Nomadic Honeypots: A Novel Concept for Smartphone Honeypots
Steffen Liebergeld, Matthias Lange and Collin Mulliner
Security in Telecommunications, Technische Universität Berlin, Germany
{steffen,mlange}@sec.t-labs.tu-berlin.de
Northeastern
Smartphones are a Valuable Target for Attackers
Ubiquitous
Precious personal information
◮ Login credentials for email, social networks ...
◮ Banking credentials, Wallet
◮ Location
Always online
Directly generate money
Lots of infection vectors
Liebergeld (TUB) Nomadic Honeypots May 23, 2013 1 / 9
Motivation
Users conscious about security
Having countermeasures can be valuable market asset for cellular operators
Requires information on current threats
How can we collect information on mobile threats?
Infection Vectors on Smartphones
User interaction required:
◮ Apps
◮ QR-Codes
Phone needs to be placed within reach of:
◮ NFC
◮ Bluetooth
◮ WiFi
◮ FM-radio
Insight: Static Honeypots will not work
Idea: Collect Threat Information Directly on Smartphone
[Figure: diagram with the labels Operator, Malicious WiFi, Inform, Warn, Smartphone infected with Bluetooth worm, Nomadic Honeypots, Ordinary Smartphones]
Concept of Nomadic Honeypots
Functional requirements:
◮ Collect threat information
◮ Send collected information to operator
◮ Confine attack: pose no harm to others
Threat Model:
◮ Allow smartphone OS to be completely compromised
Concept of Nomadic Honeypots
Partition the device
Isolate partitions from one another
Honeypot Partition:
◮ Runs smartphone OS
◮ Interacts with the user
◮ Hosts user information and Apps
◮ Cannot directly communicate
◮ Cannot tamper with data in second partition even when compromised
Infrastructure Partition:
◮ Mediates access to all communication devices
◮ Sensors for threat information collection
◮ Snapshot mechanism for Honeypot partition
◮ Backchannel to operator (e.g. VPN)
Practical Design
[Figure: architecture diagram with the labels Hardware, Microkernel, Honeypot VM, Infrastructure VM, Communication Devices, Sensors, Virtual Devices, Mobile OS (ABI unmodified), Applications, Backchannel]
Challenges
Social challenges:
How to find people who use nomadic honeypot as their primary phone?
Privacy issue: information is sent to operator
Usability issue: Battery duration, performance degraded
Technical challenges:
How to virtualize efficiently?
◮ Must ensure performance
◮ Keep battery duration at reasonable levels
How to build reasonable sensors?
◮ Which data streams to monitor?
◮ Sweet spot: Processing on device versus sending data to operator
Take Away
Nomadic Honeypots: New concept for smartphone honeypots
Threat collection directly on the device
Two isolated partitions: Honeypot and Infrastructure
Practical design proposed
Work has just started
Contributions welcome: steffen@sec.t-labs.tu-berlin.de
Prototype
Based on Fiasco.OC, L4Re and L4Android
Runs on Galaxy S2 smartphone
Mediates baseband access
Parts missing: Sensors, mediating NFC, Bluetooth, secure backchannel
Lots of optimization needed
Battery duration of about a day