Rootkits on Smart Phones: Attacks, Implications and Opportunities
Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
HotMobile 2/23/2010

Rise of the Smart Phone
- 1993: Simon (calendar, address book, touch screen, on-screen "predictive" keyboard)
- Ericsson R380 (Symbian OS)
- Treo 180, BlackBerry 5810 (Blackberry, Windows Pocket PC)
- iPhone
- iPhone 3G/3GS, Android, App Stores
Smart Phone Users
[Chart of smart phone user growth]
Smart Phone Interfaces
A rich set of interfaces is now available: GSM, GPS, Bluetooth, Accelerometer, Microphone, Camera
Smart Phone Apps
Contacts, Location, Banking. Over 140,000 apps today.
Smart Phone Operating Systems

  OS                  Lines of Code
  Linux 2.6 Kernel    10 million
  Android             20 million
  Symbian             20 million

Complexity comparable to desktops.
The Rise of Mobile Malware
- 2004: Cabir spreads via Bluetooth and drains the battery
  [Dialog: "Receive message via Bluetooth?" Yes / No]
- 2006: RedBrowser, the first J2ME malware, sends texts to premium numbers
- Kaspersky Labs report: 106 types of mobile malware, 514 modifications
The Rise of Mobile Malware
"My iPhone is not jailbroken and it is running iPhone OS 3.0"
Contributions
- Introduce rootkits into the space of mobile malware
- Demonstrate with three proof-of-concept rootkits
- Explore the design space for detection
Rootkits
[Diagram]
User Space: App, Libraries, Virus, Anti Virus
Kernel Space: Kernel Code, System Call Table, Drivers, Process Lists
A virus lives in user space, where the anti virus can see it; a rootkit lives in kernel space, beneath the anti virus.
Proof of Concept Rootkits
Note: We did not exploit vulnerabilities.
1. Conversation Snooping Attack
2. Location Attack
3. Battery Depletion Attack
Platform: Openmoko Freerunner
1. Conversation Snooping Attack
Attacker sends an SMS ("Dial me") to the rootkit-infected phone. The rootkit deletes the SMS, calls the attacker and turns on the mic. The rootkit stops if the user tries to dial.
Variant: a calendar notification triggers the rootkit to call the attacker and turn on the mic.
2. Location Attack
Attacker sends an SMS ("Send Location") to the rootkit-infected phone. The rootkit deletes the SMS, queries the GPS and replies by SMS with the location (N40°28', W074°26').
3. Battery Depletion Attack
The rootkit turns on high powered devices while showing the user the original device status.
Rootkit Detection
[Diagram]
User Space: App, Libraries, Rootkit Detector
Kernel Space: Kernel Code, System Call Table, Drivers, Process Lists, Rootkit
A rootkit detector running in user space above a kernel-level rootkit DOES NOT WORK!
Memory Introspection
Training Phase: the Monitor Machine fetches and copies the kernel's System Call Table from the Target Machine.
Detection Phase: the Monitor fetches the table again and compares it with the copy. Result: System OK.
Detection Phase (infected): the comparison fails because a table entry now points to the rootkit's mal_write(). Result: Rootkit Detected.
Monitoring Approaches
1. Hardware Approach: the Monitor Machine reads the rootkit-infected Target Machine's memory through a NIC with remote DMA support.
Smart Phone Challenge
Problem: Need an interface allowing memory access without OS intervention (FireWire?)
Monitoring Approaches
2. VMM-based Approach: on the host machine, a hypervisor runs the target OS alongside a Dom0 OS that hosts the Detector.
Smart Phone Challenge
Problem: CPU-intensive detection algorithms exhaust the phone battery.
Solution: Offload detection work to the service provider. The phone sends pages, the provider does the CPU-intensive work and returns a response.
Optimizations for Energy-Efficiency
Problem: Too many memory pages may have to be transferred.
Solution: Use the page table to track which pages were written, and only fetch and scan pages that have been recently modified.
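The two detection slides (training phase: fetch and copy the system call table; detection phase: fetch and compare) and the energy optimization (only transfer pages whose page-table bits show a recent write) fit together in one small simulation. The following is an added example written for this page, not code from the paper or from the authors' Openmoko prototype. The page size, the memory layout, the handler addresses, the slot used for the write syscall and the mal_write() address are all constructed; the "dirty bit" here is a per-page flag kept alongside the simulated memory.

```python
"""Memory introspection for rootkit detection, with dirty-page fetching.

Added example, not the paper's code. A monitor copies the protected kernel
pages in a training phase, then in detection re-fetches only pages written
since the last scan and compares them against the copy. Page size, layout,
addresses and the mal_write() address are constructed for the example.
"""
from dataclasses import dataclass, field

PAGE_SIZE = 64    # constructed: small pages keep the example readable
ENTRY_SIZE = 8    # constructed: one 64-bit handler pointer per syscall slot
SYS_WRITE = 4     # constructed slot index for the write syscall


@dataclass
class TargetMachine:
    """Simulated phone: kernel memory pages plus per-page dirty bits."""
    pages: list
    dirty: list = field(init=False)

    def __post_init__(self):
        self.dirty = [False] * len(self.pages)

    def write(self, addr, data):
        """Any write, legitimate or not, marks the touched pages dirty."""
        for i, byte in enumerate(data):
            page, off = divmod(addr + i, PAGE_SIZE)
            self.pages[page][off] = byte
            self.dirty[page] = True

    def fetch(self, page):
        """Monitor-side read; stands in for DMA or hypervisor access."""
        return bytes(self.pages[page])


class Monitor:
    """Monitor machine holding a trusted copy of the protected pages."""

    def __init__(self, target, protected_pages):
        self.target = target
        self.protected = list(protected_pages)
        self.baseline = {}
        self.pages_fetched = 0   # transfer cost the optimization reduces

    def _fetch(self, page):
        self.pages_fetched += 1
        self.target.dirty[page] = False   # clean until written again
        return self.target.fetch(page)

    def train(self):
        """Training phase: fetch and copy every protected page."""
        for page in self.protected:
            self.baseline[page] = self._fetch(page)

    def detect(self, only_dirty=True):
        """Detection phase: protected pages that differ from the copy.

        With only_dirty=True, pages not written since the last scan are
        skipped without transfer. An empty list means 'System OK'.
        """
        modified = []
        for page in self.protected:
            if only_dirty and not self.target.dirty[page]:
                continue
            if self._fetch(page) != self.baseline[page]:
                modified.append(page)
        return modified

    def changed_syscall_entries(self, table_page=0):
        """(slot, trusted_ptr, current_ptr) for every changed table slot."""
        trusted = self.baseline[table_page]
        current = self.target.fetch(table_page)
        changes = []
        for slot in range(PAGE_SIZE // ENTRY_SIZE):
            lo, hi = slot * ENTRY_SIZE, (slot + 1) * ENTRY_SIZE
            old = int.from_bytes(trusted[lo:hi], "little")
            new = int.from_bytes(current[lo:hi], "little")
            if old != new:
                changes.append((slot, old, new))
        return changes


def build_target():
    """Constructed image: page 0 = system call table, pages 1-3 = other
    protected kernel code, pages 4-7 = untracked volatile data."""
    target = TargetMachine([bytearray(PAGE_SIZE) for _ in range(8)])
    handlers = b"".join((0xC0001000 + 0x100 * slot).to_bytes(ENTRY_SIZE, "little")
                        for slot in range(PAGE_SIZE // ENTRY_SIZE))
    target.write(0, handlers)
    return target


def run_scenario():
    """Train, scan a clean system, then scan after a constructed hook."""
    target = build_target()
    monitor = Monitor(target, protected_pages=[0, 1, 2, 3])
    monitor.train()
    result = {"clean": monitor.detect(),
              "fetched_after_clean": monitor.pages_fetched}
    # Legitimate activity dirties a data page the monitor does not protect.
    target.write(5 * PAGE_SIZE, b"log entry")
    # Constructed hook: the write slot is redirected to mal_write().
    mal_write_addr = 0xDEAD0000
    target.write(SYS_WRITE * ENTRY_SIZE, mal_write_addr.to_bytes(ENTRY_SIZE, "little"))
    result["infected"] = monitor.detect()
    result["fetched_total"] = monitor.pages_fetched
    result["changes"] = monitor.changed_syscall_entries()
    return result
```

Running run_scenario() shows the saving the slides aim for: the clean scan transfers no pages at all, and the infected scan transfers only the one dirty protected page, which is then attributed to a single changed slot. One caveat follows directly from the earlier "without OS intervention" slide: in this simulation the dirty bits live on the target, so a real deployment has to read them from hardware- or hypervisor-managed page tables rather than trust the kernel being checked to report its own writes.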
Related Work (1/2)
Rootkit Detection
- Enforcement of Kernel Data Structure Invariants [Baliga et al., ACSAC 2008]
- Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]
Mobile Security and Detection
- Semantically Rich Application-Centric Security in Android [Ongtang et al., ACSAC 2009]
- Detecting Energy-Greedy Anomalies [Kim et al., MobiSys 2008]

Related Work (2/2)
Mobile Malware
- Cellular Botnets: Impact on Network Core [Traynor et al., CCS 2009]
- Exploiting MMS Vulnerabilities to Exhaust Battery [Racic et al., SecureComm 2006]
- Exploiting SMS-Capable Cellular Network [Enck et al., CCS 2005]
Conclusion and Future Work
Conclusions: Rootkits are now a threat to smart phones.
Future Work: Energy-efficient rootkit detection techniques; develop a rootkit detector for smart phones.
Thank You!