Phoenix

Overview

With the ever-increasing demand of cellular devices, the vulnerabilities pertaining to network traffic are increasing as well. Dealing with such vulnerabilities required a system that would thwart the network attack attempts and mitigate these vulnerabilites, hence proposed Phoenix. Following are the salient features of Phoenix:

Phoenix monitors device side cellular traffic by performing signature-based run-time verification
Signatures can be manually crafted by a security expert or automatically synthesized by Phoenix
Based on corrective actions available to Phoenix, a defense system can either be deployed in a baseband processor or inside a mobile application

Implementation

Following are the two ways Phoenix can be deployed:

Phoenix in Modem — Figure 1: Phoenix deployed in the modem chip

Following are the key components that constitute Phoenix (deployed as an android app)

Message Extractor

Firstly the message extractor reads events from the baseband processor. We used MobileInsight's dissector to efficiently capture traffic of NAS and RRC Layers. We then apply required propositions and forward the message to the monitor.

Monitor Component

We implemented our own monitors using Python For Android since MobileInsight is written in Python. Now let's discuss implementation of each monitor against attack signatures.

DFA: DFA monitors the set of transitions, list of accepting states, current state and the alphabet in memory. If transitions lands on a non-accepting state it is considered an attack.
MM: Mealy Machine monitors are similar to DFA but since it doesn't have any accepting and non-accepting states, so the output symbol of the transition indicates which particular attack has occured.
PLTL: We used dynamic programming to monitor PLTL formulas. The monitor stores a single bit for each sub-formulas truth value and uses bitwise operations to identify truth values.

Results

Now lets see how well Phoenix performed in a real world scenario and also have a look at it's energy consumption.

Energy Consumption

To measure energy consumed when Pheonix is used as an android app we connected the Nexus 6 phone to a Monsoon Power Meter. The results can be seen as follows:

Figure 3: Power Consumption with different monitors running on Phoenix

Real World Evaluation

We deployed pheonix on two Pixel 3 devices running on 4 major US Cellular networks. The experiment included running Pheonix for approximately 12 hours using Pixel as our daily devices. Following are the results showing warnings using different monitors in Phoenix:

Figure 4: Warnings triggered when Phoenix ran on Pixel 3

As evident from the figure above we can see that DFA proves to be inadequate and produces a large amount of false warnings. Mealy machine on other hand produced no false warnings and thus won't disturb the user with false alarms. Whereas, PLTL produced some warnings which upon inspection turned out to be actual misconfigurations on part of the cellular providers. For example, we found that EMM information is sent in plaintext which is actual misconfiguration by the said cellular providers.

Signatures

Vulnerability signatures synthesized using vulnerable and non-vulnerable traces and later pushed to the device. The device analyzes cellular traffic against these signatures to give corresponding warning.

Download Signatures