Threats and risks to mobile phones in Japan Symantec Security Response Kaoru Hayashi Agenda

• Market and Technologies

• Current Threats

• Future Threats

• Success Factors

• Appendix

Symantec Confidential 2 Market

Carrier Subscribers Browser Phone Subscribers Mobile Phone NTT DoCoMo 49,779,300 45,003,400 au 20,538,600 19,157,700 Vodafone 14,988,200 12,786,400 TuKa 3,526,200

PHS WillCom 3,366,900 NTT DoCoMo 1,040,800 ASTEL 74,900

Total 93,314,900 76,947,500 73% 60% Total Population in Japan:127,620,000

Symantec Confidential 3 I’m going to speak about….

• FOMA ƒ NTT DoCoMo’s mobile phones ƒ 15,878,300 subscribers

• Except for M1000 model ƒ This is quite different from other FOMA phones ƒ Picking this up later

Symantec Confidential 4 Gathering Information

• NTT DoCoMo does not release details of information about their technologies, including Hardware, Operating System, API….

• But several companies release information. For example…. ƒ NTT DoCoMo has never publicly announced the use of OMAP processor ƒ Texas Instruments press release: “TI 3G Technology Included in All New Models of NTT DoCoMo's FOMA(R) 901i and 700i Series of 3G Mobile Phones”

Symantec Confidential 5 Relation

Road Map Panasonic Basic Specification NEC OS, Middleware… MITSUBISHI SHARP Carrier OEM Fujitsu and more…

Se ll Vendors / Su pp ort

Users Symantec Confidential 6 Technologies

• Hardware

• Operating System

• Software

• Services and Networks

Symantec Confidential 7 Technologies - Hardware

• 2 CPUs – Communication and Application ƒ OMAP (based on ARM) for application

• Felica – contactless IC Card ƒ Mainly used for Electronic Cash

Symantec Confidential 8 Technologies - Operating System

ƒ Based on Symbian version 6.1 ƒ UI is original

• Linux ƒ Based on Montavista Linux ƒ Part of source codes are released with GPL

• BREW ƒ Will be released soon

Symantec Confidential 9 Technologies - Operating System

F901iC based on Symbian P901i based on Linux

Symantec Confidential 10 Technologies - Software

• Native application ƒ Run on Operating System directly ƒ Mail, Browser, Media Player and other ƒ No information published ƒ Needs to have special contract with NTT DoCoMo

• Java application (i-appli) ƒ Run on KVM (K Virtual Machine) ƒ DoJa library based on Java 2 Micro Edition ƒ All APIs are published ƒ Anyone can write and distribute ƒ Strong restriction

• Trusted i-appli (i-appli DX) ƒ More flexibility ƒ Not all Information published ƒ Needs to have contract with NTT DoCoMo

Symantec Confidential 11 Technologies - Services and Networks

• Data communication service “i-mode”

i - mode Cent er

i- mode Net work Int ernet

Gat eway

Cont ent s Provider

Symantec Confidential 12 Current Threats

• Does SymbOS/Cabir infect FOMA phones?

• Does Java-based malware run?

• Possibilities of i-appli malware

• Current Security Risk

• SPAM and Phishing

Symantec Confidential 13 Current Threats – Does SymbOS/Cabir infect FOMA phones?

• No series 60 ƒ UI is original

• Less support ƒ Only one model, F900iT implements Bluetooth ƒ Dial-up Networking Profile (DNP), Headset Profile (HS) and Hands- Free Profile (HFR) ƒ No File Transfer Profile (FTP) and Object Push Profile (OPP)

Symantec Confidential 14 Current Threats – Does SymbOS/Cabir infect FOMA phones?

• Unable to install/execute native software ƒ Only data files, such as address, sound, movie, and picture files are supported ƒ No File Manager or shell to execute

1. Download by Browser 6. Download by i-appli

2. Email Attachment

5. USB connection

3. Mini SDCard 4. IrDA

Symantec Confidential 15 Current Threats – Does Java-based malware run?

• JAVA/StrangeBrew, JAVA/NoCheat and all other threats do not run

• They target Windows Java platform

• J2ME and DoJa does not fully support all Java APIs

• i-appli needs to inherit IApplication or MApplication CLASS

Symantec Confidential 16 Current Threats - Possibilities of i-appli malware

• No malware reported since 2001

• Because of strong restrictions

Symantec Confidential 17 Current Threats - Possibilities of i-appli malware

• File I/O - ScratchPad

i- appli 1 i- appli 2

Scrat chPad Scr at chPad for i - appli 1 for i - appli 2

J ava Applicat ion Manager (J AM)

