A Security Hygienic Smart Charger for Mobile Devices David Weinstein The MITRE Corp. McLean, VA, USA email@example.com Abstract—Measuring and attesting to the operational in- top computer or over-the-air. We believe an alternative is tegrity and security posture of a mobile device is challenging. possible with the use of adaptable logic embedded in a plug Today, smart phones and tablet computers lack a number of computer and that new techniques are possible by exploiting traditional security features that have emerged for commodity laptops and desktops. In addition to restricted power, mobile the user’s need to periodically re-charge her mobile device. devices generally don’t have a hardware root-of-trust and It is also worth noting that Apple has also looked to the currently lack ubiquitous virtualization capability, which limits charger as a device that could provide greater utility, though some of today’s approaches to security. Even as these security only for password recovery purposes . mechanisms reemerge for mobile devices, no single one is In Section II, sample attacks are described, followed by expected to be a “silver bullet.” We believe that the need to recharge these mobile devices can be exploited with the a general discussion of evidence that could be gathered by introduction of a hygienic smart charger concept. The charger the charger. In Section III an initial prototype is presented is used to measure, attest, and remediate the integrity of hosted that has been tested on the Samsung Nexus S running the mobile devices via the Universal Serial Bus (USB), while the Android 2.3.3 OS. In Section IV we discuss future work, mobile device re-charges. A reference prototype speciﬁcally and ﬁnally we conclude in Section V. targeting the Android-based Nexus S is introduced. Keywords-mobile security; measurement and attestation; sys- II. S AMPLE ATTACKS tem integrity; power; hygiene; malware An adversary can gain an initial presence on a user’s mobile device in a number of ways. For example, an I. I NTRODUCTION attacker can craft an application, place it on the Android Black-listing and, in general, malicious signature detec- or third-party market, and exploit a root escalation vul- tion has proven ineffective against polymorphic malware and nerability , . Some malicious applications have even other attacker techniques. Virus scanning, virtual machine presented desirable features with the malicious component introspection, and taint tracing can also deplete a device’s being downloaded later as a secondary payload. While it battery faster than normal . Battery drain is a critical is assumed that Google makes a best effort to remove apps aspect of a consumer’s experience with mobile devices–a that are found malicious, detection can be made increasingly security mechanism that tips the balance of this reality will difﬁcult by an attacker. This may result in a time delay undoubtedly be met with disdain by consumers and unlikely signiﬁcant enough to allow the malware a period of efﬁcacy. to be adopted by vendors. An alternative defensive strategy Applications on Android use a manifest at installation is needed for these devices with inherently limited power. time to declare all permissions needed for proper installation Whether on non-volatile storage or in-memory, a defen- and functioning. This is an all-or-nothing decision: the user sive strategy can include gathering evidence of the side either approves all requested permissions or does not install effects caused by malicious activity. These observations can the application. Even if individual permissions could be be made at different layers of the OS stack, with the phone in denied, many users don’t understand the risks inherent in different states. For example, measurements can be obtained accepting them. A user is unlikely to know that granting on-device while the main OS is running, externally via USB access to a phone’s crash-log information can aid in esca- interfaces and debugging mechanisms, or by placing the lating an application’s privileges to root, as in the case of phone into a minimalistic recovery state–typically used for GingerBreak . forensics–where a smaller execution context is used to check Potential attacks can also take advantage of the mobile the device’s integrity. Malware has different persistence device’s larger ecosystem, i.e., the interaction with other mechanisms and measurements from different vantage points services or devices. Cloud synchronization services can will suggest different types of remediation. Perhaps the most be abused, for example, by stealing credentials to push straightforward response is to re-ﬂash the entire mobile malicious applications to the device over the internet. Mo- device to a master image. bile phones are often plugged in to other general purpose The re-provisioning of a mobile device through a device computing devices such as laptops and desktops. These re-ﬂash is traditionally performed from a laptop or desk- devices