Smart Phone Security

Description

Smart phones combine the functionality of mobile phones and Personal Digital Assistants (PDAs). These devices have become commonplace during the past few years, gradually integrating different networking technologies such as IEEE 802.11, Bluetooth, and GSM. These new devices support additional functionality and services, and service providers quickly embraced these as a way to foster new pay-per-use services.

Unfortunately, the development of both devices and services has been driven by market demand, focusing on new features and neglecting security. As a result, smart phones now face new security problems not found elsewhere. These problems originate directly from the integration process and are often related to the inclusion of multiple wireless technologies into a single device. Other problems are created by smart-phone-specific services, which often require complex software and infrastructure.

We explored the field of mobile/smart phone security in three areas: mobile phone viruses/worms, security issues of network interface integration (cross-service attacks), and vulnerability analysis of smart phone applications.

Mobile Phone Malware

Mobile phone viruses and worms are becoming more common and sophisticated. To better understand the threat posed by these class of malware, we developed a proof-of-concept mobile phone worm for the Symbian OS. Through the development of this proof-of-concept worm we gathered information about what is needed to develop a mobile phone worm, how mobile phone worms spread, and how targets are infected.

Cross-Service Attacks

Highly integrated smart phones are prone to cross-service attacks, where an attacker leverages the interaction among different wireless network interfaces integrated into a single device. We defined what cross-service attacks against smart phones are and we developed a proof-of-concept attack/exploit against a PocketPC-based smart phone that integrates wireless LAN and GSM. We then designed and implemented a protection mechanism based on resource labeling to prevent these types of attacks.

Security Analysis of Smart Phone Applications

Vulnerability analysis of software components running on smart phones is complex and requires both ad hoc infrastructure and custom approaches. We studied the security of MMS (Multimedia Messaging Service) User Agents implemented on PocketPC-based smart phones. To perform the security testing of these application, we developed a fuzzing tool that is able to produce test cases for MMS client applications. The tool includes a partial simulation of a mobile phone service infrastructure. With our tool, we were able to discover multiple previously unknown vulnerabilities. One of the vulnerabilities led to a proof-of-concept remote code injection/execution exploit. At the time of writing, this was the first remote code execution attack against a mobile phone that uses part of the mobile phone network as the attack vector.

Software

The Feakk proof-of-concept Symbian Worm
Proof-of-concept Symbian Worm and SMS security material.
- cell.zip [MD5 Checksum]
MMSLib - Fuzzing Edition
Extension to MMSLib for fuzzing purposes.
Based on MMSLib by Stefan Hellkvist
- mmslib-0.97_crm1.tar.gz [MD5 Checksum]

Publications

C. Mulliner, G. Vigna, D. Dagon, and W. Lee, "Using Labeling to Prevent Cross-Service Attacks Against Smart Phones," in Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pp. 91-108, Springer, Berlin, Germany, July 2006. [PDF, BibTeX] [Presentation]
C. Mulliner, "Security of Smart Phones," Master's Thesis, Department of Computer Science, University of California Santa Barbara, CA, June 2006. [PDF, BibTeX]
C. Mulliner and G. Vigna, "Vulnerability Analysis of MMS User Agents," to appear in Proceedings of the Annual Computer Security Applications Conference (ACSAC), IEEE Press, Miami, FL, December 2006. [PDF, BibTeX]
C. Mulliner and G. Vigna, "PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service," Bugtraq Security Advisory, Santa Barbara, CA, August 2006. [TXT]
C. Mulliner, "Advanced Attacks Against PocketPC Phones," DEFCON 14 Presentation, Las Vegas, NV, August 2006. [Presentation]
C. Mulliner, "Exploiting PocketPC -- Exploitation techniques for WinCE4.2x/PocketPC," WhatTheHack! Presentation, Netherlands, August 2005. [Presentation]
P. Haas, "Cell Phone Viruses," Presentation, Santa Barbara, CA, March 2005. [Presentation]
Symantex, "University of Santa Barbara Release Source Code for Symbian Worm," Symantec Security Response Weblog, Santa Barbara, CA, October 2006. [PDF]

People

G. Vigna.
C. Mulliner.
P. Haas.

Acknowledgments

This research was supported by the Army Research Office, under agreement DAAD19-01-1-0484, and by the National Science Foundation, under grants CCR-0238492 and CCR-0524853.