Attacks on Mobile and

Embedded Systems:
Current Trends

)NCLUDEDåINåTHISå7HITEå0APER
 Introduction
 A Brief History of Hacking
 Hacking’s Dangerous Third Wave
-OCANAå#ORPORATION
350 Sansome Street
Suite 1010
San Francisco, CA 94104
415-617-0055 Phone
866-213-1273 Toll Free

 Conclusion info@mocana.com
www.mocana.com
 References and Further Reading
Copyright © 2009
Mocana Corp.

Revised April 30, 2009

Introduction
In today’s world of ubiquitous computing, cyberattacks are becoming more “….last year
virulent, costlier, and larger in scope than ever before. Unlike previous [2008] now
incarnations of hacking, current attacks on computer systems are professionally appears to have
coordinated, multifaceted, and motivated by the promise of profits on a massive
been a turning
scale.
point in the
With millions of new electronic devices connecting to the internet every day, professionalism
hackers are increasingly focused on a new type of target: mobile and embedded
of cyber crime.
systems. Such systems include point-of-sale terminals, wireless routers, smart
phones, networked office machines such as printers, and even the utility
The software
infrastructure. development
skills and
In March 2008, European authorities uncovered a credit card data siphoning
operation using point-of-sale terminals manufactured in China. The scam involved
data mining
conspirators in several countries, including workers at the Chinese factory. capabilities of
Before the point-of-sale readers were sent to Europe, they were hacked with organized crime
a tiny, extra chip behind the motherboard. Once the machines were installed, are believed
their specially programmed chips siphoned off customers’ credit card data—at
to be second
unpredictable and nearly undetectable intervals—and relayed it from Europe to
Pakistan. The thieves made off with at least $50 million before the scheme was
to none. They
discovered [H4]. (whoever that
is) are stealing
Cutting-edge hackers are acutely aware that many of the security procedures
and applications in use today have been designed for PC workstations, and are
vast amounts of
thus unable to thwart attacks on mobile and embedded systems. Smartphones, our data, though
for example, remain notoriously insecure, yet they are gaining popularity as no-one really
platforms for exchanging confidential data and conducting financial transactions. understands
Billions of dollars are at risk as people do more and more of their everyday
the logic in their
banking and shopping on mobile and wireless devices. Even heart pacemakers
have joined the networked world and are now vulnerable to hacking.
targets.“
David Lacy, Computer Weekly, March 4,

Perhaps most ominous of the new hacking trends is the upsurge in cyberattacks 2009 (http://www.computerweekly.com/
blogs/david_lacey/2009/03/apocalypse_
against our utility infrastructure. If hackers continue to attack the so-called “smart soon.html)

grid,” which connects sensors and control systems with sophisticated computers
and networks, they could bring our nation’s commerce to a standstill, endanger
lives, and put our national security at risk.

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
In this dangerous new interconnected world, we need to take a serious look
at what types of hacking strategies are being employed today, and implement
security solutions that are designed specifically for mobile and embedded
devices. This paper attempts to highlight some of the latest attacks against
embedded systems, including mobile phones, medical devices, and the nation’s
electric infrastructure.

A Brief History of Hacking

Years ago, hacking was an amateur, underground activity, commonly associated
with thrill-seeking pranksters whose main intent was showing off their
computing prowess or expressing their anti-authoritarian sentiments. To be a
hacker was to have “street cred”—at least among the technologically savvy.
Although hackers’ activity was often illegal it was rarely malicious, and they
usually didn’t fit the profile of career criminals.

FIRST WAVE SECOND WAVE THIRD WAVE

Phone Hacking group U.S. GAO reports that in 1995, Increase in attacks
Phreaking “414s” break into hackers tried to break into on mobile devices, em-
Los Alamos Nat’l Defense Dept. files 250,000 times; bedded systems, the
Lab. computers ~65% of tries were successful “internet of things”

U.S. House of Morris First RSA ILOVEYOU

Rep. begins hear- worm / Conference worm infects
ings on computer CERT held millions
security hacking established within hours

1970 1977 1982 1988 1993 2000 2005 2009

TCP/IP— Kevin Mitnick / Paris Hilton’s

Internet Protocol / Increase in attacks T-Mobile USA
amateur hackers / on commercial Sidekick hacked
BBSes enterprises

Federal Computer Systems First DEFCON Dmitry Sklyarov becomes 1st

Protection Act, defining hacking conference person charged with violating
computer crimes & recom- held; becomes the Digital Millenium Copyright
mended penalties, fails to pass an annual event Act (DCMA) at DEFCON &IGUREååå(ACKINGåTIMELINE

