Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones
Taming Mr Hayes: Mitigating Signaling
Based Attacks on Smartphones
Colin Mulliner, Steffen Liebergeld, Matthias Lange, and Jean-Pierre
Seifert
Technische Universität Berlin and Deutsche Telekom Laboratories
Outline
Introduction
Background
Threats
Design
Implementation
The AT Command Filter
Conclusions
Introduction
Mobile botnets hijack mobile phones to produce signaling
traffic sent from the phones to the cellular network
core (DDoS).
Rooted smartphones disable protection mechanisms.
Applications may launch intentionally malicious activity
as well as accidentally harmful operations.
Introduction
Protect the cellular network infrastructure from malicious
smartphones
Virtual modem
Device-side protection system
Android-based
AT-command filter
The OS is separated from the baseband
Safe-to-root virtualized Android
Background
Cellular Network Architecture
Background
Cellular Signaling
Signaling traffic: MSC and HLR
Voice calls, SMS, and updating account settings
Packet data: SGSN, GGSN, and HLR
Packet Data Protocol (PDP)
The ME (mobile equipment) establishes a PDP context by sending a
GPRS-attach message to the SGSN.
Background
Smartphone Architecture
Baseband
Processor
Application
Processor
Threats
Hijacked Phones and Mobile Botnets
PDP Context Change
Premium Rate SMS Trojans
Rooted Phones
Threats
Hijacked Phones and Mobile Botnets
ikee.B iPhone botnet infects about 22,000 devices
HTTP-based C&C channel
Traynor et al. issue the AT command that configures and
enables call-forwarding settings in order to cause a high load
on the HLR.
Mobile botnets use SMS messages for C&C.
Threats
PDP context activation and de-activation leads to high
network load on the GGSN and SGSN.
On Android, it is possible to force a PDP context change
every 2 seconds, i.e. 43,200 PDP activations per day.
Pre-paid SIM cards may be used to cause DoS attacks.
Threats
Premium Rate SMS Trojans
FakePlayer-A
The same problem applies to voice calls to premium
numbers
android.permission.SEND_SMS
Threats
Rooted Phones
Simply install a modified firmware on the device
Exploiting known security flaws
EX: DroidDream
Design
Virtualize
Isolated
Assume the device's DMA feature can be restricted to safe
memory locations (IO-MMU).
Design
Micro Kernel as Secure Foundation
Modern third-generation micro kernels implement object capabilities
POLA (principle of least authority)
Design
Virtualized Android
Smartphone CPUs are not natively virtualizable.
The overhead of running a monolithic OS on top of a micro
kernel is between 5 and 10 percent.
Android is forced to reach the baseband only through the virtual
modem, because it is not given access to the baseband's IO memory.
Safe-to-root
A commercial version requires a bootloader that is capable
of restricting updates to the Android partition.
Design
Virtual Modem
Baseband driver
Virtual serial interface
AT command filter
Virtual network interface
IP filter
NAT
Implementation
Intel x86-based smartphone
Moorestown platform (SOC)
Atom core
ST-Ericsson U300 – baseband
Fiasco.OC micro kernel
A L4 micro kernel
Implementation
L4Android
Based on L4Linux
L4Android kernel ABI is compatible with Android
Implementation
System Setup
L4Android
L4Linux
Implementation
L4Linux
Booting and initializing the baseband
Running baseband driver
Implementation
Modifications to Android RIL
libreference-ril.so
libsect-ril.so
They built their own abstraction library
The AT Command Filter
AT Command and Man-machine Interface (MMI)
MMI
##002#
Phone app
AT Command
AT+CCFC=0,4
The AT Command Filter
AT+CGDCONT
Configure a PDP context
AT+CGACT
Activate a configured PDP context
AT*EPPSD
PDP context control for our ST-Ericsson baseband
AT+CMGS
Send an SMS message
ATD+<number>;
Initiates a voice call to given number
AT+CCFC
Configure, activate, and de-activate call-forwarding settings
AT+CFUN
Configuration of the baseband state
The AT Command Filter
PDP Context Setup on the STE Baseband
The AT Command Filter
Special Problem
Special case APN
APN for MMS
Command side effects
If the baseband is switched between 2G and 3G, the
PDP context is disconnected and reconnected
The AT Command Filter
Filtering AT Commands
Rate-limit per command: count commands within a sliding interval and block once the threshold is reached
AT_CCFC_interval = 60 (seconds)
AT_CCFC_threshold = 5 (# commands)
The AT Command Filter
SMS Filter
Short code detector
Short code (4-6 digits): Premium rate numbers
Block all SMS to short codes
Future work: secure GUI for legit SMS to short codes
Binary Message Payload Detector
Non-printable characters
Base64 encoding
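The SMS filter above combines two checks on an outgoing text-mode AT+CMGS command: the destination number and the message body. The following Python is an added example written for this transcript, not code from the paper's virtual modem; the threshold values (minimum base64 length, tolerated share of non-printable characters) and the exact AT+CMGS syntax handled are assumptions of the example.

```python
import base64
import re

# Heuristic parameters. These are assumptions of this example, not values
# taken from the talk.
SHORT_CODE = re.compile(r"^\d{4,6}$")            # 4-6 digit premium-rate short codes
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BASE64_LEN = 16                              # shorter strings are too often plain words
MAX_NONPRINTABLE_RATIO = 0.05                    # share of control bytes that flags a payload
# Text-mode AT+CMGS line, e.g. AT+CMGS="3353" or AT+CMGS=+491701234567,145
CMGS_LINE = re.compile(r'^AT\+CMGS=\s*"?(\+?\d+)"?', re.IGNORECASE)


def parse_cmgs(line):
    """Return the destination number of a text-mode AT+CMGS line, or None."""
    m = CMGS_LINE.match(line.strip())
    return m.group(1) if m else None


def is_short_code(number):
    """Short code detector: 4-6 digit destinations are treated as premium rate."""
    return bool(SHORT_CODE.match(number))


def looks_base64(text):
    """True if the body is a long, well-formed base64 string (likely binary C&C)."""
    body = text.strip()
    if len(body) < MIN_BASE64_LEN or len(body) % 4 or not BASE64_BODY.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def nonprintable_ratio(text):
    """Share of characters that are neither printable nor ordinary whitespace."""
    if not text:
        return 0.0
    bad = sum(1 for ch in text if not ch.isprintable() and ch not in "\r\n\t")
    return bad / len(text)


def looks_binary(payload):
    """Binary message payload detector: control characters or base64 encoding."""
    return nonprintable_ratio(payload) > MAX_NONPRINTABLE_RATIO or looks_base64(payload)


def check_sms(number, payload):
    """Decide whether to forward a text-mode SMS. Returns (verdict, reason)."""
    if is_short_code(number):
        return ("block", "short-code destination")
    if looks_binary(payload):
        return ("block", "binary-looking payload")
    return ("forward", "ok")


def filter_cmgs(command_line, payload):
    """Apply the SMS filter to an AT+CMGS command line and the body that follows it."""
    number = parse_cmgs(command_line)
    if number is None:
        return ("forward", "not a text-mode AT+CMGS")
    return check_sms(number, payload)


# Constructed sample payloads for demonstration (not captured traffic).
SAMPLE_B64_PAYLOAD = base64.b64encode(bytes(range(32))).decode()   # 44 chars of base64
SAMPLE_CTRL_PAYLOAD = "\x01\x02\x03\x04cmd"                          # control bytes
SAMPLE_TEXT_PAYLOAD = "Meet me at eight tonight?"

if __name__ == "__main__":
    for line, body in [('AT+CMGS="3353"', "hello"),
                       ('AT+CMGS="+4917012345678"', SAMPLE_TEXT_PAYLOAD),
                       ('AT+CMGS="+4917012345678"', SAMPLE_B64_PAYLOAD),
                       ('AT+CMGS="+4917012345678"', SAMPLE_CTRL_PAYLOAD),
                       ("AT+CCFC=0,4", "")]:
        print(line, "->", filter_cmgs(line, body))
```

The base64 check is a heuristic: a message made only of letters and digits with no spaces and a length divisible by four will also match, which is why a secure GUI for confirming legitimate messages (listed as future work above) matters more than tightening the regex.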
The AT Command Filter
Blocking Commands
To avoid confusing the application logic in the RIL, the filter
injects an error message into the stream that carries the
responses from the baseband to the RIL
Some commands are never blocked
Switch to flight mode (AT+CFUN=4)
PDP context deactivation (AT*EPPSD)
Emergency calls (ATD 911;)
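The rate-limiting rule (interval and threshold per command) and the blocking behaviour (inject an error into the response stream, never block a short allow-list) described above can be put together as follows. This is an added Python example for this transcript, not the filter from the paper's virtual modem; the policy values for AT+CCFC are the ones quoted above, while the entries for AT*EPPSD and AT+CFUN and the argument used to recognise an AT*EPPSD deactivation are assumptions.

```python
import re
import time
from collections import deque

# Rate-limit policy: command name -> (interval in seconds, threshold in commands).
# The AT+CCFC values (60 s, 5 commands) are the ones quoted in the talk; the
# AT*EPPSD and AT+CFUN entries are assumed placeholders for illustration.
DEFAULT_POLICY = {
    "AT+CCFC": (60, 5),
    "AT*EPPSD": (60, 10),
    "AT+CFUN": (60, 10),
}

# Commands that must never be blocked, as listed in the talk. The "=0"
# argument for an AT*EPPSD deactivation is an assumption of this example.
NEVER_BLOCK = (
    re.compile(r"^AT\+CFUN=4$"),       # switch to flight mode
    re.compile(r"^AT\*EPPSD=0\b"),     # PDP context deactivation (assumed syntax)
    re.compile(r"^ATD\s*911;$"),        # emergency call
)

# Error line injected into the baseband -> RIL response stream for a blocked command,
# so the RIL sees an ordinary failure instead of a missing answer.
INJECTED_ERROR = "\r\nERROR\r\n"

NAME_RE = re.compile(r"^(AT[+*]?[A-Z]+)")


def command_name(line):
    """'AT+CCFC=0,4' -> 'AT+CCFC', 'ATD+491701234;' -> 'ATD'."""
    m = NAME_RE.match(line)
    return m.group(1) if m else line


class ATCommandFilter:
    """Sliding-window rate limiter sitting between the RIL and the baseband."""

    def __init__(self, policy=None, clock=time.monotonic):
        self.policy = dict(DEFAULT_POLICY if policy is None else policy)
        self.clock = clock                       # injectable for replay/testing
        self.history = {name: deque() for name in self.policy}
        self.blocked = []                        # (timestamp, command) audit log

    def handle(self, raw_line):
        """Return ('forward', cmd) to pass the command on, or ('reject', error)."""
        cmd = raw_line.strip().upper()
        now = self.clock()
        if any(p.match(cmd) for p in NEVER_BLOCK):
            return ("forward", cmd)
        name = command_name(cmd)
        rule = self.policy.get(name)
        if rule is None:                         # no policy: pass through unchanged
            return ("forward", cmd)
        interval, threshold = rule
        window = self.history[name]
        while window and now - window[0] >= interval:   # drop entries outside the interval
            window.popleft()
        if len(window) >= threshold:
            self.blocked.append((now, cmd))
            return ("reject", INJECTED_ERROR)
        window.append(now)
        return ("forward", cmd)


def run_scripted(timed_commands, policy=None):
    """Replay (timestamp, command) pairs through a filter driven by a scripted clock."""
    clock_time = [0.0]
    flt = ATCommandFilter(policy, clock=lambda: clock_time[0])
    verdicts = []
    for t, cmd in timed_commands:
        clock_time[0] = float(t)
        verdicts.append(flt.handle(cmd)[0])
    return verdicts


# Constructed command stream: six AT+CCFC within six seconds, two never-blocked
# commands, then another AT+CCFC after the 60 s window has partly slid past.
SAMPLE_STREAM = [(t, "AT+CCFC=0,4") for t in range(6)] + [
    (6, "AT+CFUN=4"),
    (7, "ATD 911;"),
    (61, "AT+CCFC=0,4"),
]

if __name__ == "__main__":
    for (t, cmd), verdict in zip(SAMPLE_STREAM, run_scripted(SAMPLE_STREAM)):
        print(f"t={t:>3}s {cmd:<14} {verdict}")
```

The window is per command name, so a burst of AT+CCFC does not consume the budget of AT*EPPSD, and the injected ERROR mirrors what the baseband itself would return for a rejected command.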
The AT Command Filter
Profiling Benign AT Command Usage
Count the number of commands used

Command      #  When  Why
AT+CFUN      2  Boot  Flight mode. Normal mode.
AT+CFUN      1  Use   Switch to GSM-only.
AT+CGDCONT   1  Boot  Set PDP configuration.
AT*EPPSD     1  Boot  Activate PDP context.
AT+CMGS      1  Use   Send an SMS message.
ATD          1  Use   Issue a voice call.
AT+CCFC      3  Use   Query forwarding settings.
AT+CCFC      2  Use   Set a call-forwarding.
Evaluation
Setting
nanoBTS - openBSC
Faraday Cage
Evaluation
Limiting the Call-forwarding Attack [ref]
2,500 TPS (transactions per second) for a low-traffic network
30,000 TPS for a high-traffic network
AT+CCFC takes 4.7 seconds, i.e. about 12 commands per minute
4.7 seconds * 2,500 TPS = 11,750 hosts
Threshold = 5 commands / minute
Evaluation
Limiting PDP Context Changes
Switch the baseband mode between GSM-only, 3G-only,
and GSM+3G
The threshold for PDP context changes, pt
The threshold for AT*EPPSD commands, et
The threshold for AT+CFUN commands, ct
pt = et + ct
Without any limit, 30 changes per minute is the maximum
possible
Evaluation
SMS Trojan
FakePlayer-A premium SMS Trojan
Number 3353
Evaluation
SMS Controlled Botnets
Binary Payload Detector
Blocking text messages is complicated, since they
would need to be analyzed thoroughly before one is able to
safely block them
Conclusions
Virtual modem
Future work
VPN Gateway
Advanced IDS/IPS
Policy Update Infrastructure
Secure GUI
Hardware Virtualization