Abstract
As employees bring mobile devices into the workplace, many companies have been encouraging their use for business purposes. As a result, data leakage accidents have been increasing, which can weaken companies’ competitiveness and can even threaten their survival. Therefore, many companies have recently adopted data leakage/loss prevention (DLP) solutions to avoid such leakages. However, these solutions and their study are limited to dedicated data channels such as SMS/MMS, HSPA and WIFI, but other types of channels, such as, voice call channels can be used to bypass and inactivate the DLP. In this paper, our attack model focuses on the malicious use of digital communication over these voice call channels by showing the possibility to deliver the text files, pictures and malicious codes. Furthermore, we also use post processing such as spell checking and image restoration for the maximum effectiveness of our attack scenario. Overall, we show the feasibility of voice call channels as new malicious attack channels.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
World Bank. (2013). No black-out in Japan Despite of Fukushima disaster. http://data.worldbank.org/indicator/.
Balebako, R., Jung, J., Lu, W., Cranor, L. F., & Nguyen, C. (2013). Little brothers watching you: Raising awareness of data leaks on smartphones. In Symposium on usable privacy and security (SOUPS).
KPMG LLP. (2012). Data loss barometer: A global insight into lost and stolen information. http://www.kpmg.com/EE/et/IssuesAndInsights/ArticlesPublications/Documents/Data-Loss-Barometer.pdf.
Enck, W., Octeau, D., McDaniel, P., & Chaudhuri, S.: A study of android application security. In USENIX security symposium.
B. X. CHEN,(The New york Times). (2013). U.S. Government issues warning about security on android phones. http://bits.blogs.nytimes.com/2013/08/28/u-s-government-issues-warning-about-security-on-android-phones/.
(ComputerWeekly), S. P. (2013). Top seven data loss issues. http://www.computerweekly.com/feature/Top-seven-data-loss-issues.
Cloud Security Alliance. (2012). Security guidance for critical areas of mobile computing. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf.
K. Walker (CSA Research News). (2012). Data Loss from missing mobile devices ranks as top mobile device threat by enterprises. https://cloudsecurityalliance.org/media/news/data-loss-mobile-ranks-top-threat-enterprises/.
Kao, I.-L. (2011). Securing mobile devices in the business environment. IBM Global Technology Services, Thought Leadership White Paper. http://www-935.ibm.com/services/uk/en/attachments/pdf/Securing_mobile_devices_in_the_business_environment.pdf.
Fujitsu. (2013). Brochure, fujitsus managed mobile for android smartphones and tablets. http://www.fujitsu.com/downloads/AU/Fujitsu-Android-brochure.pdf.
MOBILEIRON. (2012). White paper, McAfee enterprise mobility management: What to look for in an end-to-end solution. http://www.mcafee.com/us/resources/white-papers/wp-emm-end-to-end-solution.pdf.
Sonawane, N. (2013). Mobile DLP: Making android security a reality. http://www.mobileiron.com/en/smartwork-blog/mobile-dlp-making-android-security-reality. White paper.
Symantec Corporation (2013). Symantec data Loss prevention for mobile. http://www.ndm.net/dlp/Symantec/symantec-data-loss-prevention-for-mobile.
McAfee. (2008). FOCUS 2008, The message within—Using McAfee DLP to detect hidden steganographic content. http://www.slideshare.net/bfanelli/mcafee-security-conference-focus-2008d.
RedTeam, S. C. (2012). Steganography and corporate spying. http://www.redteamsecure.com/labs/post/2/Steganography-and-Corporate-Spying.
Owusu, E., Han, J., Das, S., Perrig, A., & Zhang, J. (2012). ACCessory: Password inference using accelerometers on smartphones. In Proceedings of the twelfth workshop on mobile computing systems & applications (p. 9). ACM.
Zeng, Y., Shin, K. G., & Hu, X. (2012). Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In Proceedings of the fifth ACM conference on security and privacy in wireless and mobile networks (pp. 137–148). ACM.
Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., & Wang, X. (2011). Soundcomber: A stealthy and context-aware sound trojan for smartphones. In 18th Annual Network & Distributed System Security Symposium (NDSS). The Dana on Mission Bay, San Diego, California.
Katugampala, N. N., Al-Naimi, K. T., Villette, S., & Kondoz, A. M. (2004). Real time data transmission over GSM voice channel for secure voice & data applications. In 2nd IEE Secure Mobile Communications Forum: Exploring the Technical Challenges in Secure GSM and WLAN.
Kotnik, B., Mezgec, Z., Svečko, J., & Chowdhury, A. (2009). Data transmission over gsm voice channel using digital modulation technique based on autoregressive modeling of speech production. Digital Signal Processing, 19(4), 612–627.
Dhananjay, A., Sharma, A., Paik, A., Chen, J., Kuppusamy, T. K., Li, J., & Subramanian, L. (2010). Hermes: Data transmission over unknown voice channels. In Proceedings of the sixteenth annual international conference on mobile computing and networking (pp. 113–124). ACM.
