Smart-Phone Attacks and Defenses Discussion led by Aaron Isaki

Authors
• Chuanxiong Guo, Microsoft Research
• Helen J. Wang, Microsoft Research
• Wenwu Zhu, Microsoft Research Asia
HotNets III, November 2004, San Diego, CA
Definitions
• Smartphone – Mobile device containing both cellular components and Internet access, with powerful computing components similar to those found on desktop PCs.
• Smartphone Operating Systems (OS) “covered” in this paper: Symbian, Windows Mobile/PocketPC, Palm, and embedded Linux.
Problem
• Smartphones are interoperable between cellular networks and the Internet and have the potential to be dangerous conduits for threats from the Internet to the telecom infrastructure.
Bridging the Networks
Powerful Smartphone OSes
• Provide access to cellular network with cellular standards such as GSM/CDMA and UMTS.
• Access to the Internet with network interfaces such as infrared, Bluetooth, GPRS/CDMA1X, and 802.11; and use standard TCP/IP protocol stack to connect to the Internet.
• Multi-tasking for running multiple applications simultaneously (except for Palm OS).
• Data synchronization with desktop PCs.
• “Open” APIs for application development.
Increased Threat
• Inevitable software vulnerabilities in complex OSes
• Always-on vulnerability to Internet worms
• Smartphone user population likely to exceed PC user population
History of Smartphone Attacks
• Cabir, June 14, 2004 (Symbian OS worm)
• Duts, July 17, 2004 (PocketPC virus)
• Mosquito dialer, August 6, 2004 (trojan horse)
Cabir/Caribe Worm
• Spread over Bluetooth
• Targeted Symbian Series 60
• Proof of concept
• Messagebox payload, replication bug drastically limited spreading
Cabir/Caribe
Duts
• Proof of concept code
• Hand-written assembly for ARM processors
• “This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ...”
Main Contribution
• Presents a high-level outline of several attacks using smartphones on the telecom network
• Telecom network was relatively safe
• Widespread convergence of Internet and telecom networks on a single device increases threat to telecom networks
Main Ideas
• Smartphones are the common link for the Internet and telecom networks.
• Smartphones are portable computers and can be subverted to launch attacks on previously secure telecom networks.
• Existing attacks that were successful on the Internet would cause much more damage and cost end users more.
Compromising Smartphones
• “Attacks from the Internet” – viruses, trojans, or worms spread “the same way as PCs”
• Infection from compromised PC during data synchronization
• Peer smart-phone attack or infection (via Bluetooth or WiFi)
• Malformed SMS text message [?]
Compromised Smartphone Attacks on Telecom Network
• Base Station DoS
  - Using eight smartphones for each GSM carrier frequency can tie up a GSM base station
  - Call other phones, but do not answer the incoming call (to avoid being charged)
  - Ties up a time slot on each end for a minute, exhausting radio resources
Compromised Smartphone Attacks on Telecom Network
• Call Center DDoS
  - Using victims’ phones to remotely and automatically place calls
  - Significant numbers of zombie smartphones would be needed to reach a cellular switch’s limited Busy Hour Call Attempts (BHCA) value
Compromised Smartphone Attacks on Telecom Network
• Spam SMS
  - Junk or marketing messages sent through SMS
  - Abundant SMS packages make it possible to slip past owner’s notice
  - “Good incentive to compromise smartphones”
Compromised Smartphone Attacks on Telecom Network
• Identity Theft and Spoofing
  - Smartphones allow remote reading of SIM card data
  - International Mobile Subscriber Identity, SMS history, and stored numbers are the target
  - Attacker can use stolen identity
Compromised Smartphone Attacks on Telecom Network
• Remote Wiretapping
  - Passively record the conversations of their owners
  - Report back to spies
  - Encrypt and tunnel the conversation with other Internet traffic
Defenses
• Smartphone Hardening
• Internet Side Protection
• Telecommunication Side Protection
• Cooperation between the Internet and Telecom Networks
Smartphone Hardening
• Attack Surface Reduction
  - Turn off features not in use
• OS Hardening
  - Always display callee’s number
  - Light up LCD display when dialing
  - Export only security enhanced APIs to applications
  - Attacking actions should be easily detectable by the smartphone user
Smartphone Hardening
• Hardware hardening
  - SIM Toolkit (STK) – API to securely load applications to the SIM
  - STK allows operator to provision services directly to the SIM
  - Combine STK and TCG’s Trusted Platform Module (TPM) for hardware hardening
Internet Side Protection
• Rigorous software patching
• Vulnerability-driven network traffic shielding
• Smartphone ISPs (GPRS or CDMA) should restrict Internet access unless devices are fully patched
Telecommunication Side Protection
• Telecom traffic is highly predictable and well-managed (voice or SMS traffic only)
• Abnormal blocking rates of base station or switch (DoS attack)
• Abnormally high call-center load
• Abnormal end-user behavior
Telecommunication Side Protection
• Detecting abnormal end-user behavior will require in-depth analysis
• Junk SMS messages can be detected the same way as spam e-mail
• Methods exist to trace and limit smartphones effectively
• Very expensive to put defenses into various parts of telecom infrastructure
• Only a handful of telecom carriers, easy to coordinate between them
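An added example, not from the paper or the slides: one way to check call-attempt records for two of the signals named on the Telecommunication Side Protection slides, abnormal base-station blocking rates and abnormal end-user behavior (callers whose calls ring for about a minute and are never answered). The record layout, sample rows and thresholds are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple

class Attempt(NamedTuple):       # hypothetical record layout, not a real CDR format
    caller: str
    callee: str
    cell: str                    # base station serving the caller
    ring_s: int                  # seconds a channel was held while ringing
    answered: bool
    blocked: bool                # True when the cell had no free channel

def cell_blocking_rates(attempts):
    """Fraction of call attempts per cell that were refused for lack of a channel."""
    total, blocked = Counter(), Counter()
    for a in attempts:
        total[a.cell] += 1
        blocked[a.cell] += a.blocked
    return {cell: blocked[cell] / total[cell] for cell in total}

def abnormal_cells(attempts, max_rate=0.02):   # threshold is an assumed value
    rates = cell_blocking_rates(attempts)
    return sorted(cell for cell, rate in rates.items() if rate > max_rate)

def ring_no_answer_suspects(attempts, min_attempts=5, min_ratio=0.9, min_ring_s=45):
    """Callers whose calls almost all ring for a long time and are never answered."""
    placed, held = Counter(), Counter()
    for a in attempts:
        if a.blocked:
            continue                       # never reached the ringing stage
        placed[a.caller] += 1
        if not a.answered and a.ring_s >= min_ring_s:
            held[a.caller] += 1
    return sorted(c for c in placed
                  if placed[c] >= min_attempts and held[c] / placed[c] >= min_ratio)

def sample_attempts():
    """Constructed data: cell C1 is quiet, cell C7 has two ring-no-answer callers."""
    rows = [Attempt("u1", "x", "C1", 8, True, False) for _ in range(6)]
    rows.append(Attempt("u2", "y", "C1", 20, False, False))
    rows += [Attempt(s, f"v{i}", "C7", 60, False, False)
             for s in ("s1", "s2") for i in range(6)]
    rows += [Attempt("u3", "z", "C7", 0, False, True) for _ in range(3)]
    return rows

if __name__ == "__main__":
    data = sample_attempts()
    print(abnormal_cells(data), ring_no_answer_suspects(data))
```

Correlating the two results (suspect callers concentrated in a cell whose blocking rate is abnormal) separates a resource-exhaustion pattern from ordinary congestion.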
Cooperation between the Internet and Telecom Networks
• Exchange known vulnerability and attack information to reduce vulnerable services
• Advance knowledge of an attack on the other network can be passed along
• Telecom’s blacklisted smartphones can be added to ISPs’ blacklists
Differentiating smartphones and other 802.11 clients
• Assign unique IDs to all Internet wireless endpoints, creating a mapping between SIM IDs and Internet wireless IDs
• Design smartphones to submit SIM IDs to APs for authentication
Modem-Equipped or VoIP-Enabled PCs
• These PCs cannot access both networks simultaneously?
• VoIP PCs lack SIM cards, so they cannot be spoofed
• VoIP PCs send traffic through an IP-to-PSTN switch, which can limit rates
• Smartphones are more popular?
Interoperation breaks design assumptions
• Telecom networks have dumb terminals and intelligent networks
• The Internet is a dumb network with smart endpoints
• The attacks listed were possible when combining the smart endpoints with intelligent networks
• Security must be considered before connecting any hardware to the Internet
Conclusions
• Imminent danger of smartphone attacks against telecom infrastructure (privacy issues, identity theft, DoS)
• Outlined some defense strategies
• Urge system architects to pay attention to insecurity of the Internet when connecting new peripherals
Questions Left Open
• With constant Internet available to smartphones today, how is this threat model changed?
• Is Symbian Signed and Windows Mobile signed an effective countermeasure?
My thoughts
• Paper was very light on details, perhaps to protect smartphone users?
• What about smartphones attacking other smartphones or Internet sites?
• Smartphone bandwidth now hundreds of times greater than when the paper was written
• Greater threat posed by VoIP, which connects to the telecom network as well, but has fewer restrictions on what those computers can do.
• Many more smartphones available, but much fewer viruses reported. Smartphone security doing its job?
My thoughts continued
• Smartphone “Hardening” section was very weak. Code-signing with certificates now used
• Clients today may run multiple SIM cards, or they could also swap them between multiple smartphones
• Users would notice when their batteries died quickly or their bills came in
Smartphone Viruses evolve
• 2006 – Redbrowser.A Java Midlet sends SMS messages to a pay number while pretending to give free Internet over SMS (abusing J2ME)
Commercial Smartphone Spyware
• Flexispy
• Hides from process list, no icon or UI
• Records details of voice calls, SMS messages, GSM location info
• Hidden UI via special code
• Signed via Symbian Signed so no user prompts
Flexispy Installation
Questions