A Comprehensive Study for RFID Malwares on Mobile Devices TBD.


Transcript of A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Page 1: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

A Comprehensive Study for RFID Malwares on Mobile Devices

TBD

Page 2: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Outline

• Motivation
• State-of-Art Malwares and Countermeasures for RFID and Mobile Systems
  – RFID Security Challenge
  – Mobile Security Challenge
  – New Challenge from RFID Malwares on Mobile Devices
• Extended Threat Model
• Basic Design of Anti-malware Framework for Mobile Devices in RFID Systems
• Conclusion

Page 3: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Motivation

• Severe challenge for RFID security on mobile devices, because
  – RFID systems are still in their infancy.
    • Many RFID systems lack security protection.
  – To improve productivity, more mobile devices will be used.
    • Mobile systems are more vulnerable than non-portable systems.
• The limitations that held back RFID malware are being relaxed as technology develops.
  – Cheaper RFID tags with larger storage capacity can hold more malicious data.
  – Better network connections for mobile devices make malware propagation easier.

Page 4: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

New Opportunities for RFID Malwares

• C1: The tag data size limitation (<1024 bits) made RFID malware unrealistic.
  – Now: EPC Gen2 Class 3 tags have at least kilobytes of storage.
• C2: RFID systems were closed-loop systems.
  – Now: the new EPCglobal Architecture standard may require exchanging data with the EPCglobal Network through the Internet.
• C3: More mobile devices will be used as RFID readers.

Page 5: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Lessons from Practices (1/2)

• L1: A small number of bits is enough to construct an RFID malware. An RFID malware can spread itself by modifying the database from which tag values are written.
  – In 2006, researchers at Vrije Universiteit proposed the first proof-of-concept malware design and a basic propagation model.
  – Even when the space is very limited, it is still possible to store a small malware trigger in an RFID tag, which may awaken malware that already exists in the system.

Page 6: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Lessons from Practices (2/2)

• L2: Malware may trigger an exception flow to bypass purely data-level protection mechanisms. System-level protection is required.
  – In 2007, German RFID experts showed how to crash an RFID reader for RFID-enabled e-passports by modifying the JPEG 2000 photo image file stored in the e-passport.
  – The attack exploited a buffer overflow vulnerability in off-the-shelf libraries used when loading the photo image.
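The reader crash on this slide comes from an image decoder trusting length fields inside the file. As an added example, not code from the presentation or from any reader product, the following Python checks a JP2 container's box structure before the image reaches a decoder and rejects any box whose declared length disagrees with the data that is actually present. This is the "check data format" half of the IPS idea introduced later in the talk, applied to binary input rather than text. The sample byte strings are constructed here (they are not passport images), the function and constant names are my own, and the check deliberately stops at the container level: it does not decode the codestream, so it narrows what the decoder sees rather than replacing behaviour monitoring of the decoder itself.

```python
import struct


class Jp2FormatError(ValueError):
    """Raised when the box structure cannot be trusted; the file is rejected before decoding."""


JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"   # signature box: LBox=12, TBox='jP  ', 0x0D0A870A
SUPERBOXES = {b"jp2h", b"res ", b"uinf"}            # boxes whose payload is itself a box sequence
MAX_BOXES, MAX_DEPTH = 64, 4                         # resource caps so a hostile file cannot make us loop


def walk_boxes(data, depth=0):
    """Yield (type, payload) for each box, refusing any length field that disagrees with the data."""
    if depth > MAX_DEPTH:
        raise Jp2FormatError("box nesting too deep")
    offset = count = 0
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < 8:
            raise Jp2FormatError(f"truncated box header at offset {offset}")
        lbox, tbox = struct.unpack_from(">I4s", data, offset)
        header = 8
        if lbox == 1:                                # XLBox: a 64-bit length follows the type
            if remaining < 16:
                raise Jp2FormatError("truncated XLBox")
            (lbox,) = struct.unpack_from(">Q", data, offset + 8)
            header = 16
        elif lbox == 0:                              # box extends to the end of the data
            lbox = remaining
        if lbox < header:                            # e.g. LBox=4: payload size LBox-8 would underflow
            raise Jp2FormatError(f"box {tbox!r}: length {lbox} smaller than its header")
        if lbox > remaining:                         # the classic over-read / over-copy trigger
            raise Jp2FormatError(f"box {tbox!r}: claims {lbox} bytes, only {remaining} remain")
        count += 1
        if count > MAX_BOXES:
            raise Jp2FormatError("too many boxes")
        payload = data[offset + header:offset + lbox]
        yield tbox, payload
        if tbox in SUPERBOXES:
            yield from walk_boxes(payload, depth + 1)
        offset += lbox


def validate_jp2(data):
    """True if data has a sane JP2 container structure; False means do not hand it to a decoder."""
    if not data.startswith(JP2_SIGNATURE):
        return False
    try:
        types = [tbox for tbox, _ in walk_boxes(data)]
    except Jp2FormatError:
        return False
    # JP2 requires the file-type box right after the signature, an image header and one codestream.
    return types[:2] == [b"jP  ", b"ftyp"] and b"ihdr" in types and types.count(b"jp2c") == 1


# --- constructed sample inputs (not real passport images) -----------------------------------
def box(tbox, payload):
    """Encode one box: 4-byte big-endian length (header included) followed by the 4-byte type."""
    return struct.pack(">I", 8 + len(payload)) + tbox + payload


GOOD_IMAGE = (JP2_SIGNATURE
              + box(b"ftyp", b"jp2 " + b"\x00\x00\x00\x00" + b"jp2 ")
              + box(b"jp2h", box(b"ihdr", struct.pack(">IIHBBBB", 32, 32, 3, 7, 7, 0, 0)))
              + box(b"jp2c", b"\xff\x4f\xff\xd9"))          # placeholder codestream: SOC .. EOC
# LBox far larger than the file: a parser that allocates or copies LBox bytes over-reads.
OVERSIZED_LENGTH = JP2_SIGNATURE + struct.pack(">I", 0x7FFFFFFF) + b"jp2c" + b"\x00" * 16
# LBox smaller than its own header: payload length LBox-8 underflows in unsigned arithmetic.
UNDERSIZED_LENGTH = JP2_SIGNATURE + struct.pack(">I", 4) + b"jp2c"
TRUNCATED_IMAGE = GOOD_IMAGE[:-2]

if __name__ == "__main__":
    for name, sample in [("good", GOOD_IMAGE), ("oversized", OVERSIZED_LENGTH),
                         ("undersized", UNDERSIZED_LENGTH), ("truncated", TRUNCATED_IMAGE)]:
        print(f"{name:10s} accepted={validate_jp2(sample)}")
```

The two malformed samples are the shapes that length-driven overflows in native decoders usually start from: a length larger than the buffer, and a length smaller than the header it is supposed to include. A structural filter like this is cheap enough for a reader, but it only covers the container; bugs inside the codestream decoder still need the behaviour-level IDS that the framework slide adds.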

Page 7: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Basic Threat Model & Countermeasures

1. Defend Cloning and Counterfeiting
2. Defend Malware
3. Defend Denial-of-Service

Less attention is paid to front-end devices such as the (mobile) RFID reader!

Page 8: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Malware State on Mobile Devices

• The first proof-of-concept mobile malware was reported in 2004, but no major outbreak of mobile malware has been reported so far.
• F-Secure cell-phone malware report 2007: 373 malwares in total (including variants).
  – By comparison, the Symantec Internet Security Threat Report 2007 counts 1 million malware in total.
• CVE (Common Vulnerabilities and Exposures) database, 2002-2008: 138 vulnerabilities found for software on mobile systems.
  – The iPhone contributes 1/4 of those vulnerabilities.

Page 9: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Malware Trend on Mobile Devices

• Why are mobile malwares so unpopular?
  – Limited function of mobile devices
    • All existing mobile malwares require user interaction.
  – Poor network connection
    • Only local propagation is possible most of the time.
  – Low potential profit
    • Most people only use the phone or e-mail functions of mobile devices.
• The situation is changing.
  – New multi-function platform: iPhone
  – New network techniques: Wi-Fi, 3G
  – More people use mobile devices to store sensitive or private data.
    • Businessmen and college students.

Page 10: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Major Malware Challenge on Mobile Devices

• Lack of permission control
  – Most mobile systems are single-user systems running on simple hardware without runtime privilege control.
  – Social engineering is widely used in mobile malwares.
• Limited resources
  – Powered by battery.
  – Less computation and storage capability compared to general-purpose platforms.
  – Resource-demanding security protections are prohibitive.
• Countermeasure status
  – Still emerging, not mature, useful mostly for post-infection cleanup.

Page 11: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

No-Tech Attacks in Mobile Malwares

[Chart: The distribution of vulnerabilities (from CVE)]
[Chart: The distribution of malwares (from F-Secure)]

Symbian OS, the most popular mobile system, with only 3 reported vulnerabilities, has the largest number of malwares.

Page 12: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

New Challenge from RFID Malware on Mobile Devices

• RFID Systems:
  – High potential profit.
  – Global connection in the EPCglobal architecture.
• Mobile Systems:
  – More vulnerable than their non-portable counterparts.
  – Limited resources prohibit resource-demanding security protection.
• RFID Systems + Mobile Systems:
  – Attractive targets for hackers.

Page 13: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Extended Threat Model

RFID tag can carry:
1. Malware trigger
2. Malware fragment
3. Malware entity

Every node along the chain may be compromised:
• Reader firmware
• Mobile device / middleware on it
• Front-end server
• Enterprise database system
• EPCglobal Network

The chain spans three domains: Public Domain, Company Domain, EPC Core Domain.

Bad news: every node can be compromised.
Good news: they are connected in a chain.

Page 14: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Basic Design of Anti-malware Framework for Mobile Devices in RFID Systems

To secure the frontier of the RFID security chain, we arm the mobile device with an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS).

Dangerous data source → IPS → IDS

• IPS: Filter out anything that can be filtered.
  – Firewall + check data format and content.
  – Defends against DoS, SQL/script injection, and shell code in text input.
  – Another alternative: distort binary data?
• IDS: Detect anything that can be detected.
  – Validate program behavior on the given data input.
  – Defends against buffer overflow and unexpected behavior.

IDS is well known to be inefficient and resource-demanding. Is it feasible to use it on a mobile device?
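To make the IPS data filter on this slide concrete, and to tie it back to lesson L1 on page 5 (malware spreading through the database that tag values are written from), here is an added Python example that is not part of the presentation. It models a tiny reader middleware over an in-memory SQLite inventory with three ingest paths: a legacy one that pastes tag fields into a statement batch, a parameterised one, and a hardened one that puts a data-format allow-list in front of the parameterised statement. The EPC values, descriptions, table name and the hostile tag payload are all constructed for the demonstration. The payload here only overwrites rows; a self-reproducing payload of the kind proposed in 2006 would use the same injection to copy itself into the field the reader later writes to new tags.

```python
import re
import sqlite3

# Constructed sample data (not from the presentation). EPCs are 96-bit identifiers written as
# 24 hex digits; descriptions are free text that the warehouse workflow also writes back to tags.
SEED_ROWS = [
    ("30340000000000000000001A", "pallet 1A: 24 x widget"),
    ("30340000000000000000001B", "pallet 1B: 24 x widget"),
]
EPC_RE = re.compile(r"[0-9A-F]{24}")
DESC_RE = re.compile(r"[A-Za-z0-9 ,.:-]{1,64}")   # conservative allow-list for text read off a tag

# A tag whose description field carries a SQL payload (constructed). Through the legacy path it
# terminates the INSERT early and appends its own UPDATE against every row in the table.
HOSTILE_TAG = ("30340000000000000000001C",
               "x'); UPDATE inventory SET description = 'INFECTED'; --")


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE inventory (epc TEXT PRIMARY KEY, description TEXT)")
    con.executemany("INSERT INTO inventory VALUES (?, ?)", SEED_ROWS)
    return con


def vulnerable_ingest(con, epc, description):
    """Legacy middleware pattern: tag fields pasted into a statement batch and run as a script."""
    con.executescript(
        f"INSERT OR REPLACE INTO inventory VALUES ('{epc}', '{description}');")


def parameterized_ingest(con, epc, description):
    """Parameterised statement: tag text can no longer change the structure of the query."""
    con.execute("INSERT OR REPLACE INTO inventory VALUES (?, ?)", (epc, description))
    con.commit()


def hardened_ingest(con, epc, description):
    """IPS data-level filter (format and content check) in front of the parameterised statement."""
    if not EPC_RE.fullmatch(epc):
        raise ValueError("EPC must be 24 hex digits")
    if not DESC_RE.fullmatch(description):
        raise ValueError("description contains characters outside the allow-list")
    parameterized_ingest(con, epc, description)


def next_tag_payload(con, epc):
    """What the reader would write onto the next tag for this item (propagation point)."""
    row = con.execute("SELECT description FROM inventory WHERE epc = ?", (epc,)).fetchone()
    return row[0] if row else None


def run_scenario(ingest):
    """Feed the hostile tag through one ingest path and report what happened to the database."""
    con = fresh_db()
    try:
        ingest(con, *HOSTILE_TAG)
        accepted = True
    except ValueError:
        accepted = False
    unrelated = next_tag_payload(con, SEED_ROWS[0][0])
    return {
        "accepted": accepted,
        "other_row_tampered": unrelated != SEED_ROWS[0][1],
        "stored_hostile": next_tag_payload(con, HOSTILE_TAG[0]),
    }


if __name__ == "__main__":
    for path in (vulnerable_ingest, parameterized_ingest, hardened_ingest):
        print(f"{path.__name__:22s} {run_scenario(path)}")
```

Three outcomes fall out of the scenario: the legacy path lets one tag rewrite every row, so every tag written afterwards carries the payload; the parameterised path stores the payload as inert text and leaves other rows alone; the hardened path refuses the tag at the format check, so nothing reaches the database. Parameterisation is the fix for the injection itself; the allow-list is the IPS layer that also catches script fragments and shell-code-looking text that would otherwise be stored and later written to tags or shown in a UI.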

Page 15: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Potential Techniques (1/2)

• 1. Good Signature Checking
  – Why is IDS known to be inefficient and resource-demanding?
    • It checks the related signatures one by one.
    • Complex program behaviors are inevitable in general-purpose systems.
    • There are many signatures to check, no matter whether good or malicious signatures are used.
  – However, the functions of RFID systems are much SIMPLER than those of general-purpose systems.
    • Checking good signatures should be affordable.
    • To provide a more flexible system, combine good signatures with malicious signatures if necessary.

Page 16: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

  – Some problems?
    • How to automatically generate efficient good signatures?
    • How to secure the good-signature database and the IDS monitor on the mobile device?
    • …
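As an added illustration of good-signature checking (pages 15-16), not code from the presentation: the monitor below treats the known-good workflows of a reader as an allow-list, compiled into a trie so that each observed event costs one dictionary lookup regardless of how many good signatures exist, and layers a small malicious-signature check on top, as the slide suggests. The event names, the three good workflows, the two malicious signatures and the traces are all constructed; a real monitor would derive events from system-call or middleware API hooks, which is exactly the open question of how to generate good signatures automatically.

```python
from collections import deque

# Constructed event vocabulary and signatures (not from the presentation). Each event is an
# observed middleware action, e.g. a hooked API call or a system-call class.
GOOD_SIGNATURES = [
    # inventory read: scan a tag, validate its payload, look it up, show it, log it
    ("rf_read", "validate", "db_query", "ui_update", "log_write"),
    # tag commissioning: scan, validate, look up, write the next tag, log
    ("rf_read", "validate", "db_query", "rf_write", "log_write"),
    # periodic sync with the EPCglobal network
    ("net_connect", "db_query", "net_send", "net_recv", "db_update", "net_close"),
]
BAD_SIGNATURES = [
    ("rf_read", "exec_process"),               # tag payload spawning a process right after a read
    ("net_recv", "fs_write", "exec_process"),  # downloaded file being executed
]


class TrieNode:
    def __init__(self):
        self.children = {}
        self.terminal = False   # a complete good signature ends here


def build_trie(signatures):
    root = TrieNode()
    for sig in signatures:
        node = root
        for event in sig:
            node = node.children.setdefault(event, TrieNode())
        node.terminal = True
    return root


class BehaviorMonitor:
    """Allow-list monitor: the event stream must follow a path through the good-signature trie.
    Completing a signature returns to the root. An event with no outgoing edge raises an alert
    and is skipped, so the rest of the workflow is still checked. A sliding window over the most
    recent events is also compared against the (short) list of malicious signatures."""

    def __init__(self, good, bad=()):
        self.root = build_trie(good)
        self.node = self.root
        self.bad = [tuple(sig) for sig in bad]
        self.window = deque(maxlen=max((len(sig) for sig in self.bad), default=1))
        self.alerts = []

    def observe(self, index, event):
        self.window.append(event)
        recent = tuple(self.window)
        for sig in self.bad:                       # misuse detection: few, explicit bad patterns
            if recent[-len(sig):] == sig:
                self.alerts.append((index, "malicious-signature", sig))
        nxt = self.node.children.get(event)        # anomaly detection: one lookup per event
        if nxt is None:
            self.alerts.append((index, "off-allow-list", event))
            return
        self.node = self.root if nxt.terminal else nxt

    def run(self, trace):
        for index, event in enumerate(trace):
            self.observe(index, event)
        return self.alerts


def check_trace(trace, good=GOOD_SIGNATURES, bad=BAD_SIGNATURES):
    """Return the list of (event index, kind, detail) alerts for one observed trace."""
    return BehaviorMonitor(good, bad).run(trace)


# Constructed traces: a clean shift, a read whose payload spawns a process mid-workflow, and
# a trace that both leaves the allow-list and matches a malicious signature.
CLEAN_TRACE = ["rf_read", "validate", "db_query", "ui_update", "log_write",
               "rf_read", "validate", "db_query", "rf_write", "log_write"]
HIJACKED_TRACE = ["rf_read", "validate", "db_query", "exec_process", "ui_update", "log_write"]
DROPPER_TRACE = ["rf_read", "exec_process"]

if __name__ == "__main__":
    for name, trace in [("clean", CLEAN_TRACE), ("hijacked", HIJACKED_TRACE), ("dropper", DROPPER_TRACE)]:
        print(f"{name:9s} {check_trace(trace)}")
```

The cost argument on the slide shows up in the structure: the allow-list check is a single lookup per event however many good workflows the reader has, while the malicious-signature check is the part that grows with the signature list, which is why it is kept short and optional. The monitor does not try to answer the two open problems that follow: where the good signatures come from, and how the trie and the monitor itself are protected on the device.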

Page 17: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Potential Techniques (2/2)

• 2. Cooperative mode
  – Connection with the EPCglobal network is compulsory for the new RFID standard.
    • Network connection is guaranteed.
  – To achieve longer battery life and enable sophisticated IDS protection, SHIFT part or all of the intrusion detection workload to cooperative servers.

Page 18: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

  – Some problems?
    • What kinds of workload should be shifted to cooperative servers?
    • What to do when the connection to cooperative servers is lost?
    • How to efficiently balance the workload between the mobile client and cooperative servers?
    • …

Page 19: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Conclusion

• We survey state-of-the-art malware and countermeasures for RFID and mobile systems, and
  – Propose an extended threat model to capture the malware threats to RFID systems with mobile devices.
  – Discuss some potential techniques to defend against such malware threats.

Page 20: A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

Q & A

TBD