Rootkits on Smart Phones: Attacks, Implications and Opportunities


Rootkits on Smart Phones: Attacks, Implications and Opportunities. Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode. Department of Computer Science, Rutgers University. PowerPoint presentation given at HotMobile, 2/23/2010.

Transcript of Rootkits on Smart Phones: Attacks, Implications and Opportunities

Slide 1

Rootkits on Smart Phones: Attacks, Implications and Opportunities
Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
HotMobile 2/23/2010

Speaker notes: Say who the authors are. Bold my name; joint work with.

Slide 2

Rise of the Smart Phone

1993: Simon: calendar, address book, e-mail, touch screen, on-screen "predictive" keyboard
2000: Symbian OS (Ericsson R380)
2002: BlackBerry, Windows Pocket PC, Treo (BlackBerry 5810, Treo 180)
2007: iPhone
2008: iPhone 3G/3GS, Android, App Stores

Speaker notes: The reason I am telling you this is that we can see the increasing complexity. We see an increase in interfaces, applications, etc. Immediately after this, present the users.

Slide 3

Smart Phone Users

Slide 4

Smart Phone Interfaces

A rich set of interfaces is now available: GSM, GPS, Bluetooth, Accelerometer, Microphone, Camera

Speaker notes: Name all: GSM, GPS, BT, accelerometer. Tower instead of person. Make names smaller font.

Slide 5

Smart Phone Apps

Contacts
Email
Location
Banking

Over 140,000 apps today

Speaker notes: Number of apps in store.

Slide 6

Smart Phone Operating Systems

OS                  Lines of Code
Linux 2.6 Kernel    10 million
Android             20 million
Symbian             20 million

Complexity comparable to desktops

Speaker notes: Smart phone operating systems are becoming increasingly complex. From the table we can see that some OSes are on the order of 20 million lines of code.

Slide 7

The Rise of Mobile Malware

2004: Cabir spreads via Bluetooth and drains the battery ("Receive message via Bluetooth? Yes / No")
2006: RedBrowser, the first J2ME malware, sends texts to premium numbers
2009: Kaspersky Labs report: 106 types of mobile malware, 514 modifications

Speaker notes: Various other malware then spread by MMS, Bluetooth and memory card.

Slide 8

The Rise of Mobile Malware

"My iPhone is not jailbroken and it is running iPhone OS 3.0"

Slide 9

Contributions

Introduce rootkits into the space of mobile malware
Demonstrate with three proof-of-concept rootkits
Explore the design space for detection

Speaker notes: Move the article before the contributions; mention that malware has risen so far that even non-jailbroken iPhones can be attacked.

Slide 10

Rootkits

Diagram: User Space (App, App, App, Libraries, Virus, AntiVirus) above Kernel Space (Kernel Code, System Call Table, Drivers, Process Lists)

Slide 11

Rootkits

Diagram: same as Slide 10 with a Rootkit added in Kernel Space alongside the Virus and AntiVirus in User Space

Speaker notes: Rootkits have been damaging; at the bottom, 600 percent increase in desktop rootkits. Name the rootkit. Add virus back.

Slide 12

Proof of Concept Rootkits

Note: We did not exploit vulnerabilities

1. Conversation Snooping Attack
2. Location Attack
3. Battery Depletion Attack

Openmoko Freerunner

Speaker notes: List the 3 rootkits. Smaller font. Move Openmoko to under the picture. As I have shown you earlier, iPhone and Android are all vulnerable to attacks. Discuss the note.

Slide 13

1. Conversation Snooping Attack

Attacker sends SMS "Dial me 666-6666" to the rootkit-infected phone
Infected phone: Delete SMS, Call Attacker, Turn on Mic
Rootkit stops if user tries to dial

Steps: Send special SMS; Turn on microphone; Call attacker; Delete SMS

Speaker notes: Delete SMS should not overlap; put it on the bottom; don't make it red. Make "Dial me" light red. Remove, then say that instead of doing it this way we can also do it from a calendar application.

Slide 14

1. Conversation Snooping Attack

Calendar Notification on the rootkit-infected phone: Call Attacker, Turn on Mic

Slide 15

2. Location Attack

Attacker sends SMS "Send Location 666-6666" to the rootkit-infected phone
Infected phone: Query GPS, SMS Response "N40 28', W074 26'", Delete SMS

Speaker notes: Repeat the slide before. Put coordinates in a box. Add Delete SMS.

Slide 16

3. Battery Depletion Attack

Rootkit turns on high powered devices
Rootkit shows original device status

Attack: battery life chart

Slide 17

Rootkit Detection

Diagram: a Rootkit Detector in User Space (App, App, App, Libraries) above a Rootkit in Kernel Space (Kernel Code, System Call Table, Drivers, Process Lists): DOES NOT WORK!

Slide 18

Memory Introspection: Training Phase

Monitor Machine fetches and copies the Target Machine's Kernel (Sys Call Table)

Slide 19

Memory Introspection: Detection Phase

Monitor Machine fetches the Target Machine's Kernel and compares it with the copy: System OK

Slide 20

Memory Introspection: Detection Phase

Monitor Machine fetches and compares: Rootkit Detected (the Rootkit has redirected a system call table entry to mal_write())

Slide 21

Monitoring Approaches

1. Hardware Approach: Monitor Machine, Target Machine (Rootkit Infected), NIC with remote DMA support

Speaker notes: Monitor Machine can be physical with remote memory access, or a virtual machine over a VMM. Intelligent NIC (I-NIC): NIC PCI card with remote DMA support.

Slide 22

Smart Phone Challenge

Monitor Machine, Rootkit Infected phone
Problem: Need an interface allowing memory access without OS intervention (FireWire?)

Speaker notes: Backdoor, because we connect with access to memory without the OS. If it is wireless, in theory someone can use it maliciously. Removes requires physical connection.

Slide 23

Monitoring Approaches

2. VMM-based Approach: Host Machine, Hypervisor, Dom0 (Detector), OS

Slide 24

Smart Phone Challenge

Problem: CPU-intensive detection algorithms exhaust the phone battery
Solution: Offload detection work to the service provider (phone: Send Pages; provider: CPU intensive work; Response)

Slide 25

Optimizations for Energy-Efficiency

Page Table, Monitor, Fetch
Problem: Too many memory pages may have to be transferred

Slide 26

Optimizations for Energy-Efficiency

Page Table with pages marked 0 or 1 (0 0 0 0 0 0 1 1); the Monitor fetches only the pages marked 1
Solution: Only fetch and scan pages that have been recently modified

Slide 27

Related Work (1/2)

Rootkit Detection
Enforcement of Kernel Data Structure Invariants [Baliga et al., ACSAC 2008]
Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]

Mobile Security and Detection
Semantically Rich Application-Centric Security in Android [Ongtang et al., ACSAC 2009]
Detecting Energy-Greedy Anomalies [Kim et al., MobiSys 2008]

Speaker notes: Rootkit detection. Mobile malware: SMS (Patrick McDaniel); cellular botnets (Patrick Traynor); Michigan DBLP mobile malware (Kang Shin).

Slide 28

Related Work (2/2)

Mobile Malware
Cellular Botnets: Impact on Network Core [Traynor et al., CCS 2009]
Exploiting MMS Vulnerabilities to Exhaust Battery [Racic et al., SecureComm 2006]
Exploiting SMS-Capable Cellular Network [Enck et al., CCS 2005]
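The memory-introspection detector on the preceding slides (training phase: fetch and copy the target's kernel pages; detection phase: fetch again and compare, flagging a system call table entry redirected to mal_write()) together with the energy optimisation of fetching only recently modified pages, worked through as an added Python model. This is example code written for this transcript, not the authors' detector: the page layout, the eight-slot system call table, the kernel handler addresses, the address of mal_write() and the dirty-bit bookkeeping are all constructed for illustration.

```python
"""Toy model of the memory-introspection rootkit detector on the slides.

A Monitor (standing in for the service provider or a hypervisor) copies
the target kernel's pages in a training phase, then re-fetches and
compares them in a detection phase, pulling only pages whose dirty bit
is set so that little data has to cross the wire.  All values below are
constructed for illustration; nothing here is the authors' code.
"""
import struct

SYSCALL_SLOTS = 8                       # constructed: a tiny system call table
SYS_WRITE = 1                           # constructed slot index for sys_write
CLEAN_HANDLERS = [0xC000_1000 + 0x100 * n for n in range(SYSCALL_SLOTS)]  # constructed addresses
MAL_WRITE = 0xC0FF_EE00                 # constructed address of the rootkit's mal_write()


class TargetMemory:
    """The phone's kernel memory as a list of pages, plus one dirty bit per
    page, as a page table (or a hypervisor's shadow table) would keep it."""

    def __init__(self, pages):
        self.pages = [bytearray(p) for p in pages]
        self.dirty = [True] * len(pages)   # nothing has been copied yet

    def kernel_write(self, page, offset, data):
        # Any write by kernel code, a rootkit included, marks the page dirty.
        self.pages[page][offset:offset + len(data)] = data
        self.dirty[page] = True

    def fetch(self, page):
        # What the monitor pulls via remote DMA or the VMM: raw page bytes.
        return bytes(self.pages[page])

    def dirty_pages(self):
        return [i for i, d in enumerate(self.dirty) if d]

    def clear_dirty(self, page):
        self.dirty[page] = False


class Monitor:
    """Monitor machine: keeps the training copies and compares against them."""

    def __init__(self):
        self.baseline = {}

    def train(self, target):
        # Training phase: fetch and copy every page of the known-clean kernel.
        for i in range(len(target.pages)):
            self.baseline[i] = target.fetch(i)
            target.clear_dirty(i)
        return len(self.baseline)

    def detect(self, target, only_dirty=True):
        # Detection phase: re-fetch pages and compare with the training copy.
        # With only_dirty=True, pages whose dirty bit is clear are skipped;
        # that is the "only fetch recently modified pages" optimisation.
        candidates = target.dirty_pages() if only_dirty else range(len(target.pages))
        modified, fetched = [], 0
        for i in candidates:
            fetched += 1
            if target.fetch(i) != self.baseline[i]:
                modified.append(i)
            target.clear_dirty(i)
        return modified, fetched

    def hooked_slots(self, target, page):
        # For the page holding the system call table, report which slots
        # changed and what they point to now (e.g. the mal_write() address).
        fmt = "<%dQ" % (len(self.baseline[page]) // 8)
        old = struct.unpack(fmt, self.baseline[page])
        new = struct.unpack(fmt, target.fetch(page))
        return [(slot, hex(n)) for slot, (o, n) in enumerate(zip(old, new)) if o != n]


def run_scenario():
    table_page = struct.pack("<%dQ" % SYSCALL_SLOTS, *CLEAN_HANDLERS)
    data_page = bytes(64)                      # constructed unrelated kernel page
    target = TargetMemory([table_page, data_page])
    monitor = Monitor()
    monitor.train(target)

    clean = monitor.detect(target)             # nothing dirty, so nothing fetched
    # Rootkit redirects sys_write to mal_write(); the write sets the dirty bit.
    target.kernel_write(0, SYS_WRITE * 8, struct.pack("<Q", MAL_WRITE))
    infected = monitor.detect(target)          # one page fetched, one page flagged
    hooks = monitor.hooked_slots(target, 0)    # slot 1 now points at mal_write()
    full = monitor.detect(target, only_dirty=False)  # a full scan fetches both pages
    return {"clean": clean, "infected": infected, "hooks": hooks, "full": full}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Two points the model makes visible. The dirty-bit scan transfers one page where the full scan transfers two, which is the whole saving the slides are after; but in this model the dirty bits live with the target, so a rootkit running with kernel privilege could clear them, and in a deployment the modified-page information has to come from something the rootkit cannot reach, such as the hypervisor in the VMM-based approach or the hardware. Comparing raw copies also only works for pages that are meant to be invariant, like the system call table; pages that legitimately change need a baseline that tolerates those changes.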

Slide 29

Conclusion and Future Work

Conclusions: Rootkits are now a threat to smart phones

Future Work: Energy efficient rootkit detection techniques; develop a rootkit detector for smart phones

Slide 30

Thank You!

Chart data embedded in the Battery Depletion Attack slide: "Battery Life For Different Smartphones"; x-axis: Phone Make and Model; y-axis: Hours of Battery Life (idle); series: Normal Idle Operation, All Peripherals Active; phones: Verizon Touch, ATT Tilt, Neo FreeRunner, GTA02 w/ Rootkit.