Evaluating the threat of epidemic mobile malware
8th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications
(WiMob 2012)
M. Sc. Christian Szongott
Distributed Computing & Security Group (DCSec)
Gottfried Wilhelm Leibniz University of Hannover, Germany
Slide 2
Malware for mobile devices
In the past, desktop PCs were the only attractive targets for malware attacks
  - limited functionality of cell phones
  - mobile internet not widely used
Today's cell phone landscape
  - Multiple communication interfaces (WiFi, Bluetooth, NFC, …)
  - Increased usage and connectivity
Christian Szongott, Evaluating the threat of epidemic mobile malware, IEEE WiMob 2012, 10.10.2012
Slide 3
Source: hostingnote.com
Malware for mobile devices II
In the past…
  - cell phones from many manufacturers (Nokia, Siemens, Sony, Ericsson, LG, Samsung, …)
  - great diversity of mobile operating systems
  - each manufacturer had its own proprietary OS
  - not an attractive target for attackers
Today…
  - only a handful of manufacturers
  - only 2 relevant mobile OS left (Android, iOS)
  - bulk of mobile phone users run the same mobile OS
Slide 5
iOS Malware
Noteworthy worms in the past on iOS devices
  - iKee worm (changes wallpaper)
  - iKee.b/Duh (connects to botnet control server, loads additional components, sends SMS details)
  - Siri Privacy Exposer (MITMA, stealing private information) on different computer
  - iPhone/Privacy.A (steals private information of nearby devices)
All of them require a jailbroken device to work!
Slide 6
iOS Malware II
iSAM
  - variety of attacks possible
  - Propagation through SMS
Our approach
  - Use modern hotspot feature of cell phones for the malware to spread to nearby devices
  - spatial proximity is considered
Slide 7
Proof-of-concept implementation
1. Prepare Evil Twin Hotspot at a crowded place
  - well used SSID
  - Auto-reconnection
  - Once connected, all data connections go through our Evil Twin
2. Exploitation
  - Using iOS internal pf to redirect requests to locally deployed lighttpd webserver
  - In iOS the captive portal pop-up window (UAM) is shown
  - Site is hosted on our webserver and contains actual exploit
  - Exploit jailbreaks the device and receives METM software
Slide 8
Proof-of-concept implementation II
3. Prepare a new Evil Twin
  - Start hotspot (in our proof-of-concept MyWi)
  - Copy malware and configurations
  - Overwrite pf rules
  - Start webserver
  - Cycle starts back at step 1.
Slide 9
Proof-of-concept evaluation I
MET transfer ~12 seconds (~10MB) for d < 20m
Slide 10
Proof-of-concept evaluation II
  - Significantly higher battery consumption with running Hotspot
  - Still low enough to infect a bulk of other devices during a day
Slide 11
Simulating cell phone users
Drawbacks of existing simulators
  - pure mathematical models
      - only consider temporal dynamics but no spatial ones
  - mobile agent-based models
      - rely on simple assumptions (homogeneous users, random walk model in empty terrain, instant infection)
Development of the Mobile Security & Privacy Simulator (MoSP)
  - Based on SimPy (process-based discrete-event simulation framework)
  - Uses geo-spatial data from the OpenStreetMap
  - Open source
Slide 12
Environment and Assumptions I
Simulation of downtown Chicago (The Loop)
Population
  - Amount of infectable devices
      - Transport statistics -> 400,000 smartphone users
      - iOS share from comScore study: 12%
      - Users running a vulnerable version of iOS: <10%
      - Resulting in 4,000 infectable devices
  - Newer exploits might be multi-platform malware
      - Therefore most simulations run with 10,000 devices
Slide 13
Environment and Assumptions II
Battery consumption
  - Based on the conducted lab tests
  - Consumption rises when device gets infected
  - For each new infection a small amount is subtracted
  - If flat battery no infection possible from and to device
Infection duration
  - Overall time until a victim’s device is infectious
  - Measured average for d < 20m: 12 seconds
  - Additional installation and start-up: 3 seconds
  - Assumed overall infection time: 15 seconds
Slide 14
Environment and Assumptions III
Four user actions
  - Walking, public space, location, leave
Five user groups
  - Power Users, Window Shoppers, Cafe Visitors, Average People, Strolling People
  - Differences in walking speed, duration of stay, internet usage, probabilities for next user action
Slide 15
Infection Model – Outside
Depending on the user’s group membership, users have different internet access intervals
An infection occurs if
  - the victim’s device tries to access the internet
  - the victim’s device remains in communication range (15m) for at least 15 seconds.
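The outdoor infection rule above, written out as an added Python sketch (not code from MoSP or from the talk), next to the "instant infection" assumption that the deck lists as a drawback of existing agent-based models. The function names, the one-sample-per-second traces and the walking speeds are assumptions constructed for illustration; the 15 m range and 15 s infection time are the values from the slides.

```python
import math

COMM_RANGE_M = 15.0  # communication range from the slide
INFECTION_S = 15     # 12 s transfer + 3 s installation and start-up

def in_range(a, b):
    return math.dist(a, b) <= COMM_RANGE_M

def realistic_infection(victim, carrier, access_times):
    """Second at which the victim becomes infectious, or None.

    victim, carrier: (x, y) positions in metres, one sample per second.
    access_times: seconds at which the victim's device tries to go online.
    """
    horizon = min(len(victim), len(carrier))
    for t in sorted(access_times):
        end = t + INFECTION_S
        if end >= horizon:
            continue  # trace ends before the infection could complete
        # The victim must stay in range for the whole infection duration.
        if all(in_range(victim[s], carrier[s]) for s in range(t, end + 1)):
            return end
    return None

def instant_infection(victim, carrier):
    """Instant-infection baseline: first second the two are in range."""
    for s, (v, c) in enumerate(zip(victim, carrier)):
        if in_range(v, c):
            return s
    return None

def walk_past(speed, seconds):
    """Constructed trace: straight walk along the x axis from x = -30 m."""
    return [(-30.0 + speed * s, 0.0) for s in range(seconds + 1)]

# Constructed scenario: infected device stationary at the origin.
CARRIER = [(0.0, 0.0)] * 61
SLOW = walk_past(1.0, 60)  # 1 m/s, in range during seconds 15..45
FAST = walk_past(2.0, 30)  # 2 m/s, in range during seconds 8..22 only

if __name__ == "__main__":
    print("slow, access at 20 s:", realistic_infection(SLOW, CARRIER, [20]))
    print("slow, access at 40 s:", realistic_infection(SLOW, CARRIER, [40]))
    print("fast, any access:    ", realistic_infection(FAST, CARRIER, range(31)))
    print("instant rule, fast:  ", instant_infection(FAST, CARRIER))
```

In this constructed scenario the fast walker is never infected under the realistic rule, whatever the access time, while the instant-infection baseline counts it as infected on first contact.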
Slide 16
Infection Model – Inside
Dimensions of locations (cafes, etc.) are not included in OSM data
  - mathematical infection model
  - Location sizes: 30 – 300 m²
Infection probability:
  - Story count (l), area (a), #inf. devices (i), damping factor (β)
  - Length of stay (t_visit), device activation interval (t_loc), communication range (r_Wi-Fi)
Slide 17
Comparison of different world models
  - Infection: Zombie infection / Realistic Device Infection
  - Movement: Random walk model / Full model
Slide 18
Results
Parametric study of infections
Slide 19
Results II
Different internet usage intervals
Slide 20
Results III
Closed vs. open system
Slide 21
Results IV
Different initial battery levels
Slide 22
Results V
No locations
With cafés as locations
Slide 23
Conclusion & Future work
Simulation of mobile malware has to take movement and usage patterns as well as locations into account
A critical mass for epidemic spreading of mobile malware will probably be reached in the near future
  - Monoculture of mobile operating systems
  - Significantly rising number of smartphone users
Simulator ToDos
  - Improving indoor simulator
  - Tuning simulation parameters
  - Simulation of countermeasures
Slide 24
Links & information
Mobile Security & Privacy Simulator
  - http://www.dcsec.uni-hannover.de/mosp.html
More technical details about the proof-of-concept malware
  - “Mobile Evil Twin Malnets - The Worst of Both Worlds”, Proceedings of the 11th International Conference on Cryptology and Network Security, 2012 (to appear)
  - or ask me later on
Thank you! Any Questions?
Slide 25
Simulation of a countermeasure
Slide 26
Results VI