LAS VEGAS – Researchers have developed a do-it-yourself system for detecting malware on mobile phones using a femtocell that allows users to monitor their own mobile traffic.
The system is meant to provide companies or individual users with an intrusion detection system that gives them the ability to see and monitor their own mobile phone traffic in the same way that companies can monitor corporate network traffic.
Currently the only way for companies to determine if an employee’s mobile phone is infected is to install mobile device management software on every mobile phone. The only way for individual consumers to know if they’re infected is to pay to install antivirus software on their smartphone.
But in either case, the mobile phone traffic itself is unavailable for monitoring, since it passes through the carrier’s network, beyond the reach of corporate IT departments or individual users.
To remedy this, researchers from LMG Security in Montana developed a system that costs less than $300 to build. It uses a modified Verizon Samsung femtocell to view the traffic that passes from smartphones through the femtocell to the mobile carrier’s network, and to monitor that traffic for malicious activity.
Femtocells are small cellular base stations that are used in homes and businesses to extend the cellular network in areas where carrier cell towers don’t reach.
“If your phone is infected, … it can send audio recordings, copies of your text messages and even intercept copies of your text messages so you never receive them,” says Sherri Davidoff, of LMG Security. “Our goal is to give people the ability to see the network traffic” to determine if this is occurring.
The researchers presented their system on Saturday at the Def Con hacker conference and have since released a paper describing their method as well as code for others to use to develop their own system.
They say it took them six months to study the femtocell firmware and devise a way to modify it so that they could divert data as it passed from phones through the femtocell to carrier networks. They then modified a Verizon femtocell that they bought online so that it ran a more advanced version of iptables (the Linux firewall’s tool for filtering IP packets), which sends the traffic from the femtocell to a laptop running the Snort intrusion detection system loaded with virus signatures that they wrote.
“You could take this technique and run it into any whitelisting, blacklisting heuristics, any number of different types of analysis,” says LMG’s Randi Price, another member of the research team. “We chose to go with Snort and write our own signatures.”
The system not only allows them to monitor traffic passing through the femtocell; it would also allow someone to stop infected phones from passing data to attackers, alter that data to feed the attackers false information, or pass commands back to the smartphone to remotely disable the malware.
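To make the detection stage concrete, here is an added illustration (not LMG Security’s code or signatures) of how a Snort-style rule set decides whether diverted traffic should raise an alert, be dropped, or pass; the rule syntax subset, the rules and the packets are all constructed for the example.

```python
# Added example: a tiny matcher for a subset of Snort rule syntax, run over
# constructed packets to show the alert/drop/pass decisions an inline inspector
# on the femtocell-to-carrier path could make. Not LMG Security's code.
import re

# Header subset: action proto src sport -> dst dport (options)
HEADER = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+"
    r"(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Parse one rule into a dict; only the msg, content and sid options are understood."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = {"action": m["action"], "proto": m["proto"].lower(),
            "dport": m["dport"], "msg": "", "contents": [], "sid": None}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append(val.encode())  # every content: must be present
        elif key == "sid":
            rule["sid"] = int(val)
    return rule

def matches(rule, pkt):
    """True if the packet satisfies protocol, destination port and all content: options."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    return all(c in pkt["payload"] for c in rule["contents"])

def inspect(rules, pkt):
    """Return (verdict, sid) for the first matching rule, or ("pass", None)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["sid"]
    return "pass", None

# Constructed rules and packets for the demonstration (hypothetical indicators).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"Constructed: SMS text posted to web host"; content:"POST"; content:"sms_body="; sid:1000001;)',
    'drop tcp any any -> any 8080 (msg:"Constructed: AMR audio upload"; content:"Content-Type: audio/amr"; sid:1000002;)',
]]
PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"POST /up HTTP/1.1\r\n\r\nsms_body=meet+at+9"},
    {"proto": "tcp", "dport": 8080, "payload": b"PUT /rec HTTP/1.1\r\nContent-Type: audio/amr\r\n\r\n#!AMR"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /news HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

def run_demo():
    """Apply the constructed rules to each constructed packet in order."""
    return [inspect(RULES, p) for p in PACKETS]
```

Running `run_demo()` yields an alert for the SMS upload, a drop verdict for the audio upload, and a pass for the ordinary web request.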
Their research was done specifically on the CDMA network but with just a little work could be developed for use with other mobile network traffic as well.
The system cost about $285 to make and uses code that they are releasing under a GPL license for others to use and develop.
Davidoff says they developed the system to empower consumers and let them see that viewing and monitoring their mobile traffic is a viable option. She said she hopes that either cellular providers will start offering such a system commercially to customers or that third-party companies will use their research to independently develop products for consumers to use.
“It seems silly not to give people the same tools they have on the internet for use on the cell phone network,” Davidoff says. “I feel like we’re doing people a disservice if we’re not allowing them to actually inspect their own network traffic.”