffre. Appelles moi:  +5092817XXXX (In love there is always one who suffers and one who gets bored. I am the one suffering. Call me:)
  • Je suis libre et j'attends amicalement un coup de fil. +5092817XXXX (I am free and looking forward, as a friend, to a phone call.)
  • La bonte en parole amene la confiance.La bonte en pensee amene la profondeur.La bonte en donnant amene l'amour. appelez:  +5092817XXXX (Kindness in words brings trust. Kindness in thought brings depth. Kindness in giving brings love. Call:)

 

Figure 1: Target country and affected geographies

These messages were targeted for English and French speaking African countries (as highlighted in the map) and were sent from a range of mobile numbers to a targeted African audience. Given our analysis, we determined the sending numbers originated in the US, Eastern Europe, Haiti and the Solomon Islands. 

Keeping a careful watch on the content of the messages and the sender’s mobile numbers helped us understand and anticipate their behavioural patterns. The modus operandi seems to be aimed at eliciting a response from the receiver – just one phone call would be sufficient to entangle the end user. After all, that is what a bait is meant for!

Figure 2: The completely different country to which the caller is actually redirected.

Deciding to test the waters myself, I called the number, taking the necessary precautions. On dialling the phone number given in the message I realised that this call-to-action number, which was thought to originate in the US, Eastern Europe, Haiti or the Solomon Islands, was actually outsourced to a completely different country. I stumbled on this secret when a damsel with an unfamiliar accent responded. In the background I could hear the typical chaotic blare of a call centre, but on fine-tuning I discovered that the template used by them in that vicinity was the same. The accent starkly betrayed the speaker’s origins. This piqued my curiosity and I wanted to find out where I had called. Questioning the speaker, I found out that I was trunked to a remote village in Sri Lanka, close to Kandy. The speaker, a young college teenager, was posing as a Far East European named Mariya Peterova, in her own words ‘a white, fair beauty’, wanting to create a liaison with me. Her intention was to come over to my country and spend some “romantic quality time” with me. The conversation got deeper, romantic and bizarre. However I stayed alert to find out what information they actually wanted to extract from me.

I pretended to be an expat African – a millionaire, doing business in Europe. We blah blahed about romancing in some haute European location. Then she blurted the million dollar request: “uh... darling, I want to send you a Facebook request, ok?” then “what’s your WhatsApp ID?” and “at least give me your mobile number?”.  I escaped by saying I don’t use social networking, nor was I savvy with it.

When she found that she was not able to make headway, she transferred me to a colleague who sounded equally novice at the game and eventually hung up.

It got me thinking about how that information would help them.  It would definitely help in double checking to see if I am who I claim to be – a word of warning to those who register themselves on social networking sites and give out actual personal information. More importantly, spear phishing uses this tactic of identity theft and third party fraud using user data harvested from social networking sites. Once confirmed, this open source information could help in tracking yours truly and those connected to me, which means a perfect setup to ensnare a shoal of fish – more people more opportunities! This master stroke would enrich their database immensely.

After decoding what transpired one can easily figure out what they are up to. It seems to be a whole new game plan – one more established and complex than surmised earlier.  There is a group that sets the snare, others that offshore the gathered intelligence from the ensnared and the rest who take it to the logical conclusion of abusing harvested user data. Such campaigns are not meant to befriend you, but to gauge the depth of your pocket or to harness intelligence for a competitor.

But from a security point of view, the alleged dating spam messages emanating from each of the said countries seem to have originated from a cartel for the following reasons:

  • The message pattern and structure used in luring the recipient is similar in logic.
  • The message content overlaps from one message to another.
  • Many messages direct callers to the same number range.
  • Most interestingly, the target geographical region is the same: Africa.

All these points converge to ground zero - Africa.  
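Those four indicators can be checked mechanically against the intercepted samples. The following is an added example, not AdaptiveMobile's NPP code: it takes the redacted samples quoted above (the X's are the blog's redaction) and clusters them by message template and by callback number, reporting templates reused with different numbers, numbers reused across templates, number ranges shared between messages, and the countries the callback numbers point to. The country-code table is a constructed subset.

```python
"""Clustering dating-spam samples by template and callback number
(added example, not AdaptiveMobile's NPP code)."""
import re
from collections import defaultdict

# The redacted samples quoted in the post; X's are the blog's redaction.
SAMPLES = [
    "a great friendship comes with a sign, this message is a sign you need, show me that you are my special one  +677957XXXX @",
    "Hi baby, i really need a vacation, i am thinking that your country would be a great destination, what do you think?  +677957XXXX",
    "I have such a terrible day today!!! Can you pls call me to make me feel better? :-( +38160791XXXX",
    "u and you alone your love is the kind of love that no one can chage me out of it thank u your LOVELY LI026216XXXX",
    "You fill my heart with love and my life with happiness! i miss you baby  +38160791XXXX @",
    "Its so cold today, i need you to warm me   +3554249XXXX",
    "Baby, you are my only one, i need an advice  +677957XXXX",
    "Its so cold today, i need you to warm me   +23722225XXXX",
    "Avoir un ami comme toi, c'est une vraie chance dans ma vie. +509281XXXX",
    "En amour, il y en a toujours un qui souffre et l'autre qui s'ennuie. Moi je souffre. Appelles moi:  +5092817XXXX",
    "Je suis libre et j'attends amicalement un coup de fil. +5092817XXXX",
    "La bonte en parole amene la confiance.La bonte en pensee amene la profondeur.La bonte en donnant amene l'amour. appelez:  +5092817XXXX",
]

NUMBER = re.compile(r"\+?\d{5,}X*")          # a (possibly redacted) callback number
# Constructed subset of E.164 country codes.
COUNTRY_CODES = {"677": "Solomon Islands", "381": "Serbia", "355": "Albania",
                 "237": "Cameroon", "509": "Haiti"}


def callback_number(message):
    m = NUMBER.search(message)
    return m.group(0) if m else None


def country(number):
    """Country of an international (+) number; anything else is unknown,
    e.g. the sample whose number carries a garbled 'LI' prefix."""
    if not number or not number.startswith("+"):
        return "unknown"
    digits = number[1:]
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:length]]
    return "unknown"


def number_range(number):
    """First six digits: the block a spammer buys numbers in."""
    return number.lstrip("+")[:6] if number else None


def fingerprint(message):
    """Template with the number, '@' marker, punctuation and case removed."""
    body = NUMBER.sub("", message).lower()
    body = re.sub(r"[^a-z ]", " ", body)
    return " ".join(body.split())


def cartel_evidence(messages):
    by_template = defaultdict(set)   # template -> callback numbers using it
    by_number = defaultdict(set)     # callback number -> templates it appears in
    by_range = defaultdict(set)      # six-digit range -> numbers in it
    for msg in messages:
        num = callback_number(msg)
        fp = fingerprint(msg)
        by_template[fp].add(num)
        by_number[num].add(fp)
        by_range[number_range(num)].add(num)
    return {
        "shared_templates": {fp: nums for fp, nums in by_template.items() if len(nums) > 1},
        "reused_numbers": {n: fps for n, fps in by_number.items() if len(fps) > 1},
        "shared_ranges": {r: nums for r, nums in by_range.items() if len(nums) > 1},
        "countries": sorted({country(n) for n in by_number}),
    }


if __name__ == "__main__":
    evidence = cartel_evidence(SAMPLES)
    for key, value in evidence.items():
        print(key, value)
```

On these samples the "cold today" template appears with both an Albanian and a Cameroonian number, the Solomon Islands number fronts three different templates, and the two Haitian numbers sit in the same six-digit range; that is the overlap the list above describes, in a form that can be applied to the next batch automatically.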

Is Africa then the new hunting ground for Adult phishing? Or is Africa turning out to be a test-bed for spammers?

An intriguing African safari beckons as telecoms evolve in Africa.

AdaptiveMobile advises caution in responding to unknown friend invites or requests in all forms, be it unsolicited SMSs or social networks. Remember to not click on any unknown or unfamiliar links or call any unknown or unfamiliar numbers.

Sacrificing Design – Viber’s Next Hurdle?


In recent months there has been a significant increase in user complaints about receiving Viber spam. Analysing the latest spam messages, we can see they are consistent in their language and in their call to action: click on a link to watch a video tutorial. The messages, shown below with the corresponding destination website, use financial motivation to encourage the user to click on the link.  As is evident through these two examples, the attacker offers a substantial amount of money (between €450 and €550) and then drives the victim to a website which boasts the opportunity to earn even more money. This is a common tactic amongst OTT messaging attacks.

The websites themselves are noteworthy in that the attackers have obviously tried to build the credibility of their page by including logos from reputable news outlets as a reference point for their product, including SkyNews, Bloomberg and BusinessWeek. They also include logos from McAfee Secure and VeriSign Trusted in an attempt to validate the security of their website. The attackers are well-versed in societal norms and are abusing the strength of these brands to lure victims into a false sense of security.

Comparable to our last analysis of Viber spam, the messages are still being sent from the same operator in China, and they are targeting users in countries all over the world. We have also detected WhatsApp spam coming from regions in China and India.

The Viber app launched in 2010 has over 249 million monthly active users from its 606 million registered users worldwide. Twitter shows users voicing their concerns and frustrations about the incessant spam messages again and again.

(Sample Tweets from users: @Dee83x and @burkes_backyard)

Presently available in 36 languages, the app’s global presence is rising; however, with an increase in global presence comes an increase in responsibility.

Ensuring that users are protected from spam messages is stated to be Viber’s top priority. A statement on their website support page says just that; in addition the page provides a number of ways to help protect users from receiving spam messages.

This, however, is only the start; while Viber works to decrease spam, they also need to stop users from leaving the application and heading for the competition.

In an attempt to maintain their user base Viber is continuously pushing out updates to the application – the only change in their latest release being an attempt to decrease the amount of spam messages users are receiving.

And reportedly, Viber is also testing a new function in select markets which allows users to choose whether or not they would like to view a message from an unknown sender before blocking it. If they do choose to view the message, the user can then decide whether to Add to Contacts, Report Spam or Block Contact.

But what if this isn’t enough?

In July, we wrote about the influx of OTT spam and the evolution of spammers from across the world. OTT applications have become the logical next step when hackers want to ‘cross-over’ from targeting SMS users to the growing base of people using these applications and these criminal groups are continuously fine-tuning their messaging abuse tactics to increase their ‘hit-rate’. These attackers approach spam like a business, focusing on the total addressable market. As the market evolves, so does their target audience.

Viber already offers one solution to this growing issue: go into the message and block the contact, in an effort to shut down any further messages. This, however, is a short-term response; attackers can simply use new accounts, and they are always looking for new ways to circumvent defences. For example, as we highlighted in previous WhatsApp blog posts, a newer abuse tactic there, devised to get around such defences, has spammers creating a group, adding a selection of sequential numbers to it (in an effort to hit as many users as possible), sending the message and then deleting the group, essentially making contact blocking irrelevant. Right now this tactic is specific to WhatsApp, but as spammers evolve they will continue to come up with tactics like these to circumvent whatever defences are in place.
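The group tactic described here, and in the WhatsApp pump-and-dump post above, has a signature that the service itself can see even when a per-user block is useless: one account adding a run of consecutive numbers to a group and removing them again seconds later. The following is an added example, not code from Viber, WhatsApp or AdaptiveMobile, of a rule over group-membership events; it assumes (an assumption) that the service can log such events in the line format shown, and the log, numbers and group names are all constructed.

```python
"""Detecting the add-to-group, spam, remove tactic
(added example, not Viber, WhatsApp or AdaptiveMobile code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed membership log. The first actor adds six consecutive numbers,
# posts, removes them within seconds and renames the group; the second is an
# ordinary user building a small group.
LOG = """\
2015-08-21T04:00:00Z group=g-promo actor=+79160000001 action=create
2015-08-21T04:00:01Z group=g-promo actor=+79160000001 action=add member=+14155550100
2015-08-21T04:00:01Z group=g-promo actor=+79160000001 action=add member=+14155550101
2015-08-21T04:00:02Z group=g-promo actor=+79160000001 action=add member=+14155550102
2015-08-21T04:00:02Z group=g-promo actor=+79160000001 action=add member=+14155550103
2015-08-21T04:00:03Z group=g-promo actor=+79160000001 action=add member=+14155550104
2015-08-21T04:00:03Z group=g-promo actor=+79160000001 action=add member=+14155550105
2015-08-21T04:00:04Z group=g-promo actor=+79160000001 action=message
2015-08-21T04:00:09Z group=g-promo actor=+79160000001 action=remove member=+14155550100
2015-08-21T04:00:09Z group=g-promo actor=+79160000001 action=remove member=+14155550101
2015-08-21T04:00:10Z group=g-promo actor=+79160000001 action=remove member=+14155550102
2015-08-21T04:00:10Z group=g-promo actor=+79160000001 action=remove member=+14155550103
2015-08-21T04:00:10Z group=g-promo actor=+79160000001 action=remove member=+14155550104
2015-08-21T04:00:11Z group=g-promo actor=+79160000001 action=remove member=+14155550105
2015-08-21T04:00:11Z group=g-promo actor=+79160000001 action=rename
2015-08-21T09:15:00Z group=g-family actor=+353850000001 action=create
2015-08-21T09:15:05Z group=g-family actor=+353850000001 action=add member=+353850000002
2015-08-21T09:15:09Z group=g-family actor=+353850000001 action=add member=+353850000077
"""

LINE = re.compile(
    r"^(?P<ts>\S+) group=(?P<group>\S+) actor=(?P<actor>\+\d+) "
    r"action=(?P<action>\w+)(?: member=(?P<member>\+\d+))?$"
)


def parse(log):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive E.164 numbers in the set."""
    values = sorted(int(n.lstrip("+")) for n in numbers)
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect(events, min_run=5, max_dwell=timedelta(seconds=60)):
    """Flag (actor, group) pairs that add a sequential block of numbers,
    counting how many of those members were removed again within max_dwell."""
    added = defaultdict(dict)          # (actor, group) -> {member: time added}
    quick_removals = defaultdict(int)
    for e in events:
        key = (e["actor"], e["group"])
        if e["action"] == "add":
            added[key][e["member"]] = e["ts"]
        elif e["action"] == "remove" and e["member"] in added[key]:
            if e["ts"] - added[key][e["member"]] <= max_dwell:
                quick_removals[key] += 1
    alerts = []
    for (actor, group), members in added.items():
        run = longest_sequential_run(members)
        if run >= min_run:
            alerts.append({"actor": actor, "group": group,
                           "sequential_run": run,
                           "quick_removals": quick_removals[(actor, group)]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(alert)
```

The sequential-number check is what separates the spammer from a legitimate group admin adding many contacts; the quick-removal count then confirms the hit-and-run pattern, and the rule keys on the actor rather than the recipient's contact list, which is exactly why it still works after the group is deleted.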

A new suggestion has come to the forefront by users and is quickly gaining momentum. The recommendation is to only let contacts message you; however, introducing a setting that makes it possible to ‘block unknown numbers’ is a bold move for a company in the communications industry.

(Sample Tweets from users: @jzzskijj and @BrennyK23)

We need to consider the implications should Viber install this new feature. From a design perspective, this function severely limits the ease with which people can use the application. By forcing users to add a contact to their address book before receiving a message or call, Viber is limiting users’ ability to connect with any one of the 606 million registered users.

The main objective of a messaging application is to enable users worldwide to send messages and calls with simplicity. Developing a more complicated process is not likely to be taken well by users and means that Viber cedes the ability for subscribers to communicate without already being contacts.

As users repeatedly take to social media to voice their concerns, Viber, and other OTT messaging applications, will need to make a firm decision. The concept of limiting who subscribers can talk to is a backward step in the evolution of communication, and any system that wants to be truly open needs to consider alternatives before imposing such a measure. The ideal, but much more difficult, solution is to address this spam problem by building in better defences. Protecting users against any type of attack should be their number one priority, and OTT applications are now facing a business decision with serious consequences.

Viber is faced with a dilemma and needs to determine where they stand to gain the most – a loyal base of current users or a growing list of less spam-tolerant users.

Should they implement recommendations from their current subscribers at the expense of making it more difficult for new users to join, or should they invest the financial and personnel resources into upping their security defences? The time to act is quickly approaching and OTT applications need to decide: is design more important than security?

(Tweet from @jcruzzfotodotcom)

 

Special thanks to Cathal Mc Daid, Ciaran Bradley, Barry Scallan and Colm Keena for their contribution to this blog.

I Found Our Photo! (And Other Malware Lies)


Since late August, we’ve been monitoring the development of a new siege of Android malware in China. So far, we have seen multiple new variants of AndroidOS.SmsThief, disguising themselves as photo or document viewer apps, as well as repackaging themselves as other popular applications. Different AV vendors have identified these variants under the names Android.Trojan.SmsSpy and Trojan.Android/AutoSMS.

Although a bulletin was released by Chinese officials around the same time, this campaign appears to be still going strong more than a month later. Samples captured over the course of the campaign are constantly evolving, and the malware can present itself as a number of different applications. Combined with the evidence that it exhibits the qualities of long-term monitoring malware, this is a highly sophisticated sample.

We’ve detected 8 variants of the malware active throughout China, but only 3 of these samples have been uploaded onto VirusTotal.

One of the samples of malware that has been detected by numerous anti-virus programs.

The malware is delivered through SMS. As is common with worms, the SMS is typically sent “from” a friend – someone whose device has already been infected. The content of these phishing messages can vary as hackers try to trick victims from many different angles:

1. Messages pretending to be a friend looking to share a photo:

2. These are from a colleague wanting to share a work-related document:

3. These are threats to disclose a private photo:

4. This is a message from a teacher regarding the child’s accomplishments in school. It directs them to a document supposedly outlining the accomplishments:

When the recipient clicks on the link, they are redirected to an application available for download. Because China doesn’t have an official app store like Google Play, apps can be downloaded from any source. The user judges the application safe or unsafe based on how much they trust the way they received the link. This makes it that much easier for attackers to send messages from a familiar number and convince recipients to download the application.

One sample that uses the lure of a photo to draw in victims repackages itself as a photo viewer application for Android (using photos as a lure is a well-known technique for SMS worms that we have encountered before). It tricks the user into downloading the app through a link in the message.

During installation, it asks for permission to access information about your contacts, read and send SMS messages and also requests administrative access once it starts up.

Because of the source of the message, users assume that this is normal and proceed with granting the permissions to the app.

Note: a legitimate application with such functionality will rarely ask for this amount of access from a user, especially administrative access, as this is only required by apps with very specific functionality.

Once the malware starts up on your device, it removes itself from the app drawer and fades into the background. Without notice, the malware accesses and extracts the information in your contact list, as well as every text message.

The scale of this infection is unknown, but we can confirm that the campaign is very active. Almost every day we’re detecting a new download link and new variations of the malware. The malware uses email as one of its primary methods to upload information. The information from the infected device is submitted to a mailbox to which the attacker has access. The information of the mailbox is hardcoded within the malware.

We know the samples began using accounts from 163.com – one of the most popular Chinese email services – but have seen a move to qq.com during our monitoring of the outbreak.

Several command numbers have been used in the different known samples, as the malware forwards incoming SMS to the C&C number as well as receiving remote commands from it.

Because of the way this malware is designed, it looks as though the attacks are primarily targeted towards Chinese subscribers.  

Once the application is downloaded, the malware tries to register with the C&C using the device ID.

While it’s running, it actively monitors the SMS the device receives in the background:

And from then on every SMS and call is intercepted and forwarded on to the C&C number – allowing hackers to read every text message.

Each time the infected device receives an SMS, the malware checks whether this is a normal SMS message or a command from the C&C number. If the message is confirmed to be from the C&C number, any commands contained in the SMS content are then actioned.

(The first line of Chinese below means: “------- (it) is Master -------“)

The commands have varying degrees of effect, but they have been observed issuing actions such as:

1. Sending messages to contacts.
2. Adding a number to the monitoring list.
3. Switching mode between monitoring all traffic and monitoring specific numbers.
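Two of the behaviours described above are visible from the network side: every inbound SMS being re-sent to one command number, and one lure message with a download link going out to many contacts. The following is an added example (not AdaptiveMobile's or the malware's code) that turns both into checks over message records; all numbers, times, message bodies and the download link are constructed.

```python
"""Network-side detection heuristics for SMS-forwarding malware.

Added example, not AdaptiveMobile product code. Two behaviours are checked:
  1. the body of each inbound SMS is re-sent to a single destination
     (the command-and-control number) shortly after it arrives;
  2. an identical link-bearing lure is sent to many distinct numbers.
All MSISDNs, timestamps, message bodies and URLs below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class SmsRecord:
    ts: datetime        # time the message entered the network
    sender: str         # originating MSISDN
    recipient: str      # destination MSISDN
    body: str


_BASE = datetime(2015, 10, 1, 9, 0, 0)


def _at(seconds):
    return _BASE + timedelta(seconds=seconds)


INFECTED = "8613800001111"   # constructed "infected" handset
C2_NUMBER = "8613900009999"  # constructed command number
CLEAN = "8613800004444"      # constructed well-behaved handset

SAMPLE_RECORDS = [
    # A bank one-time code arrives; a copy goes to the command number 5 s later.
    SmsRecord(_at(0), "95588", INFECTED, "验证码 483921"),
    SmsRecord(_at(5), INFECTED, C2_NUMBER, "From 95588: 验证码 483921"),
    # A friend's message is mirrored the same way; the normal reply is not.
    SmsRecord(_at(60), "8613700002222", INFECTED, "晚上吃饭吗"),
    SmsRecord(_at(63), INFECTED, C2_NUMBER, "From 8613700002222: 晚上吃饭吗"),
    SmsRecord(_at(90), INFECTED, "8613700002222", "好的"),
    SmsRecord(_at(120), "8613700003333", INFECTED, "会议改到三点"),
    SmsRecord(_at(122), INFECTED, C2_NUMBER, "From 8613700003333: 会议改到三点"),
    # The clean handset just chats.
    SmsRecord(_at(30), "8613700002222", CLEAN, "到了吗"),
    SmsRecord(_at(40), CLEAN, "8613700002222", "快到了"),
]
# The lure ("I found our photo") sent to six contacts within a few seconds.
SAMPLE_RECORDS += [
    SmsRecord(_at(300 + i), INFECTED, f"86137000055{i:02d}",
              "我找到了我们的照片 http://example.invalid/xp.apk")
    for i in range(6)
]


def find_forwarding_devices(records, window=timedelta(seconds=120), min_forwards=3):
    """Return {device: destination} for devices that re-send the body of at
    least `min_forwards` inbound messages to one destination within `window`
    of receiving them (the SmsThief forwarding pattern)."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for r in records:
        inbound[r.recipient].append(r)
        outbound[r.sender].append(r)
    suspects = {}
    for device, outs in outbound.items():
        hits = defaultdict(int)  # destination -> number of mirrored messages
        for out in outs:
            for inc in inbound.get(device, []):
                if inc.sender == out.recipient:
                    continue  # replying to the original sender is normal
                delay = out.ts - inc.ts
                if timedelta(0) <= delay <= window and inc.body in out.body:
                    hits[out.recipient] += 1
                    break
        for dest, count in hits.items():
            if count >= min_forwards:
                suspects[device] = dest
    return suspects


_URL = re.compile(r"https?://\S+")


def find_lure_senders(records, min_recipients=5, window=timedelta(minutes=10)):
    """Return {device: recipient_count} for devices that send one identical
    link-bearing message to many distinct numbers inside `window` (the
    worm-style spread of the lure to the victim's contacts)."""
    by_key = defaultdict(list)
    for r in records:
        if _URL.search(r.body):
            by_key[(r.sender, r.body)].append(r)
    flagged = {}
    for (sender, _body), msgs in by_key.items():
        msgs.sort(key=lambda m: m.ts)
        targets = {m.recipient for m in msgs}
        if len(targets) >= min_recipients and msgs[-1].ts - msgs[0].ts <= window:
            flagged[sender] = max(flagged.get(sender, 0), len(targets))
    return flagged


if __name__ == "__main__":
    print("forwarding devices:", find_forwarding_devices(SAMPLE_RECORDS))
    print("lure senders:", find_lure_senders(SAMPLE_RECORDS))
```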

The societal implications of this malware are significant. By using a very specific information-gathering technique, the attackers are developing a database of phone numbers, device IDs and demographic information.

With this, and using the infected device, they are able to send an undetectable message to any of your contacts and read every message that is delivered, which often contains sensitive information such as banking details. There have already been media reports indicating that this type of malware has caused significant financial loss. One article details how a Chinese resident clicked on a link from his phone and downloaded the malware. Hackers then received his online banking authentication code via SMS and transferred money out of his four different accounts, for a total loss of 20,000 RMB.

It is rare to see malware with such a sophisticated control and monitoring function, and the future evolution of samples is being monitored very closely.

As always, AdaptiveMobile advises caution when installing apps – don’t click on an unknown link and don’t download apps from an unknown source.

If your device is infected with malware, you can remove it by following these instructions:

Go to Settings - Security - Device Administrator and untick the app from the box.

Then go to Settings - Apps and find the app. Once there you should have the choice to stop the application from running and uninstall it.

Special thanks to Yicheng Zhou for original research and contribution to this blog. 


Seasonal Kik Spam


One constant theme when it comes to spam is that it tries to co-ordinate with current events in order to increase the chance that it will be acted upon. These current events can be topical news events or known upcoming holiday, seasonal or sports events. This behaviour is seen on any type of messaging bearer that experiences spam. In the last few months there have been a series of spam campaigns in the shape of picture messages sent on Kik messenger that have shown very strong seasonal attributes, and they are worth reviewing.

The sequence of Kik picture spam messages we have collected in the last 2 months is as follows:


In order, these were received on:

  • Halloween: Amazon
  • Early Nov:  iPad
  • Mid Nov: iTunes
  • Thanksgiving: McDonalds
  • Cyber Monday: BestBuy
  • Dec 7th,18th: Subway
  • Christmas Day: Wendy's
  • New Year's Day: GoPro

You can see that the spam attack involves a picture message that uses a well-known brand in order to encourage the recipient of the spam to go to the link. The link needs to be easily memorable, as it is not normally possible for the spam receiver to click on a link received in a Kik picture message. You can also see that picture spam is not only tied to holiday events, but can be sent in other periods as well. Once a link is clicked, the spam recipient is taken to a webpage that depends on their browser location, but is typically shown a screen that encourages them to click and answer a question to win a 'prize' and sign up to receive messages, costing the recipient money. Some example screens that the user is shown are below:


This geolocation of pages tactic is normally used to get a maximum reach of spam, and to allow the spammers to deliver advertising for multiple 'customers'.

Another interesting fact is that this attack is very consistent, and many more brands than the above have been involved. All of the original URLs contained in the Kik image spam resolve to a Russian IP address, and if we examine this IP's activity we can see that, as well as the above brands, this IP address has potentially been involved with many more brand attacks using: Samsung, Foot Locker, Walmart, fitbit, Sony, Sixflags, Starbucks, Popeyes, Kohl, Home Depot, Uber, HP, Kroger & Chipotle. The date of registration is also interesting. Sometimes the Kik spam is sent out in advance of the domain being registered, either by mistake or, more likely, to generate demand. This occurred with the Subway attack, where a spam message with the domain was received on the 7th of December but the domain was only created on the 15th; this also coincided with another spam attack received a few days later. Other times the URL is created immediately prior to the spam attack, such as the most recent GoPro attack: this domain was created on the 31st, and the spam message containing the domain was received on the 1st of January 2016.

While not very technically sophisticated, the effort that goes into creating the individual picture messages and obtaining easily memorable web pages for each holiday event is indicative of a specialist, determined effort, as well as of the continued attraction of co-ordinating spam with holiday periods. In effect, this type of spam indicates a widening of the spam activity on Kik, which up to now has normally been of the adult type (and which is still on-going). It's also highly probable that this brand spam trend will continue for the foreseeable future, meaning that Kik users are likely to continue to be targeted by this picture spammer.

In the meantime, and as always, when receiving an unsolicited message do not respond, click on, or go to any link if you are uncertain of its source, and have a Happy (and safe) New Year!

AdaptiveMobile Shares Vision for “Securing Mobile” at Mobile World Congress 2016


AdaptiveMobile will be sharing its vision for “Securing Mobile” at Mobile World Congress 2016 in Barcelona, 22-25 February. As society moves to a hyper-connected future, network infrastructure evolution is accelerating, with the additional demand for application-driven services creating a diverse market and an appetite for more storage. Without a clear understanding of the threats facing networks and the right active, comprehensive security controls in place, spammers, scammers, hackers and intelligence agencies will continue to exploit network vulnerabilities, with increasingly serious consequences. Given the current mobile threat landscape, security can no longer be an afterthought but must be a critical strategic investment, one that enables the multi-billion dollar ecosystem of products and services reliant on the integrity and security of networks and devices to do business. Our team of security experts will be at the AdaptiveMobile Meeting Suite, Hall 2 Stand 2B28MR, where we will be showcasing the very latest additions to our portfolio, including SS7 Protection, which is shortlisted for ‘Best Mobile Security or Anti-Fraud Solution’ at the prestigious Global Mobile Awards 2016.

Securing network, revenues and subscribers

The first comprehensive security overlay for mobile operator signalling infrastructure, AdaptiveMobile SS7 Protection secures mobile operator core networks against privacy and fraud attacks that exploit loopholes in the SS7 signalling protocol, blocking known and emerging threats to restore confidence in the network for consumers and regulators alike.  We will also be showcasing our newly launched Messaging App Security, which enables messaging applications to secure their user base from increasing volume and sophistication of threats.  And, our executive team will be able to share new insight on RCS gained through partnerships with three tier one operators to secure RCS traffic in North America. 

Live demos as well as animated visualisations will show our security innovations in motion, focusing on SMS threats, Grey Routes, Parental Controls and SS7 attacks, addressing the major security questions of the day, including:

  • Given the increasing sophistication of the messaging threat landscape, how can mobile operators protect their subscribers at the network level? 
  • Is IoT secure, or will we see a new wave of security threats that challenge consumer uptake of and confidence in connected devices in the smart home? Where does responsibility lie for IoT security?
  • As RCS ‘takes off’, how can carriers proactively secure services and protect users? 
  • How can mobile messaging applications protect themselves from security threats such as phishing spam and reassure their users that new revenue-generating services such as in-app purchasing are safe and secure? 
  • What can operators do to recapture in excess of US$3.5 million per month in missed revenue opportunities?
  • And most fundamentally of all, is the core of the mobile network itself compromised?

Building New Security Architecture: GSMA Panel

On Thursday 25 February in Hall 4 AdaptiveMobile’s CTO Ciaran Bradley will be adding industry-leading insight to the cyber security debate speaking as part of the session ‘Building new security architecture for a hyper connected future’.  Ciaran will outline the latest developments in mobile security and contribute analysis on the implications of a connected future.  The panel will take place on Thursday 25 February as part of the New Security & Encryption Paradigms session beginning at 2.15pm.

Securing Mobile

AdaptiveMobile is now Ireland’s second largest telecoms software company, protecting one fifth of the world’s mobile subscribers – over 1.4 billion subscribers worldwide.  The Company’s industry-leading Threat Intelligence Unit continues to identify, mitigate and protect against the latest mobile security threats. From global SS7 attacks to new grey routes exploitation; from Android malware Selfmite and Gazon to Apple’s iPhone message crash; AdaptiveMobile provides industry-leading analysis and defence to protect operators and their enterprise and consumer subscribers.  As the only mobile security company offering products designed to protect all services on both fixed and mobile networks, we uniquely enable the industry to remain one step ahead of abuse and exploitation and protect against individuals and organisations that pose a threat to either personal or national security.

To request a meeting with AdaptiveMobile executives at MWC 2016, send an email to sales@adaptivemobile.com or fill in the online form here: http://www.adaptivemobile.com/mwc2016

Mobile World Congress 2016 takes place 22-25 February at Fira Gran Via and Fira Montjuïc, Barcelona, Spain.  We look forward to seeing you there!


Tracking the Trackers: The most advanced rogue systems exploiting the SS7 Network today


We’re releasing more information this week from our research into SS7 attacks that we have detected live in mobile operator networks over the last year. As covered before, these are misuses of the SS7 network for various aims, including tracking, information gathering, communications interception, fraud and so on. Our previous research has shown that this activity is impacting every region of the world. In this blog I’m going to give some information on some of the most complex, and potentially the most interesting, types of SS7 attacker: those we define as advanced location tracking platforms. Their functions and operation have never been publicly made known before, and they are of a generation beyond those which were raised when the security of SS7 networks was first publicly discussed.

This information is from our work with mobile operators around the world who are concerned about their subscribers’ privacy and the security of their networks. From our analysis, SS7 location attack techniques range from large numbers of relatively simple attacks, which can be blocked relatively easily, to much smaller numbers of quite complex attacks, which are much more difficult to block. It is the sources of these complex, hard-to-stop attacks that are of most interest today, because they indicate a high degree of technical proficiency and, as we will show, must have had sizable investment to bring them to the level they are at today. The best way to show this level of sophistication is to give examples of 4 of the most active and sophisticated tracking platforms we have encountered to date. The names below are designations that AdaptiveMobile uses internally, but each is an entity that is tracking people around the world today.

 

Examples of Advanced SS7 Tracking Platforms

SS7-Surveillance//WODEN

This system’s main technique is to first send an SS7 packet called SRI (Send Routing Information) to the tracked subscriber’s mobile network to get information on the subscriber, and then to send a follow-up command called PSI (Provide Subscriber Information) to retrieve the Cell-ID (location) of the subscriber. This method of ‘staggering’ commands to gain enough information for location tracking matches research previously presented on techniques in this area; however, in real life the attacks are more complex, as some information harvesting fails and multiple queries are on-going at the same time. We also see evidence that the platform itself constantly scans the target networks using SRI-SM (Send Routing Information for SM), looking to improve its information about their networks. The following is a time series diagram that shows this activity over several hours, with the different colours representing different subscribers being tracked:

 

Its complexity and interest to us lies both in the packet combination it uses and in the fact that its origin points are registered to all of the major mobile operators in a Western European country. To explain, that means the tracking platform is registered with SS7 SCCP layer Global Titles (the rough equivalent of IP addresses in SS7 networks) that are assigned to the different operators in that country. However, this does not mean that the operators themselves are directly responsible for the platform. The platform does exist in this country, but the addresses assigned to it may not be under the control of the operators in question. As for its activity, this platform tracks subscribers from other countries around the world, but seems particularly active in sending requests to the Middle East.

 

SS7-Surveillance//ASMAN

This system is one of two distributed global decentralised systems that we will discuss. What that means is that like WODEN, ASMAN has multiple source addresses from which it launches tracking attacks. Where it differs is that these are not source SS7 addresses in the same country, but source SS7 addresses in multiple countries - all working in unison to track mobile phone subscribers. This indicates access to a specialist, decentralised global network. Its 'primary' address from which it launches tracking is based in the Middle-East, but it has backup platforms in Africa, Europe & Asia.

The system itself is quite similar to the others, using PSI packets to track subscribers, along with other SS7 operations to scan and generate the information needed beforehand. One hallmark of this system is that victims can be tracked in a variety of ways. From the network behaviour we have observed, they can be set up to be tracked once a day at a very regular time, or tracked more intensively, either by adding another set of periodic daily requests from a different address or by a dedicated sequence of lookups.

Above you can see a variety of subscribers being tracked over many days in 2015 and 2016. It is clearly evident that attempts are made to track some subscribers every day, while others only receive occasional attention.

 

SS7-Surveillance//MANNAN

This platform, MANNAN, is a global system like ASMAN, with multiple origin points to choose from. Its scale, however, is much bigger: it has access to the SS7 network from sites on nearly every continent in the world. It is also remarkable for its co-ordination: in a period of less than 3 minutes we observed a co-ordinated tracking attack using PSI packets from multiple countries, attempting to locate mobile subscribers.

This co-ordination marks MANNAN out as being incredibly complex, as the means to set up, maintain and control multiple SS7 network elements to act simultaneously in different parts of the world requires significant investment and constant work. Its ‘host’ telecom network operators tend to be based in smaller countries where access may be easier to obtain, and the wide world-wide spread ensures that any subscriber of interest in a target country can be queried from multiple points until one of them succeeds. So far this is the biggest and most complex location tracking system we have detected, but not the most active, being only infrequently called upon.

In this time series graph of one subscriber, we can see an initial period in which attempts are made to track the subscriber from a source in Western Europe, before a 'cascading' sequence of attacks comes from multiple continents.

 

SS7-Surveillance//HURACAN

The final platform covered, this system, based in a country in the Americas, is notable for its wide range of attacks and the sheer volume of attacks while active. Not only does it execute sophisticated location tracking via PSI and PSL (Provide Subscriber Location) commands, it also carries out a variety of other types of attack, including interception of subscriber communications via packets called ISD (Insert Subscriber Data), a type of attack theorized but not widely detected in real life until now.

This command instructs that the subscriber in question makes a ‘call out’ to a specific network element when communication starts from the subscriber, which allows communications interception to happen. Interestingly, the order of attacks from this platform varies: in the example below we first detected an ISD interception request being attempted, before multiple PSIs were sent to retrieve the Cell-ID, and then a PSL command to get a more precise location again (GPS co-ordinates can be returned by this method). We have observed the HURACAN platform sending attacks in large bursts to multiple target operators around the world, especially in the Americas and in the Middle East.

The above shows the HURACAN platform, over a number of days, attempting both to track and to intercept communications from a subscriber. This subscriber was just one of several dozen that this platform was trying to track in the target country over this time period.
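The four platforms above are described by the MAP operation sequences they send, which is exactly what a network-side detector can look for. The following is an added example (not AdaptiveMobile's SS7 Protection logic) that runs over constructed signalling records and flags the WODEN staggered SRI-then-PSI lookup, the MANNAN multi-country PSI cascade, and the HURACAN ISD arriving from a Global Title that is not a home HLR; all Global Titles, IMSIs and country assignments are made up.

```python
"""Rule-based detection of SS7 location-tracking sequences.

Added example, not AdaptiveMobile product code. It checks constructed MAP
signalling records for three of the patterns described in the text:
  - staggered lookup: SRI then PSI from the same source for one subscriber
  - cascade: PSI for one subscriber from several countries in a few minutes
  - rogue ISD: Insert Subscriber Data not sent by one of the home HLRs
Every Global Title, IMSI, country code and timestamp below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MapRecord:
    ts: datetime
    src_gt: str    # calling Global Title at the SCCP layer
    src_cc: str    # country the Global Title is assigned to
    op: str        # MAP operation: SRI, SRI-SM, PSI, PSL, ISD, ...
    target: str    # IMSI of the subscriber the operation concerns


HOME_HLR_GTS = {"99912000001", "99912000002"}  # constructed home-network HLRs


def _at(minutes, seconds=0):
    return datetime(2016, 2, 1, 10, 0, 0) + timedelta(minutes=minutes, seconds=seconds)


SAMPLE_RECORDS = [
    # WODEN-style: SRI, then PSI a minute later from the same source,
    # plus background SRI-SM scanning of another subscriber.
    MapRecord(_at(0), "33611110001", "FR", "SRI", "999120000000001"),
    MapRecord(_at(1), "33611110001", "FR", "PSI", "999120000000001"),
    MapRecord(_at(2), "33611110001", "FR", "SRI-SM", "999120000000002"),
    # MANNAN-style cascade: PSI from four countries inside three minutes.
    MapRecord(_at(30), "33611110002", "FR", "PSI", "999120000000003"),
    MapRecord(_at(30, 40), "23456780001", "NG", "PSI", "999120000000003"),
    MapRecord(_at(31, 20), "85211110001", "HK", "PSI", "999120000000003"),
    MapRecord(_at(32), "50711110001", "PA", "PSI", "999120000000003"),
    # HURACAN-style: ISD from a foreign GT, followed by PSI and PSL.
    MapRecord(_at(60), "50711110001", "PA", "ISD", "999120000000004"),
    MapRecord(_at(61), "50711110001", "PA", "PSI", "999120000000004"),
    MapRecord(_at(62), "50711110001", "PA", "PSL", "999120000000004"),
    # Legitimate traffic: a home HLR updating a roaming subscriber's profile,
    # and a partner SMSC doing a normal SRI-SM before delivering a message.
    MapRecord(_at(5), "99912000001", "HOME", "ISD", "999120000000005"),
    MapRecord(_at(6), "44770000001", "GB", "SRI-SM", "999120000000005"),
]


def staggered_lookups(records, window=timedelta(minutes=10)):
    """(src_gt, target) pairs where an SRI is followed by a PSI from the same
    source within `window`: information gathering, then a location request."""
    sri_seen = defaultdict(list)
    found = set()
    for r in sorted(records, key=lambda r: r.ts):
        key = (r.src_gt, r.target)
        if r.op == "SRI":
            sri_seen[key].append(r.ts)
        elif r.op == "PSI" and any(
            timedelta(0) <= r.ts - t <= window for t in sri_seen[key]
        ):
            found.add(key)
    return found


def coordinated_psi_bursts(records, window=timedelta(minutes=3), min_countries=3):
    """Subscribers hit by PSI from at least `min_countries` countries within
    `window`; returns {target: tuple of countries in sorted order}."""
    by_target = defaultdict(list)
    for r in records:
        if r.op == "PSI":
            by_target[r.target].append(r)
    bursts = {}
    for target, hits in by_target.items():
        hits.sort(key=lambda r: r.ts)
        for i, first in enumerate(hits):
            countries = {h.src_cc for h in hits[i:] if h.ts - first.ts <= window}
            if len(countries) >= min_countries:
                bursts[target] = tuple(sorted(countries))
                break
    return bursts


def rogue_isd(records, trusted_gts=HOME_HLR_GTS):
    """ISD operations that do not originate from one of the home HLRs; a
    foreign source rewriting a subscriber's profile is the interception case."""
    return [r for r in records if r.op == "ISD" and r.src_gt not in trusted_gts]


if __name__ == "__main__":
    print("staggered SRI->PSI:", staggered_lookups(SAMPLE_RECORDS))
    print("multi-country PSI bursts:", coordinated_psi_bursts(SAMPLE_RECORDS))
    print("rogue ISD:", [(r.src_gt, r.target) for r in rogue_isd(SAMPLE_RECORDS)])
```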

 

Analysis / Quo Vadis

From our analysis, it is clear that this industry has been active for many years: many of these systems’ behaviours and interactions with the SS7 network are not straightforward and indicate first-hand experience of accessing their target operators over a long period. There are also signs that the platforms are continuing to evolve, to avoid being detected or to improve their efficiency. It is also highly probable that the public research in this area has forced the platform suppliers to try new methods to avoid any attempts to put basic protections in place.

One thing to realise is that these platforms are not tracking the ‘average’ mobile phone user. Instead their function seems to be to perform surveillance on specific, presumably high-profile or high-interest mobile phone users around the world. From our experience, the country where you live is also a factor: if you live in a country or region that is experiencing geopolitical instability then there are higher frequencies of external surveillance via SS7 means. However, countries in more ‘stable’ regions also show incidents of tracking.

Another thing to realise is that while these tracking platforms may be assigned SS7 addresses within the number range assigned to mobile operators in a country, it cannot be said that these mobile operators are directly involved. In many cases mobile operators may simply be the unwilling host for these systems on their network, or may not even be aware that these systems are using addresses assigned to them. This was the position stated in the Russian/Ukraine SS7 incidents from 2014, where multiple people in Ukraine were tracked from Russia via SS7 surveillance techniques. During this incident MTS Russia reported that the address was not under their control, despite it being nominally assigned to them. While it may not be the case for all types of SS7 attacks, the source operators from which these location attacks are launched may be just as much victims as the target operators whose subscribers receive these location attacks.

Finally there is the question of the tracking platform’s ultimate origins and users. On this point we simply have to make some assumptions. While criminal uses via hacked SS7 systems are possible, the scale and focused nature of the system would argue against this. This leads us to the conclusion that the systems have been built and installed deliberately in order to track people around the world, and therefore serve the same espionage functions as the systems used in the Russian/Ukraine SS7 incidents from 2014. We have no direct evidence to prove this, but the scale, complexity, tactics, resemblance to known systems of this nature and the source and destinations all indicate a global focused surveillance effort that has been on-going for some time. And these examples are just some of the most complex, there are several dozen other tracking platforms of varying sophistication that we have encountered, and many more may be active.

What is more certain though, is that it is possible to defend SS7 networks. With our customers and our industry partners in the GSMA we have been leading efforts in this area to define the threats and standardize defences against these types of attacks. These efforts will only continue and strengthen as more information about these attackers and their techniques are discovered and shared.

SS7 Security : Putting the pieces together


There was an interesting segment on the CBS TV program 60 Minutes last night*. In this specific segment, the program covered what is possible through the misuse of the SS7 network protocol. What was demonstrated included tracking and interception of a phone that was lent to US Congressman Ted Lieu, as well as a discussion of what else is possible by attacking the SS7 network.

One discussion of interest was the use of these techniques by intelligence agencies, as it was stated in the program that:

 

The ability to intercept cellphone calls through the SS7 network is an open secret among the world's intelligence agencies -- including ours -- and they don't necessarily want that hole plugged

 

This is a topical comment, but there are several sources of evidence pointing to the fact that intelligence agencies may be using SS7 techniques to track and monitor people:

  • One is that interception/tracking has already been detected and reported by government state agencies, namely the Ukrainian secret service (SBU), as part of their investigation into suspicious, Russian-originated activity on their phone networks. This was in response to recent, politically themed call interceptions that had occurred on Ukrainian mobile networks. As an outcome of this, new legislation was submitted that one media source stated will allow Ukrainian security services to legally listen in, in turn, to subscribers of foreign mobile operators
  • A second is based on the activity that we have seen ourselves in our work with mobile operators worldwide in building defences to secure their networks. During the course of this, we uncovered several very sophisticated, global networks, engaged in the attempted tracking and interception of individuals in sensitive positions. As we have argued, the scale/sophistication and the objectives behind these lends themselves to believing that much of this is of an espionage/ spying function
  • But a third is the fact that we have some background material that has been released in various leaks, showing that some intelligence agencies have been collecting information to support attacks. One key piece of information is that in late 2014, as part of the Snowden revelations, there was the disclosure of a project called Auroragold within the NSA.

The main purpose of Auroragold is the collection of information on mobile operators. This is achieved through the interception and collection of what are called IR.21s, which are basically documents that mobile operators exchange with each other so that their subscribers can interact and roam between networks, and so that networks can correctly bill each other.

The various leaked documents show that Auroragold focused on obtaining these documents in a variety of ways, and then making that information available internally. It was stated that the Auroragold project gets this information in order to understand the current state of the networks and predict trends for the future. However, they also state that this information is of benefit to other SIGDEV (Signals Development) agencies within the NSA, to protocol exploitation elements and to partners.

Of interest to us, and why we focus on this, is that these IR.21s contain information on the configuration of the SS7 network within each operator, in order for other operators to bill and communicate successfully with it. Therefore collecting this information would be of use to any element seeking to exploit the SS7 protocol. It’s only a part of the story, and much more than an IR.21 is needed to execute a successful attack, but having this information helps give a better picture of any network that an agency would want to attack, i.e. what mobile network elements are available, what types of subscriber and network numbers they use, and so on. As we have seen from our own experience, attackers already 'scan' target operators for new network elements, and having the information contained in IR.21s helps them focus these attacks somewhat. When it comes to espionage every piece of information helps in executing successful attacks, and the authors of the slides clearly understood that exploitation elements would want to use their information. It stands to reason that this information would be used by SS7 exploitation systems if available.

The Norwegian Connection

Another comment from the 60 Minutes segment was that the average person is unlikely to be affected by these exploits or hacks. That is correct at a broad level. In our investigations it is not the ‘normal’ person that is being specifically targeted and hacked. But this does not mean they cannot be affected. This was demonstrated in a roundabout but spectacular fashion in the largest mobile network in Norway roughly 2 months ago.

On the morning of the 19th of February, over 1 million mobile subscribers of the Telenor Norway network found themselves with no cellular coverage for a period of 3 and a half hours, due to Telenor being the victim of an unexpected external SS7 'event'. As Telenor explained to the Norwegian regulator (Nkom) and to the public in a release on the 15th of April, they had received packets over the SS7 network from external sources that had caused a key part of their network – their HLR (Home Location Register) network element – to enter an ‘infinite loop’ due to the receipt of an unexpected packet format. The HLR is really the core database of the mobile network, and it being stuck in this infinite loop meant that activity ceased on the entire network for the over 1 million mobile subscribers it was responsible for.

According to the report that Telenor issued, the source of these SS7 packets was an operator in Luxembourg, who had been executing SS7 vulnerability analysis (determining if there was leakage of subscriber information) against other telecom operators in conjunction with a security consultancy. Setting aside the questionable nature of doing this analysis against another telecom operator and its critical infrastructure in the first place without consent, it certainly did not have the result that was expected. It was made clear in the subsequent statements that the technical fault on the Telenor side was due to the Ericsson-supplied HLR, which did not deal with the received packets correctly. Whatever the reasoning, or whatever was at fault, what this did show vividly is the wide-scale collateral damage that resulted from an unintentional SS7 event, and thus what could happen in the event of a deliberate and malicious attack on a network. As mentioned in the 60 Minutes program, all phones, regardless of type, rely on a functioning SS7 network, and if this is successfully attacked, critical elements of a nation’s infrastructure are at risk. In this case, based on Telenor's total subscriber counts, about one third of an entire network's users did not have phone service for many hours. Many of the examples of SS7 attacks that we have shown are stealthy location tracking or call interception attempts on potential high-profile targets, but denial-of-service attacks are also possible in theory, and, as we have seen (inadvertently), in practice.

Finally, one thing that was not covered in the 60 Minutes program is the effort that the mobile community is making to address these flaws. People should be aware that there is an ongoing activity within the mobile community to address these types of threats, and it is an effort that AdaptiveMobile has been leading since the beginning. It requires expertise and care, not only to deal with sophisticated adversaries that exploit these networks, but also to ensure that no ill effects come upon networks in determining and implementing security. With so many people dependent on their mobile phone to communicate and work, building security into the mobile network becomes more important every day.

*Disclaimer: AdaptiveMobile provided reference information to the producers of 60 Minutes/CBS for the purposes of explaining security in SS7 networks

Who’s been watching my puppy?


Having set up petcams in my home to remotely monitor my new puppy’s behaviours with my 4G smart device when I am out, I was reminded about Shodan, the search engine that looks for IoT devices such as webcams and makes their streams available for viewing by anyone on the internet.

https://www.shodan.io/

Shodan collects data mostly on web servers (HTTP) as well as FTP, SSH, Telnet, SNMP, SIP, and Real Time Streaming Protocol (RTSP). The latter can be used to access webcams and their video stream.

Now fortunately I am not the type to go with default passwords so am pretty sure no one hacked into my PTZ cameras and peered around my house uninvited. But the point remains that today, most of the consumer devices that sit on the Internet under the IoT, M2M or Embedded Device umbrella are not designed to defend against the sophisticated hacks or threats that may attempt to compromise them.

See Kaspersky’s comments entitled Internet of Crappy Things

And while Shodan is possibly a dangerous tool, it is a good example of what could happen when devices with weak security are allowed to permeate and pervade our lives.

So what of the bigger promises of IoT, is it really the next technology trend that could change the world?

Forbes have collected the latest IoT forecasts and predictions from Forrester, Machina Research, WEF, Gartner and IDC:

http://www.forbes.com/sites/gilpress/2016/01/27/internet-of-things-iot-predictions-from-forrester-machina-research-wef-gartner-idc/#7426650c6be6

Gartner predicts spending on IoT services will reach $235 billion in 2016, up 22% from 2015.

IDC predicts that by 2018, 66% of networks will have an IoT security breach.

Will security concerns slow IoT adoption? Will IoT security become a significant component of security budgets?

With IoT applications spanning smart cities, intelligent buildings, agriculture, environment, utilities, medical, automotive and more, there is clearly a need to design security in from the start.

The overall security problem stems from the fact that these IoT devices:

  • May tend to go unchecked by humans for long periods of time

  • Are often designed for a long life but with limited upgrade potential

  • May be non-mobile and so difficult to access, service or repair

  • Are often less technically sophisticated than other smart devices so have less scope to build in security

So, with threats ranging from door and car hacking, through medical data being intercepted, right up to national security, and many if not most devices currently not designed from the outset to be secure against sophisticated threats, perhaps reducing the reliance on the devices' own security and pursuing a network-based approach is the way to go.

This too will overcome some of the immediate issues of IoT device security standardisation currently emerging, such as Underwriters Labs refusing to freely share their new IoT cybersecurity standard:

http://arstechnica.co.uk/security/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/

Whilst IoT device security remains a difficult nut to crack, operators able to secure embedded devices directly on their networks today will undoubtedly be able to attract a large portion of the 50 billion IoT devices that Cisco predict will be connected by 2020.

https://newsroom.cisco.com/press-release-content?articleId=1621819

…maybe by then IoT device level security will be less of a threat to us all.

Can they hear you now? Hacking Team & SS7


By now, most people are aware that Hacking Team, an Italian-based seller of surveillance technology had their servers hacked and made public here. Wikileaks have taken the available emails and made them searchable.

This gives a unique opportunity for many of us in the security community to get an idea of what surveillance activities are undertaken, so we can better engineer defences against them. While the majority of Hacking Team's work revolved around developing spyware for different types of fixed and mobile OS devices, i.e. on-device surveillance, they also seem to have come across a number of situations (and companies) that directly involved surveillance occurring over the mobile operators' networks themselves - the part of the mobile network that uses the SS7 protocol. We term this activity network surveillance. As we have previously revealed, showing the attacks that have occurred in Ukraine, security in the SS7 network has become of paramount importance for the mobile community, so knowing how these surveillance companies regard and use SS7 is essential. Based on the information that has become available, it seems that there is a wider group of commercial entities selling systems that allow surveillance over SS7, and that these systems are on offer today.

Tracking the Team

First up, and perhaps most ironically, it seems that Hacking Team themselves took offence to two of their employees being tracked when these details showed up in 2 earlier Wikileaks documents:

Their internal discussion talks about this tracking being done by a script that was set to run on SS7, which seemed to be keyed on telephone number. They also theorise that this could only have been done via an insider contact in Telecom Italia (TIM). The reality, though, is that given the imprecise nature of the lookups (country only, not Cell-ID), it is highly doubtful that an insider contact was needed in TIM. Instead, the information lookup could have been done using any one of a number of commercial SRI-SM* lookup companies which were available at the time. The ease of this, and the fact that a surveillance company like Hacking Team were not aware of this beforehand and could do little to protect themselves, shows the impact that even simple methods using this network could have.

Where the Clever Money is at

Another interesting point is that Hacking Team were approached by a representative from a company called CleverSig, looking for funding. While at the time CleverSig explain they are a small start-up, they do say they built and tested their own SS7 geolocation system. Here CleverSig specify that it costs US$14k to 16k a month to have access to the SS7 network via an operator's SS7 hub. While this seems sizable, a different way to look at it is that this is just over $22 an hour to have access to a network with connections to 600+ operators, and that SS7 connections are seemingly available if required:

It seems that ultimately Hacking Team passed on this investment opportunity for various reasons (too expensive, and they did not want a 'secret' agreement with mobile operators) and decided to ignore them. But the information does not stop there. CleverSig give some interesting details in that they compare themselves to a different network surveillance company based in Bulgaria called Circles - a company with very little in the way of media exposure - but who we believe is this company, and which confirms that CleverSig are not an isolated case. Hacking Team seem also to have received specific information on other companies in the network surveillance world. As well as the aforementioned Circles and CleverSig, via a connection in Mexico Hacking Team were also referred to a brochure on a geolocation system, called GeoMatrix, supplied by an Israeli company and used by their customer.

What is the Matrix?

As well as the standard geolocation abilities, this brochure outlines some very interesting additional capabilities:

Ability to disconnect mobile phones from network

The last statement (which we have highlighted) shows a capability that has been known theoretically, but has not been seen advertised before for these systems. That is, as well as actually tracking a subscriber, they can also take control of a subscriber's device and prevent them from receiving calls or text messages, or from using the internet. In effect the surveillance system is going beyond tracking to control, and the control in this case is extensive. As well as preventing them from receiving calls or text messages, another way to think about it is that it would basically make any messaging or voice app (encrypted or otherwise) unusable, and eventually force the person to make an outgoing ordinary call if they need to communicate with somebody. While the provider of this solution is not stated explicitly in the mail, the solution itself resembles known systems advertised publicly, such as this system offered by Rayzone Group.

Ultimately, while Hacking Team were primarily concerned with on-device surveillance, they have had exposure to network surveillance techniques and companies. This shows that the misuse of SS7 technology for these methods is established and being sold on the market today by a variety of active participants. While Hacking Team may represent one of our best views of what on-device surveillance companies do today, this is only part of the whole picture, as their experiences clearly show there is a whole industry concerned with in-network surveillance that the security community should be aware of.

Many thanks to Ciaran Bradley for his contribution. 

*SRI-SM = Send Routing Information for Short Message: a specific SS7 packet 'type'

WhatsApp-And-Dump


WhatsApp’s introduction to the perils of messaging spam took a new twist on Friday the 21st of August, when a large ‘pump and dump’ spam attack was sent to WhatsApp users in the US. We were alerted to this activity on Friday, and sure enough large numbers of users on social media reported receiving variants of the following:

WhatsApp Pump and Dump message promoting the AVRN stock

Pump and What?

Share trading and other sites promptly followed up on the day, reporting on the impact of these messages. This message - using the latest WhatsApp spammer tactic of adding a user to a group and then removing them - was a ‘pump and dump’ or ‘penny stock’ attack, whose goal is to cause movements in the share price of a penny stock. Featured heavily in the movie The Wolf of Wall Street, penny stocks are common stocks normally valued at less than one dollar, and therefore can be highly speculative. The purpose of a pump and dump attack is, as the name suggests, to pump the stock price higher using advertising or some form of communication, while the ‘pumpers’ sell (dump) the stock they acquired before the pump once it gets high enough. These movements – first a large increase while a certain percentage of people may be inclined to buy the stock, and then a large drop as others try to sell off – allow the fraudsters to make money, as they typically have acquired shares prior to the pump and then sell off as it rises.

AVRN itself is the OTCMKTS ticker for Avra Inc, a company that specialises in solutions for the digital currency markets (bitcoin), with several different areas of focus. However, according to their latest 10-Q filing at the OTC, they are a company whose financials are exceptionally weak, who have never made any revenue and who have total assets of just over $26k. There is also a question over their actual physical location. Their registered location in their 10-Q seems to be the same Palo Alto, California address as a Notary Public store called Greemail, while the company HQ address on their website seems to be the same Greenville, South Carolina address as an Advanced Merchant Services branch.

1) Store at 10-Q Registered Address of Avra Inc & 2) Store at Company Website Address of Avra Inc

Previous reports had called out Avra as being promoted heavily in the past, with warnings not to buy. Unfortunately, in this particular attempt the pump looks to have been very successful. At one stage on the 24th, share prices for AVRN increased by over 640%, from their opening price of $0.17 to their height of $1.26, before swiftly dropping off to a close of $0.19. Volume traded during the day was also huge, up to 5,136,600 trades, far in excess of the average of ~14k per day for the previous 3 months.

AVRN Stock & Volume changes on 21st August

In fact, if we break down the share trading activity for that day, we can see definite signs of when the pump and the dump occur. The OTC – the market on which this stock trades – opens at 9.30am EST, but no activity occurs until 10:03, when some small trading begins. The stock rapidly increases in the morning, reaching a peak around 11:03. Around this period there is some trading that causes a slight drop, and then finally a crash. It is supposed that in this period the fraudsters dump their stock, gaining the maximum value. Everything after this point consists of trades which cause little change in aggregate to the stock price, even though the volume is much larger. This activity in the later stage of the day is more likely to be those who received the message either buying or selling the stock, and market speculators attempting to trade on the volatility, which has essentially ceased. Altogether, the total value that changed hands in this one day (volume x average share price for that minute) was $1.713 million, with the period of the large price increase and decrease (from 10:40 to 11:25) accounting for $636k, and the spike at 11:03 alone responsible for around $93k. This can be considered a good initial ball-park figure for the amount received by the fraudsters, if they were responsible for this trade. No doubt the SEC will investigate all of these trades, and any suspicious activity prior to this, in some more detail.

AVRN Value Traded on Friday 21st

A Friend in Russia with Stock Advice

While interesting financially, of more interest to us is how the attack was conducted. The attack seems to have begun with messages being sent in the early hours of Friday the 21st to US WhatsApp users. As covered, it used the tactic of adding a user to a group and sending him the message before removing him from the group, while the name of the group itself is modified. Previously we have covered WhatsApp spam originating from China, India and US OTT numbers. This attack was different in that it originated from Russian mobile numbers (+79). WhatsApp spam from Russian sources has not been a major feature up to now, other than some adult-type spam messages, so it seems likely that for this attack the fraudsters decided to work with the same Russian WhatsApp spam-sending group or a group very like it, as the method of adding a number at the start and end of the message is identical - here highlighted with a red box.

Previous WhatsApp spam reported from Russia

The social engineering in the message itself was relatively simple but interesting:

  • It's will with jpmorgan I remember you wanted to tell you next time i have a good tip. AVRN is going up 300% next week. dont tell me i didnt give you a heads up
  • hey it's tom at jp morgan I want you to know that AVRN is posed to at least quadruple next week. If there is one stock you want to buy it's this one. Send me a text and thank me later
  • yo its gary at citigroup you gotta do me a favour and buy shares at AVRN now. That thing is to at least triple fast. Something huge is about to happen. 
  • How goes it its ethan with deutschebank I am just letting you know that AVRN is getting a buyout at any moment now. The shares are gonna be trading for 5 to 10 times higher at least. Buy it now. Make some profits and I expect u to take me to the best dinner in town next week on you wink
  • Hey this is jack from morgan stanley. I just got a tip about the stock AVRN... Its gonna double in the next few days. Just wanted to give u a heads up
  • watsup patrick it's john at morganstanley you wanted to know next time I had an "inside"? Dont tell anyone but AVRN is getting a buy out next week at $1 a share. If u wanna buy do it now.
  • Hi its ed at goldmansachs I hope the familys good. Listen my "guy" just sent me a msg saying that AVRN is going to a dollar so if u wanna make a move and buyit shud do it now. Txt me later let me know how it goes.
  • Howdy its kelly wit jefferies I want u to go take a look at AVRN - this stock is going off the chain we all agree here at the office. Its's receiving a buyout offer next week and it should be at 2bucks a share. Txt me after u make ur profit and I might have another good one for u in like two weeks
  • Hey it’s jose at goldman just letting you know that AVRN is a good buy if you wanna buy it now. My guy told me it’s gonna at least go up 2x by tomorrow

There seem to have been many variants of the message, all revolving around a ‘friend’ in a financial institution advising them they should purchase stock in AVRN, as it is going to increase. One unusual feature was that there was no call to action, i.e. a phone number or URL, in the message. This means that the fraudsters rely on the receiver being interested enough to actively search out the stock itself – reducing their ‘conversion rate’ – but it makes the message seem more plausible, coming from this ‘friend’. Overall these tactics seem to have had the desired effect.
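A feature-based check for this family of messages, written here as an added example (not the post's or AdaptiveMobile's NPP logic): it scores a message on the traits described above (a ticker-like token, a named bank, bullish language) rather than on a link or phone number, so the missing call to action does not hide it, and then counts how many flagged messages name the same ticker to spot a campaign. The sample list reuses the variants quoted above plus constructed controls; the bank list, phrase list and thresholds are assumptions.

```python
import re
from collections import Counter

# Sample input: the first nine messages are the variants quoted in the post; the
# last three are constructed controls (two benign, one SMS-style pump with a link).
SAMPLES = [
    "It's will with jpmorgan I remember you wanted to tell you next time i have a good tip. AVRN is going up 300% next week. dont tell me i didnt give you a heads up",
    "hey it's tom at jp morgan I want you to know that AVRN is posed to at least quadruple next week. If there is one stock you want to buy it's this one. Send me a text and thank me later",
    "yo its gary at citigroup you gotta do me a favour and buy shares at AVRN now. That thing is to at least triple fast. Something huge is about to happen.",
    "How goes it its ethan with deutschebank I am just letting you know that AVRN is getting a buyout at any moment now. The shares are gonna be trading for 5 to 10 times higher at least. Buy it now.",
    "Hey this is jack from morgan stanley. I just got a tip about the stock AVRN... Its gonna double in the next few days. Just wanted to give u a heads up",
    "watsup patrick it's john at morganstanley you wanted to know next time I had an \"inside\"? Dont tell anyone but AVRN is getting a buy out next week at $1 a share. If u wanna buy do it now.",
    "Hi its ed at goldmansachs I hope the familys good. Listen my \"guy\" just sent me a msg saying that AVRN is going to a dollar so if u wanna make a move and buyit shud do it now.",
    "Howdy its kelly wit jefferies I want u to go take a look at AVRN - this stock is going off the chain we all agree here at the office. Its's receiving a buyout offer next week and it should be at 2bucks a share.",
    "Hey it's jose at goldman just letting you know that AVRN is a good buy if you wanna buy it now. My guy told me it's gonna at least go up 2x by tomorrow",
    "Hey it's Tom, are we still on for dinner at 8? Text me when you leave work",
    "Reminder: your AAPL research note is attached, see you at the 3pm meeting",
    "Buy Signal Alert - XYZ is hot. Get in now and look for potential 3000% gain. http://example.invalid/xyz",
]

# Assumed lists: institutions the 'friend' claims to work at, and bullish phrasing.
BANKS = ("jpmorgan", "jp morgan", "citigroup", "deutschebank", "deutsche bank",
         "morgan stanley", "morganstanley", "goldman", "jefferies")
BULLISH = [re.compile(p) for p in (
    r"going up", r"go up", r"quadruple", r"triple", r"double", r"buy ?out",
    r"buy it now", r"buy shares", r"do it now", r"get in now", r"heads up",
    r"\btip\b", r"\binside\b", r"\d+\s*%", r"\d+x\b", r"\$\d", r"\bdollar",
    r"\d+\s*bucks", r"times higher", r"profit",
)]
# Ticker heuristic: a short all-caps token that is not a common chat abbreviation.
TICKER = re.compile(r"\b[A-Z]{3,5}\b")
TICKER_STOPLIST = {"LOL", "OMG", "USA", "CEO", "ASAP", "FYI"}
URL = re.compile(r"https?://|www\.", re.IGNORECASE)
PHONE = re.compile(r"\+?\d[\d\s\-]{6,}\d")


def features(msg):
    """Extract the traits the post describes; has_contact is reported, not scored."""
    low = msg.lower()
    tickers = [t for t in TICKER.findall(msg) if t not in TICKER_STOPLIST]
    return {
        "ticker": tickers[0] if tickers else None,
        "bank": any(b in low for b in BANKS),
        "bullish": sum(1 for p in BULLISH if p.search(low)),
        "has_contact": bool(URL.search(msg) or PHONE.search(msg)),
    }


def score(msg):
    """Ticker counts most; bullish phrases are capped so one long message cannot dominate."""
    f = features(msg)
    return (2 if f["ticker"] else 0) + (1 if f["bank"] else 0) + min(f["bullish"], 2)


def is_pump_and_dump(msg, threshold=4):
    """A ticker plus either a bank name or two bullish phrases crosses the threshold."""
    return score(msg) >= threshold


def campaign_tickers(msgs, min_count=3):
    """Tickers named by several flagged messages: the campaign-level signal."""
    counts = Counter(features(m)["ticker"] for m in msgs if is_pump_and_dump(m))
    return {t: c for t, c in counts.items() if t and c >= min_count}


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{score(m)} {'SPAM' if is_pump_and_dump(m) else 'ok  '} {m[:60]}")
    print("campaign tickers:", campaign_tickers(SAMPLES))
```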

We've Been Here Before

There is also the question of how many people received this message. In this case, there is data from other messaging pump and dump attacks that we can use to help us estimate. Pump and dump attacks over other forms of messaging do happen, but are not common for a few reasons - not least that they tend to draw a lot of attention and are cracked down on very quickly. A recent, relevant attack though was a pump and dump attack over SMS that was facilitated by the Bazuc message-sharing app. This malware, which allowed users to rent out their messaging plan, was the host of a pump and dump SMS message for a particular penny stock sent from Bazuc-hosting cellphones in the US in September/October 2013:

Buy Signal Alert – [REDACTED] – [REDACTED] is hot. Get in now and look for potential 3000% gain. http://www.hot-stocks.com/[REDACTED]

We covered this in depth in a previous blog post, and in various industry presentations complete with the obligatory Wolf of Wall Street references, but the overall effect was sizable and serious. Within our US carrier customers we detected and blocked messages sent to nearly 100k US mobile numbers. Assuming that roughly the same number of messages were received by other US mobile users (due to activity in other carriers, for example), then we can look at whether unblocked spam sent for this stock affected the volumes traded. As messages that are blocked in the carrier network don’t influence a mobile user, another way to do this is to plot complaints submitted by mobile users for receiving this spam message (right axis) against volume traded (left axis). This does indicate a loose correlation, at the least signifying that spam activity causes trade increases.

Pumped Penny Stock Trading Volumes v Number of Penny Stock Spam Complaints

In this particular case, over 2 million trades in this stock were made over the month of September/October – much lower than the AVRN case of 5 million in one day – so we could safely assume that AVRN’s 5 million+ trades must have meant that high tens of thousands to low hundreds of thousands of WhatsApp users received this message.

Old Scams, New Stock & Technology, Same Old Result?

Ultimately, as we predicted at the start of the year, WhatsApp is going to receive more and more of these types of attack. They have already taken some action by allowing users to report spam that they receive within groups, but this seemingly did not prevent this attack occurring, and with the money earned by these fraudsters, there is every reason to assume that they will try again. In fact it will be interesting to see if there is another pump-and-dump attack in the next few weeks, as some of the ‘friends’ in the various messages suggested. While various commentators on social media say that they will move from WhatsApp to other messaging apps, this ignores the point that the same thing may eventually arise there. These attack types are not new, only the medium on which they are being sent; therefore all messaging app companies should try to prepare in advance for these types of attack, and use the expertise and experience of the wider messaging security industry.

Update: 25-8-15. Added some additional information on Avra Inc in 3rd paragraph of blog

Get ready to get your romance outsourced – an African dating safari


The business mantra for today is outsourcing. It’s a business strategy to outsource jobs; that’s what keeps the balance sheet looking smart. It also helps in focusing on what churns money, search for new avenues and eventually extend business boundaries. And if you think this is a First World phenomenon, you need to think again.

Outsourcing has crossed those boundaries too. And in the domain of unwanted dating attacks this practice is light years ahead. Now, it’s not just a global village story; it has gone beyond to the ‘the girl next door’!

From a deeper perspective spammers are well aware of the affinity of some to cheat and have extramarital affairs. Using this as a bait, they have formed an organized cartel to plunder this opportunity. Now this is not just an Ashley Madison saga. It's much more!

Seems puzzling? Let me explain these nuances to you.

Below are a set of messages sent over a specific period of time to a select set of recipients. They were intercepted by the filters on AdaptiveMobile’s Network Protection Platform (NPP) and marked as spam – and thus blocked from reaching their destination.

  • a great friendship comes with a sign, this message is a sign you need, show me that you are my special one  +677957XXXX @
  • Hi baby, i really need a vacation, i am thinking that your country would be a great destination, what do you think?  +677957XXXX
  • I have such a terrible day today!!! Can you pls call me to make me feel better? :-( +38160791XXXX
  • u and you alone your love is the kind of love that no one can chage me out of it thank u your LOVELY LI026216XXXX
  • You fill my heart with love and my life with happiness! i miss you baby  +38160791XXXX @
  • Its so cold today, i need you to warm me   +3554249XXXX
  • Baby, you are my only one, i need an advice  +677957XXXX
  • Its so cold today, i need you to warm me   +23722225XXXX
  • Avoir un ami comme toi, c'est une vraie chance dans ma vie. +509281XXXX
  • En amour, il y en a toujours un qui souffre et l'autre qui s'ennuie. Moi je souffre. Appelles moi:  +5092817XXXX
  • Je suis libre et j'attends amicalement un coup de fil. +5092817XXXX
  • La bonte en parole amene la confiance.La bonte en pensee amene la profondeur.La bonte en donnant amene l'amour. appelez:  +5092817XXXX

Figure 1: Target country and affected geographies

These messages were targeted at English- and French-speaking African countries (as highlighted in the map) and were sent from a range of mobile numbers to a targeted African audience. Based on our analysis, we determined that the sending numbers originated in the US, Eastern Europe, Haiti and the Solomon Islands.

Keeping a careful watch on the content of the messages and the sender’s mobile numbers helped us understand and anticipate their behavioural patterns. The modus operandi seems to be aimed at eliciting a response from the receiver – just one phone call would be sufficient to entangle the end user. After all, that is what a bait is meant for!

Figure 2: The disconnect country to which the end user is redirected.

Deciding to test the waters myself, I called the number using the necessary precautions. On dialling the phone number given in the message I realized that this call to action number that was thought to originate in the US, Eastern Europe, Haiti and the Solomon Islands was actually outsourced to a disconnected country. I tripped on this secret when a damsel with an unfamiliar accent responded. In the background I could hear the typical chaotic blare of a call centre, but on fine-tuning I discovered that the template used by them, in that vicinity, was the same. The accent starkly betrayed the speaker’s origins. This piqued my curiosity and I wanted to find out where I had called. Questioning the speaker I found out that I was trunked to a remote village in Sri Lanka, close to Kandy. The speaker, a young college teenager, was posing as a Far East European named Mariya Peterova – in her own words, ‘a white, fair beauty’ wanting to create a liaison with me. Her intention was to come over to my country and spend some “romantic quality time” with me. The conversation got deeper, romantic and bizarre. However I stayed alert to find out what information they actually wanted to extract from me.

I pretended to be an expat African – a millionaire, doing business in Europe. We blah blahed about romancing in some haute European location. Then she blurted the million dollar request: “uh... darling, I want to send you a Facebook request, ok?” then “what’s your WhatsApp ID?” and “at least give me your mobile number?”.  I escaped by saying I don’t use social networking, nor was I savvy with it.

When she found that she was not able to make headway, she transferred me to a colleague who sounded equally novice at the game and eventually hung up.

It got me thinking about how that information would help them.  It would definitely help in double checking to see if I am who I claim to be – a word of warning to those who register themselves on social networking sites and give out actual personal information. More importantly, spear phishing uses this tactic of identity theft and third party fraud using user data harvested from social networking sites. Once confirmed, this open source information could help in tracking yours truly and those connected to me, which means a perfect setup to ensnare a shoal of fish – more people more opportunities! This master stroke would enrich their database immensely.

After decoding what transpired one can easily figure out what they are up to. It seems to be a whole new game plan – one more established and complex than surmised earlier.  There is a group that sets the snare, others that offshore the gathered intelligence from the ensnared and the rest who take it to the logical conclusion of abusing harvested user data. Such campaigns are not meant to befriend you, but to gauge the depth of your pocket or to harness intelligence for a competitor.

But from a security point of view, the alleged dating spam messages emanating from each of the said countries seem to have originated from a cartel, for the following reasons:

  • The message pattern and structure used in luring the recipient is similar in logic.
  • The message content overlaps with each other.
  • Many messages seem to be directing the callers to the same number range.
  • Most interestingly, the target geographical region is the same - Africa.

All these points converge to ground zero - Africa.  

Is Africa then the new hunting ground for Adult phishing? Or is Africa turning out to be a test-bed for spammers?

An intriguing African Safari beckons the telecom evolution in Africa.

AdaptiveMobile advises caution in responding to unknown friend invites or requests in all forms, be it unsolicited SMSs or social networks. Remember to not click on any unknown or unfamiliar links or call any unknown or unfamiliar numbers.

Sacrificing Design – Viber’s Next Hurdle?


In recent months there has been a significant increase in user complaints about receiving Viber spam. Analysing the latest spam messages, we can see they are consistent in their language and in their call to action: click on a link to watch a video tutorial. The messages, shown below with the corresponding destination website, use financial motivation to encourage the user to click on the link.  As is evident through these two examples, the attacker offers a substantial amount of money (between €450 and €550) and then drives the victim to a website which boasts the opportunity to earn even more money. This is a common tactic amongst OTT messaging attacks.

The websites themselves are noteworthy in that the attackers have obviously tried to build the credibility of their page by including logos from reputable news outlets as a reference point for their product, including SkyNews, Bloomberg and BusinessWeek. They also include logos from McAfee Secure and VeriSign Trusted in an attempt to validate the security of their website. The attackers are well-versed in societal norms and are abusing the strength of these brands to lure victims into a false sense of security.

As in our last analysis of Viber spam, the messages are still being sent from the same operator in China, and they’re targeting users in countries all over the world. We’ve also detected WhatsApp spam coming from regions in China and India.

The Viber app launched in 2010 has over 249 million monthly active users from its 606 million registered users worldwide. Twitter shows users voicing their concerns and frustrations about the incessant spam messages again and again.

(Sample Tweets from users: @Dee83x and @burkes_backyard)

Presently available in 36 languages, the app’s global presence is rising; however, with an increase in global presence comes an increase in responsibility.

Ensuring that users are protected from spam messages is stated to be Viber’s top priority. A statement on their website support page says just that; in addition the page provides a number of ways to help protect users from receiving spam messages.

This, however, is only the start; while Viber works to decrease spam, they also need to stop users from leaving the application and heading for the competition.

In an attempt to maintain their user base Viber is continuously pushing out updates to the application – the only change in their latest release being an attempt to decrease the amount of spam messages users are receiving.

And reportedly, Viber is also testing a new function in select markets which allows users to choose whether or not they would like to view the message before blocking it. If they do choose to view the message, the user can decide whether to Add to Contacts, Report Spam or Block Contact.

But what if this isn’t enough?

In July, we wrote about the influx of OTT spam and the evolution of spammers from across the world. OTT applications have become the logical next step when hackers want to ‘cross over’ from targeting SMS users to the growing base of people using these applications, and these criminal groups are continuously fine-tuning their messaging abuse tactics to increase their ‘hit-rate’. These attackers approach spam like a business, focusing on the total addressable market. As the market evolves, so does their target audience.

Viber already offers one solution to this growing issue, which is to go into the message and block the contact in an effort to shut down any further messages. This however is a short-term response and attackers can simply use new accounts - they are always looking for new ways to circumvent defences. For example, as we highlighted in previous WhatsApp blog posts, a newer abuse tactic to deal with defences there has spammers creating a group, adding a selection of sequential numbers to the group (in an effort to hit as many users as possible) and then deleting the group – essentially making contact blocking irrelevant. Right now this tactic is specific to WhatsApp but as spammers evolve, they will continue to come up with tactics like these to circumvent any defences in place.

A new suggestion has come to the forefront by users and is quickly gaining momentum. The recommendation is to only let contacts message you; however, introducing a setting that makes it possible to ‘block unknown numbers’ is a bold move for a company in the communications industry.

(Sample Tweets from users: @jzzskijj and @BrennyK23)

We need to consider the implications should Viber install this new feature. From a design perspective, this function severely limits the ease with which people can use the application. By forcing users to add a contact to their address book before receiving a message or call, Viber is limiting users’ ability to connect with any one of the 606 million registered users.

The main objective of a messaging application is to enable users worldwide to send messages and calls with simplicity. Developing a more complicated process is not likely to be taken well by users and means that Viber cedes the ability for subscribers to communicate without already being contacts.

As users repeatedly take to social media to voice their concerns, Viber – and other OTT messaging applications – will need to make a firm decision. The concept of limiting talking to other subscribers is a backward step in the evolution of communication and any system that wants to be truly open needs to consider alternatives before imposing such a measure. The ideal – but much more difficult solution – is to address this spam problem by building in better defences. Protecting users against any type of attack should be their number one priority and OTT applications are now facing a business decision with serious consequences.

Viber is faced with a dilemma and needs to determine where they stand to gain the most – a loyal base of current users or a growing list of less spam-tolerant users.

Should they implement recommendations from their current subscribers at the expense of making it more difficult for new users to join, or should they invest the financial and personnel resources into upping their security defences? The time to act is quickly approaching and OTT applications need to decide: is design more important than security?

(Tweet from @jcruzzfotodotcom)


Special thanks to Cathal Mc Daid, Ciaran Bradley, Barry Scallan and Colm Keena for their contribution to this blog.


I Found Our Photo! (And Other Malware Lies)


Since late August, we’ve been monitoring the development of a new siege of Android malware in China. So far, we have seen multiple new variants of AndroidOS.SmsThief, disguising themselves as photo or document viewer apps, as well as repackaging themselves as other popular applications. Different AV vendors have identified these variants under the names Android.Trojan.SmsSpy and Trojan.Android/AutoSMS.

Although a bulletin was released by Chinese officials around the same time, this campaign appears to be still going strong more than a month later. Samples captured over the course of the campaign are constantly evolving, and the lure message can point to any of a number of different applications. Combined with the evidence that it exhibits the qualities of long-term monitoring malware, this is a highly sophisticated sample.

We’ve detected 8 variants of the malware active throughout China, but only 3 of these samples have been uploaded onto VirusTotal.

One of the samples of malware that has been detected by numerous anti-virus programs.

The malware is delivered through SMS. As is common with worms, the SMS is typically sent “from” a friend – someone whose device has already been infected. The content of these phishing messages can vary as hackers try to trick victims from many different angles:

1. Messages pretending to be a friend looking to share a photo:

2. These are from a colleague wanting to share a work-related document:

3. These are threats to disclose a private photo:

4. This is a message from a teacher regarding the child’s accomplishments in school. It directs them to a document supposedly outlining the accomplishments:

When the recipient clicks on the link they are redirected to an application available for download. Because China doesn’t have an official app store, like Google Play, apps can be downloaded from any source. The user deems the application safe or unsafe based on how much they trust the way they received the link. This makes it that much easier for attackers to send messages from a familiar number and convince recipients to download the application.

One sample that uses the lure of a photo to drag in victims repackages itself as a photo viewer application for Android (this usage of the lure of photos is a well-known technique for SMS worms that we have encountered before). It tricks the user to download the app through a link in the message.

During installation, it asks for permission to access information about your contacts, read and send SMS messages and also requests administrative access once it starts up.

Because of the source of the message, users assume that this is normal and proceed with granting permission to the app.

Note: a legitimate application with such functionality will rarely ask for this amount of access from a user, especially Administrative Access, as this is only required by apps with very specific functionality.

Once the malware starts up on your device, it removes itself from App Drawer, and fades into the background. Without notice, the malware opens up and remotely accesses and extracts the information in your contact list, as well as accessing every text message.

The scale of this infection is unknown, but we can confirm that the campaign is very active. Almost every day we’re detecting a new download link and new variations of the malware. The malware uses email as one of its primary methods to upload information. The information from the infected device is submitted to a mailbox to which the attacker has access. The information of the mailbox is hardcoded within the malware.

We know the samples began using accounts from 163.com – one of the most popular Chinese email services – but have seen a move to qq.com during our monitoring of the outbreak.

Several command numbers have been used in the different known samples: the malware forwards incoming SMS over to the C&C number, as well as receiving remote commands from it.

Because of the way this malware is designed, it looks as though the attacks are primarily targeted towards Chinese subscribers.  

Once the application is downloaded, the malware tries to register with the C&C using the device ID.

While it’s running, it actively monitors SMS received by the device in the background:

And from then on every SMS and call is intercepted and forwarded on to the C&C number – allowing hackers to read every text message.

Each time the infected device receives an SMS, the malware confirms whether this is a normal SMS message, or a command from the C&C number. If the received message is confirmed to be from the C&C number, the commands are then actioned if contained in SMS content.

(The first line of Chinese below means: “------- (it) is Master -------“)

The commands have varying degrees of effect, but they have been detected issuing actions such as:

1. Sending a message to contacts.
2. Adding a number to the monitoring list.
3. Switching mode between monitoring all traffic and monitoring specific numbers.
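A network-side check for the forwarding behaviour described above, added here as an example and not code from the original post or from AdaptiveMobile: it looks for a handset that echoes each delivered SMS to one fixed number shortly after receipt. The event format, the thresholds and every number, timestamp and message text are constructed for the example.

```python
"""Flag a subscriber whose handset forwards every incoming SMS to one fixed
number, the behaviour described for the SmsThief samples.

Input is a constructed list of network-side SMS events for one MSISDN:
('MT', timestamp, peer, body) for a message delivered to the handset and
('MO', timestamp, peer, body) for a message the handset sent.
All numbers, timestamps and texts are made up for this example."""

from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the handset echoes each delivered SMS to +8613800000099
# within a few seconds, which is the forward-to-C&C pattern.
SAMPLE_EVENTS = [
    ("MT", "2015-10-01 09:00:00", "+8613900001111", "Your bank code is 482913"),
    ("MO", "2015-10-01 09:00:04", "+8613800000099", "+8613900001111: Your bank code is 482913"),
    ("MT", "2015-10-01 09:15:30", "+8613900002222", "Lunch at 12?"),
    ("MO", "2015-10-01 09:15:33", "+8613800000099", "+8613900002222: Lunch at 12?"),
    ("MO", "2015-10-01 09:20:00", "+8613900002222", "Sure, see you then"),  # normal reply
    ("MT", "2015-10-01 10:02:10", "+8613900003333", "Meeting moved to 3pm"),
    ("MO", "2015-10-01 10:02:12", "+8613800000099", "+8613900003333: Meeting moved to 3pm"),
]

FORWARD_WINDOW = timedelta(seconds=30)  # assumption: the copy follows the MT SMS quickly
MIN_INCOMING = 3                        # assumption: need a few samples before flagging
MIN_FORWARD_RATIO = 0.8                 # assumption: most incoming SMS must be echoed


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def forwarded_pairs(events, window=FORWARD_WINDOW):
    """Return (mt_event, mo_event) pairs where an outgoing SMS repeats the body
    of an incoming SMS to a third party shortly after it arrived."""
    pairs = []
    mo_events = [e for e in events if e[0] == "MO"]
    for mt in (e for e in events if e[0] == "MT"):
        mt_time = _parse(mt[1])
        for mo in mo_events:
            mo_time = _parse(mo[1])
            # a copy: sent after arrival, within the window, to someone other
            # than the original sender, and containing the original body
            if mt_time <= mo_time <= mt_time + window \
                    and mo[2] != mt[2] and mt[3] in mo[3]:
                pairs.append((mt, mo))
                break
    return pairs


def suspected_cc_number(events):
    """Return the single destination receiving copies of incoming SMS,
    or None when the forwarding pattern is not present."""
    incoming = [e for e in events if e[0] == "MT"]
    if len(incoming) < MIN_INCOMING:
        return None
    pairs = forwarded_pairs(events)
    if len(pairs) / len(incoming) < MIN_FORWARD_RATIO:
        return None
    destinations = Counter(mo[2] for _, mo in pairs)
    number, count = destinations.most_common(1)[0]
    # the malware forwards to one hardcoded number; copies spread across many
    # destinations do not match this pattern
    return number if count == len(pairs) else None


if __name__ == "__main__":
    print("suspected C&C number:", suspected_cc_number(SAMPLE_EVENTS))
```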

The societal implications of this malware are significant. By using a very specific information-gathering technique, the attackers are developing a database of phone numbers, device IDs, as well as demographic information.

With this, and using the infected device, they are able to send an undetectable message to any of your contacts, and read every message that is delivered, which often contains sensitive info, such as banking details. There have already been media reports indicating that this type of malware has caused significant financial loss. One article details how a Chinese resident clicked on a link from his phone and downloaded the malware. Hackers then received his online banking authentication code via SMS and transferred money from his four different accounts to a total damage of 20,000 RMB.

It is rare to see malware with such a sophisticated control and monitoring function, and the future evolution of samples is being monitored very closely.

As always, AdaptiveMobile advises caution when installing apps – don’t click on an unknown link and don’t download apps from an unknown source.

If your device is infected with malware, you can remove it by following these instructions:

Go to Settings - Security - Device Administrator and untick the app from the box.

Then go to Settings - Apps and find the app. Once there you should have the choice to stop the application from running and uninstall it.

Special thanks to Yicheng Zhou for original research and contribution to this blog. 


Seasonal Kik Spam


One constant theme when it comes to spam is that it tries to co-ordinate with current events, in order to increase the chance that it will be acted upon. These current events can be topical news events or known upcoming holiday/seasonal or sports events. This behaviour is seen on any type of messaging bearer that experiences spam. In the last few months there have been a series of spam campaigns in the shape of picture messages being sent on Kik messenger that have shown very strong seasonal attributes, and are worth reviewing.

The sequence of Kik picture spam messages we have collected in the last 2 months is as follows:


In order, these were received on:

  • Halloween: Amazon
  • Early Nov:  iPad
  • Mid Nov: iTunes
  • Thanksgiving: McDonalds
  • Cyber Monday: BestBuy
  • Dec 7th,18th: Subway
  • Christmas Day: Wendy's
  • New Year's Day: GoPro

You can see that the spam attack involves a picture message that uses a well-known brand, in order to encourage the recipient of the spam to go to the link. The link needs to be easily memorable as it is not normally possible for the spam receiver to click on a link received in a Kik picture message. You can also see that picture spam is not only tied to holiday events, but can be sent in other periods as well. Once a link is clicked, the spam recipient is taken to a webpage that depends on their browser location, but is typically given a screen that encourages them to click and answer a question to win a 'prize', and sign up to receive messages, costing the recipient money. Some example screens that the user is given are below:


This geolocation of pages tactic is normally used to get a maximum reach of spam, and to allow the spammers to deliver advertising for multiple 'customers'.

Another interesting fact is that this attack is very consistent, and many more brands than the above have been involved. All of the original URLs contained in the Kik image spam resolve to a Russian IP address, and if we examine this IP's activity we can see that, as well as the above brands, this IP address has potentially been involved with many more brand attacks using: Samsung, Foot Locker, Walmart, fitbit, Sony, Sixflags, Starbucks, Popeyes, Kohl, Home Depot, Uber, HP, Kroger & Chipotle. The date of registration is also interesting. Sometimes the Kik spam is sent out in advance of the domain being registered, either by mistake or more likely to generate demand. This occurred with the Subway attack, where a spam message with the domain was received on the 7th of December, but the domain was only created on the 15th - this also coincided with another spam attack received a few days later. Other times the URL is created immediately prior to the spam attack - such as the most recent GoPro attack. This domain was created on the 31st, and the spam message containing the domain was received on the 1st of January 2016.

While not very technically sophisticated, the effort that goes into creating the individual picture messages & obtaining easily memorable web pages per holiday event is indicative of a specialist, determined effort - as well as the continued attraction of co-ordinating spam with holiday periods. In effect this type of spam indicates a widening of the spam activity on Kik, which up to now has normally been of the adult type, and which is still on-going. It's also highly probable that this brand spam trend will continue for the foreseeable future, meaning that Kik users are likely to continue to be targeted by this picture spammer.

In the meantime, and as always, when receiving an unsolicited message do not respond, click on, or go to any link if you are uncertain of its source, and have a Happy (and safe) New Year!

AdaptiveMobile Shares Vision for “Securing Mobile” at Mobile World Congress 2016


AdaptiveMobile will be sharing its vision for “Securing Mobile” at Mobile World Congress 2016 in Barcelona, 22-25 February.  As society moves to a hyper-connected future, network infrastructure evolution is accelerating, with the additional demand for application driven services creating a diverse market and an appetite for more storage. Without a clear understanding of the threats facing networks and the right active, comprehensive security controls in place, spammers, scammers, hackers and intelligence agencies will continue to exploit network vulnerabilities – with increasingly serious consequences. Given the current mobile threat landscape, security can no longer be the afterthought, but a critical strategic investment – one that is enabling the multi-billion dollar ecosystem of products and services reliant on the integrity and security of the networks and devices to do business.  Our team of security experts will be at the AdaptiveMobile Meeting Suite, Hall 2 Stand 2B28MR, where we will be showcasing the very latest additions to our portfolio, including SS7 Protection, which is shortlisted for ‘Best Mobile Security or Anti-Fraud Solution’ at the prestigious Global Mobile Awards 2016. 

Securing network, revenues and subscribers

The first comprehensive security overlay for mobile operator signalling infrastructure, AdaptiveMobile SS7 Protection secures mobile operator core networks against privacy and fraud attacks that exploit loopholes in the SS7 signalling protocol, blocking known and emerging threats to restore confidence in the network for consumers and regulators alike.  We will also be showcasing our newly launched Messaging App Security, which enables messaging applications to secure their user base from increasing volume and sophistication of threats.  And, our executive team will be able to share new insight on RCS gained through partnerships with three tier one operators to secure RCS traffic in North America. 

Live demos as well as animated visualisations will show our security innovations in motion, focusing on SMS threats, Grey Routes, Parental Controls and SS7 attacks, addressing the major security questions of the day, including:

  • Given the increasing sophistication of the messaging threat landscape, how can mobile operators protect their subscribers at the network level? 
  • Is IoT secure, or will we see a new wave of security threats that challenge consumer uptake and confidence in connected devices in the smart home?  Where does responsibility lie for IoT security?
  • As RCS ‘takes off’, how can carriers proactively secure services and protect users? 
  • How can mobile messaging applications protect themselves from security threats such as phishing spam and reassure their users that new revenue-generating services such as in-app purchasing are safe and secure? 
  • What can operators do to recapture in excess of $3.5 million US dollars per month in missed revenue opportunities? 
  • And most fundamentally of all, is the core of the mobile network itself compromised?

Building New Security Architecture: GSMA Panel

On Thursday 25 February in Hall 4 AdaptiveMobile’s CTO Ciaran Bradley will be adding industry-leading insight to the cyber security debate speaking as part of the session ‘Building new security architecture for a hyper connected future’.  Ciaran will outline the latest developments in mobile security and contribute analysis on the implications of a connected future.  The panel will take place on Thursday 25 February as part of the New Security & Encryption Paradigms session beginning at 2.15pm.

Securing Mobile

AdaptiveMobile is now Ireland’s second largest telecoms software company, protecting one fifth of the world’s mobile subscribers – over 1.4 billion subscribers worldwide.  The Company’s industry-leading Threat Intelligence Unit continues to identify, mitigate and protect against the latest mobile security threats. From global SS7 attacks to new grey routes exploitation; from Android malware Selfmite and Gazon to Apple’s iPhone message crash; AdaptiveMobile provides industry-leading analysis and defence to protect operators and their enterprise and consumer subscribers.  As the only mobile security company offering products designed to protect all services on both fixed and mobile networks, we uniquely enable the industry to remain one step ahead of abuse and exploitation and protect against individuals and organisations that pose a threat to either personal or national security.

To request a meeting with AdaptiveMobile executives at MWC 2016, send an email to sales@adaptivemobile.com or fill in the online form here: http://www.adaptivemobile.com/mwc2016

Mobile World Congress 2016 takes place 22-25 February at Fira Gran Via and Fira Montjuïc, Barcelona, Spain.  We look forward to seeing you there!

Tracking the Trackers: The most advanced rogue systems exploiting the SS7 Network today


We’re releasing more information this week from our research into SS7 attacks that we have detected live in mobile operator networks over the last year. As covered before, these are misuses of the SS7 network for various aims, including tracking, information gathering, communications interception, fraud and so on. Our previous research has shown that this activity is impacting every region of the world. In this blog I’m going to give some information on what are some of the most complex - and potentially the most interesting - types of SS7 attacker, those we define as advanced location tracking platforms. Their functions and operation have never been publicly made known before, and are of a generation beyond those which were raised when the security of SS7 networks was first publicly discussed.

This information is from our work with mobile operators around the world who are concerned about their subscribers’ privacy and the security of their network. From our analysis, SS7 location attack techniques range from large numbers of relatively simple attacks, which can be blocked relatively easily, to much smaller numbers of quite complex attacks which are much more difficult to block. It is the sources of these complex, hard-to-stop attacks that are of most interest today, because they indicate a high degree of technical proficiency and - as we will show - must have had sizable investment in them to bring them to the level they are at today. The best way to show this sophistication level is to give examples of 4 of the most active and sophisticated tracking platforms we have encountered to date. Their names below are designations that AdaptiveMobile uses internally, but each is an entity that is tracking people around the world today.


Examples of Advanced SS7 Tracking Platforms

SS7-Surveillance//WODEN

This system’s main technique is a combination of first sending an SS7 packet called SRI (Send Routing Information) to the tracked subscriber’s mobile network to get information on a subscriber, and then using a follow-up command called PSI (Provide Subscriber Information) to retrieve the Cell-ID (location) of the subscriber. This method of ‘staggering’ commands, to gain enough information to allow location tracking, matches research which has been previously presented on techniques in this area; however, in real life the attacks are more complex, as some information harvesting fails, and multiple queries are on-going at once. As well as that, we see evidence that the platform itself scans the target networks constantly using SRI-SM (Send Routing Information for SM), looking to improve its information on their network. The following is a time series diagram that shows this activity over several hours, with the different colours representing different subscribers being tracked:


Its complexity and interest to us lie both in the packet combination it uses and in the fact that its origin points are registered to all of the major mobile operators in a Western European country. To explain, that means that the tracking platform is registered with SS7 SCCP layer Global Titles (the rough equivalent of IP addresses in SS7 networks) that are assigned to the different operators in that country. However this does not mean that the operators themselves are directly responsible for the platforms. The platform does exist in this country, but the addresses assigned to it may not be under the control of the operators in question. As for its activity, this platform tracks subscribers from other countries around the world, but seems particularly active sending requests to the Middle-East.


SS7-Surveillance//ASMAN

This system is one of two distributed global decentralised systems that we will discuss. What that means is that like WODEN, ASMAN has multiple source addresses from which it launches tracking attacks. Where it differs is that these are not source SS7 addresses in the same country, but source SS7 addresses in multiple countries - all working in unison to track mobile phone subscribers. This indicates access to a specialist, decentralised global network. Its 'primary' address from which it launches tracking is based in the Middle-East, but it has backup platforms in Africa, Europe & Asia.

The system itself is quite similar to the others, using PSI packets to track subscribers, along with other SS7 operations to scan and generate the information needed beforehand. One hallmark of this system is that victims can be tracked via a variety of means. From the network behaviour we have observed, they can be set up to be tracked once a day, with a very regular time period, or else tracked more intensively, either by involving another set of periodic daily requests from a different address, or by a dedicated sequence of lookups.

Above you can see a variety of subscribers being tracked over many days in 2015 and 2016. It is clearly evident that attempts are made to track some subscribers every day, while others only receive occasional attention.


SS7-Surveillance//MANNAN

This platform - MANNAN - is a global system, like ASMAN, with multiple origin points to choose from. Its scale however is much bigger - it has access to the SS7 network from sites in nearly every continent in the world. It is also remarkable for its co-ordination: in less than one 3-minute period we tracked a co-ordinated tracking attack using PSI packets from multiple countries, attempting to locate mobile subscribers.

This co-ordination marks MANNAN out as being incredibly complex, as the means to setup, maintain and control multiple SS7 network elements to act simultaneously in different parts of the world requires significant investment and constant work. Its ‘host’ telecom network operators tend to be based in smaller countries where access may be easier to obtain, and the wide world-wide spread ensures that any subscriber of interest in a target country can be queried from multiple points, until one of them succeeds. So far this is the biggest and most complex location tracking system we have detected, but not the most active, being only infrequently called upon.

In this time series graph of one subscriber, we can see a period of interest in which attempts are made to track the subscriber from a source in Western Europe, before a 'cascading' sequence of attacks comes from multiple continents.


SS7-Surveillance//HURACAN

The final platform covered, this system, based in a country in the Americas, is notable for its wide range of attacks and sheer volume of attacks while active. Not only does it execute sophisticated location tracking via PSI and PSL (Provide Subscriber Location) commands, it also does a variety of other types of attacks including interception of subscriber communications via packets called ISD (Insert Subscriber Data), a type of attack theorized but not widely detected in real life until now.

This command instructs the network serving the subscriber in question to make a ‘call out’ to a specific network element when communication starts from the subscriber, which allows communications interception to happen. Interestingly the order of attacks from this platform varies: in the below example we first detected an ISD interception request being attempted, before multiple PSIs were sent in order to retrieve the Cell-ID, and before a PSL command to get a more precise location again (GPS co-ordinates can be returned by this method). We have observed the HURACAN platform sending attacks in large bursts to multiple target operators around the world, especially in the Americas and in the Middle-East.

The above shows the HURACAN platform, over a number of days, attempt to both track and intercept communications from a subscriber. This subscriber was just one of several dozen that this platform was trying to track in the target country over this time period.
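Detection rules for three of the behaviours described above, for WODEN (an SRI followed by a PSI on the same subscriber), ASMAN (a PSI on the same subscriber once a day) and HURACAN (an ISD arriving from outside the home network), added here as an example and not AdaptiveMobile's code, run over a constructed MAP signalling log. The log format, the home-network Global Title prefix, the time windows and every GT, timestamp and subscriber id are assumptions made for the example.

```python
"""Three rules a network operator could run over inbound MAP signalling to
surface the tracking platforms described above. Each log record is
(timestamp, opcode, source_gt, target), where target identifies the
subscriber being queried. All values are constructed for this example."""

from collections import defaultdict
from datetime import datetime, timedelta

HOME_GT_PREFIX = "3531"   # assumption: the home network's own GTs start with this

# Constructed log: one SRI->PSI chain, one once-a-day PSI series, one ISD
# from a foreign GT and one ISD from the home network (legitimate).
LOG = [
    ("2016-01-04 08:00:00", "SRI",    "4479000001", "IMSI-A"),
    ("2016-01-04 08:00:03", "PSI",    "4479000001", "IMSI-A"),
    ("2016-01-04 08:00:05", "SRI-SM", "4479000001", "IMSI-B"),
    ("2016-01-04 23:30:00", "PSI",    "9715550001", "IMSI-C"),
    ("2016-01-05 23:30:04", "PSI",    "9715550001", "IMSI-C"),
    ("2016-01-06 23:29:58", "PSI",    "9715550001", "IMSI-C"),
    ("2016-01-06 10:10:00", "ISD",    "5215550007", "IMSI-D"),
    ("2016-01-06 10:10:20", "PSI",    "5215550007", "IMSI-D"),
    ("2016-01-06 10:11:00", "PSL",    "5215550007", "IMSI-D"),
    ("2016-01-06 11:00:00", "ISD",    "3531000010", "IMSI-E"),  # home HLR, expected
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def chained_lookups(log, window=timedelta(minutes=5)):
    """(source_gt, target) pairs where an SRI was followed by a PSI on the same
    subscriber from the same GT within the window: the 'staggered' WODEN pattern."""
    hits = set()
    last_sri = {}
    for ts, op, gt, target in sorted(log):   # ISO timestamps sort chronologically
        if op == "SRI":
            last_sri[(gt, target)] = _t(ts)
        elif op == "PSI" and (gt, target) in last_sri:
            if _t(ts) - last_sri[(gt, target)] <= window:
                hits.add((gt, target))
    return hits


def periodic_tracking(log, min_days=3, jitter=timedelta(minutes=5)):
    """(source_gt, target) pairs whose PSIs arrive roughly 24h apart on at least
    min_days consecutive days: the regular once-a-day ASMAN schedule."""
    by_pair = defaultdict(list)
    for ts, op, gt, target in log:
        if op == "PSI":
            by_pair[(gt, target)].append(_t(ts))
    hits = set()
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_days:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - timedelta(days=1)) <= jitter for g in gaps):
            hits.add(pair)
    return hits


def foreign_isd(log, home_prefix=HOME_GT_PREFIX):
    """(source_gt, target) pairs where an ISD came from a GT outside the home
    network. ISD normally originates from the home HLR, so an external source
    is the interception attempt described for HURACAN."""
    return {(gt, target) for _, op, gt, target in log
            if op == "ISD" and not gt.startswith(home_prefix)}


if __name__ == "__main__":
    print("SRI->PSI chains:     ", chained_lookups(LOG))
    print("once-a-day tracking: ", periodic_tracking(LOG))
    print("ISD from foreign GT: ", foreign_isd(LOG))
```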


Analysis / Quo Vadis

From our analysis, it is clear that this industry has been active for many years. Many of these systems’ behaviours and interactions with the SS7 network are not straightforward and indicate first-hand experience of accessing their target operators over a long period. There are also signs that the platforms are continuing to evolve, to avoid being detected or to improve their efficiency. It is also highly probable that the public research in this area has forced the platform suppliers to try new methods to avoid any attempts to put in place basic protections.

One thing to realise is that these platforms are not tracking the ‘average’ mobile phone user. Instead their function seems to be to perform surveillance on specific, presumably high-profile or high-interest mobile phone users around the world. From our experience the country where you live is also a factor: if you live in a country or in a region that is experiencing geopolitical instability then there are higher frequencies of external surveillance via SS7 means. However countries in more ‘stable’ regions also show incidents of tracking.

Another thing to realise is that while these tracking platforms may be assigned SS7 addresses within the number range assigned to mobile operators in a country, it cannot be said that these mobile operators are directly involved. In many cases mobile operators may simply be the unwilling host for these systems on their network, or may not even be aware that these systems are using addresses assigned to them. This was the information stated in the Russian/Ukraine SS7 incidents from 2014, where multiple people in Ukraine were tracked from Russia via SS7 surveillance techniques. During this incident MTS Russia reported that the address was not under their control, despite it being nominally assigned to them. While it may not be the case for all types of SS7 attacks, the source operators from which these location attacks are launched may be just as much a victim as the target operators whose subscribers receive these location attacks.

Finally, there is the question of the tracking platforms’ ultimate origins and users. On this point we simply have to make some assumptions. While criminal uses via hacked SS7 systems are possible, the scale and focused nature of the system would argue against this. This leads us to the conclusion that the systems have been built and installed deliberately in order to track people around the world, and therefore serve the same espionage functions as the systems used in the Russian/Ukraine SS7 incidents from 2014. We have no direct evidence to prove this, but the scale, complexity, tactics, resemblance to known systems of this nature, and the sources and destinations all indicate a global, focused surveillance effort that has been on-going for some time. And these examples are just some of the most complex; there are several dozen other tracking platforms of varying sophistication that we have encountered, and many more may be active.

What is more certain though, is that it is possible to defend SS7 networks. With our customers and our industry partners in the GSMA we have been leading efforts in this area to define the threats and standardize defences against these types of attacks. These efforts will only continue and strengthen as more information about these attackers and their techniques are discovered and shared.

SS7 Security: Putting the pieces together


There was an interesting segment on the CBS TV program 60 Minutes last night*. In this segment, the program covered what is possible through the misuse of the SS7 network protocol. What was demonstrated included tracking and interception of a phone that was lent to US Congressman Ted Lieu, as well as a discussion of what else was possible by attacking the SS7 network.

One discussion of interest was the use of these techniques by intelligence agencies, as it was stated in the program that:


The ability to intercept cellphone calls through the SS7 network is an open secret among the world's intelligence agencies -- including ours -- and they don't necessarily want that hole plugged


This is a topical comment, and there are several sources of evidence pointing to the fact that intelligence agencies may be using SS7 techniques to track and monitor people:

  • One is that interception/tracking has already been detected and reported by government state agencies, namely the Ukrainian secret service (SBU), as part of their investigation into suspicious, Russian-originated activity on their phone networks. This was in response to recent, political-themed call interceptions that had occurred on Ukrainian mobile networks. As an outcome of this, new legislation was submitted that one media source stated will allow Ukrainian security services to legally listen in turn to subscribers of foreign mobile operators.
  • A second is based on the activity that we have seen ourselves in our work with mobile operators worldwide in building defences to secure their networks. During the course of this, we uncovered several very sophisticated, global networks engaged in the attempted tracking and interception of individuals in sensitive positions. As we have argued, the scale/sophistication and the objectives behind these lend themselves to believing that much of this serves an espionage/spying function.
  • A third is the fact that we have some background material that has been released in various leaks, showing that some intelligence agencies have been collecting information to support attacks. One key piece of information is that in late 2014, as part of the Snowden revelations, there was the disclosure of a project called Auroragold within the NSA.

The main purpose of Auroragold is the collection of information on mobile operators. This is achieved through the interception and collection of what are called IR.21s, which are basically documents that mobile operators exchange with each other so that their subscribers can interact and roam between networks, and so that networks can correctly bill each other.

The various leaked documents show that Auroragold focused on obtaining these documents in a variety of ways, and then making that information available internally. It was stated that the Auroragold project gets this information in order to understand the current state of the networks and to predict trends for the future. However, they also state that this information is of benefit to other SIGDEV (Signals Development) agencies within the NSA, protocol exploitation elements and partners.

Of interest to us, and why we focus on this, is that these IR.21s contain information on the configuration of SS7 networks within each operator, in order for other operators to bill and communicate successfully with it. Therefore collecting this information would be of use for any element seeking to exploit the SS7 protocol. It’s only a part of the story, and much more than an IR.21 is needed to execute a successful attack, but having this information helps give a better picture of any network that an agency would want to attack, i.e. what mobile network elements are available, what types of subscriber and network numbers they use, and so on. As we have seen from our own experience, attackers already 'scan' target operators for new network elements, and having the information contained in IR.21s helps them focus these attacks somewhat. When it comes to espionage every piece of information helps in executing successful attacks, and the authors of the slides clearly understood that exploitation elements would want to use their information. It stands to reason that this information would be used by SS7 exploitation systems if available.


The Norwegian Connection

Another comment from the 60 Minutes segment was that the average person is unlikely to be affected by these exploits or hacks. That is correct at a broad level: in our investigations it is not the ‘normal’ person that is being specifically targeted and hacked. But this does not mean they cannot be affected. This was demonstrated in a round-about but spectacular fashion in the largest mobile network in Norway roughly 2 months ago.

On the morning of the 19th of February, over 1 million mobile subscribers of the Telenor Norway network found themselves with no cellular coverage for a period of 3 and a half hours, due to Telenor being the victim of an unexpected external SS7 'event'. As Telenor explained to the Norwegian regulator (Nkom) and to the public in a release on the 15th of April, they had received packets over the SS7 network from external sources that had caused a key part of their network – their HLR (Home Location Register) network element – to enter an ‘infinite loop’ due to the receipt of an unexpected packet format. The HLR is really the core database of the mobile network, and it being stuck in this infinite loop meant that activity ceased on the entire network for the over 1 million mobile subscribers it was responsible for.

According to the report that Telenor issued, the source of these SS7 packets was an operator in Luxembourg, who had been executing SS7 vulnerability analysis (determining if there was leakage of subscriber information) of other telecom operators in conjunction with a security consultancy. Whatever about the questionable nature of doing this analysis against other telecom operators and their critical infrastructure in the first place without their consent, it certainly did not have the result that was expected. It was made clear in the subsequent statements that the technical fault on the Telenor side was due to the Ericsson-supplied HLR, which did not deal with the received packets correctly. Whatever the reasoning, or whatever was at fault, what this did show vividly is the wide-scale collateral damage that resulted from an unintentional SS7 event, and thus what could happen in the event of a deliberate and malicious attack on a network. As mentioned in the 60 Minutes program, all phones, regardless of type, rely on a functioning SS7 network, and if this is successfully attacked, critical elements of a nation’s infrastructure are at risk. In this case, based on Telenor's total subscriber counts, about one third of an entire network's users did not have a phone service for many hours. Many of the SS7 attack examples we have shown are stealthy location tracking or call interception attempts on potential high-profile targets, but denial-of-service attacks are also possible in theory, and, as we have seen (inadvertently), in practice.

Finally, one thing that was not covered in the 60 Minutes program is the effort that the mobile community is making to address these flaws. People should be aware that there is an on-going activity within the mobile community to address these types of threats, and it is an effort that AdaptiveMobile has been leading since the beginning. It requires expertise and care, not only to deal with sophisticated adversaries that exploit these networks, but also to ensure that no ill effects come upon networks in determining and implementing security. With so many people dependent on their mobile phone to communicate and work, building security into the mobile network becomes more important every day.


*Disclaimer: AdaptiveMobile provided reference information to the producers of 60 Minutes/CBS for the purposes of explaining security in SS7 networks
