
Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones



  1. Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones Collin Mulliner, Steffen Liebergeld, Matthias Lange, and Jean-Pierre Seifert Technische Universität Berlin and Deutsche Telekom Laboratories

  2. Outline • Introduction • Background • Threats • Design • Implementation • The AT Command Filter • Conclusions

  3. Introduction • Mobile botnets hijack mobile phones to produce signaling traffic sent from the phones to the cellular network core – DDoS • Rooted smartphones disable protection mechanisms. Applications may launch intentionally malicious activity or accidentally harmful operations.

  4. Introduction • Protect the cellular network infrastructure from malicious smartphones • Virtual modem • Device-side protection system • Android-based • AT-command filter • The OS is separated from the baseband • Safe-to-root virtualized Android

  5. Background • Cellular Network Architecture (diagram: Base Station, Serving GPRS Support Node, Gateway GPRS Support Node, Mobile Switching Center, Home Location Register)

  6. Background • Cellular Signaling • Signaling traffic → MSC and HLR • Voice calls, SMS, and updating account settings • Packet data → SGSN, GGSN, and HLR • Packet Data Protocol (PDP) • The ME establishes a PDP context by sending a GPRS-attach message to the SGSN.

  7. Background • Smartphone Architecture (diagram: Application Processor, Baseband Processor)

  8. Threats • Hijacked Phones and Mobile Botnets • PDP Context Change • Premium Rate SMS Trojans • Rooted Phones

  9. Threats • Hijacked Phones and Mobile Botnets • ikee.B iPhone botnet infects about 22,000 devices • HTTP-based C&C channel • Traynor et al. issue the AT command to configure and enable call-forwarding settings in order to cause a high load on the HLR. • Mobile botnets use SMS messages for C&C.

  10. Threats • PDP context activation and de-activation leads to high network load on the GGSN and SGSN. • On Android, it’s possible to force a PDP context change every 2 seconds → 43,200 PDP activations per day. • Pre-paid SIM cards may cause DoS attacks.

  11. Threats • Premium Rate SMS Trojans • FakePlayer-A • The same problem applies to voice calls to premium numbers • android.permission.SEND_SMS

  12. Threats • Rooted Phones • Simply install a modified firmware on the device • Exploiting known security flaws • EX: DroidDream

  13. Design • Virtualize • Isolated • Assume the device’s DMA feature can be restricted to safe memory locations. • IO-MMU

  14. Design • Micro Kernel as Secure Foundation • Modern third-generation micro kernels implement object-capabilities • POLA (principle of least authority)

  15. Design • Virtualized Android • Smartphone CPUs are not natively virtualizable. • The overhead of running a monolithic OS on top of a micro kernel is between 5 and 10 percent. • Android is forced to reach the baseband only through the virtual modem by not giving it access to the baseband’s IO memory. • Safe-to-root • A commercial version requires a bootloader that is capable of restricting updates to the Android partition.

  16. Design • Virtual Modem • Baseband driver • Virtual serial interface • AT command filter • Virtual network interface • IP filter • NAT

  17. Implementation • Intel x86-based smartphone • Moorestown platform (SOC) • Atom core • ST-Ericsson U300 – baseband • Fiasco.OC micro kernel • An L4 micro kernel

  18. Implementation • L4Android • Based on L4Linux • L4Android kernel ABI is compatible with Android

  19. Implementation • System Setup (diagram: L4Android, L4Linux)

  20. Implementation • L4Linux • Booting and initializing the baseband • Running baseband driver

  21. Implementation • Modifications to Android RIL • libreference-ril.so • libsect-ril.so • They built their own abstraction library

  22. The AT Command Filter • AT Command and Man-machine Interface (MMI) • Example: the Phone app sends the MMI code ##002#, which the RIL turns into the AT command AT+CCFC=0,4

  23. The AT Command Filter
  AT+CMGS=17
  > 0001000c81101521436587000004d4f29c0e
  (Not used on ST-Ericsson baseband)
  AT+CCFC=1,1,"4915112345678",129,0
  AT+CFUN=4

  24. The AT Command Filter • PDP Context Setup on the STE Baseband
  AT+CGDCONT=1,"ip","internet.t-mobile","",0,0
  OK
  AT*EPPSD=1,1,1
  <?xml version="1.0"?>
  <connection_parameters>
    <ip_address>10.165.132.86</ip_address>
    <subnet_mask>255.255.255.255</subnet_mask>
    <mtu>1500</mtu>
    <dns_server>193.189.244.255</dns_server>
    <dns_server>193.189.244.206</dns_server>
  </connection_parameters>
  OK
  *EPSB

  25. The AT Command Filter • Special Problem • Special case APN • APN for MMS • Command side effects • If the baseband is switched between 2G and 3G, the PDP context is disconnected and reconnected

  26. The AT Command Filter • Filtering AT Commands • AT_CCFC_interval = 60 (seconds) • AT_CCFC_threshold = 5 (# commands)

  27. The AT Command Filter • SMS Filter • Short code detector • Short code (4-6 digits): Premium rate numbers • Block all SMS to short codes • Future work: secure GUI for legit SMS to short codes • Binary Message Payload Detector • Non-printable characters • Base64 encoding

  28. The AT Command Filter • Blocking Commands • To not confuse the application logic in the RIL, our filter would inject the error message into the stream that carries the responses from the baseband to the RIL • Some commands are never blocked • Switch to flight mode (AT+CFUN=4) • PDP context deactivation (AT*EPPSD) • Emergency calls (ATD 911;)

  29. The AT Command Filter • Profiling Benign AT Command Usage • Count the number of commands used

  30. Evaluation • Setting • nanoBTS - openBSC • Faraday Cage

  31. Evaluation • Limiting the Call-forwarding Attack [ref] • 2,500 TPS (transactions per second) for a low-traffic network • 30,000 TPS for a high-traffic network • AT+CCFC takes 4.7 seconds → 12 commands per minute • 4.7 seconds * 2,500 TPS = 11,750 hosts • Threshold = 5 commands per minute

  32. Evaluation

  33. Evaluation • Limiting PDP Context Changes • Switch the baseband mode between GSM-only, 3G-only, and GSM+3G • The threshold for PDP context changes, pt • The threshold for AT*EPPSD commands, et • The threshold for AT+CFUN commands, ct • pt = et + ct • Without any limit, 30 changes per minute is the maximum possible

  34. Evaluation

  35. Evaluation • SMS Trojan • FakePlayer-A premium SMS Trojan • Number 3353
  AT+CMGS=15
  00010004813335999996b71cce56bb01
  number: 3353
  short number >3353< detected, could be premium
  filterd: filter returned:0
  filterd: blocking 00010004813335999996b71cce56bb01
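The SMS filter of slide 27 has to look inside the PDU that follows AT+CMGS: the destination number is stored as swapped BCD nibbles after the address length and type-of-address octets, and the data coding scheme decides whether the user data is packed 7-bit text or 8-bit binary. The Python below is an added example for this transcript, not the project's code, and runs the two PDUs printed on slides 23 and 35 (transcribed as they appear) plus one constructed 8-bit PDU through a short-code check and a binary/base64 payload check. The base64 heuristic thresholds and the absence of UDH handling are my own assumptions.

```python
import base64
import re
from dataclasses import dataclass

# GSM 03.38 default 7-bit alphabet (basic table) and the escape extension table.
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3E: "]", 0x40: "|", 0x65: "€"}


@dataclass
class SmsSubmit:
    destination: str
    toa: int
    pid: int
    dcs: int
    udl: int
    user_data: bytes


def _swap_nibbles(h: str) -> str:
    return "".join(h[i + 1] + h[i] for i in range(0, len(h), 2))


def parse_sms_submit(pdu_hex: str) -> SmsSubmit:
    """Parse the SMS-SUBMIT PDU handed to AT+CMGS (3GPP TS 23.040 layout, no UDH)."""
    b = bytes.fromhex(pdu_hex)
    pos = 1 + b[0]                              # SMSC address length (00 = use stored SMSC)
    first = b[pos]; pos += 1
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    pos += 1                                    # TP-MR
    da_len, toa = b[pos], b[pos + 1]; pos += 2  # digits count, type of address
    da_octets = (da_len + 1) // 2
    digits = _swap_nibbles(b[pos:pos + da_octets].hex())[:da_len]
    pos += da_octets
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    vpf = (first >> 3) & 0x03                   # TP-VPF: 0 none, 2 relative (1 octet), 1/3 (7 octets)
    pos += {0: 0, 1: 7, 2: 1, 3: 7}[vpf]
    udl = b[pos]; pos += 1
    dest = "+" + digits if (toa & 0x70) == 0x10 else digits   # TON 001 = international
    return SmsSubmit(dest, toa, pid, dcs, udl, b[pos:])


def unpack_gsm7(data: bytes, septets: int) -> str:
    septets = min(septets, len(data) * 8 // 7)  # never read past the available octets
    bits = int.from_bytes(data, "little")
    codes = [(bits >> (7 * i)) & 0x7F for i in range(septets)]
    out, i = [], 0
    while i < len(codes):
        if codes[i] == 0x1B and i + 1 < len(codes):
            out.append(GSM7_EXT.get(codes[i + 1], "\ufffd")); i += 2
        else:
            out.append(GSM7_ALPHABET[codes[i]]); i += 1
    return "".join(out)


def is_8bit_data(dcs: int) -> bool:
    if dcs & 0x80 == 0:                         # general data coding groups
        return (dcs & 0x0C) == 0x04
    if dcs & 0xF0 == 0xF0:                      # data coding / message class group
        return bool(dcs & 0x04)
    return False


def is_gsm7(dcs: int) -> bool:
    return ((dcs & 0x80) == 0 and (dcs & 0x0C) == 0) or ((dcs & 0xF0) == 0xF0 and not dcs & 0x04)


def is_short_code(number: str) -> bool:
    return number.isdigit() and 4 <= len(number) <= 6   # slide 27: 4-6 digits


def looks_base64(text: str) -> bool:
    if len(text) < 16 or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:
        return False


def classify_text(text: str) -> str:
    if any(not c.isprintable() and c not in "\r\n" for c in text):
        return "binary"
    return "base64" if looks_base64(text) else "text"


def classify_user_data(msg: SmsSubmit) -> str:
    if is_8bit_data(msg.dcs):
        printable = all(0x20 <= x <= 0x7E or x in (0x0A, 0x0D) for x in msg.user_data)
        return "text" if printable else "binary"
    if is_gsm7(msg.dcs):
        return classify_text(unpack_gsm7(msg.user_data, msg.udl))
    return "unknown-alphabet"                   # UCS2 / reserved values: not judged here


def filter_cmgs(pdu_hex: str) -> dict:
    """Decision for one outgoing SMS: block on short codes or non-text payloads."""
    msg = parse_sms_submit(pdu_hex)
    kind = classify_user_data(msg)
    reasons = []
    if is_short_code(msg.destination):
        reasons.append(f"short number >{msg.destination}< detected, could be premium")
    if kind in ("binary", "base64"):
        reasons.append(f"{kind} payload, possible C&C traffic")
    return {"destination": msg.destination, "payload": kind, "block": bool(reasons), "reasons": reasons}


PDU_SLIDE23 = "0001000c81101521436587000004d4f29c0e"    # as printed on slide 23
PDU_SLIDE35 = "00010004813335999996b71cce56bb01"        # as printed on slide 35
PDU_8BIT_CONSTRUCTED = "000100048133350004040102ff00"   # constructed: DCS 0x04, 4 data octets
```

Text that decodes cleanly from the default alphabet only tells you it is text, not that it is benign, which is why slide 36 treats blocking text-based C&C as a separate, harder problem; the base64 check is the one cheap signal this example adds on top of the printable-character rule.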

  36. Evaluation • SMS Controlled Botnets • Binary Payload Detector • Blocking text messages will be complicated, since they would need to be analyzed thoroughly before one is able to safely block them

  37. Conclusions • Virtual modem • Future work • VPN Gateway • Advanced IDS/IPS • Policy Update Infrastructure • Secure GUI • Hardware Virtualization