Some of the early hackers of the 1970s focused on the telephone system.
Calling themselves [phone] “phreaks,” or “phreakers,” they helped themselves to
free long distance by simulating the sounds of phone signals. In the 1980s, when
personal computers became widely available, phone phreaks and other hackers

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
began using modems to connect to Bulletin Board Systems (BBSes), where they
exchanged messages about how to break into computers, steal passwords, and
wreak other kinds of electronic havoc. By 1986, hackers had threatened enough
government and corporate computer systems to prompt the U.S. Government
to make hacking a crime. In 1988, foreshadowing the types of attacks that lay
ahead, ArpaNET, the U.S. government’s precursor to the internet, was brought
to a standstill by a hacker’s experimental, self-replicating “worm” program that
spread to 6000 of the network’s computers.

Around the dawn of the commercial internet in the 1990s, a second wave of
hacking, which took on a more overtly criminal sensibility, began to emerge. One
of the most famous of these second-wave attacks was traced to the notorious
serial hacker, Kevin Mitnick, who was eventually arrested for stealing 20,000
credit card numbers.
&IGUREååå+EVINå-ITNICKåAFTERå
Also in the 1990s, a group of hackers broke into Citibank’s computers and HISåRELEASEåFROMå,OMPOC
siphoned off $10 million to their overseas bank accounts [H5].

Since the early 1990s, hackers have developed a rapidly mutating and
increasingly clever repertoire of attack strategies: embedding rogue programs
in legitimate applications, installing keystroke recorders on unwitting users’
computers, spoofing legitimate websites to “phish” for personal data, hijacking
database information through SQL injection attacks, and even enlisting massive
armies of zombie computers (“botnets”) to spew out phishing emails and spam.
Today, all classes of cybercrooks, from small-time con artists out to make a quick
buck to international crime syndicates, are logging into the global cybercrime
marketplace to buy and sell malware kits, stolen credit card numbers, “how-to-
hack” manuals, and criminalized software development services, in a shadow
economy worth over $750 million in 2007 [H2].

Hacking’s Dangerous Third Wave

Now, with the advent of what some technologists call the “internet of
things” (see Figure 3), we are encountering a third wave of hacking—one that
encompasses not only wired computers and networks, but intelligent devices:
wireless phones, routers and switches, printers, SCADA (Supervisory Control
And Data Acquisition) systems, and even medical devices. This new hacking
wave is poised to bypass the amateur “street-cred” phase and move directly to
well-honed, massively coordinated, sophisticated attacks. It is now becoming
clear that hacking’s third wave will almost certainly include terrorist cyberstrikes

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
against the utility and industrial infrastructure (the “smart grid”)—a danger we
can no longer dismiss as a spy movie scenario.

Electric Toothbrush: Automobile: Computer: Media Player:

Automatically reorders Maps traffic in real Centralized control for Remotely orders
brush heads, shares time; others can remote interface to new songs & video
brushing habits track your location any other device
with your dentist

Alarm Clock: Refrigerator: VoIP phone: Printer: Microwave:

Remote programs, RFID tags reorders Automatic updates, Automatically Automatically sets
custom tones, turns groceries as integration and reorders toner and cook cycle with
on coffee maker needed, and forwarding paper as needed RFID recognition
suggests recipes

COMMUTE COMMUTE

Home / Bed Workplace Home / Bed

Coffee Maker: Oven: Oven HVAC: Controls Building Security: Television:

Custom setting for settings from temperature & Security cameras Immediate “one-click”
each coffee type, computer or phone lights for maximum interact with facial ordering of products
starts when alarm if running late efficiency recognition database seen on commercials
goes off

Smart Scale: Cell Phone: Vending: Exercise Equipment:

Measures and Secure performs Automatically Recognizes individual
sends weight info for identification & reorders supplies user and tracks
progress tracking verification for before it’s empty workout schedule
payments

Figure 3. The Internet of Things

This paper discusses several of these new attack trends:

 Growing attacks on soft infrastructure targets

 Long-predicted threats to cellular network & smartphones manifesting

themselves

 The rush to network medical devices outpaces security

 Ubiquity of easily-hacked RFID technology threatening privacy, driving the

growth of sophisticated identity thefts

 Everyday home and office devices—hackers’ gateway to your network

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
Trend #1: Growing Attacks on Soft
Infrastructure Targets
Since security for personal computers is getting stronger, hackers are
increasingly looking for “softer” targets. In their sights are the millions of
industrial control and coordination, or SCADA devices, which can be programmed
like computers and have finally become numerous and networked enough to
make it profitable for hackers to attack them. By targeting a city’s infrastructure,
hackers can gain political notoriety, intimidate the public, and extort large
amounts of money from businesses or governments. At a conference in
January 2008, a senior CIA analyst shocked his audience by revealing that
cyberextortionists in another country had “caused a power outage affecting
multiple cities” [S1].

