Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones Colin Mulliner, Steffen Liebergeld, Matthias Lannge, and Jean-Pierre Seifert Technische Universitat Berlin and Deutsche Telekom Laboratories
Outline Introduction Background Threats Design Implementation The AT Command Filter Conclusions
Introduction Mobile botnets hijack mobile phone to produce signaling traffic sent from mobile phones to the cellular network core. – DDoS Rooted smartphones disable protection mechanisms. Applications may launch intentional malicious activity and accidental harmful operations.
Introduction Protect the cellular network infrastructure from malicious smartphones Virtual modem Device-side protection system Android-based AT-command filter The OS is separated from the baseband Safe-to-root virtualized Android
Background Cellular Network Architecture
Background Cellular Signaling Signaling traffic MSC and HLR Voice call, SMS, and updating account settings Packet-data SGSN, GGSN, and HLR Packet Data Protocol (PDP) ME establishes a PDP context by sending a GPRS-attach message to SGSN.
Background Smartphone Architecture Baseband Processor Application Processor
Threats Hijacked Phones and Mobile Botnets PDP Context Change Premium Rate SMS Trojans Rooted Phones
Threats Hijacked Phones and Mobile Botnets ikee.B iPhone botnet infects about 22,000 devices HTTP-based C&C channel Traynor et al. issue the AT command to configure and enable call-forwarding settings in order to cause a high load on the HLR. Mobile botnets use SMS messages for C&C.
Threats PDP context activation and de-activation leads to high network load on the GGSN and SGSN. On Android, it’s possible to force an PDP context change every 2 seconds. 43,200 PDP activation per day. Pre-paid SIM cards may cause DoS attacks.
Threats Premium Rate SMS Trojans FakePlayer-A The same problem applies to voice calls to premium numbers android.permission.SEND_SMS
Threats Rooted Phones Simply install a modified firmware on the device Exploiting known security flaws EX: DroidDream
Design Virtualize Isolated Assume the device’s DMA feature can be restricted to safe memory locations. IO-MMU
Design Micro Kernel as Secure Foundation Modern third-generation micro kernels implement object- capabilitiesobject- capabilities POLA (principle of least authority)
Design Virtualized Android Smartphone CPUs are not natively virtualizable. The overhead of running a monolithic OS on top of a micro kernel is between 5 and 10 percent. Enforce Android to access the baseband by not giving it access to the baseband’s IO memory. Safe-to-root A commercial version requires a bootloader that is capable of restricting updates to the Android partition.
Design Virtual Modem Baseband driver Virtual serial interface AT command filter Virtual network interface IP filter NAT
Implementation Intel x86-based smartphone Moorestown platform (SOC) Atom core ST-Ericsson U300 – baseband Fiasco.OC micro kernel A L4 micro kernel
Implementation L4Android Based on L4Linux L4Android kernel ABI is compatible with Android
Implementation System Setup L4AndroidL4Linux
Implementation L4Linux Booting and initializing the baseband Running baseband driver
Implementation Modifications to Android RIL libreference-ril.so libsect-ril.so They built their own abstraction library
The AT Command Filter AT Command and Man-machine Interface (MMI) ##002# MMI Phone app AT Command AT+CCFC=0,4 AT Command AT+CCFC=0,4
The AT Command Filter AT+CGDCONT Configure a PDP context AT+CGACT Activated a configured PDP AT*EPPSD PDP context control for our ST-Ericsson baseband AT+CMGS Send an SMS message ATD+ ; Initiates a voice call to given number AT+CCFC Configure, activate, and de-activate call- forwarding settings AT+CFUN Configuration of the baseband state
The AT Command Filter PDP Context Setup on the STE Baseband
The AT Command Filter Special Problem Special case APN APN for MMS Command side effects If the baseband is switched between 2G and 3G, the PDP context is disconnected and reconnected
The AT Command Filter Filtering AT Commands AT_CCFC_interval = 60 (seconds) AT_CCFC_threshold = 5 (# commands)
The AT Command Filter SMS Filter Short code detector Short code (4-6 digits): Premium rate numbers Block all SMS to short codes Future work: secure GUI for legit SMS to short codes Binary Message Payload Detector Non-printable characters Base64 encoding
The AT Command Filter Blocking Commands To not confuse the application logic in the RIL, our filter would inject the error message into the stream that carries the responses from the baseband to the RIL Some commands are never blocked Switch to flight mode (AT+CFUN=4) PDP context deactivation (AT*EPPSD) Emergency calls (ATD 911;)
The AT Command Filter Profiling Benign AT Command Usage Count the number of commands used Command#WhenWhy AT+CFUN2BootFlight mode. Normal mode. AT+CFUN1UseSwitch to GSM-only. AT+CDGMNT1BootSet PDP configuration. AT*EPPSD1BootActivate PDP context. AT+CMGS1UseSend a SMS message. ATD1UseIssue a voice call. AT+CCFC3UseQuery forwarding settings. AT+CCFC2UseSet a call-forwarding.
Evaluation Setting nanoBTS - openBSC Faraday Cage
Evaluation Limiting the Call-forwarding Attack [ref][ref] 2,500 TPS (Transactions per second) for low traffic network 30,000 TPS for high traffic network AT+CCFC takes 4.7 seconds 12 commands per minute 4.7 seconds * 2,500 TPS = 11,750 hosts Threshold = 5 commands / minutes
Evaluation
Limiting PDP Context Changes Switch the baseband mode between GSM-only, 3G-only, and GSM+3G The threshold for PDP context changes, p t The threshold for AT*EPPSD commands, e t The threhold for AT+CFUN commands, c t P t = e t + c t Without any limit, 30 changes per minute is the maximum possible
Evaluation
SMS Trojan FakePlayer-A premium SMS Trojan Number 3353
Evaluation SMS Controlled Botnets Binary Payload Detector Blocking text messages will be complicated since they would need to be analyzed thoroughly before one is able to safety block them
Conclusions Virtual modem Future work VPN Gateway Advanced IDS/IPS Policy Update Infrastructure Secure GUI Hardware Virtualization