1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1213 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2017) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Cybersecurity Security capability requirements for countering smartphone-
2、based botnets Recommendation ITU-T X.1213 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI
3、NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometri
4、cs X.1080X.1099 SECURE APPLICATIONS AND SERVICES (1) Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols (1) X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.118
5、0X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES (2) Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1319 Smart grid security X.1330X.1339 Certified mail X.1340X.1349
6、 Internet of things (IoT) security X.1360X.1369 Intelligent transportation system (ITS) security X.1370X.1389 Distributed legder technology security X.1400X.1429 Security protocols (2) X.1450X.1459 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange
7、 X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud com
8、puting security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1213 (09/2017)
9、 i Recommendation ITU-T X.1213 Security capability requirements for countering smartphone-based botnets Summary Recommendation ITU-T X.1213 analyses the background and potential security threats of smartphone-based botnets, and provides security capability requirements. Along with the rapid developm
10、ent of mobile Internet devices and the widespread use of smartphones, surveys from worldwide organizations show that botnets, formerly targeting mostly personal computer (PC)-based networks, are now being replicated very quickly on smartphones. Currently, countries and regions with differing conditi
11、ons and ecosystems have varying levels of constraints on the propagation of smartphone-based botnets. Analytical reports from various security companies and investigative organizations show noticeably different statistical data on the severity of the propagation of smartphone-based botnets. The pote
12、ntial threat of smartphone-based botnets is increasing very quickly in some regions and could possibly spread worldwide and turn from a regional issue into a serious global issue. Compared with PCs and servers, smartphones have less processing power, storage space and battery life. However, the adve
13、rsarial influence of smartphone-based botnets could have greater repercussions on users for the following reasons: 1) smartphones often store very important personally identifiable information (PII) and 2) if attacks on smartphones or on the operators infrastructure occur, user experience may degrad
14、e significantly due to the prevalence of, and user dependence on, smartphones. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.1213 2017-09-06 17 11.1002/1000/13261 Keywords Botnet, command and control (C b) from which identification or contact information of an individual
15、 person can be derived; or c) that is or can be linked to a natural person directly or indirectly. 3.2 Terms defined in this Recommendation None. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: 2G Second Generation of mobile telecommunication 2FA Two F
16、actor Authentication 3G Third Generation of mobile telecommunication 4G Fourth Generation of mobile telecommunication API Application Programming Interface C an ability to continuously expand the functions and capabilities of the phone via the installation of third-party applications; wireless netwo
17、rk access capability including the capability to access mobile Internet through a mobile operators communication network. In recent years, the population of smartphone users has continued to rapidly grow. While providing convenience to peoples lives, security threats to smartphones are also increasi
18、ng. Rec. ITU-T X.1213 (09/2017) 3 6.1 Overview of security considerations Considering the rapidly growing population of smartphone users, smartphone-based botnets must be effectively suppressed and controlled to prevent them from becoming a significant factor that influences societal stability and t
19、hreatens public security. For mobile operators, large-scale botnets could severely impair the effective utilization of the operators network and lower the quality of service (QoS) provided to users, thus leading to user dissatisfaction and loss of subscribers. For users, whose smartphones are hacked
20、 and controlled via botnets, their potential loss can be significant as much of their most important personally identifiable information (PII), such as contact lists and online payment information, is often stored on their smartphones. Therefore, the work of countering smartphone-based botnets is bo
21、th forward-looking and practical. Operators should increase their security awareness in this field to: suppress the rapid growth of botnets, decrease the loss of subscribers, and reduce user complaints, etc. 6.2 The evolution of botnet threats on smartphones The emergence of smartphone viruses can b
22、e traced back to 2004 when Cabir, the first smartphone-based worm, was discovered. In 2009, the malware iKee.B began to possess botnet characteristics and could take control of infected iPhones and send back a users PII to the bot master. In 2011, a representative mobile botnet, Android.Geinimi, was
23、 found. It could conceal communication methods, had abundant attack modules and was considered highly harmful. The widespread use of smartphones has been accompanied by extraordinary growth in smartphone-based malware, which mostly use certain smartphone functions as a propagation medium. After bein
24、g downloaded and installed on a smartphone, malware will frequently and secretly, display advertisements, induce extra smartphone traffic, and deduct fees, etc., causing losses to smartphone users. Moreover, smartphone users may also encounter issues such as: being directed to phishing websites, hav
25、ing their smartphone infected by viruses or Trojans, disclosing or stealing their contact lists and/or address books, or stealing accounts and passwords. Of these crimes, disclosure of PII, personal accounts and passwords happens most frequently. In recent years, smartphone malware has grown exponen
26、tially. Malware is the main cause of botnet virus propagation as an increasingly larger proportion of malware uses remote-controlled backdoor methods or functions, which are a distinctive feature of smartphone-based bots. The primary purpose of botmasters is to reap profits from PII theft and malici
27、ous fee deductions. Currently, the most common malware includes: PII theft, malicious fee deduction, rogue behaviour, performance deterioration and malicious propagation. 6.3 Protection for smartphones Harassing calls, short message service (SMS) spam, and other security events resulting from web br