SCADA devices are key players in the “Smart Grid,” the network of sensors and
computerized systems that make up the utility infrastructure of our society. They
monitor and control power generators, refineries, water treatment facilities,
oil pipelines, and electrical power systems. They also comprise an essential
component of our industrial, technology, and communications infrastructure,
controlling building security, manufacturing plants, airport traffic, and military
vessels. As more and more SCADA devices come online, the more our nation’s
health, economy, and security become vulnerable to hacking attacks [S10].

PIPELINE COMPANY
Pipeline
Assets
FIREWALL

FIREWALL

FIREWALL

FIREWALL

PIPES
Control
FIELD
SENSORS
Security Security
Zone Business Zone Control STORAGE
Network Center Pipeline
TANKS

Internet

REFINING COMPANY
Refinery
Control Assets
FIREWALL

FIREWALL

FIREWALL

FIREWALL

COKING
UNIT
CRACKING
Security Security UNIT
&IGUREååå4YPICALå3#!$!å
Zone Business Zone Control STORAGE
Refinery
Network Center TANKS SYSTEM

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
Existing SCADA devices are often decades old and operate with legacy computer
hardware. They tend to be configured with off-the-shelf networking software and
have weak internal security protections. Although guarded by a hard shell on the
outside, with locks, gates, security personnel, industrial facilities may still contain
a soft center—their computerized control systems—an easily penetrable core
which now is exposed to the outside world through the internet.

Corporation Workplace
Planning/ Corporate
Scheduling Network

Operator Operator
Workstation Workstation
Supervisory Control
Control Network

Regulatory Field Area

Control RTU/PLC RTU/PLC RTU/PLC
Network

Sensor Actuator Sensor Actuator Sensor Actuator

Physical Infrastructure &IGUREååå4YPICALåCONTROLå

SYSTEMåARCHITECTUREå"ERKELEYå
2ESEARCH

In the past, the majority of SCADA attacks were perpetrated by insiders who
had access to the controls: disgruntled ex-employees or saboteurs. Now,
experts are seeing more and more attacks originating from external sources,
even from residents of foreign countries. In 2004, a British Columbia Institute
of Technology (BCIT) analysis of 24 control system security incidents instigated
by outsiders showed that 36 percent came in through the Internet. Eric Byres,
a BCIT research faculty member, noted that “an awful lot are coming in through
other ways, including dial-up modems, VPN (virtual private network) connections,
remote wireless systems and trusted third party connections” [S2]. One recent
report notes the potential involvement of smart phones in SCADA attacks,
especially as “ubiquitous computing” becomes the norm. An outsider with a
cell phone could manage to access SCADA devices via the phone’s internet
connection [S6].

One of the problems with assessing the prevalence of SCADA attacks is that
they are rarely reported in any detail, for fear of encouraging further attacks and
compromising national security. Companies and governments understandably do

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
not want any information about SCADA breaches to fall into the wrong hands, so … A careful
they fail to share information freely. According to Alan Paller, Director of Research
statistical
for the SANS Institute, “… A careful statistical analysis of validated control
system incidents at 22 major corporations indicates that … the incidents are
analysis of
far more widespread than commonly believed, the targets more wide ranging validated control
and the attackers are not who we think they are. Even more ominous, the data system incidents
shows that getting into most control systems is surprisingly easy” [S11]. For at 22 major
example, in March of 2008, a nuclear power plant was accidentally shut down
corporations
because a computer used to monitor chemical and diagnostic data rebooted after
a software update. In another incident in 2008, a teenager in Poland rigged a TV
indicates that
remote control to control the switch tracks of trams. There were four derailments … the incidents
and twelve resultant injuries [S4]. are far more
Most frighteningly, attacks against SCADA devices are being carried out by
widespread
enemy nations as part of a greater “cyberwarfare” strategy to sabotage the than commonly
U.S. economy and infrastructure. In the U.K., government agencies report that believed, the
attacks against infrastructure targets have increased dramatically. In June 2008, targets more
the UK’s National Infrastructure Security Co-Ordination Centre issued a public
wide ranging
advisory about a series of targeted attacks against the UK central government
and commercial organizations “for the purpose of gathering and transmitting
and the attackers
otherwise privileged information”[H8]. are not who we
think they are.
Alan Paller, Director of Research for the
Trend #2: Long-Predicted Threats SANS Institute

