research-article
Open access

ATFuzzer: Dynamic Analysis Framework of AT Interface for Android Smartphones

Published: 10 December 2020

Abstract

Application processors of modern smartphones use the AT interface to issue high-level commands (AT commands) to the baseband processor for cellular network operations such as placing a phone call. Vulnerabilities in this interface can be leveraged by malicious USB or Bluetooth peripherals to launch pernicious attacks. In this article, we propose ATFuzzer, a grammar-guided evolutionary fuzzing approach that mutates production rules of the AT command grammar, rather than concrete AT commands, to evaluate the correctness and robustness of the AT command execution process. To automate each step of the analysis pipeline, ATFuzzer first takes as input the 3GPP and other vendor-specific standard documents and, following several heuristics, automatically extracts seed AT command grammars for the fuzzer. From the seed, ATFuzzer generates both valid and invalid grammars using our cross-over and mutation strategies, so as to evaluate both the integrity and the execution of AT commands. Empirical evaluation of ATFuzzer on 10 Android smartphones from 6 vendors revealed 4 invalid AT command grammars over Bluetooth and 14 over USB, with consequences ranging from denial of service and downgrade of the cellular protocol version to severe privacy leaks. The vulnerabilities, along with the invalid AT command grammars, were responsibly disclosed to the affected vendors and assigned CVEs.
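The following Python sketch is an added illustration of what "mutating production rules instead of concrete AT commands" means in practice; it is not ATFuzzer's own code, and the project's real seed grammars, mutation operators and phone-side oracle are not on this page. The two-command grammar (AT+CFUN and AT+CMGF, as specified in 3GPP TS 27.007), the four mutation operators, and the regular expression that stands in for the modem's OK/ERROR response are all constructed assumptions for the example.

```python
import random
import re
from copy import deepcopy

# Constructed seed grammar for two commands from 3GPP TS 27.007:
#   AT+CFUN=<fun>[,<rst>]   and   AT+CMGF=<mode>
# Nonterminals are written in angle brackets; each production is a list of
# symbols (terminals or nonterminals) concatenated in order.
SEED_GRAMMAR = {
    "<cmd>": [["AT+CFUN=", "<fun>", "<opt_rst>"], ["AT+CMGF=", "<mode>"]],
    "<opt_rst>": [[], [",", "<rst>"]],
    "<fun>": [["0"], ["1"], ["4"]],
    "<rst>": [["0"], ["1"]],
    "<mode>": [["0"], ["1"]],
}

# Acceptor for the documented syntax of those two commands. It stands in for
# the oracle a real run gets from the phone (the modem's OK/ERROR response and
# the observed side effects), which are not available offline.
VALID_RE = re.compile(r"^AT\+(CFUN=[014](,[01])?|CMGF=[01])$")

MUTATION_OPS = ("drop", "duplicate", "inject", "separator")


def make_rng(seed):
    return random.Random(seed)


def is_nonterminal(sym):
    return sym.startswith("<") and sym.endswith(">")


def derive(grammar, symbol, rng, depth=0):
    """Expand `symbol` into one concrete string by picking productions at random."""
    if not is_nonterminal(symbol):
        return symbol
    if depth > 8:  # bound recursion in case a mutation makes the grammar recursive
        return ""
    production = rng.choice(grammar[symbol])
    return "".join(derive(grammar, s, rng, depth + 1) for s in production)


def is_valid_command(cmd):
    return VALID_RE.match(cmd) is not None


def mutate_grammar(grammar, rng, nt=None, op=None):
    """Return a copy of `grammar` with one production rule mutated.

    The mutation acts on the rule set, not on a generated string: every
    command later derived from the child grammar inherits the change.
    """
    child = deepcopy(grammar)
    nt = nt or rng.choice([k for k in child if k != "<cmd>"])
    op = op or rng.choice(MUTATION_OPS)
    prods = child[nt]
    if op == "drop":
        if len(prods) > 1:                      # remove one alternative
            prods.pop(rng.randrange(len(prods)))
    elif op == "duplicate":                     # repeat a parameter, e.g. "0" -> "00"
        p = rng.choice(prods)
        prods.append(p + p)
    elif op == "inject":                        # add an out-of-spec alternative
        prods.append([rng.choice(["", "-1", "99", "A", ",", ";", '""'])])
    elif op == "separator":                     # corrupt the parameter separator
        for p in prods:
            for i, s in enumerate(p):
                if s == ",":
                    p[i] = rng.choice([";", ",,", " "])
    else:
        raise ValueError("unknown mutation op: %s" % op)
    return child


def crossover(g1, g2, rng):
    """Child takes g1's rules, with one nonterminal's productions taken from g2."""
    child = deepcopy(g1)
    nt = rng.choice(list(g1))
    child[nt] = deepcopy(g2[nt])
    return child


def fuzz(seed_grammar, rounds, seed=0, population=4, per_grammar=3):
    """Evolve grammars from the seed; return (command, valid_per_spec) pairs."""
    rng = make_rng(seed)
    pop = [deepcopy(seed_grammar) for _ in range(population)]
    results = []
    for _ in range(rounds):
        a, b = rng.sample(pop, 2)
        child = mutate_grammar(crossover(a, b, rng), rng)
        for _ in range(per_grammar):
            cmd = derive(child, "<cmd>", rng)
            results.append((cmd, is_valid_command(cmd)))
        pop[rng.randrange(population)] = child   # child replaces a random member
    return results


if __name__ == "__main__":
    out = fuzz(SEED_GRAMMAR, rounds=20, seed=7)
    invalid = [cmd for cmd, ok in out if not ok]
    print("%d commands, %d outside the documented grammar" % (len(out), len(invalid)))
    for cmd in sorted(set(invalid))[:10]:
        print("  ", repr(cmd))
```

The point of operating on the grammar is visible in `mutate_grammar`: corrupting the separator rule of `<opt_rst>` once changes every subsequent `AT+CFUN=<fun>,<rst>` derivation, so the fuzzer explores a whole family of malformed commands rather than one string. In a real setup the `is_valid_command` label would be replaced by the modem's response and the device state observed after the command is sent over USB or Bluetooth.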


Cited By

  • SoK: A Systematic Literature Review of Bluetooth Security Threats and Mitigation Measures. Emerging Information Security and Applications (2022), 108–127. DOI: 10.1007/978-3-030-93956-4_7. Online publication date: 12 January 2022.
  • SoK: A Systematic Literature Review of Bluetooth Security Threats and Mitigation Measures. SSRN Electronic Journal. DOI: 10.2139/ssrn.3959316.

        Published In

        Digital Threats: Research and Practice  Volume 1, Issue 4
        Special Issue on ACSAC'19: Part 1
        December 2020
        198 pages
        EISSN: 2576-5337
        DOI: 10.1145/3442335

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 10 December 2020
        Accepted: 01 August 2020
        Received: 01 May 2020
        Published in DTRAP Volume 1, Issue 4

        Author Tags

        1. Android smartphone security and privacy
        2. attack
        3. vulnerabilities

        Qualifiers

        • Research-article
        • Research
        • Refereed

        Funding Sources

        • NSF
