2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications

A Threat to Mobile Cyber-physical Systems: Sensor-based Privacy Theft Attacks on Android Smartphones

Lingguang Lei†‡, Yuewu Wang†, Jian Zhou†‡, Daren Zha‡*, Zhongwen Zhang†‡

† State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, China
‡ University of Chinese Academy of Sciences, Beijing, China
{lglei, ywwang, jzhou, drz, zwzhang}@lois.cn

Abstract—The powerful processors and variety of sensors on today's smartphones make them ideal mobile cyber-physical systems. However, these advantages can also be used to launch serious sensor-based privacy theft attacks through sensor abuse. In this paper, a sensor-based voice privacy theft attack named CPVT is presented. The attack will be detected easily if not handled appropriately, since voice data usually has a high data rate and special permissions are needed for voice recording and data sending. We introduce two measures in CPVT to resolve these problems, with which CPVT can be disguised as a normal Android APP and the attack process can be fully controlled by the attacker without the knowledge of the victim. Experiments are carried out to verify the effectiveness and efficiency of CPVT, and the results demonstrate that cyber-physical privacy theft attacks can be realized effectively on mobile terminals with good concealment and low overhead. This may be a very severe threat to mobile cyber-physical systems.

Keywords-Voice; Privacy; Cyber-physical; Sensor; Android

I. INTRODUCTION

Nowadays, smartphones are more and more appealing to researchers as an ideal platform for mobile cyber-physical systems [1][2]. Firstly, smartphones are equipped with various sensors, such as MIC, camera, GPS sensor and gravity acceleration sensor, which can transform physical information into cyber information easily and can be seen as a cyber-physical information exchange bridge. Secondly, smartphones are equipped with powerful computing and storage chips, so they can process and store the captured data well. Finally, there are usually many communication mechanisms on smartphones, such as WIFI, 3G and EDGE. However, if these resources are abused, the physical privacy of the user will be invaded seriously. The sensors can be abused by the adversary to capture the status, voice, traces and other personal privacy information of a person dynamically, and the communication mechanisms can be used to disseminate the captured privacy information. A typical attack scenario is that an adversary operates a Trojan horse on the terminal to activate the MIC stealthily and eavesdrop on the user's talk. In addition, smartphones are carried by users almost all the time. Thus, the adversary has enough opportunities to obtain the user's physical privacy information. With the smart mobile terminal sensors, the adversary can extend the attacks from the cyber world to the user's physical world effectively. Thus, this novel privacy theft attack form is called a cyber-physical privacy theft attack in this paper.

Sensor-based privacy theft attacks have already attracted some researchers' attention. Roman Schlegel et al. [3] present a hotline eavesdropping Trojan horse named Soundcomber, which can extract sensitive information, such as credit card number, PIN and password, from the user's hotline conversation and then send it to the attacker. Nan Xu et al. [4] introduce a video-based spyware called SVC, which can secretly record video and then send it to the attacker in H.263 format through e-mail. However, in these malwares, the attack operations are all activated passively according to the cyber states of the smartphone rather than the adversary's physical instructions. Therefore, the adversary cannot effectively get the physical information he wants, and a lot of useless information capturing will be generated. In a complete cyber-physical attack, the sensors should be activated entirely according to physical instructions rather than cyber world events. In other words, both the origin and the victim of the attack are persons in the physical world, and the smart mobile terminals are just used as a tool to facilitate the attack process. In Android systems, enough technologies can be utilized by the adversary to launch more active privacy theft attacks. In this paper, a sensor-based Cyber-Physical Voice privacy Theft Trojan horse named CPVT is presented. Unlike most existing attacks, the attack process of CPVT can be fully controlled by the adversary, who can activate the attack arbitrarily according to his requirements at any time. For example, the adversary can activate voice recording when the user is attending a sensitive conference.

A prototype system of CPVT is implemented on the Android platform. The main function of CPVT is voice theft, since voice is one of the most prevalent functions in Android and is critical user privacy. Through voice eavesdropping, the attacker can capture the sensitive conversations of a user. He may also deduce the user's location and behavior via the captured background sound. CPVT can

*Corresponding author.

978-0-7695-5022-0/13 $26.00 © 2013 IEEE DOI 10.1109/TrustCom.2013.20


also be extended to other forms of privacy theft easily. To the best of our knowledge, CPVT is the first active sensor-based privacy theft Trojan horse that can be manipulated by the attacker completely to eavesdrop on the user's daily behavior.

The biggest challenge in the implementation of CPVT is balancing information acquisition and stealth: CPVT should acquire more useful information at each execution, and the attack process should be stealthy. For information acquisition, since voice recording and sending are both controlled by the attacker completely, the attacker can judge the user's state in advance, for example through social engineering, and then activate voice recording only at a suitable time. For stealth, there are two problems. One is that the data rate of the voice information obtained from the MIC is usually very high even when a compression algorithm is introduced. Recording, storing and sending these data are resource consuming for a mobile terminal system and can be detected easily by users if handled inappropriately. In order to conduct privacy theft smoothly, specific policies must be included in the design and implementation of CPVT to make it stealthier. The other problem is stealthily elevating the privileges of the attack code. System resources, such as SMS, Internet, MIC and so on, are necessary for CPVT to complete the attack successfully. However, a permission mechanism [5][6][7] is provided in Android to control access to these system resources. According to the permission mechanism, all Android APPs have to apply for the suitable permissions to access the corresponding system resources, and the permissions applied for must be checked and confirmed by the user before installation. The permission pattern of an APP can be used to identify its functions and determine whether it is malware or not [8][9][10][11].

To avoid being detected via the permission pattern, CPVT should get the permissions stealthily. Either of two measures can be taken by CPVT to bypass the permission mechanism. One is taking advantage of vulnerabilities in the permission mechanism implementation to obtain the necessary permissions after CPVT has been installed on a rooted Android system [12]. The other is distributing the functions of CPVT into several different APPs to conceal the permission pattern on unrooted Android systems. In the latter case, a CPVT attack should be completed through the conspiracy of all involved APPs.

Because an appropriately implemented sensor-based privacy theft attack such as CPVT can cause very serious physical personal information disclosure, it is obvious that this kind of attack will attract more and more attention in the near future and become one of the most serious threats to mobile terminal systems. In order to defend against this attack effectively, corresponding measures are necessary. Since the primary cause of sensor-based privacy theft is the abuse of sensor resources, a fine-grained sensor access control technology can hold back sensor-based privacy theft attacks effectively.

The contributions of this paper are summarized as follows:
1) An active sensor-based cyber-physical voice privacy theft Trojan horse, CPVT, is presented, which can be manipulated in real time by the adversary to eavesdrop on the user's daily behavior. With two measures introduced based on Android, CPVT can be disguised as a normal Android APP, and the attack can be launched without the knowledge of the user. The realization of CPVT demonstrates that sensor-based privacy theft attacks are a big threat to mobile cyber-physical systems.
2) A prototype system of CPVT is implemented, and experiments are conducted to validate the effectiveness and performance overhead of CPVT.
3) Corresponding defense policies against sensor-based cyber-physical privacy attacks are discussed at the end of this paper.

The remainder of this paper is organized as follows: in Section II, the related work is described; in Sections III and IV, the design and implementation of CPVT are described in detail; in Section V, experiments are conducted to validate the effectiveness and efficiency of CPVT; in Section VI, a sensor access control based defense policy against this novel attack is discussed; finally, we close the paper with a brief conclusion.

II. RELATED WORK

Mobile cyber-physical systems have attracted a lot of attention in recent years [13][14][15]. The existing research mainly focuses on enhancing the performance of mobile cyber-physical systems, such as conserving power. The information security problems faced by mobile cyber-physical systems have not received enough attention. With the rapid development of mobile cyber-physical systems, especially smart mobile terminal systems, the information security problems will become more and more serious, and necessary work should be conducted to make smart mobile terminal systems more trusted and safe.

Mobile terminals are usually equipped with various sensors, such as MIC, camera, GPS sensor and gravity acceleration sensor, which can transform human physical information into cyber information easily. These sensors can be used as a helpful tool for real-time privacy stealing. Nan Xu et al. [4] introduce a camera-based Trojan horse called SVC, which turns on the camera of the mobile terminal stealthily and sends the captured video to the attacker in H.263 format through e-mail. Roman Schlegel et al. [3] present a MIC-based Trojan horse named Soundcomber, which extracts sensitive information, such as credit card number, PIN and password, from the telephone voice and then sends it to the attacker. Proper data capturing and processing are very critical to a successful sensor-based privacy theft attack, because the privacy data usually has a high data rate in these attacks. If processed irrationally, these attacks will cause high overhead and be detected easily by the user. SVC does not process the captured video appropriately, and causes high performance overhead in power consumption and CPU utilization. Soundcomber tries to improve efficiency and reduce the amount of privacy data that has to be sent. It extracts sensitive information, such as credit card number, PIN and password, from the telephone voice and sends only the sensitive information rather than the whole voice data, which prevents the high communication traffic seen in SVC. However, Soundcomber only works when the user is in a hotline conversation, so it is not very universal or expandable. Unlike most existing attacks, we develop a sensor-based voice privacy theft Trojan horse called CPVT, which can be fully controlled by the adversary and activated arbitrarily according to the adversary's requirements at any time. Since voice recording and data sending are both controlled by the attacker, he can record only the sensitive voice of the victim, which reduces the communication traffic needed and makes the attack more secret.

III. THE DESIGN OF CPVT

A. The Process of Cyber-physical Voice Privacy Theft Attack

Different from existing privacy theft attacks, CPVT is a classic cyber-physical privacy theft attack. It is initiated by the adversary in the physical world, and the goal of the attack is getting physical personal information. In the whole attack process, the cyber components (the mobile terminal system) are mainly in charge of information transforming and sending. Since the voice function is one of the most prevalent functions on Android and the voice of a person is very important personal information, the main function of CPVT is voice privacy theft. Through voice eavesdropping, the adversary can monitor the user's conversation. For example, he might capture sensitive information, such as crucial trade secrets, if the user is attending an important meeting. The adversary may also deduce the user's location and behavior via the captured background sound. The typical work scenario of CPVT can be described as follows: the adversary develops a Trojan horse that has the ability to control the voice sensor completely, and induces the user to install it on the mobile terminal. Then the adversary interacts with the Trojan horse program via a remote control channel. Once the Trojan horse program receives the adversary's command, it can open the MIC to record voice data, and send the data to the adversary according to the policy instructions received. Thus, the adversary can obtain the content of the user's physical talk arbitrarily just by sending a command. In this sense, no matter whether the terminal system is being used or not, the physical voice privacy may always be filched by the adversary. In addition, the process of the attack should be highly concealed, that is, all the operations should be done without the awareness of users.

B. The Framework of CPVT

Proper design should be carried out to make the attack efficient and stealthy. First, the data rate of voice data is approximately 0.5 MB/min, which is rather high, so we should not record blindly for a long time. For example, if we start recording once the mobile phone is launched, a lot of useless information will be captured, and the resulting large data storage and data traffic are easy to detect. Thus, recording at the right time is quite important, and we should ensure the adversary only records the data he wants most. Second, since the mobile platform is resource and performance constrained, sending voice data may cause a large performance cost and may be perceived by the user easily. So, data sending needs to be well designed. For example, we could store data and send it in batches later at a suitable time, e.g. when the mobile phone is being charged or the user is resting. Based on the above considerations, we propose a flexible and extensible cyber-physical voice privacy theft attack, CPVT, in which the adversary can fully control data recording and sending stealthily according to his needs at any time.

As shown in Figure 1, the architecture of CPVT is composed of four functional modules: control channel establishing, command parsing, voice recording and voice sending. The whole scenario of a CPVT attack can be divided into two worlds: the physical world and the cyber world. With a remote control channel, the adversary can control the attack process completely by sending and receiving commands. The attack process is invoked according to the physical user inputs rather than cyber information, that is to say, the origin of the attack is the physical world. If the commands are parsed by CPVT successfully, the corresponding functions will be initiated. Usually, the MIC will be activated, and the talk in the physical world will be captured and transformed into voice of the cyber world by the MIC. Then, subsequent processes will be conducted one by one in the cyber world. Finally, the voice in the cyber world can be transferred to the adversary's device and transformed back into voice of the physical world.

The specific work flow of CPVT is described as follows: 1) Malicious code establishes the control channel when the compromised mobile terminal starts; 2) The adversary sends remote control commands via the control channel, including the record command, stop command and send command, etc. These commands can also contain rich parameters. For example, the command 'Record: filesize=# MaxfileNum=#' in Figure 1 tells CPVT to start recording using the given size of storage file and maximum number of files; 3) The command parsing module of CPVT parses the control commands received from the adversary, and invokes the corresponding

Figure 1. The architecture of CPVT (diagram not reproduced). The physical world holds the user, the attacker, the attacker's remote device and the content of the user's talk; the cyber world holds the victim's mobile terminal with its MIC, storage and the four modules Control Channel Establishing, Commands Parsing, Voice Recording and Voice Sending. The example commands in the figure are 'Record: filesize=# MaxfileNum=#', 'Stop', and 'Send: begintime=# endtime=#' or 'Send: filenumber=#'.

functions indicated in the commands; 4) If a record command is received, the voice recording module starts to record and store voice files, splitting the files according to the parameters provided in the commands. Otherwise, if a stop command is received, it stops voice recording; 5) If the adversary wants to get the voice data, the voice sending module sends the recorded voice data to the specified device controlled by the adversary, according to the parameters provided in the send command, such as the time during which the files were recorded, or the number of files counting from the first. After sending the data successfully, the module deletes the files from the user's mobile terminal.

The architecture shown in Figure 1 possesses quite a large flexibility. As long as the command parsing module supports it, the adversary can send control information of arbitrary complexity, including specifying the receiver, the way and the time of data sending. By dynamically setting attack-related parameters via commands, the adversary can prevent the attack from being detected by static analysis of fixed keywords, etc.

IV. THE IMPLEMENTATION OF CPVT

As one of the most popular mobile terminal systems, Android is selected as the basic platform to implement CPVT. In the implementation of CPVT, we make the following three hypotheses: i. the mobile terminal is physically secure, i.e. an adversary cannot physically contact the mobile terminal system directly; ii. CPVT is hidden in normal Android APPs and implanted into the target system through APP installation; iii. CPVT can be divided into several APPs, or elevate its privileges by itself on rooted Android, to avoid the defense of the permission mechanism.

A. The Establishing of Control Channel

One of the most unique features of CPVT is initiative. In order to remotely control CPVT, an effective communication channel between the adversary and CPVT is necessary. All attack intentions are implemented by the information exchange through this control channel. A qualified control channel should possess four features: 1) CPVT should receive the commands from the control channel as soon as possible; 2) No other APPs except CPVT can receive and parse the commands; 3) The communication through the control channel should be stealthy and reliable; and 4) The integrity of the commands transferred through the control channel should be protected.

Many communication technologies in Android can be used to create the control channel, such as SMS, WIFI, GPRS, 3G and so on. Among these technologies, SMS is the most suitable for control channel construction. SMS is an indispensable function of the radio communication module on mobile phones and usually cannot be disabled by the user. On the other hand, taking advantage of the Android SMS mechanism, CPVT can hijack incoming SMS messages successfully. Thus, the CPVT control commands contained in SMS messages cannot be perceived by the user. With an end-to-end integrity protection mechanism, the commands can be sent from the adversary to CPVT correctly.

In Android, when an SMS message is received, a broadcast notification message will be sent to all APPs. All APPs that have registered an SMS receiver, which is a BroadcastReceiver with permission 'SMS_RECEIVED', will receive this message in order according to their priorities. If the APP with the highest priority reads the message and then discards it, none of the other APPs will receive this message any longer. In Android, there are two ways to register an SMS receiver. One is static registration in AndroidManifest.xml, while the other is dynamic registration directly in application code. In both dynamic and static registration, APPs can set the priority of the SMS receiver via 'android:priority'. If the values of 'android:priority' are equal, dynamically registered receivers have higher priority than statically registered ones. For dynamically registered receivers, the earlier a receiver is registered, the higher priority it has.

The control channel of CPVT can be realized as an SMS receiver. There are usually several SMS receivers in a mobile phone. In order to make sure that CPVT receives the control SMS messages first, the SMS receiver in CPVT should have the highest priority. Figure 2 illustrates the specific implementation, where the process of control channel establishing is shown on the left side and the work flow of the control channel is shown on the right side. We first register a Boot Receiver, which is a BroadcastReceiver with permission 'RECEIVE_BOOT_COMPLETED', to monitor the boot up of the mobile phone. Then, we dynamically register an SMS receiver as soon as the mobile phone has booted up, and set the priority of the SMS receiver to the highest value '100000'. According to the receiver prioritizing rules in Android, the SMS receiver registered in this way has the highest priority and can be used as an effective control channel of CPVT. With the control channel, we can intercept all incoming SMS messages, filter control instructions and take corresponding measures.

Figure 2. The Process of Control Channel Establishing (diagram not reproduced). Left side, control channel constructing: listen for booting of the Android OS; register an SMS broadcast receiver dynamically once system booting has completed; set the priority of the SMS broadcast receiver to the highest. Right side, working flow: hijack the SMS messages; parse the SMS messages; if the message is a control command, call the corresponding functions and discard the SMS message; otherwise do nothing.

B. Voice Recording

According to the adversary's instructions, the voice recording module opens the MIC on the compromised mobile terminal and starts voice recording secretly in the background. The implementation of this module should meet the following three requirements: 1) Recording should be done secretly in the background; 2) Recording should not result in large performance or energy cost; 3) Voice data should be stored properly, which is critical to covert data sending. All these requirements make the attack difficult for users to detect. The Android system provides related APIs for voice recording, such as MediaRecorder.start(), VoiceRecord.startRecording(), etc. A permission mechanism is provided in Android to protect access to these APIs: an APP should apply for the 'RECORD_VOICE' permission before calling them. However, once the 'RECORD_VOICE' permission is granted to the APP, it can use the voice recording function in an arbitrary way, including recording stealthily in the background. Thus, the only challenge that needs to be resolved in voice recording is how to obtain the 'RECORD_VOICE' permission secretly in CPVT, which is described in detail in Section IV-D.

With the control channel described in Section IV-A, the audio recording, stopping and sending operations are all activated based on the intentions of the adversary. Therefore, it is feasible for the adversary to record only the audio data he is interested in. Supposing that the minimum sample frequency is 8000 Hz and each sample point is 8 bit, the data rate of audio recording is 8 KB/s. If we store two minutes of data as one file, the file size is about 1 MB. It is easy to send files of such size via network or Email. In addition, audio recording will not result in large performance overhead; we describe the detailed evaluation results in Section V-B.

C. Voice Sending

According to the calculation in Section IV-B, supposing the data rate is 8 KB/s, the voice file size is about 30 MB/hour, which is not very large. In order to make data sending more convenient and covert, we save the recorded voice data in sections, for example with a size of 1 MB or another value specified in the send command. Several communication methods are provided in Android to transmit the voice data, such as Email, MMS and direct network sending, etc. In CPVT, we send voice data through Email, since the Email sending operation is imperceptible to the user and voice files can be sent conveniently as Email attachments. The process of voice data sending can also be controlled by the adversary remotely. Detailed parameters of the data sending operation can be specified by the adversary via control commands, such as when to send the data, how many files to send, and the receiver, etc. The voice sending module deletes each file once it has been successfully sent, to ensure the imperceptibility of the whole attack process. Just like voice recording, an APP should apply for the 'INTERNET' permission before invoking the Email function in the Android system, and it can use the Email function in an arbitrary way once the 'INTERNET' permission is granted, including sending voice data via Email stealthily in the background. Thus, the challenge in voice data sending is the same as that in voice recording, that is, how to obtain the special permission secretly in CPVT.

D. Circumventing Existing Security Mechanisms

As described above, the implementation of CPVT requires applying for some special permissions: RECEIVE_SMS, RECORD_AUDIO, INTERNET and RECEIVE_BOOT_COMPLETED. If we apply for all these permissions explicitly in one application, the attack may be observed by users, or detected by existing detection mechanisms [8]. Either of the following two measures can be

taken in CPVT to avoid it being detected through combined permission checking.

Method One: We implement the three modules, control channel establishing, voice recording and voice sending, in three different applications separately, such that each application needs to apply for only one or two permissions at installation time. For example, we embed the control channel establishing module into an SMS processing application, and the voice recording module into an entertainment program. CPVT implemented with this method can avoid being detected via combined permissions. However, it needs to induce users to install several related applications before the attack is initiated.

Method Two: Based on a vulnerability of the Android permission mechanism, we can elevate the privileges of CPVT stealthily. In the Android system, the actual permission capabilities of an APP come from the parsing of AndroidManifest.xml. However, it is time-consuming to parse each AndroidManifest.xml individually during the booting of the Android system. In order to accelerate the booting process, Android takes some optimization measures. It parses the application packages only at installation time, and writes the permission information to /data/system/packages.xml. Each time Android starts, it reads the file directly and loads the permission information into memory, avoiding parsing each application package individually. As packages.xml saves the permission information that the application applies for, and the process of loading the information into memory does not include integrity checking, CPVT is able to add new permissions by modifying packages.xml. That is, we apply for permissions including RECEIVE_SMS, RECORD_VOICE and INTERNET, etc. at run time rather than at installation time. However, in this method, we need root permission to modify key system files including /data/system/packages.xml. Therefore, it requires that the compromised mobile terminal has been rooted in advance by users.

V. EVALUATION

In this section, we report our evaluation results of CPVT. Firstly, we evaluate the effectiveness and performance of CPVT, including the effectiveness and performance overhead on various mobile platforms. Then, we do experiments to evaluate the concealment of CPVT against different mobile antivirus software.

A. Effectiveness of CPVT

Five popular Android mobile phones are selected and configured with the most popular versions of the Android OS, as shown in Table I. Anycall I909 and Google Nexus S are rooted in advance, and the other three are not. As discussed in Section IV-D, there are two approaches to prevent CPVT from being detected by combined permission checking. In the experiments, two versions of CPVT are developed. One is implemented with the function modules 'Control Channel Establishing', 'Voice Recording' and 'Voice Sending' separated into three applications, and the other with the permissions 'RECEIVE_SMS', 'INTERNET' and 'RECORD_VOICE' added stealthily after CPVT is installed. We deploy the former version of CPVT on the three non-rooted mobile phones, and the latter version on the two rooted mobile phones. We validate the effectiveness of the three function modules of CPVT on the five mobile phones, and it proves that CPVT works well on all the mobile platforms with the various versions of the Android OS, as illustrated in Table I. It can be seen that no matter whether the mobile platform is rooted or not, the whole attack process can be completed successfully.

Table I. Effectiveness of CPVT on Various Mobile Platforms

Mobile Phone       OS Version      Rooted   CPVT Works: Control Channel Establishing   Voice Recording   Voice Sending
Anycall I909       Android 2.2.1   Yes      Yes                                        Yes               Yes
Google Nexus S     Android 2.3.4   Yes      Yes                                        Yes               Yes
HTC Desire         Android 2.3.7   No       Yes                                        Yes               Yes
HTC S710d          Android 2.3.4   No       Yes                                        Yes               Yes
SAMSUNG GT-I9100   Android 4.0.3   No       Yes                                        Yes               Yes

As a Trojan working in the background, the concealment of CPVT is very important. In order to validate the concealment of CPVT, we install five popular mobile antivirus software packages on all mobile phones deploying CPVT, including Kaspersky [20], Rising [21], Norton [22], AVG [23] and 360 Mobilesafe [24]. The experimental results show that CPVT is identified as normal software by all five antivirus packages during 'Control Channel Establishing', 'Voice Recording' and 'Voice Sending' on the five mobile phones; the details are shown in Table II. It can be seen that CPVT can bypass current mainstream antivirus software successfully.

Table II. Concealment of CPVT: Mobile Antivirus Software to Detect CPVT

Antivirus Software   Control Channel Establishing   Voice Recording   Voice Sending
Kaspersky            No                             No                No
360 Mobilesafe       No                             No                No
AVG                  No                             No                No
Norton               No                             No                No
Rising               No                             No                No
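Both evasion methods of Section IV-D, and the high-priority SMS receiver of Section IV-A, leave traces that a defender can check statically. The following added example (not code from the paper) audits an AndroidManifest.xml for the combined permission pattern and for an SMS_RECEIVED receiver above the documented application priority range, and compares a packages.xml snapshot against the permissions the installed APKs actually declare, which exposes grants injected by editing /data/system/packages.xml after installation. The package names and XML fragments are constructed, and the 1000 priority bound is the documented upper limit for application intent filters.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Permission set CPVT needs (Section IV-D): an app holding all four can take
# commands over SMS, record, exfiltrate and re-arm itself after every reboot.
CPVT_PATTERN = {
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
MAX_APP_PRIORITY = 1000  # documented upper bound for app intent-filter priorities


def manifest_permissions(manifest_xml):
    """Permissions declared with <uses-permission> in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_manifest(manifest_xml):
    """Findings for one manifest: the full CPVT permission pattern (Method One
    splits it across apps, so run this over co-installed apps as well) and any
    SMS_RECEIVED receiver whose priority exceeds the application range."""
    root = ET.fromstring(manifest_xml)
    findings = []
    if CPVT_PATTERN <= manifest_permissions(manifest_xml):
        findings.append("combined permission pattern: " + ", ".join(sorted(CPVT_PATTERN)))
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            if SMS_ACTION in actions and prio > MAX_APP_PRIORITY:
                findings.append("SMS receiver %s with priority %d (>%d)" % (
                    receiver.get(ANDROID_NS + "name"), prio, MAX_APP_PRIORITY))
    return findings


def packages_xml_grants(packages_xml):
    """Map package name -> permissions recorded under <perms> in packages.xml."""
    return {pkg.get("name"): {item.get("name") for item in pkg.findall("perms/item")}
            for pkg in ET.fromstring(packages_xml).iter("package")}


def find_injected_permissions(packages_xml, declared_on_disk):
    """Grants in packages.xml that the installed APK's manifest never declared.
    declared_on_disk maps package name -> permissions parsed from the APK itself.
    Any extra grant means packages.xml was edited after installation, which is
    what Method Two relies on because the loader performs no integrity check."""
    injected = {}
    for pkg, granted in packages_xml_grants(packages_xml).items():
        extra = granted - declared_on_disk.get(pkg, set())
        if extra:
            injected[pkg] = sorted(extra)
    return injected


# Constructed sample manifest: an "entertainment" app asking for all four
# permissions and statically registering an SMS receiver with priority 100000.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="100000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed packages.xml fragment: com.example.player's APK declared only
# INTERNET, yet three further permissions sit in its grant list.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.example.player">
    <perms>
      <item name="android.permission.INTERNET"/>
      <item name="android.permission.RECEIVE_SMS"/>
      <item name="android.permission.RECORD_AUDIO"/>
      <item name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    </perms>
  </package>
  <package name="com.example.notes">
    <perms><item name="android.permission.INTERNET"/></perms>
  </package>
</packages>"""

# Constructed: what each installed APK's own manifest declares.
DECLARED_ON_DISK = {
    "com.example.player": {"android.permission.INTERNET"},
    "com.example.notes": {"android.permission.INTERNET"},
}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    print(find_injected_permissions(SAMPLE_PACKAGES_XML, DECLARED_ON_DISK))
```

On a real device the declared sets would come from parsing each APK under /data/app, and the dynamic registration CPVT uses at boot is not visible in a manifest, so the receiver check complements rather than replaces runtime monitoring.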

B. Performance of CPVT

As a Trojan running on resource-limited mobile platforms, efficiency is very critical to CPVT. In this section,

we evaluate the performance overhead of CPVT on the five experimental mobile platforms, on the aspects of power consumption, memory usage and CPU utilization. The results are shown in Table III. As shown in the table, the overhead of CPVT on different platforms differs slightly, due to different hardware and OS configurations, but it is almost in the same magnitude. The memory and CPU usage of CPVT are both in normal range, which are less than 4.78MB and 5.18% respectively, no matter when it is doing voice recording or voice sending. Therefore, on the aspects of CPU and Memory overhead, the execution of CPVT causes almost no performance reduction, such as slow reaction time, and can work securely in the background. The power consumption on the voice recording stage is less than 10.49mw. For a normal smart phone with 1500mAh battery, CPVT can do voice recording 22 days uninterruptedly. However, a normal user usually charges every two or three days. Thus, the power consumption on voice recording stage is negligible. For the use of WIFI or 3G network, the data sending module is more power consuming. However, according to Section IV-C, one-hour voice recording will produce 30MB data, which can be transferred in one minute using WIFI. Therefore, the power consumption on voice sending stage can also be neglected.
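The two evasion techniques evaluated above (splitting the permission set across three applications, and adding permissions after installation on a rooted device) both defeat a per-app check for the combined permission set. The following added check, which is example code and not part of the paper, shows what a device-side auditor has to do instead: flag single apps holding the full set, flag groups of apps that can trivially cooperate and whose permission *union* covers the set, and flag packages whose granted permissions have drifted since install time. The grouping rule (same signing certificate or same sharedUserId) is an assumption about how colluding modules would be linked; the paper does not say how its three applications communicate. All package names, signer IDs and permission sets are constructed for the example; on a real device they would come from `aapt dump permissions`, `apksigner verify --print-certs` and `dumpsys package`.

```python
"""Auditor for split-permission collusion and post-install permission drift.

Added example, not code from the paper. All inputs below are constructed.
"""

# The three permissions that together enable the CPVT chain:
# remote trigger (SMS), MIC capture, exfiltration.
CPVT_SET = frozenset({
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.INTERNET",
})

# Constructed inventory: one monolithic sample, three colluding apps that
# share a signer and a sharedUserId (assumed linkage), and two benign apps.
INSTALLED = [
    {"pkg": "com.example.mono", "signer": "A1", "shared_uid": None,
     "perms": set(CPVT_SET)},
    {"pkg": "com.example.ctrl", "signer": "B2", "shared_uid": "uid.cpvt",
     "perms": {"android.permission.RECEIVE_SMS"}},
    {"pkg": "com.example.rec", "signer": "B2", "shared_uid": "uid.cpvt",
     "perms": {"android.permission.RECORD_AUDIO"}},
    {"pkg": "com.example.send", "signer": "B2", "shared_uid": "uid.cpvt",
     "perms": {"android.permission.INTERNET"}},
    {"pkg": "com.example.voip", "signer": "C3", "shared_uid": None,
     "perms": {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"}},
    {"pkg": "com.example.sms", "signer": "D4", "shared_uid": None,
     "perms": {"android.permission.RECEIVE_SMS"}},
]


def single_app_hits(apps, target=CPVT_SET):
    """Naive per-app check: apps whose own manifest requests the whole set."""
    return sorted(a["pkg"] for a in apps if target <= a["perms"])


def collusion_groups(apps, target=CPVT_SET):
    """Group apps that can cooperate without any user-visible IPC
    (same sharedUserId, else same signing certificate) and report groups
    whose permission union covers the target even though no member does."""
    groups = {}
    for a in apps:
        key = ("uid", a["shared_uid"]) if a["shared_uid"] else ("signer", a["signer"])
        groups.setdefault(key, []).append(a)
    hits = []
    for key, members in groups.items():
        union = set().union(*(m["perms"] for m in members))
        if target <= union and not any(target <= m["perms"] for m in members):
            hits.append((key, sorted(m["pkg"] for m in members)))
    return sorted(hits)


def permission_drift(install_time, now):
    """Rooted-device variant: compare the permissions recorded at install
    time with what each package holds now. Permissions that appeared without
    a reinstall are suspect, since normal installs cannot widen the set."""
    drift = {}
    for pkg, perms in now.items():
        added = set(perms) - set(install_time.get(pkg, ()))
        if added:
            drift[pkg] = sorted(added)
    return drift


# Constructed snapshots for the drift check.
INSTALL_SNAPSHOT = {"com.example.notes": {"android.permission.INTERNET"}}
CURRENT_GRANTS = {"com.example.notes": {"android.permission.INTERNET",
                                        "android.permission.RECORD_AUDIO",
                                        "android.permission.RECEIVE_SMS"}}

if __name__ == "__main__":
    print("single-app hits:", single_app_hits(INSTALLED))
    print("colluding groups:", collusion_groups(INSTALLED))
    print("permission drift:", permission_drift(INSTALL_SNAPSHOT, CURRENT_GRANTS))
```

The per-app check catches only the monolithic sample; the colluding trio is found only once apps are grouped by a shared identity, and the rooted-device variant is found only by comparing against an install-time baseline, which is exactly what the paper's two evasion techniques exploit.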

VI. DISCUSSION ON THE DEFENSE POLICY AGAINST CPVT

Existing protection mechanisms cannot provide a good defense against these attacks. First, the current Android permission mechanism cannot effectively protect sensor resources from being abused: sensor-based cyber-physical privacy theft attacks are all launched by accessing the MIC stealthily while holding permissions granted under that very mechanism. Second, current privacy protection solutions such as TaintDroid [17] focus on passively tainting and tracking privacy data and provide no protection at the point where the privacy data is generated. Such schemes are more suitable for traditional privacy data, such as static files on the mobile platform, and cannot fully protect against sensor-based cyber-physical privacy attacks, in which the privacy data is captured from the physical world and reflects the user's real-time status.

The essence of CPVT is the abuse of the MIC sensor. If fine-grained access control to sensor resources is introduced into Android OS, so that only accesses performed in a secure way are permitted, CPVT can be held back effectively. Based on this idea, a behavior-based sensor access control framework can be constructed. In this framework, a security behavior pattern of a sensor access, named SBP, is defined, and the dynamic sensor access behavior of an app is obtained by monitoring the app's execution in real time. By comparing the app's dynamic behavior with the SBP, unsafe sensor accesses can be filtered out effectively. The behavior of an app is composed of a sequence of API calls and system event handling. The scheme has the following three advantages: 1) compared with the diversity of malicious behaviors, SBPs are more definite and thus easier to express, which reduces the complexity of implementing the defense; 2) it can stop an attack before damage is done, through real-time access control to the MIC; 3) it can work in conjunction with existing protection mechanisms, such as the Android permission mechanism and TaintDroid.

VII. CONCLUSION

In this paper, we propose CPVT, a sensor-based cyber-physical voice privacy theft Trojan horse which the adversary can manipulate in real time to eavesdrop stealthily on the user's daily behavior. We implement CPVT on Android OS and deploy it on five popular mobile platforms. The experimental results show that CPVT launches its attacks successfully on all five platforms with negligible performance overhead. The implementation of CPVT demonstrates that cyber-physical privacy theft on smart mobile terminals is feasible and a severe threat to mobile cyber-physical systems. The essence of CPVT is the abuse of MIC access; if sensor access is controlled strictly, CPVT-like attacks can be held back effectively. Our ongoing work emphasizes two directions: extending the cyber-physical privacy theft analysis from voice to other sensor modalities, to obtain more general features of this novel privacy attack, and deepening the research on behavior-based sensor access control technology.
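To make the behavior-based sensor access control framework of Section VI concrete, the following added example (not the authors' implementation, which the paper does not describe in code) replays an app's sequence of API calls and system events through a monitor that decides each MIC open against one SBP. The SBP itself is an assumption chosen for the example: a MIC access is secure only if the app has a foreground activity and the access follows a user interaction within USER_WINDOW seconds, while an access made inside a background system-event handler (such as an SMS receiver, the CPVT trigger) is unsafe. The event names, the ENTER:/LEAVE: handler markers and all three traces are constructed, not captured from Android.

```python
"""Toy SBP monitor for MIC access (added example; SBP and events are assumed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

USER_WINDOW = 5.0  # seconds allowed between a user touch and the MIC open (assumed)


@dataclass
class Event:
    t: float    # seconds since trace start
    kind: str   # API call or system event, see the traces below


@dataclass
class AppState:
    foreground: bool = False
    last_user_input: Optional[float] = None
    in_system_handler: Optional[str] = None  # e.g. "SMS_RECEIVED" while its handler runs


class SbpMonitor:
    """Tracks an app's dynamic behavior and checks each MIC open against the SBP."""

    def __init__(self) -> None:
        self.state = AppState()
        self.decisions: List[Tuple[float, str, str]] = []  # (t, verdict, reason)

    def _check_mic(self, ev: Event) -> Tuple[str, str]:
        s = self.state
        if s.in_system_handler:
            return "deny", f"MIC opened inside {s.in_system_handler} handler"
        if not s.foreground:
            return "deny", "MIC opened with no foreground activity"
        if s.last_user_input is None or ev.t - s.last_user_input > USER_WINDOW:
            return "deny", "MIC opened without recent user interaction"
        return "allow", "matches SBP"

    def feed(self, ev: Event) -> None:
        s = self.state
        if ev.kind == "ACTIVITY_RESUMED":
            s.foreground = True
        elif ev.kind == "ACTIVITY_PAUSED":
            s.foreground = False
        elif ev.kind == "USER_TOUCH":
            s.last_user_input = ev.t
        elif ev.kind.startswith("ENTER:"):     # entering a system-event handler
            s.in_system_handler = ev.kind[len("ENTER:"):]
        elif ev.kind.startswith("LEAVE:"):
            s.in_system_handler = None
        elif ev.kind == "MediaRecorder.start":  # the MIC access to be mediated
            self.decisions.append((ev.t, *self._check_mic(ev)))


def run(trace: List[Event]) -> List[Tuple[float, str, str]]:
    """Replay a trace and return the verdict for every MIC open."""
    m = SbpMonitor()
    for ev in trace:
        m.feed(ev)
    return m.decisions


# Constructed traces.
# 1) CPVT-like: an SMS arrives and the receiver opens the MIC in the background.
CPVT_TRACE = [Event(0.0, "ENTER:SMS_RECEIVED"), Event(0.1, "MediaRecorder.start"),
              Event(0.2, "LEAVE:SMS_RECEIVED")]
# 2) Voice memo app: the user taps "record" on a visible screen.
MEMO_TRACE = [Event(0.0, "ACTIVITY_RESUMED"), Event(1.0, "USER_TOUCH"),
              Event(1.2, "MediaRecorder.start")]
# 3) Same app, sent to the background, reopens the MIC a minute after the last tap.
STALE_TRACE = [Event(0.0, "ACTIVITY_RESUMED"), Event(1.0, "USER_TOUCH"),
               Event(2.0, "ACTIVITY_PAUSED"), Event(61.0, "MediaRecorder.start")]

if __name__ == "__main__":
    for name, trace in [("cpvt", CPVT_TRACE), ("memo", MEMO_TRACE), ("stale", STALE_TRACE)]:
        print(name, run(trace))
```

Because the decision is taken at `MediaRecorder.start`, before any audio is captured, the monitor realizes advantage 2) of the scheme; it also leaves the permission check untouched, since an app that lacks RECORD_AUDIO never reaches this point, which is advantage 3).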

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of China (grants 70890084/G021102, 61003273 and 61003274), the National High Technology Research and Development Program of China (863 Program, Nos. 2013AA01A214 and 2012AA013104), and the Strategy Pilot Project of the Chinese Academy of Sciences, sub-project XDA06010702.

REFERENCES

[1] http://en.wikipedia.org/wiki/Cyberphysical system
[2] http://reu-mcps.cs.txstate.edu/home.html
[3] R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia and X. Wang, "Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones," in NDSS '11: Proceedings of the 18th Network and Distributed System Security Symposium, 2011.
[4] N. Xu, F. Zhang, Y. Luo, W. Jia, D. Xuan and J. Teng, "Stealthy video capturer: a new video-based spyware in 3G smartphones," in WiSec '09: Proceedings of the

Table III
PERFORMANCE OVERHEAD OF CPVT ON VARIOUS MOBILE PLATFORMS
Rows: Anycall I909, Google Nexus S, HTC Desire, HTC S710d, SAMSUNG GT-I9100.
Columns: Power Consumption (mW) in the Record, Send and Null states; Memory Usage (MB) in the Record, Send and Null states.
(Per-cell values were not recovered in this extraction; the bounds are reported in Section V-B.)