Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones. Colin Mulliner, Steffen Liebergeld, Matthias Lange, and Jean-Pierre Seifert, Technische Universität Berlin and Deutsche Telekom Laboratories.


Slide 1: Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones
Colin Mulliner, Steffen Liebergeld, Matthias Lange, and Jean-Pierre Seifert
Technische Universität Berlin and Deutsche Telekom Laboratories

Slide 2: Outline
- Introduction
- Background
- Threats
- Design
- Implementation
- The AT Command Filter
- Conclusions

Slide 3: Introduction
- Mobile botnets hijack mobile phones to produce signaling traffic sent from the phones to the cellular network core (DDoS).
- Rooted smartphones disable protection mechanisms.
- Applications may launch intentionally malicious activity or accidentally harmful operations.

Slide 4: Introduction
- Protect the cellular network infrastructure from malicious smartphones
- Virtual modem
- Device-side protection system
- Android-based
- AT-command filter
- The OS is separated from the baseband
- Safe-to-root virtualized Android

Slide 5: Background
- Cellular Network Architecture (figure)

Slide 6: Background
- Cellular signaling
- Signaling traffic: MSC and HLR; voice calls, SMS, and updating account settings
- Packet data: SGSN, GGSN, and HLR; Packet Data Protocol (PDP)
- The ME establishes a PDP context by sending a GPRS-attach message to the SGSN.

Slide 7: Background
- Smartphone Architecture (figure: baseband processor and application processor)

Slide 8: Threats
- Hijacked Phones and Mobile Botnets
- PDP Context Change
- Premium Rate SMS Trojans
- Rooted Phones

Slide 9: Threats: Hijacked Phones and Mobile Botnets
- The ikee.B iPhone botnet infected about 22,000 devices and used an HTTP-based C&C channel.
- Traynor et al. issue the AT command that configures and enables call-forwarding settings in order to cause a high load on the HLR.
- Mobile botnets use SMS messages for C&C.

Slide 10: Threats: PDP Context Change
- PDP context activation and de-activation leads to high network load on the GGSN and SGSN.
- On Android, it is possible to force a PDP context change every 2 seconds, i.e. 43,200 PDP activations per day.
- Pre-paid SIM cards may cause DoS attacks.

Slide 11: Threats: Premium Rate SMS Trojans
- FakePlayer-A
- The same problem applies to voice calls to premium numbers
- android.permission.SEND_SMS

Slide 12: Threats: Rooted Phones
- Simply install a modified firmware on the device
- Exploit known security flaws (e.g. DroidDream)

Slide 13: Design
- Virtualized and isolated
- Assumes the device's DMA feature can be restricted to safe memory locations (IO-MMU).

Slide 14: Design: Micro Kernel as Secure Foundation
- Modern third-generation micro kernels implement object capabilities.
- POLA (principle of least authority)

Slide 15: Design: Virtualized Android
- Smartphone CPUs are not natively virtualizable.
- The overhead of running a monolithic OS on top of a micro kernel is between 5 and 10 percent.
- Android is forced to go through the virtual modem to reach the baseband by not giving it access to the baseband's IO memory.
- Safe-to-root
- A commercial version requires a bootloader that is capable of restricting updates to the Android partition.

Slide 16: Design: Virtual Modem
- Baseband driver
- Virtual serial interface: AT command filter
- Virtual network interface: IP filter, NAT

Slide 17: Implementation
- Intel x86-based smartphone: Moorestown platform (SoC), Atom core
- ST-Ericsson U300 baseband
- Fiasco.OC micro kernel (an L4 micro kernel)

Slide 18: Implementation: L4Android
- Based on L4Linux
- The L4Android kernel ABI is compatible with Android

Slide 19: Implementation: System Setup (figure: L4Android and L4Linux)

Slide 20: Implementation: L4Linux
- Booting and initializing the baseband
- Running the baseband driver

Slide 21: Implementation: Modifications to the Android RIL
- libreference-ril.so
- libsect-ril.so
- They built their own abstraction library.

Slide 22: The AT Command Filter: AT Command and Man-machine Interface (MMI)
- Figure: the user enters the MMI code ##002# in the phone app; the app issues the corresponding AT command, AT+CCFC=0,4, which is what the filter sees on its way to the baseband.

Slide 23: The AT Command Filter: commands of interest

Command        Purpose
AT+CGDCONT     Configure a PDP context
AT+CGACT       Activate a configured PDP context
AT*EPPSD       PDP context control for the ST-Ericsson baseband
AT+CMGS        Send an SMS message
ATD+<number>;  Initiate a voice call to the given number
AT+CCFC        Configure, activate, and de-activate call-forwarding settings
AT+CFUN        Configure the baseband state

Slide 24: The AT Command Filter: PDP Context Setup on the STE Baseband (figure)

Slide 25: The AT Command Filter: Special Problems
- Special-case APN: the APN for MMS
- Command side effects: if the baseband is switched between 2G and 3G, the PDP context is disconnected and reconnected

Slide 26: The AT Command Filter: Filtering AT Commands
- AT_CCFC_interval = 60 (seconds)
- AT_CCFC_threshold = 5 (number of commands)

Slide 27: The AT Command Filter: SMS Filter
- Short code detector
  - Short codes (4-6 digits) are premium rate numbers
  - Block all SMS to short codes
  - Future work: secure GUI for legitimate SMS to short codes
- Binary message payload detector
  - Non-printable characters
  - Base64 encoding

Slide 28: The AT Command Filter: Blocking Commands
- So as not to confuse the application logic in the RIL, the filter injects an error message into the stream that carries the responses from the baseband to the RIL.
- Some commands are never blocked:
  - Switch to flight mode (AT+CFUN=4)
  - PDP context deactivation (AT*EPPSD)
  - Emergency calls (ATD 911;)

Slide 29: The AT Command Filter: Profiling Benign AT Command Usage
- Count the number of commands used:

Command     #   When   Why
AT+CFUN     2   Boot   Flight mode. Normal mode.
AT+CFUN     1   Use    Switch to GSM-only.
AT+CGDCONT  1   Boot   Set PDP configuration.
AT*EPPSD    1   Boot   Activate PDP context.
AT+CMGS     1   Use    Send an SMS message.
ATD         1   Use    Issue a voice call.
AT+CCFC     3   Use    Query forwarding settings.
AT+CCFC     2   Use    Set call forwarding.

Slide 30: Evaluation: Setting
- nanoBTS with OpenBSC
- Faraday cage

Slide 31: Evaluation: Limiting the Call-forwarding Attack [ref]
- 2,500 TPS (transactions per second) for a low-traffic network; 30,000 TPS for a high-traffic network
- AT+CCFC takes 4.7 seconds, i.e. at most 12 commands per minute per phone
- 4.7 seconds * 2,500 TPS = 11,750 hosts
- Threshold = 5 commands / minute

Slide 32: Evaluation (figure)

Slide 33: Evaluation: Limiting PDP Context Changes
- Switch the baseband mode between GSM-only, 3G-only, and GSM+3G
- The threshold for PDP context changes, p_t
- The threshold for AT*EPPSD commands, e_t
- The threshold for AT+CFUN commands, c_t
- p_t = e_t + c_t
- Without any limit, 30 changes per minute is the maximum possible
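The filter behaviour described on slides 26 to 28 (AT+CCFC rate limit of 5 commands per 60 seconds, short-code and binary-payload SMS checks, never-blocked commands, and an injected ERROR so the RIL sees a normal modem response) and the shared PDP-change budget p_t = e_t + c_t of slide 33 are shown together in the following added example. It is not code from the paper or its prototype; the 10-per-minute PDP budget, the assumption that AT*EPPSD=0 deactivates the context, the emergency-number list, the text-mode SMS flow (header line, then body terminated by Ctrl-Z) and the faked ">" prompt are all assumptions, and the traffic in simulate() is constructed.

```python
import base64
import re
from collections import defaultdict, deque

# Rate limits per command class: class -> (window in seconds, threshold).
# AT+CCFC uses the slide's values (60 s, 5 commands); the shared PDP-change
# budget p_t = e_t + c_t is an assumed 10 changes per minute.
POLICY = {"AT+CCFC": (60.0, 5), "PDP_CHANGE": (60.0, 10)}
# Both count as PDP changes: AT*EPPSD activates the context on the STE baseband,
# and AT+CFUN mode switches (GSM-only / 3G-only / GSM+3G) reconnect it as a side effect.
PDP_CHANGE_COMMANDS = {"AT*EPPSD", "AT+CFUN"}
EMERGENCY_NUMBERS = {"911", "112"}   # assumed; a real filter uses the baseband's emergency list
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def command_name(line):
    """'AT+CCFC=0,4' -> 'AT+CCFC', 'ATD 911;' -> 'ATD', 'AT*EPPSD=1' -> 'AT*EPPSD'."""
    m = re.match(r"^(AT[+*]?[A-Z]+)", line.strip().upper())
    return m.group(1) if m else line.strip().upper()


def never_blocked(line):
    """Commands that must always reach the baseband (slide 28)."""
    name = command_name(line)
    args = line.strip().upper()[len(name):]
    if name == "AT+CFUN" and args == "=4":             # switch to flight mode
        return True
    if name == "AT*EPPSD" and args.startswith("=0"):    # assumed: '=0' deactivates the PDP context
        return True
    if name == "ATD" and args.rstrip(";").strip() in EMERGENCY_NUMBERS:
        return True
    return False


def sms_verdict(destination, body):
    """Return None if a text-mode SMS may be sent, else why it is blocked (slide 27)."""
    if re.fullmatch(r"\d{4,6}", destination):           # 4-6 digit short code
        return "short code destination"
    text = body.rstrip("\x1a")                          # Ctrl-Z ends a text-mode body
    if any((ord(c) < 0x20 and c not in "\r\n\t") or ord(c) == 0x7F for c in text):
        return "non-printable payload"
    if BASE64_RE.match(text):
        try:
            base64.b64decode(text, validate=True)
            return "base64 payload"
        except ValueError:
            pass                                        # looked like base64 but is not
    return None


class ATFilter:
    """Sits on the virtual serial line between the RIL and the baseband driver."""
    ERROR = "\r\nERROR\r\n"     # injected toward the RIL so it sees a normal modem error
    PROMPT = "\r\n> "           # text-mode body prompt, faked while the AT+CMGS header is held

    def __init__(self, clock):
        self.clock = clock                              # callable returning seconds
        self.history = defaultdict(deque)               # class -> timestamps of forwarded commands
        self.pending_sms = None                         # (AT+CMGS header, destination) awaiting a body

    def _over_limit(self, cls):
        window, threshold = POLICY[cls]
        now, q = self.clock(), self.history[cls]
        while q and now - q[0] >= window:               # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            return True
        q.append(now)
        return False

    def feed(self, line):
        """Return (lines to forward to the baseband, response to inject toward the RIL)."""
        if self.pending_sms is not None:                # this line is the SMS body
            header, dest = self.pending_sms
            self.pending_sms = None
            if sms_verdict(dest, line) is not None:
                return [], self.ERROR
            return [header, line], None
        if never_blocked(line):
            return [line], None
        name = command_name(line)
        cls = "PDP_CHANGE" if name in PDP_CHANGE_COMMANDS else name
        if cls in POLICY and self._over_limit(cls):
            return [], self.ERROR
        if name == "AT+CMGS":                           # hold the header until the body is checked
            m = re.search(r'"([^"]*)"', line)
            self.pending_sms = (line, m.group(1) if m else "")
            return [], self.PROMPT
        return [line], None


def simulate():
    """Constructed traffic against the filter; returns what was forwarded (True) or not."""
    now = [0.0]
    flt = ATFilter(lambda: now[0])

    def sent(line):
        return flt.feed(line)[0] != []

    out = {"ccfc": []}
    for i in range(7):                                  # 7 forwarding changes within 30 s
        now[0] = i * 5.0
        out["ccfc"].append(sent("AT+CCFC=0,4"))         # 5 forwarded, then 2 blocked
    now[0] = 65.0                                       # two timestamps have aged out
    out["ccfc_later"] = sent("AT+CCFC=0,4")
    now[0] = 200.0
    out["pdp"] = [sent("AT*EPPSD=1") for _ in range(6)] + [sent("AT+CFUN=1") for _ in range(5)]
    out["flight_mode"] = sent("AT+CFUN=4")              # allowed even with the budget exhausted
    out["emergency"] = sent("ATD 911;")
    out["premium_sms"] = (sent('AT+CMGS="3353"'), sent("Text\x1a"))
    out["benign_sms"] = (sent('AT+CMGS="+491511234567"'), sent("Hi\x1a"))   # constructed number
    payload = base64.b64encode(bytes(range(32))).decode()
    out["binary_sms"] = (sent('AT+CMGS="+491511234567"'), sent(payload + "\x1a"))
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Blocked commands are dropped and answered with ERROR rather than silently swallowed, which is the point slide 28 makes: the RIL state machine keeps working because it receives exactly the response a real baseband would give. The PDP budget charges AT+CFUN mode switches and AT*EPPSD activations to one counter because, as slide 25 notes, a 2G/3G switch reconnects the PDP context as a side effect.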

Slide 34: Evaluation (figure)

Slide 35: Evaluation: SMS Trojan
- FakePlayer-A premium SMS Trojan
- Number 3353

Slide 36: Evaluation: SMS Controlled Botnets
- Binary payload detector
- Blocking text messages will be complicated, since they would need to be analyzed thoroughly before one is able to safely block them.

Slide 37: Conclusions
- Virtual modem
- Future work:
  - VPN gateway
  - Advanced IDS/IPS
  - Policy update infrastructure
  - Secure GUI
  - Hardware virtualization