to Cellular Network & Smartphones

Manifesting Themselves
Researchers are predicting that 2009 will be a significant year for mobile attacks
[H10]. With the rise of unlimited data plans, open networks, readily downloadable
applications, and the lack of strong security, hackers, spammers, and phishers
are now beginning to recognize the profit potential of mobile phones [M4].
Adding to the allure of mobile hacking for cybercriminals are the fraud
opportunities presented by the burgeoning mobile financial services market.
The number of active users of mobile banking and related financial services
worldwide is expected to rise from 20 million in 2008 to 913 million in 2014 [M4].

The latest mobile phones are also the most vulnerable to attack. Smartphones,
such as the Apple iPhone and the Google Android phone, now come with
“real” browsers with JavaScript engines, exposing them to traditional browser
attacks, such as Cross-Site Scripting (XSS), Clickjacking, phishing, and other

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
malicious techniques. These phones are also vulnerable to “man-in-the-middle”
attacks, in which a hacker could come between the phone and a web server and
offer malware in the guise of a legitimate update to one of the user’s trusted
applications. Other vectors for smartphone attacks include email, attachments,
web pages, MMS, Facebook, WiFi, and Bluetooth [M3].

As the iPhone and other smart phones continue to gain market share at a rapid
rate, hackers will increasingly focus their efforts on mobile devices. However,
it is doubtful that this new wave of hacking will go through an extended phase
of nuisance hacking as was the case with PCs, instead skipping straight to
for-profit hacking. Although the first iPhone or Android malware writers might
be motivated by street cred like earlier hackers, professional criminals are sure
to follow quickly. According to researchers, the newest of the 420 smartphone
viruses identified since 2004 have reached a state of sophistication that took
computer viruses about two decades to achieve [M6]. Figure 6, from McAfee
[M2], illustrates how mobile security threats have been increasing since the
introduction of popular smartphones.

60%

50%

40%

30%

20%

10%
2008
2007
2006

2008
2007
2006

2008
2007
2006

2008
2007
2006

2008
2007
2006

2008
2007
2006

2008
2007
2006

2008
2007
2006

0%
spam attacks

Phishing attacks

service attacks
Virus/spyware

Voice or text

Third party

Loss of user data

in any form

Privacy and
Network or service
capacity issues

infections

application/content
problems

from devices

regulatory issues

Denial of

Figure 6. The increase in security issues experienced by mobile device users

from 2006 to 2008; % of respondents. McAfee Mobile Security Report 2009

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
Several features of smartphones make them particularly tempting targets. For
one, mobile users tend to be less guarded than computer users about clicking on
links, enabling SMS phishers (“SMishers”) to gain information or send malware
via a link in a legitimate-looking text message. In addition, mobile phones are a
treasure trove of personal information, such as phone numbers and addresses,
which criminals can extract and sell in the ID fraud marketplace. And, to make
things even easier for cybercrooks, location-enabled smartphones let spammers
personalize malware for each user by mentioning their locale; for example,
by prompting them to click on information about a disaster that supposedly
occurred in their area [M5].

Although not yet as pervasive as PC malware, cell phone malware is beginning

to proliferate, particularly in Asia where cell phones greatly outnumber PCs.
+975%
Mobile malware spreads primarily by two methods: MMS and Bluetooth. In
January 2008, Trend Micro researchers discovered a new Symbian virus that
uses both Bluetooth and MMS messages to infect other phones. Disguised
as an innocuous-looking multimedia file, the malicious program is actually a
mobile application installer. Once activated, it creates new files and sends them
as MMS messages to all the victim’s contacts. Since mobile users are more
2005 2008
trusting than PC users about messages from unknown senders, this malware
has the potential to spread very rapidly throughout a smartphone network. &IGUREååå$EVICEåATTACKSå
REPORTEDåBYåMOBILEåOPERATORSå
The most worrisome trend in mobile hacking is the spectre of a mobile botnet ;-C!FEE=

—that infamous army of zombified computers programmed to follow a hacker’s

bidding. In the chilling words of one expert, “No one should be surprised
if we see the first major threat of the migration of botnets from traditional
computing devices to mobile platforms. Some smart phones already have more
memory and higher processing power than laptops from just a few years ago. A
constantly moving and adapting mobile botnet presents a compelling business
proposition for hackers and an interesting real-world case study in chaos theory”
[M1].

