About This Project
In our fast-paced technological society, nearly everyone is connected to the Internet through Wi-Fi with their mobile devices and computers. Most users likely have known Wi-Fi networks that they have connected to before, and their devices connect automatically to the network when it comes within range. In this project, we aim to demonstrate that this default setting is a severe security risk by developing an attack that exploits the vulnerability in Android devices.
Ask the ScientistsJoin The Discussion
What is the context of this research?
Android devices are susceptible to attacks from a vulnerability known as Stagefright. This vulnerability is a conglomerate of software bugs that affect Android Froyo (2.2) and above. They allow attackers to gain remote access to the devices. The Pineapple Wireless Auditing Platform allows someone to intercept Wi-Fi network traffic by forcing users to connect to it instead of the router that was to be used intentionally. This theoretically creates a massive attack vector on Android devices that have the option to automatically connect to Wi-Fi hotspots, which seems to be the case with most people, due to the ability to use man-in-the-middle attacks to replace ad images on websites with images that can inflict on the Stagefright vulnerability.
What is the significance of this project?
It is very important to understand and demonstrate the dangers of having automatic connection to Wi-Fi on Android devices turned on. Not only does this allow devices, such as the Pineapple, to have access to your traffic, but, as in our primary attack example, it allows the possibility to get root access on Android systems if exploited properly. This is due to the stagefright vulnerability still being an active vector for attack, despite numerous attempts at bug fixes within the Android framework.
What are the goals of the project?
Our Pineapple Stagefright Mass Attack (PASMA), uses the Pineapple, wireless auditing platform, to perform man-in-the-middle attacks on stagefright vulnerabilities on Android devices by serving media with malicious content to the mobile device in order to gain control over it.
In particular, our goal is to perform a controlled experiment to deauthenticate users from their current network, forcing them to reconnect to what their devices believe is the same network. However, we will be directing the users traffic to and from their preferred network, allowing us the ability to compromise the confidentiality and integrity of the users traffic. We intend to serve up webpages with stagefright inflicting images. At this point, we will gain root access to the users Android device.
The fund will be used to hire two research assistants (undergrad students) for 3 months to implement the attack as a proof of concept. In addition, some devices will be purchased to test the implementation. Specifically, we need Pineapple, a wireless auditing platform, and one mobile Android-based device.
Meet the Team
We are a research team working on cyber security at Florida Polytechnic University. The team consists of Dr. Karim Elish and two students researchers Jason Gutierrez-Pinho and Michael Whitfield. Jason and Michael are both undergrad students studying computer science & IT with a concentration in cyber security at Florida Polytechnic University. They have interest in all areas of technology with emphasis on the security aspects.
I am an Assistant Professor in the Department of Computer Science at Florida Polytechnic University. I received my PhD and MS in Computer Science from Virginia Tech in 2015 and 2011, respectively. My current research interests focus on software security, Android malware analysis and detection, and software engineering. I have published several papers in peer-reviewed security and software engineering conferences and journals. Also, I am working as a reviewer for numerous conferences and journals, including IEEE Transactions on Dependable and Secure Computing (TDSC), and IEEE Systems Journal.
Nothing posted yet.
- $0Total Donations
- $0Average Donation