WO2018142404A1 - Protecting a mobile device from malicious field replacement units - Google Patents

Info

Publication number: WO2018142404A1
Authority: WO, WIPO (PCT)
Prior art keywords: communications, firewall, wireless device, main cpu, fru
Legal status: Ceased
Application number: PCT/IL2018/050115
Other languages: French (fr)
Inventors: Yossi OREN, Asaf Shabtai, Amir Cohen, Omer SHWARTZ
Current Assignee: BG Negev Technologies and Applications Ltd
Original Assignee: BG Negev Technologies and Applications Ltd
Application filed by: BG Negev Technologies and Applications Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the acceptable/legitimate FRU communication patterns may be determined by a machine learning process at a step 204. Typically, this step is performed by the device manufacturer, who may run tests on multiple devices, tests that may be performed by human device operators or by simulated techniques, such as robotic device activation.
  • Machine learning may include measuring times between events on the communications bus and producing a histogram of "normal event timings", a given deviation from a mean being indicative of an anomaly.
  • Another machine learning technique may include measuring a length or timing of sets of communications.
  • Techniques of Hidden Markov Modeling (HMM) may also be applied to "learn" proper, non-anomalous patterns.
  • the step of machine learning may alternatively or additionally be performed by a firewall during an initial period that the device is operating in the field by a customer. Additionally or alternatively, the firewall code may be updated by a remote transmission at a step 206.
  • After the firewall is configured to identify anomalous and/or malicious communications traffic, the firewall monitors subsequent traffic at a step 208. All traffic is tested against the patterns defined as correct and/or anomalous.
  • If a traffic sequence includes no anomalous patterns, the process of steps 208 and 210 may repeat indefinitely. If an anomalous pattern is detected, the firewall responds at a step 212, in a manner as described above depending on the type of firewall.
  • An inline firewall may be configured to intercept all traffic being monitored and to relay to the main CPU only correct traffic, filtering and/or rate limiting the bad/anomalous traffic and thereby preventing such traffic from reaching the CPU.
  • the in-line monitor may be configured to alert the CPU, which may in turn be configured to take appropriate steps, such as messaging the manufacturer about the potential threat.
  • a probe firewall does not intercept bad traffic, but detects it and may similarly alert the main CPU.
  • the two types of firewall may also be configured to take additional precautionary steps, such as sending a signal to the main CPU to reset itself, in order to purge a potentially dangerous CPU state.
  • the firewalls of the present invention have several useful features in addition to protecting the device. They are relatively low-cost solutions. They are transparent to the FRU driver code that operates on the main CPU (also known as OEM-supplied code). They are robust in that changes to OEM-supplied driver code do not require the firewall to be modified or replaced. Moreover, the firewalls can be applied with minimal modifications to different devices and different bus interfaces.
  • Processing elements of the system may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations thereof. Such elements can be implemented as a computer program product, tangibly embodied in an information carrier, such as a non-transient, machine-readable storage device, for execution by, or to control the operation of, data processing apparatus, such as a programmable processor, computer, or deployed to be executed on multiple computers at one site or distributed across multiple sites.
  • Memory storage may also include multiple distributed memory units, including one or more types of storage media.
  • the device, and the firewalls may have one or more processors and one or more interface ports. Processors may be configured as a multi-processing or distributed processing system. Channel interfaces may control the sending and receiving of data packets over networks.

Abstract

Systems and methods are provided for a wireless device that includes a firewall configured to monitor communications to a main computer processing unit (CPU) of the wireless device from a field replaceable unit (FRU), identify an anomalous pattern in the communications and to block transmission of the anomalous pattern to the CPU and/or to alert the CPU.

Description

PROTECTING A MOBILE DEVICE FROM MALICIOUS FIELD REPLACEMENT UNITS
FIELD OF THE INVENTION
[0001] The present invention is directed to systems and methods for digital security and in particular security for wireless devices such as mobile devices and Internet-of-Things (IOT) devices.
BACKGROUND
[0002] Touch screens, orientation sensors, wireless and wired communication interfaces, charging controllers, near-field communication (NFC) readers, and other peripherals of mobile and IOT devices, including "smart phones" and "tablets", are often produced by manufacturers other than the device vendors themselves. These "third-party" or OEM manufacturer components can typically be replaced by the user or by third-party service centers, and they are often called field-replaceable units, or FRUs. Additional examples of FRUs include interface cards for routers; battery and sensor assemblies; ink cartridges for printers; and batteries. These FRUs may have their own microprocessors and programmable memory. They may use a well-defined hardware and/or software interface to communicate with the device's main central processing unit (CPU). Many of these FRUs communicate over industry standard interfaces such as I2C (Inter Integrated Circuit) and SPI (Serial Peripheral Interface).
[0003] FRU drivers, in contrast to network or universal serial bus (USB) drivers, are typically written without authentication or validation methods. In addition, because of the relatively simple architecture, FRUs can often be copied by third parties. Consequently, an FRU may be exploited to compromise the security of a device.
SUMMARY
[0004] Embodiments of the present invention provide systems and methods that prevent malicious or misconfigured FRU hardware from compromising code running on a main CPU of a mobile or IOT device. The CPU protection is provided without requiring modification of FRU drivers. According to an embodiment of the present invention, a wireless device may include a firewall, the firewall comprising a processor and a memory with computer-readable instructions, which, when executed cause the processor to perform the steps of: monitoring communications to a main computer processing unit (CPU) of the wireless device from a field replaceable unit (FRU); identifying an anomalous pattern in the communications; and blocking transmission of the anomalous pattern to the main CPU.
[0005] In some embodiments, the wireless device is one of a mobile device and an Internet of Things (IOT) device. The anomalous pattern may be identified by anomaly detection, determined by a machine learning process. The firewall may be implemented in an individual hardware component configured to intercept the communications between the FRU and the main CPU. Communications between the FRU and the CPU may be transmitted over an Inter Integrated Circuit (I2C) bus or a Serial Peripheral Interface (SPI) bus.
[0006] There is further provided, by embodiments of the present invention, a wireless device, comprising a firewall, the firewall comprising a processor and a memory with computer-readable instructions that when executed cause the processor to perform the steps of: monitoring communications to a main computer processing unit (CPU) of the wireless device from a field replaceable unit (FRU); identifying an anomalous pattern in the communications; and alerting the main CPU of the anomalous pattern. In some embodiments, the wireless device may be one of a mobile device and an Internet of Things (IOT) device. The firewall may be implemented in an individual hardware component configured to intercept the communications between the FRU and the main CPU. Alternatively, the firewall may be implemented in an individual hardware component configured to probe the communications between the FRU and the main CPU without intercepting the communications.
[0007] In further embodiments, the firewall may be implemented in software residing in the main CPU. The firewall, additionally or alternatively, may be configured to alert the main CPU by at least resetting the main CPU.
[0008] The present invention will be more fully understood from the following detailed description of embodiments thereof.
BRIEF DESCRIPTION OF DRAWINGS
[0009] The accompanying drawings illustrate embodiments of the disclosed subject matter and explain principles of embodiments of the disclosed subject matter. Structural details are shown only to the extent necessary for an understanding of the disclosed subject matter and the various ways in which it may be practiced.
[0010] Figs. 1A-1D are illustrative, block diagrams of wireless devices each of which includes a firewall component to protect the device from a malicious field-replacement unit, according to an embodiment of the present invention.
[0011] Figs. 2A and 2B are illustrative, block diagrams of elements of a firewall installed in a wireless device to protect the device from a malicious field-replacement unit, according to an embodiment of the present invention.
[0012] Fig. 3 is an illustrative, flow diagram of a process for protecting a device from a malicious field-replacement unit, according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0013] In the following detailed description of various embodiments, reference is made to the accompanying drawings that form a part thereof, and in which are shown by way of illustrating specific embodiments by which the invention may be practiced. It is understood that other embodiments may be envisioned, and structural changes made without departing from the scope of the present invention.
[0014] Embodiments of the present invention provide hardware-based, FRU interface firewalls for protecting wireless devices from FRUs that have been misconfigured or have been purposely configured to cause damage or to extract user data. The firewalls disclosed herein monitor the communication of typical interfaces between a main CPU of a device (typically installed on the device "motherboard") and one or more FRUs. As described in Shwartz, et al., 2017, typical mobile and IOT devices may be vulnerable to a variety of security threats when a replacement FRU is installed. An "attacking" (malicious) FRU may be configured (programmed) to record, intercept, and/or inject "touch" events, that is, events that emulate a touch screen input of a user. Additional attacks may leverage vulnerabilities in the operating system of the main CPU, gaining privileged rights. Such attacks may be perpetrated even when all hardware and software on the device other than the FRU is authentic and trusted.
[0015] Figs. 1A-1D are illustrative, block diagrams of wireless devices, such as mobile or IOT devices having FRUs, the devices each including a firewall, according to an embodiment of the present invention. Systems illustrated in Figs. 1A-1D are indicated as mobile devices, but may be any CPU-based device that receives communications from one or more FRUs. Figs. 1A and 1B illustrate respective devices 20 and 50. Device 20 includes a main system board 22 on which is mounted an integral probe firewall 24, whereas device 50 includes a main system board 52 on which is mounted an integral inline firewall 54. Both the probe firewall 24 and the in-line firewall 54 are typically embedded computing devices, such as an ATmega328 (TM) or an STM32L4 (TM) micro-controller.
[0016] Most of the other components of devices 20 and 50 are identical. Both main boards 22 and 52 include a main system CPU 26 and memory 28, the CPU 26 and the memory 28 often being provided together in a single, embedded computing device. In addition to the main board, both device 20 and 50 include one or more FRUs, indicated as FRU 30. As described above, a typical device, such as a mobile device, has multiple FRUs 30, such as touch screens, sensors, and battery assemblies. These devices typically include embedded controllers, which include an FRU CPU 32 and an FRU memory 34. In many common devices, these FRUs 30 communicate with the main CPU 26 over standard communications channels, such as industry standard I2C and SPI buses. The communications channels for both devices 20 and 50 may be identical and are indicated in Figs. 1A and 1B as channel 36. FRU 30, and any additional FRU that may be installed in the respective devices, typically connect to the respective main boards 22 and 52 at one or more identical I/O or bus ports, indicated as port 38.
[0017] The primary architectural difference between devices 20 and 50 is that the probe firewall 24 of device 20 is configured to monitor traffic on channel 36 from the port 38 to the main CPU 26 by only sensing the communications line. By contrast, in-line firewall 34 of device 50 is configured to monitor communications on channel 36, by intercepting communications between the port 38 and the main CPU 26, typically delivering to the port 38 all communications from the CPU 26, but delivering only safe (i.e., not anomalous) communications from the port 38 to the main CPU 26.
[0018] The memory 28 of both device 20 and 50 typically includes driver code 42 for communicating with FRU 30. In addition, the memory 28 typically includes code for communicating with the firewalls over the channels 36 and/or 40, this code indicated as FW drivers 44. Code sets 42 and 44 are typically installed by the device manufacturer but may be provided by third-party sources. In embodiments of the present invention, these code sets 42 and 44 may be field updated, typically by wireless communications.
[0019] As described further hereinbelow, each packet travelling between the FRU 30 and the main CPU 26, and vice versa, may be analyzed by the firewall of the respective devices 20 and 50. The firewalls may support one or more of a variety of techniques for detecting anomalous (and/or malicious) traffic, including signature matching and clustering, and may perform techniques such as filtering and rate limiting to prevent identified anomalous traffic from accessing or exploiting security weaknesses of the main CPU 26. When the traffic travelling between the FRU 30 and CPU 26 is detected as anomalous, the in-line firewall can optionally block this traffic by not conveying it to the main CPU 26, and thus protect the integrity of the main CPU 26. In addition, both firewalls can optionally send an alert signal to the main CPU 26 or send a signal to a reset port (i.e., "pin") of the main CPU 26 over one or more channels such as channel 40, thus effectively blocking the CPU 26 from processing the anomalous communications and returning the main CPU 26 to a safe state. Channel 40, like channel 36, may be I2C or SPI buses. Channel 40, which carries alerts from the firewall to the main CPU 26, may also provide communications from the main board to the firewall, such as firmware updates.
[0020] The probe firewall passively monitors communications traffic between the FRU 30 and the main CPU 26 without modifying the traffic. In an alternative implementation, the firewall is not implemented as an individual hardware component, but rather as independent software modules stored in the main memory and configured to run on the main CPU 26.
[0021] Figs. 1C and 1D are illustrative, block diagrams of devices 60 and 70, almost identical to respective devices 20 and 50, except that the firewall components are not integral components of the main board. Instead, the devices 60 and 70 include a modified main board 62 that has no integral firewall. Device 60 includes probe firewall 24, that is, a firewall identical to the probe firewall described above, but connected to the main board at one or both of two external ports, the bus port 38, for channel 36 communications (such as I2C or SPI communications), as described above, and an external I/O port 64 for channel 40 communications. Device 70 similarly includes probe firewall 54, that is, a firewall identical to the probe firewall described above, but connected, as in device 60, to the main board at one or both of the bus port 38 and the I/O port 64. Note that I/O port 64 may also be included in devices 20 and 50 but would not be utilized for firewall communications.
[0022] Figs. 2A and 2B are illustrative, block diagrams of elements of a firewall installed in a wireless device to protect the device from a malicious field-replacement unit, according to an embodiment of the present invention. Both the probe firewall 24 and the in-line firewall 54 are typically embedded computing devices, having a firewall CPU 80 and a firewall memory 82. Embedded code 84 of the probe firewall is configured to execute on the CPU 80 to sense signals received over a channel 36 probe port 86 (typically including multiple wires, depending on the channel protocol), at which the probe firewall can sense all traffic flowing from the FRU 30 to the main CPU 26. In-line firewall 54 typically has two channel 36 ports, an FRU port 92 and a main board port 94. The former port is a read/write communications interface to an FRU channel. The latter port is a read/write interface to the main CPU 26. Embedded code 90 of the in-line firewall 54 is configured to execute on the CPU 80 to intercept signals received at port 92 (typically including multiple wires, depending on the channel protocol), and to transmit to the main CPU 26 communications that are not detected as being anomalous.
[0023] In addition to the channel 36 interfaces, both firewalls 24, 54 may also have additional I/O channel 40 interfaces with the main CPU 26, in order to communicate alerts and firewall status, as described further hereinbelow. In some embodiments, such communications are also transmitted from the firewalls to the main CPU 26 over channel 36.
[0024] Fig. 3 is an illustrative, flow diagram of a process implemented by a probe or in-line firewall for protecting a wireless device from a malicious field-replacement unit, according to an embodiment of the present invention.
[0025] At an initial step 202, the firewall is configured to distinguish acceptable/legitimate FRU communication patterns from anomalous FRU traffic that could be indicative of malicious intrusion attempts. Typically, the configuration of the firewall also includes configuration of an algorithm and/or data set to enable the firewall to detect anomalous communications. Anomalous patterns may be at the physical and/or logical layers of communications. For example, the patterns may be based on signal features, such as timing of pulse intervals and other timing factors often referred to as "signature matching". Patterns also may be based on message features, such as typical command parameters received by the master CPU.
[0026] The acceptable/legitimate FRU communication patterns may be determined by a machine learning process at a step 204. Typically, this step is performed by the device manufacturer, who may run tests on multiple devices, tests that may be performed by human device operators or by simulated techniques, such as robotic device activation.
[0027] Machine learning may include measuring times between events on the communications bus and producing a histogram of "normal event timings", a given deviation from a mean being indicative of an anomaly. Another machine learning technique may include measuring a length or timing of sets of communications. Techniques of Hidden Markov Modeling (HMM) may also be applied to "learn" proper, non-anomalous patterns. The step of machine learning may alternatively or additionally be performed by a firewall during an initial period in which the device is operated in the field by a customer. Additionally or alternatively, the firewall code may be updated by a remote transmission at a step 206.
[0028] After the firewall is configured to identify anomalous and/or malicious communications traffic, the firewall monitors subsequent traffic at a step 208. All traffic is tested against the patterns defined as correct and/or anomalous.
[0029] If a traffic sequence includes no anomalous patterns, the process of steps 208 and 210 may repeat indefinitely. If an anomalous pattern is detected, the firewall responds at a step 212, in a manner as described above depending on the type of firewall. An in-line firewall may be configured to intercept all traffic being monitored and to relay to the main CPU only correct traffic, filtering and/or rate limiting the bad/anomalous traffic and thereby preventing such traffic from reaching the CPU. In addition, the in-line monitor may be configured to alert the CPU, which may in turn be configured to take appropriate steps, such as messaging the manufacturer about the potential threat.
[0030] A probe firewall does not intercept bad traffic, but detects it and may similarly alert the main CPU. The two types of firewall may also be configured to take additional precautionary steps, such as sending a signal to the main CPU to reset itself, in order to purge a potentially dangerous CPU state.
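The timing-based learning of step 204 and the monitor-and-respond loop of steps 208 to 212 are shown in C below. This is an added example, not code from the application: it keeps a running mean and variance of inter-event gaps instead of a full histogram, and the type names, the 4-sigma tolerance, the 1 us variance floor and the sample traces are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum { FW_PROBE, FW_INLINE } fw_kind;
typedef enum { ACT_FORWARD, ACT_ALERT, ACT_BLOCK_ALERT } fw_action;
typedef struct {
    fw_kind  kind;
    uint32_t n;         /* gaps learned so far */
    double   mean, m2;  /* running mean, sum of squared deviations */
    double   k;         /* assumed tolerance, in standard deviations */
    uint64_t last_us;   /* timestamp of the previous bus event */
    int      have_last;
} fru_fw;

/* Learning (step 204): fold a known-good trace into the model (Welford). */
void fw_train(fru_fw *fw, const uint64_t *ts, size_t count) {
    for (size_t i = 1; i < count; i++) {
        double gap = (double)(ts[i] - ts[i - 1]);
        double d = gap - fw->mean;
        fw->n++;
        fw->mean += d / fw->n;
        fw->m2 += d * (gap - fw->mean);
    }
}

/* Monitoring (steps 208-212); timestamps assumed monotonic, microseconds. */
fw_action fw_on_event(fru_fw *fw, uint64_t ts_us) {
    fw_action act = ACT_FORWARD;
    if (fw->have_last && fw->n > 1) {
        double d = (double)(ts_us - fw->last_us) - fw->mean;
        double var = fw->m2 / (fw->n - 1);
        if (var < 1.0) var = 1.0;         /* assumed floor for a zero-variance model */
        if (d * d > fw->k * fw->k * var)  /* |d| > k * stddev, without sqrt */
            act = fw->kind == FW_INLINE ? ACT_BLOCK_ALERT : ACT_ALERT;
    }
    fw->last_us = ts_us;
    fw->have_last = 1;
    return act;
}

/* Constructed sample data: gaps near 1000 us, then one 50 us burst. */
static const uint64_t GOOD[] = {0, 1000, 1990, 3000, 4005, 5000, 6000, 7002, 8000};
static const uint64_t LIVE[] = {0, 1003, 2001, 2051, 3050};

/* Train a fresh firewall, replay LIVE, return the action for event idx. */
fw_action demo_action(fw_kind kind, size_t idx) {
    fru_fw fw = { .kind = kind, .k = 4.0 };
    fw_action act = ACT_FORWARD;
    fw_train(&fw, GOOD, sizeof GOOD / sizeof GOOD[0]);
    for (size_t i = 0; i <= idx && i < sizeof LIVE / sizeof LIVE[0]; i++)
        act = fw_on_event(&fw, LIVE[i]);
    return act;
}
int main(void) { return demo_action(FW_INLINE, 3) == ACT_BLOCK_ALERT ? 0 : 1; }
```

The same out-of-profile event yields a block plus alert on the in-line firewall and only an alert on the probe firewall, which matches the distinction drawn in paragraphs [0029] and [0030].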
[0031] The firewalls of the present invention have several useful features in addition to protecting the device. They are relatively low-cost solutions. They are transparent to the FRU driver code that operates on the main CPU (also known as OEM-supplied code). They are robust in that changes to OEM-supplied driver code do not require the firewall to be modified or replaced. Moreover, the firewalls can be applied with minimal modifications to different devices and different bus interfaces.
[0032] It is to be understood that elements of the system and process described above may be combined in different combinations in different embodiments of the present invention. Processing elements of the system may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations thereof. Such elements can be implemented as a computer program product, tangibly embodied in an information carrier, such as a non-transient, machine-readable storage device, for execution by, or to control the operation of, data processing apparatus, such as a programmable processor, computer, or deployed to be executed on multiple computers at one site or distributed across multiple sites. Memory storage may also include multiple distributed memory units, including one or more types of storage media. The device, and the firewalls, may have one or more processors and one or more interface ports. Processors may be configured as a multi-processing or distributed processing system. Channel interfaces may control the sending and receiving of data packets over networks.
[0033] Method steps associated with the system and process can be rearranged and/or one or more such steps can be omitted to achieve the same, or similar, results to those described herein. It is to be understood that the embodiments described hereinabove are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art.
REFERENCES
[Shwartz, et al., 2017] O. Shwartz, G. Shitrit, A. Shabtai and Y. Oren, "From Smashed Screens to Smashed Stacks: Attacking Mobile Phones Using Malicious Aftermarket Parts," 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS & PW), Paris, 2017, pp. 94-98.

Claims

1. A wireless device, comprising a firewall, wherein the firewall comprises a processor and a memory with computer-readable instructions that when executed cause the processor to perform the steps of:
monitoring communications to a main computer processing unit (CPU) of the wireless device from a field replaceable unit (FRU);
identifying an anomalous pattern in the communications; and
blocking transmission of the anomalous pattern to the main CPU.
2. The wireless device of claim 1, wherein the wireless device is one of a mobile device and an Internet of Things (IOT) device.
3. The wireless device of claim 1, wherein the anomalous pattern is identified by anomaly detection determined by a machine learning process.
4. The wireless device of claim 1, wherein the firewall is implemented in an individual hardware component configured to intercept the communications between the FRU and the main CPU.
5. The wireless device of claim 1, wherein the communications between the FRU and the main CPU is transmitted over an Inter Integrated Circuit (I2C) bus or a Serial Peripheral Interface (SPI) bus.
6. A wireless device, comprising a firewall, wherein the firewall comprises a processor and a memory with computer-readable instructions that when executed cause the processor to perform the steps of:
monitoring communications to a main computer processing unit (CPU) of the wireless device from a field replaceable unit (FRU);
identifying an anomalous pattern in the communications; and
alerting the main CPU of the anomalous pattern.
7. The wireless device of claim 6, wherein the wireless device is one of a mobile device and an Internet of Things (IOT) device.
8. The wireless device of claim 6, wherein the firewall is implemented in an individual hardware component configured to intercept the communications between the FRU and the main CPU.
9. The wireless device of claim 6, wherein the firewall is implemented in an individual hardware component configured to probe the communications between the FRU and the main CPU without intercepting the communications.
10. The wireless device of claim 6, wherein the communications between the FRU and the main CPU is transmitted over an Inter Integrated Circuit (I2C) bus or a Serial Peripheral Interface (SPI) bus.
11. The wireless device of claim 6, wherein the communications between the FRU and the main CPU is transmitted on a first communications channel and the alert to the main CPU is transmitted over a second communications channel.
12. The wireless device of claim 6, wherein the firewall is implemented in software residing in the main CPU.
13. The wireless device of claim 6, wherein the firewall is configured to alert the main CPU by at least resetting the main CPU.
PCT/IL2018/050115 2017-02-01 2018-02-01 Protecting a mobile device from malicious field replacement units Ceased WO2018142404A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762453007P 2017-02-01 2017-02-01
US62/453,007 2017-02-01

Publications (1)

Publication Number Publication Date
WO2018142404A1 true WO2018142404A1 (en) 2018-08-09

Family

ID=63040326

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2018/050115 Ceased WO2018142404A1 (en) 2017-02-01 2018-02-01 Protecting a mobile device from malicious field replacement units

Country Status (1)

Country Link
WO (1) WO2018142404A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11483342B2 (en) 2020-05-29 2022-10-25 Saudi Arabian Oil Company Utilizing web application firewall and machine learning to detect command and control

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040268138A1 (en) * 2003-06-12 2004-12-30 Larson Thane M. Inter integrated circuit bus router
US20130139247A1 (en) * 2011-11-29 2013-05-30 Bayshore Networks, Inc. Firewall apparatus, systems, and methods employing detection of application anomalies

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
PIERLUIGI PAGANINI: "Hardware attacks, backdoors and electronic component qualification", 11 October 2013 (2013-10-11), XP055535022, Retrieved from the Internet <URL:https://web.archive.org/web/20131018023303/https://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification> *
RICH MCCORMICK: "Qualcomm's new mobile chip will learn how to identify malicious apps | The Verge", 31 August 2015 (2015-08-31), XP055535016, Retrieved from the Internet <URL:https://web.archive.org/web/20151104052349/https://www.theverge.com/2015/8/31/9237351/qualcomm-snapdragon-820-malware-machine-learning> [retrieved on 20150411] *
SEBASTIAN ANTHONY: "Rakshasa: The hardware backdoor that China could embed in every computer | ExtremeTech", 1 August 2012 (2012-08-01), XP055535026, Retrieved from the Internet <URL:https://web.archive.org/web/20120918052409/https://www.extremetech.com/computing/133773-rakshasa-the-hardware-backdoor-that-china-could-embed-in-every-computer> *

Similar Documents

Publication Publication Date Title
US12309184B2 (en) System and method for providing security to in-vehicle network
US7594269B2 (en) Platform-based identification of host software circumvention
Palanca et al. A stealth, selective, link-layer denial-of-service attack against automotive networks
US7441272B2 (en) Techniques for self-isolation of networked devices
KR101737726B1 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
CN112347022B (en) Security module for CAN nodes
US12039050B2 (en) Information processing device
US8230127B2 (en) Method of protecting input/output packet of USB device and apparatus thereof
KR20180127222A (en) Method for protecting a network against a cyber attack
US20150033004A1 (en) Processing Device
Tang et al. ERACAN: Defending Against an Emerging CAN Threat Model
CN114567456A (en) Method for checking messages in a communication system
WO2018142404A1 (en) Protecting a mobile device from malicious field replacement units
Dupont et al. Network intrusion detection systems for in-vehicle network-Technical report
CN111480160B (en) System, method, and medium for process verification
EP3704618B1 (en) Cyber security system for networked devices
AU2019255300B2 (en) Anti-virus device for industrial control systems
US12452672B1 (en) Distributed multilayered cybersecurity framework for connected vehicles
US12013436B2 (en) Dynamic security protection in configurable analog signal chains
EP4654056A1 (en) Electronic control unit, apparatus, computer-readable data carrier, computer program, and method for intrusion detection
Rogers et al. Targeted Detection for Attacks on the MIL-STD-1553 Bus
Rasmussen Targeted Detection for Attacks on the MIL− STD− 1553 Bus
Lofy et al. Demystifying Platform Cyber Resilience
US10331887B2 (en) Embedded system
Ha et al. Attacking Automation Systems via the PLC Backplane Bus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18747656

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18747656

Country of ref document: EP

Kind code of ref document: A1