28、owsing, file downloading, mobile payment, etc., are the main security issues facing smartphone users. These threats are mainly mitigated by security software installed on smartphones. The two main functions of smartphone security software are phone management and security protection. The phone manag
29、ement function includes memory clean-up, standby time extension, automatic-booting program management, SMS management, phone number management, etc. The purpose of the phone management function is to make the smartphone run more smoothly and to improve device usage efficiency. The security protectio
30、n function mainly includes data traffic monitoring, blocking harassing calls, regular scanning, regular deletion of viruses, etc. The purpose of the security protection function is to protect smartphones from security threats. The installation of security software could help protect smartphones from
31、 certain botnets and malware at the user terminal side, but as the skills of smartphone attackers improve and their attacking approaches diversify, smartphones will continue to face increasing security threats. Along with 4 Rec. ITU-T X.1213 (09/2017) boosting security protection at the terminal sid
32、e, operators also need to provide more security protection at the network side. The coordination and cooperation of both sides will greatly enhance the capability of smartphones to withstand attacks from botnets. 7 Characteristics of smartphone-based botnets The characteristics of smartphones and mo
33、bile networks are being exploited by smartphone-based botnets that use the Internet to spread malware on a large scale. By analyzing the characteristics of smartphones and mobile networks, as well as the purpose of botmaster attacks, the characteristics of smartphone-based botnets could be summarize
34、d and potential security threats can be recognized. 7.1 Personally identifiable information on bots Smartphone-based botnets are comprised of a large number of smartphone-based bots. Unlike traditional personal computers (PCs), much PII and privacy information is centrally stored on smartphones, mak
35、ing smartphone-based botnets a greater threat to smartphone users who could suffer a great amount of data loss. The functions integrated by smartphones include: personal information management, schedule and agenda, diary, task arrangements, multimedia applications, webpage browsing, etc. The abundan
36、ce of personal information stored in smartphone applications make smartphones a primary target of attackers. Moreover, a smartphones global positioning system (GPS) enables the acquisition of user location information which is another type of PII. Once this information is acquired by attackers, a us
37、ers PII could be disclosed. 7.2 Various means of propagation First, smartphone-based botnets could maliciously spread through infected applications which users typically find and download from app stores or mobile phone forums that do not require secure authentication. Second, smartphone-based botne
38、ts could spread through Bluetooth, wireless fidelity (WiFi), universal serial bus (USB) and other peripheral interfaces of smartphones. Third, smartphone-based botnets could spread through hypertext transfer protocol (HTTP), SMS, multimedia messaging service (MMS), quick response code (QRcode), etc.
39、 Various propagation media make smartphone-based botnets relatively easy to spread, which correspondingly places higher demands on security protections. 7.3 Openness Open mobile operating systems provide smartphones with a great number of application program choices, but at the same time these progr
40、ams also expose smartphones to more potential threats and hackers. The openness allows hackers to embed viruses or Trojans into extended applications, facilitating easier propagation of smartphone-based botnets. Smartphones have multiple types of peripheral interfaces including: Bluetooth, near fiel
41、d communication (NFC) and USB. Any of these peripheral interface connections could be utilized by attackers. Moreover, smartphones generally support second, third, or fourth generation (2G, 3G or 4G) of mobile network access as well as WiFi access, through which users can access the Internet. These
42、functions have unique application and commercial value, but also provide many attacking channels to attackers. 7.4 Targeted infection Smartphone-based botnets usually aim at certain types of targets, infecting them through direct copying or by tricking users into downloading malware or Trojans. Atta
43、ckers can also target Rec. ITU-T X.1213 (09/2017) 5 smartphones that run the same operating systems for infection. This method greatly increases the efficiency of the attack while at the same time decreasing the cost of the attack. 7.5 Concealment Smartphone-based botnets are becoming more complex.
44、Some botnets are capable of concealing their attacking behaviours by deleting all traces of installation after successfully infecting a smartphone. Some botnets can erase their network connection and outbox traces after they send the users PII via Internet access. Others can even order customized se
45、rvices from specific service providers and automatically block verification messages from mobile operators. Some smartphone Trojans and malware, which steal PII or cause malicious fee deductions, do not launch their attacks immediately after they have been successfully installed. Instead, they will
46、launch attacks according to the time periods set by the malware or by utilizing the idle times of the infected smartphones. Today, a larger and larger proportion of malware have remote-controlled backdoors as a basic function, which is one of the distinctive features of smartphone-based bots. Many b
47、otnets propagate through malicious programs embedded in popular mobile applications. When a user downloads and installs applications from app stores or mobile phone forums without secure authentication mechanisms, the malicious programs concealed in the applications will be triggered. 7.6 Commercial
48、 interests Unlike most traditional malware, whose purpose is to sabotage, the purpose of smartphone-based botnets is often profit-driven. For example, smartphone-based botnets profit from stealing a users PII or from initiating malicious fee deductions; thus forming a dark industry of Internet fraud
49、. Commercial profits are motivating attackers to invest more resources into developing smartphone-based botnets and promoting the development of an Internet fraud industry. This means that smartphone-based botnets will create more security threats to users, and it will be increasingly difficult to protect against such threats. 7.7 Ever-changing network connections The high-mobility characteristics of smartphones lead to ever-changing network connections, which results in increased variability of smartphone-based botnets. Smartphones
