Thwarting Smartphone SMS Attacks at the Radio Interface Layer

The short message service (SMS) is a cornerstone of modern smartphone communication that enables inter-personal text messaging and other SMS-based services (e.g., two-factor authentication). However, it can also be readily exploited to compromise unsuspecting remote victims. For instance, novel exploits such as Simjacker and WIBAttack enable transmission of binary SMS messages that could surreptitiously execute dangerous commands on a victim device. The SMS channel may also be subverted to drive other nefarious activities (e.g., spamming, DoS, and tracking), thereby undermining end-user security and privacy. Unfortunately, neither contemporary smartphone operating systems nor existing defense techniques provide a comprehensive bulwark against the spectrum of evolving SMS-driven threats. To address this limitation, we develop a novel defense framework called RILDefender, which to the best of our knowledge is the first inline prevention system integrated into the radio interface layer (RIL) of Android smartphones. We describe an implementation of RILDefender on three smartphone models with five Android versions of the Android Open Source Project (AOSP), and show that it is able to protect users from six types of SMS attacks spanning four adversary models. We evaluate RILDefender against 19 reproduced SMS attacks and 11 contemporary SMS malware samples and find that RILDefender detects all and automatically prevents all but one of these threats without affecting normal cellular operations.
