Sandia Labs’ MegaDroid Plays Security War Games

Sandia National Laboratories announced on Tuesday that it has set up a network of 300,000 Android virtual hand-held computing devices to study large networks of smartphones.

The project, called “MegaDroid,” is expected to result in a software tool that will let other cyber-researchers model similar environments and study the behavior of smartphone networks.

The tool will ultimately let the computing industry better protect hand-held devices from malicious intent, Sandia stated.

“There is a market gap in the ability to study large-scale networks of Android or other smartphone devices, and that’s what MegaDroid is attempting to address,” Sandia researcher David Fritz told LinuxInsider. “Our system allows us to create arbitrary networks of Android devices, with sensor input and output under our control, on a range of systems from commodity cluster hardware down to your desktop workstation.”

MegaDroid’s Muscles

The virtual Android network runs on its own subnet. Sandia can add a full domain name service, an Internet relay chat server, a Web server and multiple subnets for a realistic computing environment, the lab said.

Work on MegaDroid included Sandia researchers spoofing GPS data of a smartphone user in an urban environment and fed that into the GPS input of an Android virtual machine. The VM software treated the spoofed data as real GPS data, giving researchers a more accurate emulation environment in which to analyze and study what hackers can do to smartphone networks.

Sandia hopes its platform “will become the de facto Android development and testing platform for at-scale networks of devices,” and will release it to the open source community, the lab’s Fritz said.

Sandia also sees the system being used as a “test bed for national security applications” such as natural disasters, John Floren, another Sandia researcher, told LinuxInsider.

The main challenge in studying devices running the Android OS is the complexity of the software, Sandia said. Google wrote 14 million lines of code into the OS, which runs on top of a Linux kernel that contains more than that amount of code. This makes it difficult to diagnose and fix a problem in a large wireless network.

Just Another Brick in the Wall

“It does appear that [Sandia researchers] are using the very same image from a ‘user in an urban environment’ to seed all 300,000 instances on their test harness,” Frank Artes, a research director at NSS Labs, told LinuxInsider. “This isn’t a very good representation of Android on any wireless network as Android has an inherent gap issue with regard to patching updating.”

What that means is that Android updates are often specific to the particular model of mobile device being patched, and updates are not produced for every type of device running the OS.

“This means a mobile network has any number of versions of Android with various iterations of the operating system running in disparate hardware,” Artes explained.

While 300,000 virtual instances of mobile devices “is a good size test, the most difficult problem in approximating real-world conditions is introducing the randomness of the mobile factor,” Randy Abrams, another research director at NSS Labs, pointed out.

The Threat to Mobile Systems

Android devices have been hacked repeatedly and often, and virtually all new mobile malware detected in Q2 2012 was directed at that OS, McAfee stated in its Q2 2012 threats report.

The second quarter of this year chalked up the biggest increase in malware samples detected in the last four years. McAfee Labs identified new threats such as mobile drive-by downloads, the use of Twitter for controlling mobile botnets, and the appearance of mobile ransomware.

Size Matters

The MegaDroid project “is really focused on a snapshot of a data network where only Android devices would live, all running the same hardware and software, and in the absence of much of the normal network traffic patterns that should exist,” Artes pointed out. “While some testing can be done to examine the impact upon the ecosystem of that network, it is a very simple version of the true live ecosystem.”

The project environment “isn’t robust enough to emulate a real carrier network, and doesn’t seem to contain the traffic, network security devices, or monitoring that such a network would incorporate,” Artes elaborated.

“It will be quite interesting to see if the team is able to learn more than a multi-billion device, real network situation has been teaching carriers,” Abrams told LinuxInsider.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

LinuxInsider Channels