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
Trend #3: The Rush to Network Medical
Devices Outpaces Security
One truly scary attack trend is the growing offensive against medical devices.
A large number of medical devices, such as heart pacemakers, implantable
cardioverter-defibrillators (ICDs), bedside monitors, MRI machines, and portable
drug-delivery pumps, have a CPU and an IP address that enable them to transmit
and receive information, but also expose them to attacks.

Medical devices, which far outnumber hospital PC workstations, are usually

the softest targets on a hospital network, lacking firewalls, malware protection,
strong encryption, or even recent security or OS updates. Medical devices are
increasingly leveraging IP and common OS platforms that enable them to utilize
large libraries of software and communicate more easily. But in the rush to
establish common platforms and network these devices, security concerns have
been poorly addressed.

Mocana’s CEO, Adrian Turner, says, “The same types of attacks that have
traditionally targeted sectors such as consumer electronics are being directed at
medical devices, with potentially fatal consequences. Attacks we’re beginning to
see directed at medical devices include:

 Sniffing (also called snooping) or eavesdropping.

 Theft of sensitive information.

 Data destruction.

 Zombification. A zombie is a device attached to the Internet that has been

compromised by a hacker, virus, or Trojan horse, and can be remotely used,
without the owner’s knowledge, to perform malicious tasks [D4].

 Bricking. This usually refers to damage to system software or firmware, which

would require a complete system wipe and reinstall in order to regain use
of the device. In the case of medical devices, this could entail sending the
product back to the manufacturer.

In a paper published last year by the Medical Device Security center about
pacemakers and ICDs, researchers described how they were able to hack into an
ICD and intercept private data transmissions [D3]. They revealed that ICDs could
be hacked to alter patient data or reset how shocks are administered. Tadayoshi
Kohno, a lead researcher on the project at the University of Washington, who has
studied vulnerability to hacking of networked computers and voting machines,
says that “the risks to patients now are very low, but I worry that they could
increase in the future” [D1].

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
Trend #4: Ubiquity of Easily-Hacked RFID
Technology Threatening Privacy, Driving the
Growth of Sophisticated Identity Thefts
One of the most common attacks on wireless networks is “war driving,” in which
hackers drive around a neighborhood, hunting for unsecured wireless nodes.
In the latest twist on war driving, a security expert cruised around Fisherman’s
Wharf, armed with a cheap RFID scanner and a low-profile antenna, and
managed to clone half a dozen electronic, wallet-sized passports in an hour.

This “war cloning” experiment was so successful, says the researcher, because
the type of RFID in the Homeland Security’s version of a passport emits a real
radio signal, which could conceivably be tracked from a couple of miles away.
Although no criminal hacks of passports or e-licenses have been detected to
date, this insecure technology poses a strong risk for identity theft and invasion
of privacy [R1].

In another RFID hack, anyone with $8 worth of equipment bought on EBay can
sniff the credit card number, cardholder name, and other personal information off
an RFID-equipped, “smart” credit card—without physically coming into contact
with the card. The problem with these “contactless credit cards,” says inventor
Pablos Herman, is that the data is decrypted at the point of sale by a machine
rather than at the card company’s secure data center [R3].

Trend #5: Everyday Home and Office Devices—

Hackers’ Gateway to your Network
In today’s hypernetworked corporate environment, more and more office
machines are equipped with an IP address—which means that even a seemingly
harmless and mundane peripheral, such as a shared printer, can pose a
dangerous security risk. Hackers are increasingly exploiting long-forgotten
or ignored printers, faxes, and scanners to bypass firewalls and penetrate a
network. If, as one amateur hacker has shown, it’s possible to gain access to an
unsecured printer using just Google and a web browser, imagine what a hacker
could do with access to a fax machine and an outside phone line. [P1] No matter
how ordinary, every device on a network needs good security!

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
Conclusion
Clearly, we’ve come a long way from the days of phone phreaks and Kevin
Mitnick. The latest attack trends threaten not only our privacy, our data, and
our money, but our national security and even our lives. When the possibility
of hackers controlling people’s pacemakers is a topic of serious research, we
know we’re in a new world, one that holds the great promise of connectivity and
ubiquitous computing, but also the potential for criminality and disruption on a
grand scale.