when used to access rich media could pose another Figure 1. Hygienic charger ﬂow diagram for Android based devices. attack surface and could potentially be a low barrier to then The charger uses the built in debugging/recovery mech- compromise the mobile device . anisms that are available while mobile devices are plugged into a host system via USB. The charger has a smaller attack A. Evidence of compromise surface than a typical laptop/desktop, while also being out- side the critical path of an attacker. Speciﬁcally, the charger Integrity violations introduced by malicious software will isn’t network accessible, does not support the execution of be dependent on the device’s existing security mechanisms. rich media like PDFs and Flash, and isn’t intended to be In general, integrity violations may consist of 1) changes used for normal web browsing. This specialization reduces to the bootloader, which is the ﬁrst code to execute on a the attack surface signiﬁcantly and can provide an out-of- mobile device at boot time (e.g., a bootkit), 2) replacing band management capability for an enterprise to deal with the kernel entirely and/or modifying kernel data structures mobile device security speciﬁcally. For software updates, at runtime to hide malicious activity (e.g., a rootkit), 3) the charger can use an end-to-end authenticated update implanting native binaries that obfuscate application-layer mechanism with the phone as a communication medium. malware analysis, 4) implanting of managed-code rootkits Additionally, as SD cards have become ubiquitous and into Dalvik VM applications and associated data structures, inexpensive, a major update can be delivered by swapping 5) modifying permissions on key system ﬁles (e.g., SUID- an SD card on the charger. bits), allowing other malware components a mechanism to hide in plain sight. We have implemented an initial prototype using the SheevaPlug plug computer, which is a Marvell Kirkwood Detecting and mitigating integrity violations also depends (ARM-based) platform with USB host support. The charger on the vendor’s approach to securing the mobile device. runs a minimalistic OS speciﬁcally designed to execute pre- For example, replacing the bootloader on some devices may set sanity checks on the mobile device. The charger stores a be infeasible because this critical software must be signed signed recovery image that is used to re-provision the device using a private-key only the vendor has, and the bootloader at the time of detection. Using the cryptographic process, the is veriﬁed using a corresponding burned in public-key that charger deposits a token that indicates the device has passed cannot be changed by conventional means. The variations the pre-deﬁned checks. This activity would then allow the in these protection mechanisms may also pose challenges device access to private networks and resources that would in developing auxiliary defensive mechanisms. In order to have otherwise been off-limits. be usable, some region of the device’s storage must be read/write, and thus could be used for attacker persistence. The ﬂow of communication in Figure 1 is as follows. Once plugged into the hygienic charger, the charger uses III. H YGIENIC SMART- CHARGER the built in Android Debug Bridge (ADB) to reboot into bootloader mode (in this case assumed to be signed by the Rechargers have traditionally been simple devices whose vendor). If malware were to suppress the reboot operation, “smarts” can be used to control the power-rate at which a the smart charger can alert the user by blinking a red LED. device is charged, i.e., in a way that is most efﬁcient to the The bootloader implements a protocol called fastboot, which life of the battery. We believe a hygienic charger can help allows the ﬂashing of arbitrary binary data to the device mitigate the risk of persistent malicious software on mobile and in particular to a recovery partition. The charger uses devices, and aid in raising the bar for sophisticated attackers. the fastboot protocol to ﬂash a custom recovery image to Figure 2. Marvell Kirkwood based SheevaPlug computer used for initial prototype. the recovery partition and commands the mobile device to loaders of the possibly compromised mobile device, but of immediately jump into the recovery image. The recovery those that were built into the custom recovery image.The image is less than 4MB and has a software self-checking recovery image can be stored on the charger or could be mechanism to verify it has been properly booted. As shown supplied in a signed/encrypted format in a known location in Figure 2, the public-key of the enterprise server is stored on the mobile device. The untrusted mobile device would not in NAND on the SheevaPlug. The plug computer draws AC be able to change the recovery image because the private key power from a standard connector and provides the 5V and up would be stored in the enterprise, similar to the mechanism to 500mA power supply to the mobile device for