Taming Mr Hayes: Mitigating Signaling
Based Attacks on Smartphones
Colin Mulliner, Steffen Liebergeld, Matthias Lannge, and Jean-Pierre
Seifert
Technische Universitat Berlin and Deutsche Telekom Laboratories
Outline
 Introduction
 Background
 Threats
 Design
 Implementation
 The AT Command Filter
 Conclusions
Introduction
 Mobile botnets hijack mobile phone to produce signaling
traffic sent from mobile phones to the cellular network
core. – DDoS
 Rooted smartphones disable protection mechanisms.
Applications may launch intentional malicious activity
and accidental harmful operations.
Introduction
 Protect the cellular network infrastructure from malicious
smartphones
 Virtual modem
 Device-side protection system
 Android-based
 AT-command filter
 The OS is separated from the baseband
 Safe-to-root virtualized Android
Background
 Cellular Network Architecture
Background
 Cellular Signaling
 Signaling traffic  MSC and HLR
 Voice call, SMS, and updating account settings
 Packet-data  SGSN, GGSN, and HLR
 Packet Data Protocol (PDP)
 ME establishes a PDP context by sending a GPRS-attach
message to SGSN.
Background
 Smartphone Architecture
Baseband
Processor
Application
Processor
Threats
 Hijacked Phones and Mobile Botnets
 PDP Context Change
 Premium Rate SMS Trojans
 Rooted Phones
Threats
 Hijacked Phones and Mobile Botnets
 ikee.B iPhone botnet infects about 22,000 devices
 HTTP-based C&C channel
 Traynor et al. issue the AT command to configure and
enable call-forwarding settings in order to cause a high load
on the HLR.
 Mobile botnets use SMS messages for C&C.
Threats
 PDP context activation and de-activation leads to high
network load on the GGSN and SGSN.
 On Android, it’s possible to force an PDP context change
every 2 seconds.  43,200 PDP activation per day.
 Pre-paid SIM cards may cause DoS attacks.
Threats
 Premium Rate SMS Trojans
 FakePlayer-A
 The same problem applies to voice calls to premium
numbers
 android.permission.SEND_SMS
Threats
 Rooted Phones
 Simply install a modified firmware on the device
 Exploiting known security flaws
 EX: DroidDream
Design
 Virtualize
 Isolated
 Assume the device’s
DMA feature can be
restricted to safe
memory locations.
 IO-MMU
Design
 Micro Kernel as Secure Foundation
 Modern third-generation micro kernels implement objectcapabilities
 POLA (principle of least authority)
Design
 Virtualized Android
 Smartphone CPUs are not natively virtualizable.
 The overhead of running a monolithic OS on top of a micro
kernel is between 5 and 10 percent.
 Enforce Android to access the baseband by not giving it
access to the baseband’s IO memory.
 Safe-to-root
 A commercial version requires a bootloader that is capable
of restricting updates to the Android partition.
Design
 Virtual Modem
 Baseband driver
 Virtual serial interface
 AT command filter
 Virtual network interface
 IP filter
 NAT
Implementation
 Intel x86-based smartphone
 Moorestown platform (SOC)
 Atom core
 ST-Ericsson U300 – baseband
 Fiasco.OC micro kernel
 A L4 micro kernel
Implementation
 L4Android
 Based on L4Linux
 L4Android kernel ABI is compatible with Android
Implementation
 System Setup
L4Android
L4Linux
Implementation
 L4Linux
 Booting and initializing the baseband
 Running baseband driver
Implementation
 Modifications to Android RIL
 libreference-ril.so
 libsect-ril.so
 They built their own abstraction library
The AT Command Filter
 AT Command and Man-machine Interface (MMI)
MMI
##002#
Phone app
AT Command
AT+CCFC=0,4
The AT Command Filter
AT+CGDCONT
Configure a PDP context
AT+CGACT
Activated a configured PDP
AT*EPPSD
PDP context control for our ST-Ericsson baseband
AT+CMGS
Send an SMS message
ATD+<number>;
Initiates a voice call to given number
AT+CCFC
Configure, activate, and de-activate callforwarding settings
AT+CFUN
Configuration of the baseband state
The AT Command Filter
 PDP Context Setup on the STE Baseband
The AT Command Filter
 Special Problem
 Special case APN
 APN for MMS
 Command side effects
 If the baseband is switched between 2G and 3G, the
PDP context is disconnected and reconnected
The AT Command Filter
 Filtering AT Commands
 AT_CCFC_interval = 60 (seconds)
 AT_CCFC_threshold = 5 (# commands)
The AT Command Filter
 SMS Filter
 Short code detector
 Short code (4-6 digits): Premium rate numbers
 Block all SMS to short codes
 Future work: secure GUI for legit SMS to short codes
 Binary Message Payload Detector
 Non-printable characters
 Base64 encoding
The AT Command Filter
 Blocking Commands
 To not confuse the application logic in the RIL, our filter
would inject the error message into the stream that carries
the responses from the baseband to the RIL
 Some commands are never blocked
 Switch to flight mode (AT+CFUN=4)
 PDP context deactivation (AT*EPPSD)
 Emergency calls (ATD 911;)
The AT Command Filter
 Profiling Benign AT Command Usage
 Count the number of commands used
Command
# When
Why
AT+CFUN
2 Boot
Flight mode. Normal mode.
AT+CFUN
1 Use
Switch to GSM-only.
AT+CDGMNT
1 Boot
Set PDP configuration.
AT*EPPSD
1 Boot
Activate PDP context.
AT+CMGS
1 Use
Send a SMS message.
ATD
1 Use
Issue a voice call.
AT+CCFC
3 Use
Query forwarding settings.
AT+CCFC
2 Use
Set a call-forwarding.
Evaluation
 Setting
 nanoBTS - openBSC
 Faraday Cage
Evaluation
 Limiting the Call-forwarding Attack [ref]
 2,500 TPS (Transactions per second) for low traffic network
 30,000 TPS for high traffic network
 AT+CCFC takes 4.7 seconds  12 commands per minute
 4.7 seconds * 2,500 TPS = 11,750 hosts
 Threshold = 5 commands / minutes
Evaluation
Evaluation
 Limiting PDP Context Changes
 Switch the baseband mode between GSM-only, 3G-only,
and GSM+3G
 The threshold for PDP context changes, pt
 The threshold for AT*EPPSD commands, et
 The threhold for AT+CFUN commands, ct
 Pt = et + ct
 Without any limit, 30 changes per minute is the maximum
possible
Evaluation
Evaluation
 SMS Trojan
 FakePlayer-A premium SMS Trojan
 Number 3353
Evaluation
 SMS Controlled Botnets
 Binary Payload Detector
 Blocking text messages will be complicated since they
would need to be analyzed thoroughly before one is able to
safety block them
Conclusions
 Virtual modem
 Future work
 VPN Gateway
 Advanced IDS/IPS
 Policy Update Infrastructure
 Secure GUI
 Hardware Virtualization