
Smart Phone Vulnerability Analysis

2010-06-26 14:21

Original source: http://www.cs.ucsb.edu/~seclab/projects/smartphones/index.html
Author: Stefan Hellkvist; translated by Chen Shangyi

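Overview

Smart phones combine the functionality of mobile phones and personal digital assistants (PDAs). Over the past few years these devices have become ordinary consumer goods, gradually integrating various networking technologies such as IEEE 802.11, Bluetooth, and GSM, and supporting more functionality and services. Service providers and telecom operators quickly seized these opportunities to foster new prepaid services.
Unfortunately, device and service providers have been driven by market interests, concentrating on new features and neglecting security. As a result, smart phones now face new security problems that did not exist before. These problems arise directly from the integration process and are usually related to the adoption of multiple wireless technologies; other problems come from smart-phone-related services, which often require complex software and infrastructure.
We explore mobile/smart phone security in the following areas: mobile phone viruses/worms, security issues of network interface integration (cross-service attacks), and vulnerability analysis of smart phone applications.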

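Mobile Phone Malware
Mobile phone viruses and worms are becoming increasingly common and increasingly sophisticated. To better understand the threat posed by this malware, we developed a proof-of-concept worm on the Symbian operating system. Through this development we gathered information about how mobile phone worms are developed, how they spread, and how they infect targets.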

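Cross-Service Attacks
A smart phone is a single device that integrates several different wireless network interfaces, and attackers exploit this property to carry out attacks; highly integrated smart phones are prone to cross-service attacks. We defined cross-service attacks against smart phones and developed a proof-of-concept attack/exploit against a PocketPC-based smart phone that integrates wireless LAN and GSM. We then designed and implemented a protection mechanism based on resource labeling to defend against these attacks.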

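Security Analysis of Smart Phone Applications
Analyzing vulnerabilities in software modules on smart phones is complex and requires ad hoc infrastructure and custom approaches. We studied the security of MMS (Multimedia Messaging Service) user agents implemented on PocketPC smart phones. To security-test these applications, we developed a fuzzing tool that generates test cases for MMS client applications. The tool includes a partial simulation of the smart phone service infrastructure. Using this tool, we were able to discover multiple previously unknown vulnerabilities. We found a vulnerability that led to proof-of-concept remote code injection/execution. At the time of writing, this was the first remote code execution attack against a mobile phone that used the mobile phone network as the attack path.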

Description
Smart phones combine the functionality of mobile phones and Personal Digital Assistants (PDAs). These devices have become commonplace during the past few years, gradually integrating different networking technologies such as IEEE 802.11, Bluetooth, and GSM. These new devices support additional functionality and services, and service providers quickly embraced these as a way to foster new pay-per-use services.

Unfortunately, the development of both devices and services has been driven by market demand, focusing on new features and neglecting security. As a result, smart phones now face new security problems not found elsewhere. These problems originate directly from the integration process and are often related to the inclusion of multiple wireless technologies into a single device. Other problems are created by smart-phone-specific services, which often require complex software and infrastructure.

We explored the field of mobile/smart phone security in three areas: mobile phone viruses/worms, security issues of network interface integration (cross-service attacks), and vulnerability analysis of smart phone applications.

Mobile Phone Malware
Mobile phone viruses and worms are becoming more common and sophisticated. To better understand the threat posed by this class of malware, we developed a proof-of-concept mobile phone worm for the Symbian OS. Through the development of this proof-of-concept worm we gathered information about what is needed to develop a mobile phone worm, how mobile phone worms spread, and how targets are infected.

Cross-Service Attacks
Highly integrated smart phones are prone to cross-service attacks, where an attacker leverages the interaction among different wireless network interfaces integrated into a single device. We defined what cross-service attacks against smart phones are and we developed a proof-of-concept attack/exploit against a PocketPC-based smart phone that integrates wireless LAN and GSM. We then designed and implemented a protection mechanism based on resource labeling to prevent these types of attacks.

Security Analysis of Smart Phone Applications
Vulnerability analysis of software components running on smart phones is complex and requires both ad hoc infrastructure and custom approaches. We studied the security of MMS (Multimedia Messaging Service) User Agents implemented on PocketPC-based smart phones. To perform the security testing of these applications, we developed a fuzzing tool that is able to produce test cases for MMS client applications. The tool includes a partial simulation of a mobile phone service infrastructure. With our tool, we were able to discover multiple previously unknown vulnerabilities. One of the vulnerabilities led to a proof-of-concept remote code injection/execution exploit. At the time of writing, this was the first remote code execution attack against a mobile phone that uses part of the mobile phone network as the attack vector.