Symantec Confidential 18 Current Threats - Possibilities of i-appli malware

• Network connections ƒ Only HTTP and HTTPS ƒ No FTP, POP,SMTP and other protocols ƒ Only access web site where the i-appli is downloaded from

www.symantec.com X

www.virusbtn.com

Symantec Confidential 19 Current Threats - Possibilities of i-appli malware

• Unable access to native data ƒ Address book ƒ Bookmark ƒ Mail box

Symantec Confidential 20 Current Threats - Possibilities of Trusted i-appli malware

• Trusted i-appli (i-appli DX) ƒ Refer to the address book ƒ Send / Receive Email ƒ Access any web sites ƒ Access data on IC card ƒ Needs to be official content provider and obtain 11 digit signature

Symantec Confidential 21 Current Threats - Possibilities of Trusted i-appli malware

• XObject ƒ Sensitive data (name, email address, phone number) ƒ None of APIs can export the object

• Sending Email ƒ MailAgent class is provided ƒ Permission required for every mail sent

Symantec Confidential 22 Current Threats – Current Security Risk

• Browser with Proxy ƒ Default browser only supports cHTML and XHTML ƒ Third party vendors release “HTML fully support browser” www.symantec.com ƒ No information about logging X www.online.bank.zzz

Web / Proxy server 2005-10-7 2:25:33 192.168.0.10 www.symantec.com/index.htm 2005-10-7 2:26:43 192.168.0.10 www.online.bank.zzz/account.asp

Symantec Confidential 23 Current Threats – SPAM and Phishing

• Spam ƒ 900 millions email every day From: [email protected] ƒ 95% of email blocked To: [email protected] ƒ One click frauds Subject: See my picture! • Few thousands of victims • 660 million Yen damage Cute Girl … Click here (4.7 million EURO) http://xxx.xxx.xxx/xxx?id=a87sbdsak90sdo1hj

Dear [email protected],

Thank you for registration. [email protected] a87sbdsak90sdo1hj You are charged with 5000 yen. [email protected] dadoi8adf12msdf3d Please pay the fee for following account. [email protected] 7faoi9d74098dfandi [email protected] 0aoidufaod812s90f9 : : Symantec Confidential 24 Current Threats – SPAM and Phishing

• Phishing ƒ Display screen is small ƒ No URL bar in the browser window ƒ No one knows where visiting

Symantec Confidential 25 Future Threats

• Attack against native software

• Risks of electric cash

• Attack against i-mode network

• Wireless LAN spoofing

Symantec Confidential 26 Future Threats

• Attack against native software ƒ Size of software increased 15 times in the five years from 1999 ƒ Error occurring in the software is also increased ƒ Denial of service attacks or execution of arbitrary code

• Sony PSP Photo Viewer TIFF File Handling Buffer Overflow ƒ Discovered at Sep 26 2005

Symantec Confidential 27 Future Threats

• Risks of electric cash ƒ All high-end models implement contactless IC Card, Felica ƒ Trusted i-appli gets cash from server ƒ Cash is encrypted on Felica ƒ Closing mobile phone on Reader for using cash

Elect ronic Cash Server

1. Request for Elect ronic Cash

2. Download Elect ronic Cash

3. St or e Elect r onic Cash Cont act - less IC Card Reader

Symantec Confidential 28 Future Threats

• Attack against i-mode network ƒ Network is built solidly ƒ But information was leaking from one of employee’s machine ƒ 800 addresses and keys of NTT DoCoMo mobile phone access points ƒ By a variant of W32/Antinny

Symantec Confidential 29 Future Threats

• Wireless LAN sniffing ƒ N900iL model implements Wi-Fi ƒ For Voice over IP (VoIP) and Internet connection ƒ Sniffing conversation and data is likely to increase

Symantec Confidential 30 Success Factors

• Proprietary system with open technologies

• Publish minimum information

• Fully control all architecture

• Security is priority over flexibility

Security Risks are Business Risk

Symantec Confidential 31 Appendix

• FOMA M1000 ƒ First from NTT DoCoMo ƒ Shipped in August ’05 ƒ Based on Motorola A1000 ƒ Symbian OS version 7.0 with UIQ ƒ Opera Browser ƒ Bluetooth support ƒ SDK is provided ƒ No connection with i-mode ƒ No i-appli environment ƒ Under researching

Symantec Confidential 32 Appendix

• Trusted Mobile Platform ƒ Developed by NTT DoCoMo, Intel and IBM ƒ Hardware, Software and Protocol ƒ No phones based on the specification yet ƒ http://www.trusted-mobile.org

• Trusted Computer Group ƒ Plan to release “hardware-based security standards for mobile phone” ƒ https://www.trustedcomputinggroup.org/groups/mobile

Symantec Confidential 33 Questions?

• Contacts ƒ Email: [email protected]

Symantec Confidential 34 Thank you!