Opening Pandora’s Box through ATFuzzer: Dynamic Analysis of AT Interface for Android Smartphones Imtiaz Karim Fabrizio Cicala Syed Rafiul Hussain Purdue University Purdue University Purdue University [email protected] [email protected] [email protected] Omar Chowdhury Elisa Bertino University of Iowa Purdue University [email protected] [email protected] ABSTRACT 9–13, 2019, San Juan, PR, USA. ACM, New York, NY, USA, 15 pages. https: This paper focuses on checking the correctness and robustness of //doi.org/10.1145/3359789.3359833 the AT command interface exposed by the cellular baseband proces- sor through Bluetooth and USB. A device’s application processor 1 INTRODUCTION uses this interface for issuing high-level commands (or, AT com- Modern smartphones operate with two interconnected processing mands) to the baseband processor for performing cellular network units—an application processor for general user applications and a operations (e.g., placing a phone call). Vulnerabilities in this inter- baseband processor (also known as a cellular modem) for cellular face can be leveraged by malicious Bluetooth peripherals to launch connectivity. The application processor can issue ATtention com- pernicious attacks including DoS and privacy attacks. To identify mands (or, AT commands) [22] through the radio interface layer such vulnerabilities, we propose ATFuzzer that uses a grammar- (RIL, also called AT interface) to interact with the baseband pro- guided evolutionary fuzzing approach which mutates production cessor for performing different cellular network operations (e.g., rules of the AT command grammar instead of concrete AT com- placing a phone call). Most of the modern smartphones also accept mands. Empirical evaluation with ATFuzzer on 10 Android smart- AT commands once connected via Bluetooth or USB. phones from 6 vendors revealed 4 invalid AT command grammars Problem and scope. Since the AT interface is an entry point for over Bluetooth and 13 over USB with implications ranging from accessing the baseband processor, any incorrect behavior in pro- DoS, downgrade of cellular protocol version (e.g., from 4G to 3G/2G) cessing AT commands may cause unauthorized access to private to severe privacy leaks. The vulnerabilities along with the invalid information, inconsistent system states, and crashes of the RIL dae- AT command grammars were responsibly disclosed to affected mon and the telephony stack. This paper thus focuses on the follow- vendors and two of the reported vulnerabilities have been already ing research question: Is it possible to develop a systematic approach assigned CVEs (CVE-2019-16400 and CVE-2019-16401). for analyzing the correctness and robustness of the baseband-related AT command execution process to uncover practically-realizable vul- CCS CONCEPTS nerabilities? • Security and privacy → Mobile and wireless security; Dis- Incorrect execution of AT commands may manifest in one of tributed systems security; Denial-of-service attacks. the following forms: (1) Syntactic errors: the device accepts and processes syntactically invalid AT commands; and (2) Semantic vio- KEYWORDS lations: the device processes syntactically correct AT commands, but does not conform to the prescribed behavior. Successful ex- Android Smartphone Security and Privacy, Vulnerabilities, Attack ploitations of such invalid commands may enable malicious periph- ACM Reference Format: eral devices (e.g., a headset), connected to the smartphone over Imtiaz Karim, Fabrizio Cicala, Syed Rafiul Hussain, Omar Chowdhury, Bluetooth, to access phones’s sensitive information, such as, IMSI and Elisa Bertino. 2019. Opening Pandora’s Box through ATFuzzer: Dy- (International Mobile Subscriber Identity, unique to a subscriber) namic Analysis of AT Interface for Android Smartphones. In 2019 An- and IMEI (International Mobile Equipment Identity, unique to a nual Computer Security Applications Conference (ACSAC ’19), December device), or to downgrade the cellular protocol version or stop the cellular Internet, even when the peripheral is only allowed to access Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed phone’s call and media audio. for profit or commercial advantage and that copies bear this notice and the full citation Prior efforts. Existing approaches [43, 44, 53] strive to identify the on the first page. Copyrights for components of this work owned by others than ACM types of valid AT commands (i.e., commands with valid inputs/ar- must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a guments conforming to 3GPP reference [1, 9, 11, 12, 52] or vendor- fee. Request permissions from [email protected]. specific commands [13, 14, 18, 21] added for vendor customization) ACSAC ’19, December 9–13, 2019, San Juan, PR, USA exposed through USB interfaces on modern smartphone platforms © 2019 Association for Computing Machinery. ACM ISBN 978-1-4503-7628-0/19/12...