LaDue, C. K., Sapozhnykov, V. V., & Fienberg, K. S. (2008). A data modem for GSM voice channel. IEEE Transactions on Vehicular Technology, 57(4), 2205–2218.
Ali, B. T., Baudoin, G., & Venard, O. (2013). Data transmission over mobile voice channel based on M-FSK modulation. In Wireless communications and networking conference (WCNC), 2013 IEEE (pp. 4416–4421). IEEE.
Mezgec, Z., Chowdhury, A., & Kotnik, B. (2009). Implementation of pccd-ofdm-ask robust data transmission over gsm speech channel. Informatica, 20(1), 51–78.
Järvinen, K., Bouazizi, I., Laaksonen, L., Ojala, P., & Rämö, A. (2010). Media coding for the next generation mobile system LTE. Computer Communications, 33(16), 1916–1927.
Birkehammar, C., Bruhn, S., Eneroth, P., Hellwig, K., & Johansson, S. (2006). New high-quality voice service for mobile networks. Ericsson Review. https://www.ericsson.com/ericsson/corpinfo/publications/review/2006_03/files/2_amrwb.pdf.
Heuberger, A. (2012). Full-hd voice: Redefining everyday communications. http://www.iis.fraunhofer.de.
O’Shaughnessy, D. (1988). Linear predictive coding. IEEE Potentials, 7(1), 29–32.
Yeh, C. I., Kwon, D. S., Whang, S. K., & Kim, W. W. (2004). An AGC design of mobile cellular systems. In Vehicular technology conference, 2004. VTC2004-Fall. 2004 IEEE 60th (Vol. 3, pp. 2134–2137). IEEE
Chang, H. M. (1996). ”CrossTalk”: Technical challenge to VAD-like applications in mixed landline and mobile environments. In Proceedings of third IEEE workshop on interactive voice technology for telecommunications applications 1996 (pp. 77–80). IEEE.
Arias-Castro, E., & Donoho, D. L. (2009). Does median filtering truly preserve edges better than linear filtering? The Annals of Statistics, 37(3), 1172–1206. http://www.jstor.org/stable/30243665.
Chang, C. C., Hsiao, J. Y., & Hsieh, C. P. (2008). An adaptive median filter for image denoising. In Second international symposium on intelligent information technology application, 2008. IITA ’08 (Vol. 2, pp. 346–350). doi:10.1109/IITA.2008.259.
Pratt, W. K. (2001). Digital image processing: PIKS inside (3rd ed.). New York, NY: Wiley.
Roberts, S. J. (1999). Novelty detection using extreme value statistics. IEE Proceedings—Vision, Image and Signal Processing, 146(3), 124–129. doi:10.1049/ip-vis:19990428.
Norvig, P. (2009). Natural language corpus data. In T. Segaran & J. Hammerbacher (Eds.), Beautiful data: The stories behind elegant data solutions (pp. 219–242). O'Reilly Media, Inc.
Zhuang, L., Zhou, F., & Tygar, J. D. (2009). Keyboard acoustic emanations revisited. ACM Transactions on Information and System Security, 13(1), 3:1–3:26. doi:10.1145/1609956.1609959.
Navarro, G. (2001). A guided tour to approximate string matching. ACM Computing Surveys, 33(1), 31–88. doi:10.1145/375360.375365.
CISCO. (2008). Data leakage worldwide white paper: The high cost of insider threats. http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/whitepaperc11506224.html.
Devarajan, G., & LeBert, D. (2011). VDLDS—All your voice are belong to us. http://www.defcon.org/images/defcon-19/dc-19-presentations/Devarajan-LeBert/DEFCON-19-Devarajan-LeBert-VDLDS.pptx.pdf.
Michael, K. D. (2010). Changing the development paradigm of information communication. http://www.koreaittimes.com/pdf/2010-12_all.pdf.
Peterson, W. W., & Brown, D. T. (1961). Cyclic codes for error detection. Proceedings of the IRE, 49(1), 228–235. doi:10.1109/JRPROC.1961.287814.
Hosseinzadeh, D., Krishnan, S., & Khademi, A. (2006). Keystroke identification based on gaussian mixture models. In 2006 IEEE international conference on acoustics, speech and signal processing, 2006. ICASSP 2006 proceedings (Vol. 3, pp. III–III). doi:10.1109/ICASSP.2006.1660861.
Hasan, R., Saxena, N., Haleviz, T., Zawoad, S., & Rinehart, D.: Sensing-enabled channels for hard-to-detect command and control of mobile devices. In Proceedings of the 8th ACM SIGSAC symposium on information, computer and communications security, ASIA CCS ’13 (pp. 469–480). New York, NY, USA: ACM. doi:10.1145/2484313.2484373.
Acknowledgements
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (NRF-2013R1A1A1012797).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Lee, S., Ha, Y., Yoon, S. et al. The Vulnerability Exploitation Conveying Digital Data Over Mobile Voice Call Channels. Wireless Pers Commun 96, 1145–1172 (2017). https://doi.org/10.1007/s11277-017-4229-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-017-4229-9