charging. used to protect the bootloader on many mobile devices today. The recovery image acts similar to a Live CD on a Finally, we have discussed a mechanism for measurement traditional laptop/desktop. The custom recovery image can of the boot-time characteristics of the Nexus S. This process mount the ﬁle system of the mobile device and begin to look is incomplete without a run-time measurement component for indications of compromise (e.g., incorrect checksums that is able to periodically check the in-memory integrity of of system libraries, kernel, kernel modules, native binaries, system components. permissions). It is important to note that the trust is placed on IV. F UTURE WORK the bootloader and the underlying hardware of the device to Future work will explore software timing-based attestation not actively hide malicious activity; everything else is treated and remediation techniques. We believe that a dedicated as untrustworthy. channel (with near zero latency variance) between the mo- In theory, a secure booting mechanism incorporating some bile device and charger can be leveraged to build upon the functionalities of the smart charger could be designed as part previous work in this area–e.g., , , , , . We of the mobile device. In practice this design would be vendor hope to expand the current static measurement capabilities speciﬁc, allowing little ﬂexibility for an enterprise to deﬁne to include runtime measurement of key system components what system integrity measurements are appropriate to its while in-memory. We will also accumulate knowledge of desired level of assurance. This is a problem when trying potential known-good baseline device binaries, which will to make use of low level device security mechanisms such be helpful in determining integrity violations. as TrustZone as well. For example, a government using a Other system on chip hardware platforms will be iden- commercial device for a secure voice communication may tiﬁed for possible conversion into charger form-factor de- have different integrity requirements than the carrier. vices, aiming for a small and lightweight device that could It is also important to note that the operating environment potentially be accepted by consumers. Finally, alternative once in recovery mode is not using drivers or ﬁlesystem remediation techniques will be explored to reconstitute the mobile device after an integrity violation, so that a full re- ﬂash is not the only option. V. C ONCLUSION New approaches to security on power-constrained mobile devices are needed. We believe that a hygienic smart charger will be helpful in raising the bar for adversaries targeting mobile devices with persistent malware, by capitalizing on the need to periodically recharge and by providing an out- of-band management capability for mobile in general. We hope that the idea and prototype will be useful in showing a way forward. R EFERENCES  M. Jakobsson and K.-A. Johansson. Practical and secure software-based attestation. In Lightweight Security Privacy: Devices, Protocols and Applications (LightSec), 2011 Work- shop on, pages 1 –9, march 2011.  Markus Jakobsson and Karl-Anders Johansson. Assured detection of malware with applications to mobile plat- forms. http://dimacs.rutgers.edu/TechnicalReports/abstracts/ 2010/2010-03.html, 2010.  Xuxian Jiang. Gingermaster: First android malware utilizing a root exploit on android 2.3 (gingerbread). http://www.csc. ncsu.edu/faculty/jiang/GingerMaster/, August 2011.  Xuxian Jiang. Security alert: New rootsmart android malware utilizes the gingerbreak root exploit. http://www.cs.ncsu.edu/ faculty/jiang/RootSmart/, February 2012.  Xeno Kovah, Corey Kallenberg, Chris Weathers, Amy Her- zog, Matthew Albin, and John Butterworth. New results for timing-based attestation. In To Appear in the Proceedings of the 2012 IEEE Symposium on Security and Privacy.  Mathew J. Schwartz. Apple patents power charger password recovery. http://www.informationweek.com/news/security/ mobile/232400075, January 2012.  A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla. Swatt: software-based attestation for embedded devices. In Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on, pages 272 – 282, may 2004.  Arvind Seshadri. A software primitive for externally-veriﬁable untampered execution and its applications to securing com- puting systems. PhD thesis, Pittsburgh, PA, USA, 2009. AAI3382437.  Vanja Svajcer. First malware using android ginger- break root exploit. http://nakedsecurity.sophos.com/2011/08/ 22/ﬁrst-malware-using-android-gingerbreak-exploit/, August 2011.  Deepak Venugopal. An efﬁcient signature representation and matching method for mobile devices. In Proceedings of the 2nd annual international workshop on Wireless internet, WICON ’06, New York, NY, USA, 2006. ACM.  Zhaohui Wang and Angelos Stavrou. Exploiting smart-phone usb connectivity for fun and proﬁt. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC ’10, pages 357–366, New York, NY, USA, 2010. ACM.