
Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones

Collin Mulliner, Steffen Liebergeld, Matthias Lange, and Jean-Pierre Seifert

Technische Universität Berlin and Deutsche Telekom Laboratories

Outline

Introduction

Background

Threats

Design

Implementation

The AT Command Filter

Conclusions

Introduction

Mobile botnets hijack mobile phones to produce signaling traffic sent from the phones to the cellular network core (DDoS).

Rooted smartphones disable protection mechanisms. Applications may launch intentionally malicious activity as well as accidentally harmful operations.

Introduction

Protect the cellular network infrastructure from malicious smartphones

Virtual modem: a device-side protection system

Android-based AT-command filter

The OS is separated from the baseband

Safe-to-root virtualized Android

Background

Cellular Network Architecture

Base Station

Serving GPRS Support Node (SGSN)

Gateway GPRS Support Node (GGSN)

Home Location Register (HLR)

Mobile Switching Center (MSC)

Background

Cellular Signaling

Signaling traffic: MSC and HLR handle voice calls, SMS, and updates to account settings.

Packet data: SGSN, GGSN, and HLR.

Packet Data Protocol (PDP): the ME (mobile equipment) establishes a PDP context by sending a GPRS-attach message to the SGSN.

Background

Smartphone Architecture

Baseband Processor

Application Processor

Threats

Hijacked Phones and Mobile Botnets

PDP Context Change

Premium Rate SMS Trojans

Rooted Phones

Threats

Hijacked Phones and Mobile Botnets

The ikee.B iPhone botnet infected about 22,000 devices; it used an HTTP-based C&C channel.

Traynor et al. issue the AT command that configures and enables call-forwarding settings in order to cause a high load on the HLR.

Mobile botnets use SMS messages for C&C.

Threats

PDP Context Change

PDP context activation and de-activation lead to high network load on the GGSN and SGSN.

On Android, it is possible to force a PDP context change every 2 seconds: 43,200 PDP activations per day.

Pre-paid SIM cards may be used to cause DoS attacks.

Threats

Premium Rate SMS Trojans

FakePlayer-A

The same problem applies to voice calls to premium numbers.

android.permission.SEND_SMS

Threats

Rooted Phones

Simply install a modified firmware on the device, or exploit known security flaws (e.g., DroidDream).

Design

Virtualize

Isolated

Assumes that the device's DMA feature can be restricted to safe memory locations (IO-MMU).

Design

Micro Kernel as Secure Foundation

Modern third-generation micro kernels implement object capabilities and POLA (principle of least authority).

Design

Virtualized Android

Smartphone CPUs are not natively virtualizable.

The overhead of running a monolithic OS on top of a micro kernel is between 5 and 10 percent.

Android is forced to reach the baseband only through the virtual modem, because it is not given access to the baseband's IO memory.

Safe-to-root: a commercial version requires a bootloader that is capable of restricting updates to the Android partition.

Design

Virtual Modem

Baseband driver

Virtual serial interface: AT command filter

Virtual network interface: IP filter, NAT

Implementation

Intel x86-based smartphone: Moorestown platform (SoC), Atom core

ST-Ericsson U300 baseband

Fiasco.OC micro kernel, an L4 micro kernel

Implementation

L4Android, based on L4Linux; the L4Android kernel ABI is compatible with Android.

Implementation

System Setup

L4Android L4Linux

Implementation

L4Linux: booting and initializing the baseband, running the baseband driver.

Implementation

Modifications to the Android RIL: libreference-ril.so, libsect-ril.so

They built their own abstraction library.

The AT Command Filter

AT Command and Man-machine Interface (MMI)

MMI code entered in the Phone app: ##002#

AT command sent to the baseband as a result: AT+CCFC=0,4

The AT Command Filter

AT+CGDCONT: Configure a PDP context

AT+CGACT: Activate a configured PDP context (not used on the ST-Ericsson baseband)

AT*EPPSD: PDP context control for the ST-Ericsson baseband

AT+CMGS: Send an SMS message

ATD+<number>;: Initiate a voice call to the given number

AT+CCFC: Configure, activate, and de-activate call-forwarding settings

AT+CFUN: Configuration of the baseband state

Examples:

AT+CMGS=17
>0001000c81101521436587000004d4f29c0e

AT+CCFC=1,1,"4915112345678",129,0

AT+CFUN=4

The AT Command Filter

PDP Context Setup on the STE Baseband

AT+CGDCONT=1,"ip","internet.t-mobile","",0,0
OK
AT*EPPSD=1,1,1
<?xml version="1.0"?><connection_parameters><ip_address>10.165.132.86</ip_address> <subnet_mask>255.255.255.255</subnet_mask> <mtu>1500</mtu> <dns_server>193.189.244.255</dns_server> <dns_server>193.189.244.206</dns_server></connection_parameters>
OK
*EPSB

The AT Command Filter

Special Problems

Special-case APN: the APN for MMS.

Command side effects: if the baseband is switched between 2G and 3G, the PDP context is disconnected and reconnected.

The AT Command Filter

Filtering AT Commands

AT_CCFC_interval = 60 (seconds)

AT_CCFC_threshold = 5 (number of commands)

The AT Command Filter

SMS Filter

Short code detector: short codes (4-6 digits) are premium-rate numbers. Block all SMS to short codes. Future work: a secure GUI for legitimate SMS to short codes.

Binary message payload detector: non-printable characters, Base64 encoding.
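The two SMS detectors above operate on the PDU that the RIL hands to AT+CMGS in PDU mode. The following is an added example, not code from the paper or its virtual modem: it parses an SMS-SUBMIT PDU far enough to recover the destination address and the user data, then applies a short-code check (4-6 digits) and a binary-payload check (8-bit data coding, non-printable characters, or Base64-looking text). The first sample PDU is the one shown on the AT command slide; the premium-rate and binary PDUs are constructed for this example, and the Base64 rule is a heuristic.

```python
# Added example: SMS-SUBMIT PDU parsing plus the short-code and binary-payload
# detectors described on the slides. Not the paper's own code.
import re
import string

# Sample PDUs. TEST_PDU is the one on the slide (text "Test" to 015112345678);
# PREMIUM_PDU (text "798657" to short code 3353) and BINARY_PDU (DCS 8-bit,
# 4 raw bytes) are constructed for this example.
TEST_PDU = "0001000c81101521436587000004d4f29c0e"
PREMIUM_PDU = "00010004813335000006b71cce56bb01"
BINARY_PDU = "0001000c81101521436587000404deadbeef"

SHORT_CODE = re.compile(r"^\d{4,6}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _swap_nibbles(hexdigits: str) -> str:
    """Decode a semi-octet (nibble-swapped) BCD address; 'f' pads odd lengths."""
    swapped = "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))
    return swapped.rstrip("f").upper()


def _unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed user data (basic Latin subset of the default alphabet)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def parse_sms_submit(pdu_hex: str) -> dict:
    """Parse the fields of an SMS-SUBMIT TPDU as passed to AT+CMGS in PDU mode."""
    b = bytes.fromhex(pdu_hex)
    pos = 1 + b[0]                      # skip the (optional) SMSC address
    first_octet = b[pos]
    if first_octet & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    pos += 2                            # first octet and message reference
    addr_digits, toa = b[pos], b[pos + 1]
    pos += 2
    addr_len = (addr_digits + 1) // 2
    number = _swap_nibbles(b[pos:pos + addr_len].hex())
    pos += addr_len
    if toa & 0x70 == 0x10:              # type-of-number: international
        number = "+" + number
    dcs, udl = b[pos + 1], b[pos + 2]   # protocol id is b[pos], not needed here
    pos += 3
    user_data = b[pos:]
    text = None if (dcs & 0x0C) == 0x04 else _unpack_7bit(user_data, udl)
    return {"number": number, "dcs": dcs, "user_data": user_data, "text": text}


def is_short_code(number: str) -> bool:
    """Short codes (4-6 digits) are the usual premium-rate SMS destinations."""
    return SHORT_CODE.match(number) is not None


def looks_binary(msg: dict) -> bool:
    """8-bit data coding, non-printable characters or Base64-like text (heuristic)."""
    if msg["text"] is None:
        return True
    if any(c not in PRINTABLE for c in msg["text"]):
        return True
    return re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", msg["text"]) is not None


def filter_cmgs(pdu_hex: str) -> tuple:
    """Return (verdict, reason); 'block' means the filter answers ERROR to the RIL."""
    msg = parse_sms_submit(pdu_hex)
    if is_short_code(msg["number"]):
        return "block", "short number %s could be premium" % msg["number"]
    if looks_binary(msg):
        return "block", "binary payload, possible C&C message"
    return "forward", "ok"


if __name__ == "__main__":
    for pdu in (TEST_PDU, PREMIUM_PDU, BINARY_PDU):
        print(parse_sms_submit(pdu)["number"], filter_cmgs(pdu))
```

The destination address is decoded from the nibble-swapped BCD field, so a short code is recognised regardless of how the trojan formats the number in the AT command line; the binary check errs on the side of blocking, which matches the slide's policy of blocking rather than analysing such messages.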

The AT Command Filter

Blocking Commands

To not confuse the application logic in the RIL, the filter injects the error message into the stream that carries the responses from the baseband to the RIL.

Some commands are never blocked: switch to flight mode (AT+CFUN=4), PDP context deactivation (AT*EPPSD), emergency calls (ATD 911;).
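The command-level part of the filter, covering the rate limit from the "Filtering AT Commands" slide (AT_CCFC_interval = 60, AT_CCFC_threshold = 5), the never-block list, and error injection, as an added example that is not the paper's own virtual-modem code. The AT*EPPSD, AT+CFUN and AT+CMGS limits are assumed values (the slides only give the AT+CCFC setting), and the rule that a leading 0 parameter of AT*EPPSD means deactivation is an assumption about the baseband's syntax. The replayed command sequence in demo() is constructed.

```python
# Added example: sliding-window rate limiting of AT commands with a never-block
# list and ERROR injection for blocked commands. Not the paper's own code.
import re
import time
from collections import defaultdict, deque

# (interval in seconds, max commands per interval). Only the AT+CCFC entry is
# taken from the slides; the other values are assumed for this example.
LIMITS = {
    "AT+CCFC": (60, 5),
    "AT*EPPSD": (60, 3),   # assumed value for et
    "AT+CFUN": (60, 3),    # assumed value for ct
    "AT+CMGS": (60, 10),   # assumed
}
EMERGENCY_NUMBERS = {"911", "112"}
CMD_RE = re.compile(r"^(AT[+*][A-Z]+|ATD)", re.I)


def command_name(line: str) -> str:
    """'AT+CCFC=1,1,"4915112345678",129,0' -> 'AT+CCFC'; 'ATD911;' -> 'ATD'."""
    m = CMD_RE.match(line.strip())
    return m.group(1).upper() if m else line.strip().upper()


def never_block(line: str) -> bool:
    """Commands the phone must always be able to issue: flight mode,
    PDP context deactivation, emergency calls."""
    line = line.strip()
    name = command_name(line)
    if name == "AT+CFUN":
        return line.upper().startswith("AT+CFUN=4")
    if name == "AT*EPPSD":
        # Assumption: a first parameter of 0 deactivates the PDP context.
        return re.match(r"AT\*EPPSD=0\b", line, re.I) is not None
    if name == "ATD":
        digits = re.sub(r"[^0-9]", "", line[3:])
        return digits in EMERGENCY_NUMBERS
    return False


class AtCommandFilter:
    """Sits on the virtual serial interface between the RIL and the baseband."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.history = defaultdict(deque)   # command name -> timestamps forwarded

    def decide(self, line: str) -> tuple:
        """Return ('forward', line) or ('block', 'ERROR'). A blocked command is
        answered with a baseband-style ERROR so the RIL sees an ordinary failure
        instead of a request that never completes."""
        if never_block(line):
            return "forward", line
        name = command_name(line)
        if name in self.limits:
            interval, threshold = self.limits[name]
            now = self.clock()
            window = self.history[name]
            while window and now - window[0] > interval:
                window.popleft()            # drop timestamps outside the window
            if len(window) >= threshold:
                return "block", "ERROR"
            window.append(now)
        return "forward", line


class FakeClock:
    """Deterministic clock so the replay below does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def advance(self, seconds):
        self.t += seconds

    def __call__(self):
        return self.t


def demo() -> list:
    """Constructed replay: an AT+CCFC storm every 5 s, then exempt commands,
    then one more AT+CCFC after the 60 s window has passed."""
    clock = FakeClock()
    f = AtCommandFilter(clock=clock)
    verdicts = []
    for _ in range(7):
        verdicts.append(f.decide('AT+CCFC=1,1,"4915112345678",129,0')[0])
        clock.advance(5)
    verdicts.append(f.decide("AT+CFUN=4")[0])   # flight mode: always forwarded
    verdicts.append(f.decide("ATD911;")[0])     # emergency call: always forwarded
    clock.advance(60)                           # window expires
    verdicts.append(f.decide("AT+CCFC=0,4")[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

With the slide's setting of five AT+CCFC commands per 60 seconds, the sixth and seventh commands of the replay are answered with ERROR while flight mode and the emergency call pass untouched; the counter only records forwarded commands, so a blocked burst cannot extend its own penalty window.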

The AT Command Filter

Profiling Benign AT Command Usage: count the number of commands used.

Command      #   When   Why
AT+CFUN      2   Boot   Flight mode, then normal mode.
AT+CFUN      1   Use    Switch to GSM-only.
AT+CGDCONT   1   Boot   Set PDP configuration.
AT*EPPSD     1   Boot   Activate PDP context.
AT+CMGS      1   Use    Send an SMS message.
ATD          1   Use    Issue a voice call.
AT+CCFC      3   Use    Query forwarding settings.
AT+CCFC      2   Use    Set call forwarding.

Evaluation

Setting: nanoBTS, OpenBSC, Faraday cage

Evaluation

Limiting the Call-forwarding Attack [ref]

2,500 TPS (transactions per second) for a low-traffic network; 30,000 TPS for a high-traffic network.

AT+CCFC takes 4.7 seconds: 12 commands per minute.

4.7 seconds * 2,500 TPS = 11,750 hosts

Threshold = 5 commands per minute

Evaluation

Limiting PDP Context Changes

Switch the baseband mode between GSM-only, 3G-only, and GSM+3G.

The threshold for PDP context changes, pt

The threshold for AT*EPPSD commands, et

The threshold for AT+CFUN commands, ct

pt = et + ct

Without any limit, 30 changes per minute is the maximum possible.

Evaluation

SMS Trojan: FakePlayer-A premium SMS Trojan

Number: 3353

Filter log:

AT+CMGS=15
00010004813335999996b71cce56bb01
number: 3353
short number >3353< detected, could be premium
filterd: filter returned:0
filterd: blocking
00010004813335999996b71cce56bb01

Evaluation

SMS Controlled Botnets: binary payload detector

Blocking text messages will be complicated, since they would need to be analyzed thoroughly before one is able to safely block them.

Conclusions

Virtual modem

Future work: VPN gateway, advanced IDS/IPS, policy update infrastructure, secure GUI, hardware virtualization