|
(((y)>) GSM Device
<br />Kernel Rootkit
<br />Allot to:
<br />�. Rootkit is
<br />triggered
<br />r ... 2. Rooikt cells
<br />attacker
<br />S. Rocti& tons on
<br />mlaophone
<br />Sound System
<br />Calendar
<br />Application
<br />Figure 2: The GSM rootkit intercepts an alarm signal, e.g., a
<br />meeting notification, and stealthily dials the attacker, thereby
<br />allowing him to snoop on confidential conversations.
<br />port loadable kernel modules; consequently, our proof -of -concept
<br />tootkits can potentially be modified to work on the Android plat-
<br />form (and the phones that run it, such as the Droid and the Nexus
<br />One). Since the attacks modify OS -specific data structures, they
<br />must be re -implemented for other platforms, such as Windows Mo-
<br />bile and Symbian OS; we expect that domg this will be relatively
<br />easy. In the following three subsections, we will describe m detail
<br />the three rootkits we developed. For each rootkit, we will present
<br />the goal of the attack, the attack description and its social impact.
<br />3.1 Spying on Conversations via GSM
<br />Goat The goal of this attack is to allow a remote attacker to
<br />stealthily listen into or record confidential conversations using a
<br />victim's rootkit-infected smart phone.
<br />Attack Description. The Freerunner phone is equipped with a GSM
<br />radio which is connected via the serial bus and it is therefore avail-
<br />able to applications as a serial device. During normal operation
<br />of the phone, user -space applications issue system calls to the ker-
<br />nel requesting services from the GSM device The GSM device
<br />services the request allowing the application to access the tele-
<br />phony functionality provided by the device. GSM devices are con-
<br />trolled through serves of commands, called AT (attention) com-
<br />mands, that let the kernel and user -space applications invoke spe-
<br />cific GSM functions. For example, GSM devices support AT com-
<br />mands to dial a number, fetch SMS messages, and so on. To ma-
<br />liciously operate -the GSM device, e g., to place .a phone call to
<br />a remote attacker, the rootkit must therefore issue AT commands
<br />from within the kernel.
<br />Most smart phones today contain calendar programs, which no-
<br />tify users when scheduled events. occur. Our prototype rootkit op-
<br />erates by intercepting these notifications set by the user. As shown
<br />in Figure 2, a notification is displayed by a user -space program to
<br />notify the user of an impending meeting. The rootkit intercepts
<br />this notification and activates its malicious functionality. The at-
<br />tack code stealthily dials a phone number belonging to a remote
<br />attacker, who can then snoop or record confidential conversations
<br />of the victim. The phone number dialed by the rootkit can either be
<br />hard -coded into the rootkit, or delivered via an SMS message from
<br />the attacker, which the rootkit intercepts to obtain the attacker's
<br />phone number. Alternatively, the rootkit could be activated when
<br />the victim dials a number. The rootkit could then stealthily place
<br />a three-way call to the attacker's number, thereby allowing the at-
<br />tacker to record the phone conversation.
<br />6. Triggering the rootkit. We used a simple alarm clock program
<br />to simulate calendar notifications on the Openmoko (we did so be-
<br />cause the Openmoko phone does not have any released calendar
<br />programs) In an uninfected kernel, when an alarm is signaled a
<br />specific message is delivered via the write system call. In our ` in-
<br />fected" kernel, the rootkit hooks the system call table and replaces
<br />the address of the write system call with the address of a mali-
<br />cious write function implemented m the rootkit. The goal of the
<br />malicious write function in our prototype rootkit is to check for
<br />the alarm notification in the write calls. Once an alarm message
<br />is identified, the malicious functionality is triggered.
<br />e Placing a phone call. When triggered, our rootkit places a phone
<br />call by emulating the functionality of user -space telephony appli-
<br />cations. Typically, user -space applications (such as the Qtopia soft-
<br />ware stack [6], which ships with the Openmoko Linux distribution
<br />on the Freerunner phone) make calls by issuing a sequence of sys-
<br />tem calls to the kernel. Specifically, applications such as Qtopia
<br />use write system calls to issue AT commands to the GSM device
<br />(these commands are supplied as arguments to the write system
<br />call). The n to be dialed is located in the AT command.
<br />Our prototype rootkit calls the attacker by issuing the same se-
<br />quence of AT commands from within the kernel. We obtained the
<br />sequence of AT calls that must be issued to place a phone call by
<br />studying the Qtopia software stack. The AT commands issued by
<br />the rootkit activate the telephony subsystem and successfully es-
<br />tablish a connection to the attacker's phone. The prototype rootkit
<br />must also activate the sound system by turning on the microphone.
<br />Social Impact. Snooping on confidential conversations has severe
<br />social impact because most users tend to keep their mobile phones
<br />in their proximity and powered -on most of the time. Rootkits op-
<br />erate stealthily, and as a result, end users may not even be aware
<br />that their phones are infected. Consequently, an attacker can listen-
<br />m on several conversations, which violates user privacy, ranging
<br />from those that result in embarrassing social situations to leaks of
<br />sensitive information. For example, an attack that records the con-
<br />versations at a corporate board meeting can potentially compromise
<br />corporate trade secrets and busmess reports to competitors. Simi-
<br />larly, several automated phone -based services often require a user
<br />to enter (via voice or key presses) PIN numbers or passwords be-
<br />fore routing the call to a human operator; an attacker snooping on
<br />such calls may financially benefit from such information.
<br />3.2 Compromising Location Privacy using GPS
<br />Goal. The goal of this attack is to compromise a victim s loca-
<br />tion privacy by ordering the victim's rootkit-infected smart phone
<br />to send to the remote attacker a text message with victim's current
<br />location (obtained via GPS).
<br />Attack Description. As with the GSM device, the GPS device is
<br />also a serial device. The kernel maintains a list of all serial devices
<br />installed on the system. A rootkit can easily locate the GPS device.
<br />Every serial device contains a buffer in which the corresponding
<br />device stores all outgoing data until it is read by a user -space appli-
<br />cation. Our prototype rootkit uses this buffer to read information
<br />before it is accessed by user -space applications This allows us to
<br />monitor and suppress incoming SMS messages and also query the
<br />GPS for location information.
<br />A rootkit that compromises location privacy as described above
<br />must implement three mechanisms. First, it must be able to inter-
<br />cept incoming text messages, and determine whether a text message
<br />is a query from a remote attacker on the victim's current location
<br />Second, the rootkit must be able to extract location information
<br />from the GPS receiver. Last, it must generate a text message with
<br />the victim's current location, and send this information to the at-
<br />tacker. An overview of this attack is shown in Figure 3.
<br />Our prototype rootkit intercepts text messages by monitoring and
<br />changing data in the GSM device buffer. To monitor the GSM
<br />buffer, we hook the kernel's read and write system calls. This
<br />3
<br />
|