To defend against the new wave of attacks, we need a strategy that is equal
to the adversary—multilayered, complex, and well-organized—and is focused
on the mobile and embedded devices that make up the “internet of things.”
The alternative to protecting these devices (mobile botnets and compromised
water systems; out-of-sync heart pacemakers and stolen identities) presents an
unacceptably high risk.

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
References and Further Reading
(ACKINGåANDåTHEå5NDERGROUNDå%CONOMY

[H1] Cisco, Inc. Cisco 2008 Annual Security Report, December 2008, URL: http://www.
cisco.com/go/securityreport.

[H2] Marc Fossi, Eric Johnson, Dean Turner, et al., Symantec report on the underground
economy, November 2008, URL: http://eval.symantec.com/mktginfo/enterprise/
white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.
en-us.pdf, accessed: 2009-4-6. (Archived by WebCite® at http://www.webcitation.
org/5gELyrFgr)

[H3] Merrick Furst, Richard M. George, George Heron, et al., Georgia Tech Information
Security Center Emerging Cyber Threats Report for 2009, October, 2008.

[H4] Siobhan Gorman, “Fraud Ring Funnels Data From Cards to Pakistan”
Wall Street Journal, October 11, 2008, URL: http://online.wsj.com/article/
SB122366999999723871.html, accessed 2009-3-20. (Archived by WebCite® at
http://www.webcitation.org/5gF1zAfd1)

[H5] “Is Hacking Always Bad?” Hacking Alert.com, URL: http://www.hackingalert.

com/hacking-articles/history-of-hacking.php, accessed 2009-3-20. (Archived by
WebCite® at http://www.webcitation.org/5gELyrFhH)

[H6] “Malware Trends: What Will Attack Us in 2009?” H-Desk.com, Nov 25, 2008,
URL: http://www.h-desk.com/articles/Malware_Trends__What_Will_Attack_Us_
in_2009__a45_f0.html, accessed: 2009-4-6. (Archived by WebCite® at http://www.
webcitation.org/5gELyrFhl)

[H7] Networking and Information Technology Research and Development Program

(NITRDP), Networking and Information Technology Research and Development,
Supplement to the President’s Budget for Fiscal Year 2009, February 2008.

[H8] Pinsent Masons LLP, “Hack Attacks Shift to Applications,” November 23, 2005,
URL: http://www.out-law.com/page-6374, accessed: 2009-4-6. (Archived by
WebCite® at http://www.webcitation.org/5gELyrFhS)

[H9] Sophos, Sophos Security Threat Report: 2009, 2008.

[H10] Trend Micro, Inc., Trend Micro 2008 Annual Threat Roundup and 2009 Forecast,
2008.

[H11] ZScaler, 2009 Web Security Predictions, January 6, 2009. URL: http://research.
zscaler.com/2009/01/web-security-predictions.html, accessed: 2009-4-6. (Archived
by WebCite® at http://www.webcitation.org/5gELyrFhc)

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
-OBILEå(ACKINGå4RENDS

[M1] Bill Brenner, “Mobile Malware: What Happens Next? CSO, November 13, 2008,
URL: http://www.cso.com.au/article/267157/mobile_malware_what_happens_
next?pp=1, accessed: 2009-4-6. (Archived by WebCite® at http://www.webcitation.
org/5gELyrFij)

[M2] McAfee and Informa Telecoms and Media, Mobile Security Report 2009, 2009,
URL: http://www.mcafee.com/us/local_content/reports/mobile_security_
report_2009.pdf, accessed: 2009-4-2 (Archived by WebCite® at http://www.
webcitation.org/5gExlvgs2)

[M3] Elinor Mills, “Mobile: The holy grail at security conference,” CNet News, March
20, 2009, URL: http://news.cnet.com/security/?keyword=smartphones, accessed
2009-3-20. (Archived by WebCite® at http://www.webcitation.org/5gELyrFi4)

[M4] “Mobile hackers cash in on lack of protection offered by networks,” SC Magazine,

April 2, 2009, URL: http://www.scmagazineuk.com/Mobile-hackers-cash-in-on-lack-
of-protection-offered-by-networks/article/129941/, accessed 2009-3-20. (Archived
by WebCite® at http://www.webcitation.org/5gELyrFiZ)

