35. What This Really Means
• If attackers can get the bot installed they can remotely control a user's phone without giving any sign of compromise to the user.
• Nearly 62 million smartphones sold in Q2 2010
• Development is similar to standard platforms
  • Android = Linux
  • iPhone = OSX
  • Windows Mobile = Windows
• Technical specs not as good as top of the line desktops. They are capable and improving rapidly.
• Battery Management: IP runs down the battery quickly
• Fault Tolerant: If SMS fails it will queue and retry
• Difficult for security researchers to monitor
• Bot receives all communication from the modem
  • If SMS (+CMT result code) continue analysis
  • If not SMS pass up to user space
• Moves through the PDU to the User Data
  • Decode 7-bit GSM to plaintext
• Bot checks for the secret key in the message
  • If bot message continue analysis and swallow the message (user never sees it)
  • If not a bot message pass it to user space
• Bot reads the functionality request in the message
  • If found perform the functionality
  • If not found fail silently
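The steps above describe the same walk an analyst has to make from the other side: take the PDU the modem reports, get to the TP-User-Data field, unpack the 7-bit GSM septets and read the text. The following is an added example (not code from the talk): a small SMS-DELIVER decoder in Python that does that walk, plus a check that compares what arrived at the modem with what the inbox shows, which is one way to notice messages being consumed before the user sees them. The PDU is a constructed sample in the standard GSM 03.40 layout, not a capture from any device; `hidden_messages` and `SmsDeliver` are names chosen here.

```python
"""Analyst-side decoder for the SMS path described above.

Added example, not from the original talk. Walks an SMS-DELIVER PDU
(PDU -> TP-User-Data -> 7-bit GSM septets -> plaintext) so a researcher
tracing the modem side can read every message that arrives, including
any that a hidden consumer would swallow before the inbox sees it.
"""
from dataclasses import dataclass

# GSM 03.38 default alphabet, basic table (septet values 0x00-0x7F).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128
# Extension table: reached with the escape septet 0x1B followed by one of these.
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}

# Constructed sample SMS-DELIVER PDU (not a capture): SMSC +27381000015,
# sender +27838890001, PID 0, DCS 0 (7-bit), timestamp 99-03-29 15:16:59,
# user data "hellohello" (10 septets packed into 9 octets).
SAMPLE_PDU = ("07917283010010F5040B917238880900F1000099309251619580"
              "0AE8329BFD4697D9EC37")


@dataclass
class SmsDeliver:
    sender: str
    timestamp: str
    dcs: int
    text: str


def unpack_septets(octets: bytes, count: int) -> list:
    """Unpack `count` 7-bit values that were packed LSB-first into `octets`."""
    acc, nbits, out = 0, 0, []
    for b in octets:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out


def gsm7_decode(septets) -> str:
    """Map septets to text, honouring the 0x1B escape into the extension table."""
    out, i = [], 0
    while i < len(septets):
        s = septets[i]
        if s == 0x1B and i + 1 < len(septets):
            out.append(GSM7_EXT.get(septets[i + 1], " "))
            i += 2
        else:
            out.append(GSM7_BASIC[s])
            i += 1
    return "".join(out)


def _swap_nibbles(hexstr: str) -> str:
    """Semi-octet digits are stored low nibble first: '72' encodes '27'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def parse_sms_deliver(hex_pdu: str) -> SmsDeliver:
    """Walk the PDU header to TP-User-Data and decode it."""
    data = bytes.fromhex(hex_pdu)
    pos = 1 + data[0]                          # skip length-prefixed SMSC address
    first = data[pos]; pos += 1
    if (first & 0x03) != 0x00:                 # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                  # user-data header present?
    oa_digits, oa_toa = data[pos], data[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _swap_nibbles(data[pos:pos + oa_len].hex().upper()).rstrip("F")
    if (oa_toa & 0x70) == 0x10:                # type-of-number: international
        sender = "+" + sender
    pos += oa_len
    dcs = data[pos + 1]; pos += 2              # data[pos] is TP-PID, not needed here
    t = _swap_nibbles(data[pos:pos + 7].hex()); pos += 7
    timestamp = f"{t[0:2]}-{t[2:4]}-{t[4:6]} {t[6:8]}:{t[8:10]}:{t[10:12]}"
    udl, ud = data[pos], data[pos + 1:]
    if (dcs & 0xC0) == 0x00 and (dcs & 0x0C) == 0x00:   # general group, 7-bit
        septets = unpack_septets(ud, udl)      # UDL counts septets here
        if udhi:                               # header takes ceil((UDHL+1)*8/7) septets
            septets = septets[((ud[0] + 1) * 8 + 6) // 7:]
        text = gsm7_decode(septets)
    elif (dcs & 0xC0) == 0x00 and (dcs & 0x0C) == 0x08:  # UCS-2
        text = ud[:udl].decode("utf-16-be")
    else:                                      # 8-bit data or other groups: keep hex
        text = ud[:udl].hex()
    return SmsDeliver(sender, timestamp, dcs, text)


def hidden_messages(captured_pdus, inbox_texts) -> list:
    """Messages seen at the modem that never reached the user-visible inbox."""
    visible = set(inbox_texts)
    return [m for m in map(parse_sms_deliver, captured_pdus) if m.text not in visible]


if __name__ == "__main__":
    print(parse_sms_deliver(SAMPLE_PDU))
    print("not in inbox:",
          [m.text for m in hidden_messages([SAMPLE_PDU], ["some other message"])])
```

The decoder deliberately stops at the text: what counts as a "bot message" is whatever the consumer on the device decides, so the useful signal for a researcher is the difference between the modem-side trace and the inbox, not any particular marker in the content.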
• Impersonation: Use cryptographic keys to authenticate the master bot and sentinel bots
• Replay:
  • SMS timestamps
  • Sequence numbers / one-time keys
  • Elliptic Curve Algorithm
• Possibility of detection from phone bills
• User Data is limited to 160 characters (instructions and keys must fit in this space)
• On some platforms only the modem knows the phone number
• Regular Users: App + Local Root Exploit (Sendpage etc.)
  • Example: John Oberheide's Twilight Android Botnet, Defcon Skytalks 2010
• Root-level/Jailbroken Users: Root-level app using a proxy function for AWESOME + Bot
  • Example: flashlight + tether for iPhone
• Remote: Remote root exploit (rooted and non-rooted)
  • Example: iKee-B "Duh" Worm for iPhone
• Spam: Creating SMS-Send PDUs and passing them to the modem
  • Example: SMS ads
• DDoS: Millions of smartphones vs. a server
• Loading New Functionality: Send URL in payload, download the module into known payloads
• Degrading GSM service: Overloading the network with bogus requests