While testing a theory about the cellular voice channel in smartphones being used as a covert channel “to conduct multiple covert malicious activities such as sending commands or even leaking information,” researchers discovered they could “easily bypass” Android security mechanisms and “answer incoming calls without the user or the system’s knowledge.”
Researchers from Golisano College of Computing and Information Sciences, at the Rochester Institute of Technology in New York, wanted to know if the cellular voice channel could potentially be used for “information leakage” or spreading malware by “carrying modulated speech-like data covertly.” They wrote, “Cellular service providers have not applied any information security protection systems, such as firewalls or intrusion detection systems, to guard cellular voice channel traffic in the cellular network core. Thus these channels are a prime choice over which to attempt a covert channel.”
To test their theory, they developed a proof-of-concept Android software audio modem and a rootkit; the rootkit got around the Android application sandboxing mechanism, changed phone services and hid the covert communication channels. Their modem “was able to leak data successfully through the cellular voice channel stream by carrying modulated data with a throughput of 13 bps with 0.018% BER.”
In “A New Covert Channel over Cellular Voice Channel in Smartphones” (pdf), authors Bushra Aloraini, Daryl Johnson, Bill Stackpole and Sumita Mishra explained that smartphones originally had two main processors: the baseband processor (BP), which runs a Real-Time Operating System (RTOS), handles radio access to the cellular network and implements the communication protocols, while the application processor (AP), which runs an operating system such as Android, is responsible for the user interface and applications. But people wanted higher audio and video performance and longer battery life, so hardware designers came up with “integrated” or “all-in-one” processor designs that merged the audio digital signal processor into the AP.
The researchers used a Cirrus Logic diagram to show how the audio digital signal processor was merged into the AP and how that changed the audio routing.
The Cirrus Logic Audio Subsystem Architecture diagram shows the audio digital signal processor (DSP) merged into the application processor (AP).
“This new feature introduced a new security vulnerability,” they wrote. Those changes in smartphone hardware and software design are what make it possible for the cellular voice channel to be used as a covert channel “to leak information” or to “distribute malware” through the cellular voice stream. They added, “This new smartphone design was adopted by multiple companies, and thus new smartphones are being released that use this design without considering the security vulnerability.”
The researchers tried out three attack scenarios. In the first, two people were texting each other over the cellular voice channel, using it as a shared resource: the audio modem maps each touch-keyboard character to its Morse code, which is then shaped into “speech-like” waveforms. The test successfully validated “the modem’s ability to utilize the cellular voice channel as a carrier of the generated audio signals by the smartphone. However, sometimes the receiver could not get the exact original data for several reasons, such as noisy environment, frame stealing scenario, smartphone audio hardware quality, and modem implementation.”
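The paper notes that carriers run no intrusion detection on voice-channel traffic. As an added example that is not code from the paper, here is a simple screen a carrier or handset could run over narrowband PCM audio: it flags a stream in which a single tone keeps appearing and disappearing, which is what Morse-style keying looks like and what normal speech does not. The sample rate, frame size, thresholds and both input signals are constructed assumptions for the demonstration.

```python
import cmath
import math
import random

RATE = 8000          # narrowband telephony sample rate (assumed)
FRAME = 160          # 20 ms analysis frame
TONAL_RATIO = 0.30   # a pure tone centred on a bin scores 0.5 (Parseval)

def frame_tonality(frame):
    """Share of frame energy in the strongest voice-band DFT bin (300-3350 Hz)."""
    n = len(frame)
    total = n * sum(x * x for x in frame)          # Parseval: sum|X[k]|^2 = n*sum x^2
    if total == 0:
        return 0.0                                 # silence (the keyed-off state)
    best = 0.0
    for k in range(6, 68):
        xk = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame))
        best = max(best, abs(xk) ** 2 / total)
    return best

def keyed_tone_score(samples):
    """Return (fraction of tonal 20 ms frames, number of tone on/off transitions)."""
    flags = [frame_tonality(samples[s:s + FRAME]) > TONAL_RATIO
             for s in range(0, len(samples) - FRAME + 1, FRAME)]
    if not flags:
        return 0.0, 0
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return sum(flags) / len(flags), transitions

def looks_like_covert_modem(samples, min_tonal=0.4, min_transitions=4):
    """Speech rarely holds a single pure tone; keyed tones with regular gaps do."""
    frac, trans = keyed_tone_score(samples)
    return frac >= min_tonal and trans >= min_transitions

def constructed_keyed_tone(freq=1000.0, pattern="10111000101"):
    """Constructed input: a 1 kHz tone keyed on/off in 100 ms units."""
    out = []
    for bit in pattern:
        for _ in range(RATE // 10):
            t = len(out) / RATE
            out.append(0.5 * math.sin(2 * math.pi * freq * t) if bit == "1" else 0.0)
    return out

def constructed_speech_like(seconds=1.1, seed=1):
    """Constructed input: harmonics plus broadband noise as a stand-in for speech."""
    rng = random.Random(seed)
    return [sum(0.1 * math.sin(2 * math.pi * f * i / RATE) for f in (180, 540, 900, 1260))
            + rng.uniform(-0.3, 0.3) for i in range(int(seconds * RATE))]
```

The paper's own modem shapes its signal to be “speech-like”, so a single-bin tonality test is only a first filter; a production screen would also look at the timing statistics of the on/off bursts.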
In the second scenario, which tested whether the covert channel could be used to leak information without the victim’s involvement, the researchers found, “When the attacker made a call to the victim, the rootkit (in the hacked phone) recognized the attacker’s caller ID and, based on that fact, answered the call without showing up on the victim’s screen. The victim had no idea about the ongoing voice call in his smartphone.”
The third scenario tested whether the covert channel could serve as command and control for a botnet. Again the rootkit recognized the attacker’s caller ID and answered without anything showing on the victim’s screen, but this time it acted as a bot, listening for a command and then executing it. The attacker used the researchers’ modem to send a command to reboot the system, clear the call log, or turn on Bluetooth. The researchers included a screenshot of the “hacker’s screen when he sent ‘Blueto’ command to open the Bluetooth device in the hacked phone.” Another screenshot shows the hacked phone appearing as if nothing was happening while it responded to the command and turned on the Bluetooth device.
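Both rootkit scenarios leave the same footprint: the modem (BP side) sees a call go off-hook while the user-facing layers on the AP side never show an in-call screen or record a call-log entry. As an added example that is not code from the paper, the following reconciles a radio-layer call-state trace with UI and call-log events and reports answered calls that are missing from either. The log format, state names as logged, phone numbers and timestamps are constructed for the demonstration; on a real device the radio-side trace would have to come from below the AP (or from the carrier), since the rootkit also clears logs it can reach.

```python
import re
from dataclasses import dataclass
CONSTRUCTED_LOG = """\
2014-03-01T10:00:01 radio state=RINGING number=+15550100
2014-03-01T10:00:03 ui InCallActivity shown
2014-03-01T10:00:05 radio state=OFFHOOK number=+15550100
2014-03-01T10:00:40 radio state=IDLE
2014-03-01T10:00:41 calllog number=+15550100 duration=35
2014-03-01T11:00:00 radio state=RINGING number=+15550199
2014-03-01T11:00:01 radio state=OFFHOOK number=+15550199
2014-03-01T11:00:20 radio state=IDLE
""".splitlines()

@dataclass
class Call:
    number: str
    started: str
    answered: bool = False   # radio reported OFFHOOK
    ui_shown: bool = False   # in-call screen reached the user
    logged: bool = False     # call log received an entry

def parse_calls(lines):
    calls, cur = [], None
    for line in lines:
        ts, src, body = line.split(" ", 2)
        if src == "radio":
            state = re.search(r"state=(\w+)", body).group(1)
            num = re.search(r"number=(\S+)", body)
            if state != "IDLE" and cur is None:       # new call seen by the modem
                cur = Call(num.group(1) if num else "unknown", ts)
                calls.append(cur)
            if state == "OFFHOOK" and cur is not None:
                cur.answered = True
            if state == "IDLE":
                cur = None
        elif src == "ui" and cur is not None and "InCallActivity" in body:
            cur.ui_shown = True
        elif src == "calllog":
            num = re.search(r"number=(\S+)", body).group(1)
            for c in reversed(calls):                  # latest unlogged call first
                if c.number == num and not c.logged:
                    c.logged = True
                    break
    return calls

def hidden_calls(lines):
    """Answered calls with no in-call UI or no call-log entry: the rootkit's footprint."""
    return [{"number": c.number, "started": c.started,
             "no_ui": not c.ui_shown, "not_logged": not c.logged}
            for c in parse_calls(lines)
            if c.answered and not (c.ui_shown and c.logged)]
```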
The modem implementation would work in “most Android smartphones,” they wrote. “The current modem implementation with the capability to reach the voice call stream by default works on most Samsung Galaxy S series and Nexus smartphones.”
Their rootkit “works in all Android-rooted stock ROMs, as well as most custom ROMs that have Jelly Bean 4.3.3 version or below, and it was not tested in newer versions.” They added, “Rootkit was tested successfully in Samsung Galaxy S 3 I9300, Galaxy Nexus and Nexus S, Samsung Galaxy S 4, and Samsung Galaxy Y Duos GSM versions, and is believed to work in most GSM and CDMA Android smartphones.”
Besides proving that the cellular voice channel could be used to distribute malware or leak information, “this research also proves that communication between the AP and the BPs is vulnerable to attack in Android OS,” concluded the researchers. “In addition, it discusses some of the Android security mechanisms that were easily bypassed to accomplish the mission. The paper illustrates some discovered flaws in Android application architecture that allow a break in significant and critical Android operations.”