Rootkits on Smart Phones: Attacks, Implications and Opportunities
Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
Rise of the Smart Phone
HotMobile 2/23/2010
1993: Simon
• calendar, address book, e-mail
• touch screen
• on-screen "predictive" keyboard
2000: Ericsson R380
• Symbian OS
2002: Treo 180, BlackBerry 5810
• Blackberry
• Windows Pocket PC
• Treo
2007: iPhone
2008:
• iPhone 3G/3GS
• Android
• App Stores
Smart Phone Users
Smart Phone Interfaces
A rich set of interfaces is now available:
• GSM
• GPS
• Bluetooth
• Accelerometer
• Microphone
• Camera
Smart Phone Apps
Contacts
Location
Banking
Over 140,000 apps today
Smart Phone Operating Systems
| OS | Lines of Code |
| --- | --- |
| Linux 2.6 Kernel | 10 million |
| Android | 20 million |
| Symbian | 20 million |
Complexity comparable to desktops
The Rise of Mobile Malware
2004: Cabir
• spreads via Bluetooth
• drains battery
• on-screen prompt: Receive message via Bluetooth? Yes / No
2006: RedBrowser
• first J2ME malware
• sends texts to premium numbers
2009:
• Kaspersky Labs report: 106 types of mobile malware, 514 modifications
“My iPhone is not jailbroken and it is running iPhone OS 3.0”
Contributions
• Introduce rootkits into the space of mobile malware
• Demonstrate with three proof-of-concept rootkits
• Explore the design space for detection
Rootkits
[Diagram labels: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; AntiVirus; Virus. A second build of the slide adds Rootkit.]
Proof of Concept Rootkits
Note: We did not exploit vulnerabilities
• 1. Conversation Snooping Attack
• 2. Location Attack
• 3. Battery Depletion Attack
Openmoko Freerunner
1. Conversation Snooping Attack
• Attacker to rootkit-infected phone: Send SMS, Dial me “666-6666”
• Rootkit-infected phone: Delete SMS, Turn on Mic, Call Attacker
• Rootkit stops if user tries to dial
• Second slide, triggered by a Calendar Notification: Turn on Mic, Call Attacker
2. Location Attack
• Attacker to rootkit-infected phone: Send SMS, Send Location “666-6666”
• Rootkit-infected phone: Query GPS
• SMS Response: N40°28', W074°26'
• Delete SMS
3. Battery Depletion Attack
• Rootkit turns on high powered devices
• Rootkit shows original device status
[Figure: Battery Life For Different Smartphones. Bar chart of hours of battery life (idle) by phone make and model (Verizon Touch, ATT Tilt, Neo FreeRunner), comparing Normal Idle Operation with All Peripherals Active. Data labels as extracted: 52 51 44 4 52.]
Attack :
Rootkit Detection
[Diagram labels: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; Rootkit Detector; Rootkit.]
DOES NOT WORK!
Memory Introspection
Training Phase
• Monitor (on the monitor machine): fetch and copy the Sys Call Table from the kernel of the target machine
Detection Phase
• Monitor: fetch from the target machine's kernel and compare with the copy: System OK
• Target kernel with a rootkit (mal_write()): fetch and compare: Rootkit Detected
Monitoring Approaches
1. Hardware Approach
[Diagram: Monitor Machine and Target Machine (Rootkit Infected), connected through a NIC with remote DMA support.]
Smart Phone Challenge
[Diagram: Monitor Machine and Rootkit Infected phone.]
Problem:
• Need interface allowing memory access without OS intervention (FireWire?)
Monitoring Approaches
2. VMM-based Approach
[Diagram labels: Host Machine; Hypervisor; Dom0 OS; Detector.]
Smart Phone Challenge
Problem: CPU-intensive detection algorithms exhaust phone battery
Solution: Offload detection work to the service provider
[Diagram labels: Send Pages; CPU intensive work; Response.]
Optimizations for Energy-Efficiency
Problem: Too many memory pages may have to be transferred
Solution: Only fetch and scan pages that have been recently modified
[Diagram: Monitor and Page Table; page table entries are shown as 0 or 1, and the monitor fetches the pages marked 1.]
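The training and detection phases of memory introspection, combined with the fetch-only-modified-pages optimization, as an added C example (not code from the talk or its authors). The page count, slot layout, addresses and the `target_t`/`monitor_t` names are constructed for illustration, and the dirty bits are assumed to be kept where the rootkit cannot reset them.

```c
#include <stdint.h>
#include <string.h>
#define NPAGES 8    /* constructed toy target: 8 invariant kernel pages */
#define SLOTS 16    /* pointer-sized slots per page */
#define SYS_PAGE 3  /* assumed page holding the system call table */
#define SYS_WRITE 4 /* assumed slot of the write() entry */
typedef struct {
    uintptr_t mem[NPAGES][SLOTS]; /* target kernel memory */
    uint8_t dirty[NPAGES];        /* dirty bits, assumed out of the rootkit's reach */
} target_t;
typedef struct {
    uintptr_t base[NPAGES][SLOTS]; /* training-phase copy */
    int fetched;                   /* pages transferred by the last scan */
} monitor_t;

/* All target writes pass through here, standing in for the MMU setting the bit. */
void target_write(target_t *t, int page, int slot, uintptr_t v) {
    t->mem[page][slot] = v;
    t->dirty[page] = 1;
}

/* Training phase: fetch and copy every monitored page from a known-good target. */
void monitor_train(monitor_t *m, target_t *t) {
    memcpy(m->base, t->mem, sizeof m->base);
    memset(t->dirty, 0, sizeof t->dirty);
}

/* Detection phase: returns the first dirty page that differs from its baseline, or -1. */
int monitor_scan(monitor_t *m, target_t *t) {
    int bad = -1;
    m->fetched = 0;
    for (int p = 0; p < NPAGES; p++) {
        if (!t->dirty[p]) continue; /* not modified since the last scan: no transfer */
        t->dirty[p] = 0;
        m->fetched++;
        if (bad < 0 && memcmp(m->base[p], t->mem[p], sizeof m->base[p])) bad = p;
    }
    return bad;
}

/* Constructed scenario: hooked=0 is a clean scan, hooked=1 replaces the write() entry. */
static target_t tgt; static monitor_t mon;
int demo(int hooked) {
    memset(&tgt, 0, sizeof tgt);
    tgt.mem[SYS_PAGE][SYS_WRITE] = 0xc0001000u; /* constructed address of write() */
    monitor_train(&mon, &tgt);
    if (hooked) target_write(&tgt, SYS_PAGE, SYS_WRITE, 0xbf000040u); /* mal_write() */
    return monitor_scan(&mon, &tgt);
}
int main(void) { return demo(1) == SYS_PAGE ? 0 : 1; }
```

Because the scan clears each dirty bit it visits, a page that stays hooked but is never written again is skipped on later scans, so a mismatch has to be acted on when it is first reported.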
Related Work (1/2)
Rootkit Detection
• Enforcement of Kernel Data Structure Invariants [Baliga, et al., ACSAC 2008]
• Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]
Mobile Security and Detection
• Semantically Rich Application-Centric Security in Android [Ongtang, et al., ACSAC 2009]
• Detecting Energy-Greedy Anomalies [Kim, et al., MobiSys 2008]
Related Work (2/2)
Mobile Malware
• Cellular Botnets: Impact on Network Core [Traynor, et al., CCS 2009]
• Exploiting MMS Vulnerabilities to Exhaust Battery [Racic, et al., SecureComm 2006]
• Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005]
Conclusion and Future Work
Conclusions:
• Rootkits are now a threat to smart phones
Future Work:
• Energy efficient rootkit detection techniques
• Develop a rootkit detector for smart phones
Thank You!