[M5] Sarah Perez, “First Came Geo-Awareness, Then Came Geo-Aware Malware,”
ReadWriteWeb, March 17, 2009, URL: http://www.readwriteweb.com/archives/
first_came_geo-awareness_then_came_geo-aware_malware.php, accessed 2009-
3-20. (Archived by WebCite® at http://www.webcitation.org/5gELyrFiE)

[M6] Pu Wang, Marta C. González, César A. Hidalgo, Albert-László Barabási,

“Understanding the Spreading Patterns of Mobile Phone Viruses,” ScienceExpress
Report, April 2, 2009, URL: http://www.sciencexpress.org, accessed 2009-3-20.
(Archived by WebCite® at http://www.webcitation.org/5gELyrFiO)

-EDICALå$EVICEå!TTACKå4RENDS

[D1] Barnaby J. Feder, “A Heart Device Is Found Vulnerable to Hacker Attacks,”

New York Times, March 12, 2008, URL: http://www.nytimes.com/2008/03/12/
business/12heart-web.html, accessed: 2009-4-6. (Archived by WebCite® at http://
www.webcitation.org/5gExlvgsU)

[D2] Maria Fontenazza, “Hackers May Prey on Medical Devices,” Medical Device Link,
Medical Device and Diagnostic Industry, URL: http://www.devicelink.com/mddi/
archive/09/03/011.html, accessed: 2009-4-6. (Archived by WebCite® at http://www.
devicelink.com/mddi/archive/09/03/011.html)

[D3] Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, et al. Pacemakers

and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power
Defenses, May 2008, URL: http://www.secure-medicine.org/icd-study/icd-study.
pdf, accessed: 2009-4-6. (Archived by WebCite® at http://www.webcitation.
org/5gELyrFit)

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
[D4] Ryan Singel, “WiFi Pacemaker Hack Leads to Real Life Zombie Armies?” Wired,
March 12, 2008, URL: http://blog.wired.com/27bstroke6/2008/03/wifi-pacemaker.
html, accessed: 2009-4-6. (Archived by WebCite® at http://www.webcitation.
org/5gExlvgsg)

3#!$!å!TTACKå4RENDS

[S1] Ted Bridis, “CIA: Hackers demanding cash disrupted power - Electrical utilities in
multiple overseas cities affected” MSNBC.com, January 18, 2008, URL: http://
www.msnbc.msn.com/id/22734229/, accessed: 2009-4-6. (Archived by WebCite®
at http://www.webcitation.org/5gExlvgt2)

[S2] Eric Byres, David Leversage, and Nate Kube, Security incidents and trends in
SCADA and process industries, May 2007, URL: http://www.mtl-inst.com/images/
uploads/datasheets/IEBook_May_07_SCADA_Security_Trends.pdf.

[S3] Alvaro A. Cárdenas, Saurabh Amin, Shankar Sastry, UC Berkeley, Research

Challenges for the Security of Control Systems, 1999. URL: http://www.usenix.
org/event/hotsec08/tech/full_papers/cardenas/cardenas_html/, accessed: 2009-4-6.
(Archived by WebCite® at http://www.webcitation.org/5gExlvgtK)

[S4] Glenn Derene, “How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?”
Popular Mechanics, April, 2009, URL: http://www.popularmechanics.com/
technology/military_law/4307521.html, accessed: 2009-4-6. (Archived by WebCite®
at http://www.webcitation.org/5gExlvgtT)

[S5] Grant Gross, “Expert: Hackers penetrating control systems,” InfoWorld Security
Central, March 19, 2009, URL: http://www.infoworld.com/d/security-central/
expert-hackers-penetrating-control-systems-084, accessed: 2009-4-6. (Archived by
WebCite® at http://www.webcitation.org/5gELyrFjb)

[S6] Wes Iverson, “Hackers Step Up SCADA Attacks,” Automation World, November
1, 2004, URL: http://www.automationworld.com/news-957, accessed: 2009-4-6
(Archived by WebCite® at http://www.webcitation.org/5gExlvgsq)

[S7] David Lacy, “Apocalypse Soon?” Computer Weekly, March 4, 2009, URL: http://
www.computerweekly.com/blogs/david_lacey/2009/03/apocalypse_soon.
html, accessed: 2009-4-6. (Archived by WebCite® at http://www.webcitation.
org/5gELyrFjm)

[S8] Nathan McFeters, “Hacking SCADA for terrorism and destruction,” Zero Day
(ZDNet), June 12, 2008, URL: http://blogs.zdnet.com/security/?p=1268, accessed:
2009-4-6. (Archived by WebCite® at http://www.webcitation.org/5gELyrFjS)

[S9] National Cyber Security Research and Development Challenges, Institute for
Information Infrastructure Protection (I3P), A Report to the Senate Committee on
Homeland Security and Governmental Affairs, 2009.

