DOTE

Chain And Rate


Monday, August 8, 2016

Covert Channel over Cellular Voice Channel in Smartphones

Network covert channels represent a significant problem due to their security implications. Thus many research efforts have been focused on their identification, detection, and prevention. Covert channel identification is the process of discovering a shared resource that might be utilized for covert communication.

Research on this topic contributes to the field by identifying a new network covert channel in smartphones. Smartphones are always connected to the cellular network; however, little effort has been directed at investigating the potential security threats of covert communication over it. Previously, the cellular voice channel had never been used to launch such attacks. This service was designed to carry audio only. Thus cellular service providers have not applied any information security protection systems, such as firewalls or intrusion detection systems, to guard cellular voice channel traffic in the cellular network core.

Thus these channels are a prime choice over which to attempt a covert channel. Theoretically, this channel could be employed in smartphones to conduct multiple covert malicious activities, such as sending commands or even leaking information. Some past research has studied modulating data to be “speech-like” and transmitting it through a cellular voice channel using a GSM modem and a computer. In addition, smartphone hardware designers have introduced a new smartphone design that provides higher-quality audio and video performance and longer battery life, and this new design allows smartphone applications to reach the cellular voice stream. Thus information in an application could be intentionally or unintentionally leaked, or malware could be spread, through the cellular voice stream.

This could be accomplished by implementing a simple audio modem that is able to modulate data to be “speech-like” and to access the cellular voice stream in order to inject information into the smartphone’s cellular voice channel. This covert channel could be accompanied by a rootkit that alters phone services to hide the covert communication channels. To investigate the potential threats of this covert channel, Android security mechanisms were tested, and it was demonstrated that it is possible to build a persistent Android user-mode rootkit that intercepts Android telephony API calls to answer incoming calls without the user’s or the system’s knowledge. The developed modem, together with the rootkit, successfully leaked data from the smartphone’s application through the cellular voice channel stream by carrying modulated data with a throughput of 13 bps and a 0.018% BER.
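A defender-side check for the silently answered calls described above, as an added example that is not from the original post or the research: it reconciles carrier records of answered calls against the handset's own call log and sizes each unlogged call at the 13 bps reported here. The record layouts, phone numbers and the availability of an independent carrier record are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

COVERT_BPS = 13  # throughput this page reports for the voice-channel modem

# Constructed carrier records of answered incoming calls: (caller, answered_at, seconds)
CARRIER_CDR = [
    ("+15550100", "2016-08-01T09:14:05", 62),
    ("+15550177", "2016-08-01T23:41:30", 840),
    ("+15550177", "2016-08-02T02:03:10", 1260),
    ("+15550123", "2016-08-02T12:20:00", 35),
]
# Constructed handset call log exported from the device: (caller, started_at, seconds)
DEVICE_LOG = [
    ("+15550100", "2016-08-01T09:14:07", 60),
    ("+15550123", "2016-08-02T12:20:02", 33),
]

def unlogged_calls(cdr, device_log, skew_s=30):
    """Answered calls the carrier saw that the handset's own log does not show."""
    skew = timedelta(seconds=skew_s)
    unmatched = [(n, datetime.fromisoformat(t)) for n, t, _ in device_log]
    findings = []
    for caller, answered_at, seconds in cdr:
        t = datetime.fromisoformat(answered_at)
        hit = next((e for e in unmatched if e[0] == caller and abs(e[1] - t) <= skew), None)
        if hit:
            unmatched.remove(hit)  # each handset entry explains one carrier record
            continue
        findings.append({"caller": caller, "answered_at": answered_at, "seconds": seconds,
                         "bytes_at_13bps": seconds * COVERT_BPS // 8})
    return findings

def repeat_callers(findings, min_calls=2):
    """Group unlogged calls by caller; repeated hidden calls from one number rank highest."""
    grouped = defaultdict(lambda: {"calls": 0, "bytes_at_13bps": 0})
    for f in findings:
        grouped[f["caller"]]["calls"] += 1
        grouped[f["caller"]]["bytes_at_13bps"] += f["bytes_at_13bps"]
    return {c: v for c, v in grouped.items() if v["calls"] >= min_calls}

if __name__ == "__main__":
    for f in unlogged_calls(CARRIER_CDR, DEVICE_LOG):
        print(f)
    print(repeat_callers(unlogged_calls(CARRIER_CDR, DEVICE_LOG)))
```

The check relies on a record the handset cannot alter; a call log read from a compromised device cannot be trusted on its own.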

LITERATURE REVIEW
The covert channel concept was first presented by Lampson in 1973 as a communication channel that was neither designed nor intended for carrying information. A covert channel utilizes mechanisms that are not intended for communication purposes, thereby violating the network’s security policy. Three key conditions were introduced that help in the emergence of a covert channel: 

  1. A global shared resource between the sender and the receiver must be present, 
  2. The ability to alter the shared resource, 
  3. A way to accomplish synchronization between the sender and the receiver. 


The cellular voice channel meets all three conditions, making it an ideal channel for implementing a covert channel. Research on network covert channels currently focuses on exploiting weaknesses in common Internet protocols such as TCP/IP, HTTP, VoIP, and SSH to embed covert communication. In the cellular network field, it has been demonstrated that high-capacity covert channels can be embedded in SMS and used as a data exfiltration channel by composing the SMS in Protocol Description Unit (PDU) mode. Steganographic algorithms have been introduced to hide data in the context of MMS, for use in one-time password and key communication. The cellular voice channel in smartphones has been attempted only recently.

As smartphones continue to increase their computational capabilities, employees and individuals increasingly rely on them to perform their tasks, and as a result smartphone security is more significant than ever before. One of the most serious threats to information security, whether for an organization or an individual, is covert channels, because they could be employed to leak sensitive information, divert the ordinary use of a system, or coordinate attacks on a system.

Therefore, identification of covert channels is considered an essential task. The research takes a step in this direction by identifying a potential covert channel that could affect smartphone security. It provides a proof of concept of the ability to use the cellular voice channel as a covert channel to leak information or distribute malware. It presents the details of designing and implementing the system, along with the challenges and constraints faced in building it. It was realized during the research that smartphone hardware and software designs have changed recently. This new smartphone design has been adopted by multiple companies, and thus new smartphones are being released that use it without considering the security vulnerability.

Figure (covert_channel_smartphone): The right screen shows the attacker placing a call to the victim. On the left screen, the rootkit in the hacked phone has recognized the attacker’s caller ID and, based on that, answered the call without anything showing up on the victim’s screen.

The research also proves that communication between the application processor (AP) and the baseband processor (BP) is vulnerable to attack in Android OS. In addition, it discusses some of the Android security mechanisms that were easily bypassed to accomplish the mission. The paper illustrates some discovered flaws in the Android application architecture that allow significant and critical Android operations to be broken.