A general approach which can efficiently monitor a device's cellular network traffic and identify the presence of attacks
With the ever-increasing demand of cellular devices, the vulnerabilities pertaining to network traffic are increasing as well. Dealing with such vulnerabilities required a system that would thwart the network attack attempts and mitigate these vulnerabilites, hence proposed Phoenix. Following are the salient features of Phoenix:
Following are the two ways Phoenix can be deployed:
Following are the key components that constitute Phoenix (deployed as an android app)
Firstly the message extractor reads events from the baseband processor. We used MobileInsight's dissector to efficiently capture traffic of NAS and RRC Layers. We then apply required propositions and forward the message to the monitor.
We implemented our own monitors using Python For Android since MobileInsight is written in Python. Now let's discuss implementation of each monitor against attack signatures.
Now lets see how well Phoenix performed in a real world scenario and also have a look at it's energy consumption.
To measure energy consumed when Pheonix is used as an android app we connected the Nexus 6 phone to a Monsoon Power Meter. The results can be seen as follows:
We deployed pheonix on two Pixel 3 devices running on 4 major US Cellular networks. The experiment included running Pheonix for approximately 12 hours using Pixel as our daily devices. Following are the results showing warnings using different monitors in Phoenix:
As evident from the figure above we can see that DFA proves to be inadequate and produces a large amount of false warnings. Mealy machine on other hand produced no false warnings and thus won't disturb the user with false alarms. Whereas, PLTL produced some warnings which upon inspection turned out to be actual misconfigurations on part of the cellular providers. For example, we found that EMM information is sent in plaintext which is actual misconfiguration by the said cellular providers.
Vulnerability signatures synthesized using vulnerable and non-vulnerable traces and later pushed to the device. The device analyzes cellular traffic against these signatures to give corresponding warning.
Attack Variants generated during experiment when phoenix ran on phones.