[S10] “The Return of SCADA vulnerability,” Industrial IT, February 9, 2008, URL:
http://www.industrialit.com.au/Article/The-return-of-the-SCADA-security-

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
 vulnerability/437404.aspx, accessed: 2009-4-6. (Archived by WebCite® at http://
www.webcitation.org/5gELyrFjw)

[S11] SANS Institute, “Special Webcast: Cyber Attacks Against SCADA and Control
Systems—Real World Trends and Real World Solutions,” September 7, 2008,
URL: https://www.sans.org/webcasts/show.php?webcastid=90748. (Archived by
WebCite® at http://www.webcitation.org/5gExlvgtB)

2&)$å(ACKINGå4RENDS

[R1] Kelly Jackson Higgins, “Drive-By ‘War Cloning’ Attack Hacks Electronic Passports,
Driver’s Licenses: researcher demonstrates the ease of scanning and cloning new
Homeland Security-issued ID cards,” Dark Reading, February 2, 2009, URL: http://
www.darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321,
accessed 2009-4-6. (Archived by WebCite® at http://www.webcitation.
org/5gELyrFkE)

[R2] Joel Hruska, “Internet tubes dripping with ‘raw sewage’ of DDoS attacks,” Ars
Technica, April 3, 2008 http://arstechnica.com/news.ars/post/20080403-internet-
tubes-dripping-with-raw-sewage-of-ddos-attacks.html , accessed 2009-3-20.
(Archived by WebCite® at http://www.webcitation.org/5gELyrFkW)

[R3] Joanne Kelleher, “Another RFID Hack—Contactless Credit Cards,” RFID Security,
March 25, 2008, URL: http://www.securerf.com/RFID-Security-blog/?p=47,
accessed 2009-4-22. (Archived by WebCite® at http://www.webcitation.
org/5gExlvgtc)

0RINTERåANDå%VERYDAYå$EVICEå(ACKINGå4RENDS

[P1] David Strom, “Beware of Network Printer Hacks,” David Strom’s Web Informant,
May 30, 2008, URL: http://strom.wordpress.com/2008/05/30/beware-of-network-
printer-hacks/, accessed 2009-4-22. (Archived by WebCite® at http://www.
webcitation.org/5gExlvgt)

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html 
About Mocana
Mocana secures the “Internet of Things”: the ubiquitous devices of our lives,
our infrastructure, and the enterprise networks to which they connect. As Mocana Solutions
connected devices proliferate—they already outnumber workstations on the NanoBoot™
Secure preboot verification
Internet by about 5 to 1—attacks on these “soft targets” are rising exponentially. for firmware
Mocana’s solutions ensure that wired and wireless devices, servers, networks, NanoUpdate™
and their services all scale securely. Customers include Dell, Cisco, Avaya, Secure firmware updates

Nortel Networks, Harris, Honeywell, Symbol, and Radvision, among others. The NanoWall™
Embedded system firewall
company was recently named one of Red Herring’s GLOBAL 100—one of the NanoSSH™
“Top 100 Privately-Held Companies in the World” for 2008, and also won Frost High-performance
SSH client and server
& Sullivan’s Technology Innovation of the Year award. For more information, visit
NanoSSL™
www.mocana.com. Super-small SSL client and
server
NanoSec™
Device-optimized IPsec,
Downloads and Contacts IKEv1/v2, MOBIKE
NanoEAP™
 For details about the Mocana Device Security Framework, visit http://www. EAP supplicant and
mocana.com/device-security-framework.html. 802.11 extensions
NanoCert™
 For your 90-day free trial, visit www.mocana.com/evaluate.html. Certificate management
for client devices
 For pricing and purchase information, email sales@mocana.com or call NanoDTLS™
866-213-1273. Embedded DTLS client
NanoDefender™
Intrusion detection
for devices
DSF for Android™
Quick-development
security toolkit for
Google Android handsets

VPNC
CERTIFIED
Basic
Interop

Tech AES
Interop
Choice IKEv2 Basic
2008 Interop
IPv6
Interop

Attacks on Mobile and Embedded Systems: Current Trends – Free evaluation code at www.mocana.com/evaluate.html