Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The Battery and Security in Mobile Devices

Published: 2008-03-17
Last Updated: 2008-03-17 21:58:23 UTC
by Lenny Zeltser (Version: 1)
2 comment(s)

Once a phone, Trio, Pocket PC, etc. runs out of power in the middle of the day, you remember how reliant mobile devices are on their power sources. During a recent visit to Virginia Tech, I learned of the research Grant Jacoby conducted there several years ago. His dissertation was titled Battery-Based Intrusion Detection. I was fascinated by the fact that Jeremy looked beyond the standard network or host-level indicators to detect malicious activities. Instead, he looked at anomalies in the battery's current (mA) patterns.

IDS via power consumption

Grant observed that "by measuring battery power consumption, it is possible to discover anomalous behavior, which can serve as a form of intrusion detection for a variety of attacks. Central to this is the observation that intrusions manifest observable power-related events that deviate from normal behavior."

For example, take a look at the current patterns Grant collected on an iPaq PDA when the device was the subject of an nmap port scan and of an ICMP ping flood. There are clearly-observable differences in the attack patterns and those of the baseline.

Nmap Scan - Current

Ping - Current

DDoS via power consumption

Grant also brought up an interesting attack scenario that could deplete batteries of mobile devices, affecting the "availability" aspect of security. The idea is for the attacker to attempt communicating with the device via a wireless network. Even if the victim's device does not complete the connection, the device's power will be used up at a higher rate than if it remained idle. An attacker can issue a high number of such connection requests to deplete batteries of all mobile devices in the proximity. (I suppose both Wi-Fi and Bluetooth could be used to accomplish this.)

Creative sources of intrusion indicators

What non-traditional sources of indicators could be used to detect attack-related activities? Let us know if you think of something creative. What comes to mind at the moment is the urban legend that an increase in pizza orders to a government agency indicates an impeding military operation. Or, perhaps more practically, a hard disk activity light blinking during odd hours may suggest that a system is being controlled by someone other than its regular user.


-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

2 comment(s)
Diary Archives