Securing Wireless Coprocessors from Attacks in the Internet of Things

  • Jason Staggs
  • Sujeet Shenoi
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 570)


Wireless communications coprocessors are a vital component of numerous Internet of Things and mobile devices. These subsystems enable devices to communicate directly with peers and with supporting network infrastructures. Previous research has shown that wireless communications coprocessors lack fundamental security mechanisms to combat attacks originating from the air interface and from the application processor (main CPU). To mitigate the risk of exploitation, methods are needed to retroactively add security mechanisms to communications coprocessors.

This chapter focuses on securing a cellular baseband processor from attacks by hostile applications running on the application processor. Such attacks often leverage attention (AT) commands to exploit vulnerabilities in baseband firmware. The attacks are mitigated by installing an AT command intrusion prevention system on the interface between the application processor and the baseband processor.
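The following is an added example, not code from the paper, of the kind of inline AT command filter the abstract describes: a default-deny parser and allowlist placed on the line from the application processor toward the baseband. The command syntax follows GSM 07.07 / ITU-T V.250 conventions; the policy table, the 128-byte line limit and the sample traffic are illustrative assumptions, and +XDEBUG and +XMACRO are hypothetical vendor-style names standing in for undocumented commands.

```python
"""Allowlist AT command filter for the AP-to-baseband channel (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Extended syntax +NAME, +NAME?, +NAME=?, +NAME=<params> (prefix per V.250);
# basic syntax is a single letter plus an optional parameter string (D*99#, E0).
_EXT_RE = re.compile(r"^([+&%#$\\][A-Za-z0-9]{1,16})(=\?|\?|=(.*))?$")
_BASIC_RE = re.compile(r"^([A-Za-z])(.*)$")


@dataclass(frozen=True)
class ATCommand:
    name: str    # "+CMGS", "&F", "D"; "" for a bare "AT"
    form: str    # "exec" | "read" | "test" | "set"
    params: str  # raw parameter text for set/basic forms, else ""


def parse_at_line(raw: bytes) -> ATCommand:
    """Parse one line sent toward the modem; raise ValueError on anything odd."""
    if len(raw) > 128:  # assumption: legitimate 27.007/07.07 lines are far shorter
        raise ValueError("line too long")
    line = raw.rstrip(b"\r\n")
    if not all(0x20 <= b < 0x7F for b in line):
        raise ValueError("non-printable byte in command")
    body = line.decode("ascii")
    if body[:2].upper() != "AT":
        raise ValueError("missing AT prefix")
    body = body[2:]
    # "ATD<number>;" is a voice call; any other ';' is command concatenation
    # (AT+A;+B), which lets a second command hide behind a harmless first one.
    inner = body[:-1] if body[:1].upper() == "D" and body.endswith(";") else body
    if ";" in inner:
        raise ValueError("command concatenation not permitted")
    if body == "":
        return ATCommand("", "exec", "")
    m = _EXT_RE.match(body)
    if m:
        name, suffix = m.group(1).upper(), m.group(2)
        if suffix is None:
            return ATCommand(name, "exec", "")
        if suffix == "?":
            return ATCommand(name, "read", "")
        if suffix == "=?":
            return ATCommand(name, "test", "")
        return ATCommand(name, "set", m.group(3))
    m = _BASIC_RE.match(body)
    if m:
        return ATCommand(m.group(1).upper(), "exec", m.group(2))
    raise ValueError("unparseable command")


# Policy: (name, form) -> regex the parameter string must fully match.
# Default deny: anything absent here is dropped. The table is illustrative,
# not any vendor's; scope it to what the AP software actually needs.
POLICY: Dict[Tuple[str, str], str] = {
    ("", "exec"): r"",                  # bare "AT" keep-alive
    ("+CPIN", "set"): r"\d{4,8}",
    ("+CREG", "set"): r"[0-2]",
    ("+CMGS", "test"): r"",
    ("+CMGS", "set"): r'"\+?\d{3,20}"(,(129|145))?',
    ("D", "exec"): r"[0-9*#+]{1,32};?",
}


class ATFilter:
    def __init__(self, policy: Dict[Tuple[str, str], str]):
        self._rules = {key: re.compile(pat) for key, pat in policy.items()}
        self.dropped: List[Tuple[bytes, str]] = []  # audit trail for the SOC

    def decide(self, raw: bytes) -> Tuple[bool, str]:
        try:
            cmd = parse_at_line(raw)
        except ValueError as err:
            return self._drop(raw, f"malformed: {err}")
        rule = self._rules.get((cmd.name, cmd.form))
        if rule is None:
            return self._drop(raw, f"not allowlisted: {cmd.name} {cmd.form}")
        if rule.fullmatch(cmd.params) is None:
            return self._drop(raw, f"bad parameters for {cmd.name}")
        return True, "forwarded"

    def _drop(self, raw: bytes, reason: str) -> Tuple[bool, str]:
        self.dropped.append((raw, reason))
        return False, reason


# Constructed traffic, not captured from a device; +XDEBUG and +XMACRO are
# hypothetical vendor-style names standing in for undocumented commands.
SAMPLE_TRAFFIC = [
    b"AT\r",
    b"AT+CREG=2\r",
    b'AT+CMGS="+15550100"\r',
    b"ATD*99#\r",
    b'AT+CMGS="+15550100";+XDEBUG=1\r',  # smuggled second command
    b"AT+XMACRO=" + b"A" * 200 + b"\r",   # oversize parameter
    b"AT+CLAC\r",                         # command-set enumeration, not listed
    b"AT+CREG=\xff\r",                    # non-printable byte
]


def run_sample() -> List[Tuple[bytes, bool, str]]:
    flt = ATFilter(POLICY)
    return [(line, *flt.decide(line)) for line in SAMPLE_TRAFFIC]
```

The filter rejects before it classifies: length, character set and command concatenation are checked on the raw line, so an over-long or non-ASCII parameter never reaches the per-command regex, and an allowlisted command cannot be used to smuggle a second one behind a semicolon. Every drop is recorded with its reason so the device can report attempted baseband abuse rather than silently discarding it.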


Keywords: Wireless coprocessor, Internet of Things, intrusion prevention





Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • University of Tulsa, Tulsa, USA