$15.00 and the functionality they enable. Yet these studies have at least https://doi.org/10.1145/3359789.3359833 one of the following limitations: (A) The analyses [53] do not test 529 the robustness of the AT interface in the face of invalid commands; on the fitness score of each grammar, ATFuzzer selects the parent (B) The analyses [53] only consider USB interface and thus leave grammars for crossover operation. We design a grammar-aware the Bluetooth interface to the perils of both valid and invalid AT two-point crossover operation to generate a diverse set of valid and commands; and (C) The analyses [30, 43, 45, 49] are not general invalid grammars. After the crossover operations, we incorporate enough to be applicable to smartphones from different vendors. three proposed mutation strategies to include randomness within Challenges. Conceptually, one can approach our problem using the grammar itself. The intuition behind using both crossover and one of the following two techniques: (1) static analysis; (2) dynamic mutation operations is for testing the integrity of each command analysis. As the source code of firmwares is not always available, a field as well as the command sequence1. static analysis-based approach would have to operate on a binary Findings. To evaluate the generality and effectiveness of our ap- level. The firmware binaries, when available, are often obfuscated proach, we evaluated ATFuzzer on 10 Android smartphones (from 6 and encrypted. Making such binaries amenable to static analysis different vendors) with both Bluetooth and USB interfaces. ATFuzzer requires substantial manual reverse engineering effort. To make has been able to uncover a total of 4 erroneous AT grammars over matters worse, such manual efforts are often firmware-version spe- Bluetooth and another 13 AT grammars over USB. Impacts of these cific and may not apply to other firmwares, even when theyare errors range from complete disruption of cellular network con- from the same vendor. Using dynamic analysis-based approaches nectivity to retrieval of sensitive personal information. We show also often requires instrumenting the binary to obtain coverage practical attacks through Bluetooth that can downgrade or shut- information for guiding the search. Like static analysis, such instru- down Internet connectivity, and also enable illegitimate exposure mentation requires reverse engineering effort which again is not of IMSI and IMEI when such impacts are not achievable through scalable. Also, during dynamic analysis, due to the separation of valid AT commands. In addition, the syntactically and semanti- the two processors, it is often difficult to programmatically detect cally flawed AT commands over USB can cause crashes, compound observable RIL crashes from the application processor. Finally, in actions, and syntactically incorrect commands to get processed. many cases, undesired AT commands are blacklisted [2–4] and For instance, an invalid AT command ATDI in LG Nexus 5 induces hence can induce rate-limiting by completely shutting down the AT the program to execute two valid AT commands— ATD (dial) and interface. The only way to recover from such a situation is to reboot ATI (display IMEI), simultaneously. These anomalies add a new the test device which can substantially slow down the analysis. dimension to the attack surface when blacklisting or access control Our approach. In this paper, we propose ATFuzzer which can test mechanisms are put in place to protect the devices from valid yet the correctness and robustness of the AT interface. One of the key menacing AT commands. The vulnerabilities along with the invalid objectives driving the design of ATFuzzer is discovering problematic AT command grammars were responsibly disclosed to the affected input formats instead of just some misbehaving concrete AT com- vendors. Among the discovered vulnerabilities, two of them (i.e., mands. Towards this goal, ATFuzzer employs a grammar-guided DoS and privacy leaks attacks) have been assigned CVEs (CVE- evolutionary fuzzing-based approach. Unlike typical mutation-based 2019-16400 [5] and CVE-2019-16401 [6]). [28, 35–37, 46, 59] and generation-based [20, 31, 54] fuzzers, ATFuzzer Contributions. The paper has the following contributions: follows a different strategy. It mutates the production rules of theAT command grammars and uses sampled instances of the generated