Abstract

Today's mobile devices contain sensitive data, which raises concerns about data security. This paper discusses a covert channel threat on existing mobile systems. Through it, malware can wirelessly leak information without making network connections or emitting signals, such as sound, EMR, vibration, etc., that we can feel or are aware of. The covert channel is built on a communication method that we call NICScatter. NICScatter transmitter malware forces mobile devices, such as mobile phones, tablets or laptops, to reflect surrounding RF signals to covertly convey information. The operation is achieved by controlling the impedance of a device's wireless network interface card (NIC). Importantly, the operation requires no special privileges on current mobile OSs, which allows the malware to stealthily pass sensitive data to an attacker's nearby mobile device, which can then decode the signal and thus effectively gather the guarded data. Our experiments with different mobile devices show that the covert channel can achieve 1.6 bps and transmit as far as 2 meters. In a through-the-wall scenario, it can transmit up to 70 cm.