ARIstoteles – Dissecting Apple’s Baseband Interface

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12972)

Abstract

Wireless chips and interfaces expose a substantial remote attack surface. As of today, most cellular baseband security research is performed on the Android ecosystem, leaving a huge gap on Apple devices. With iOS jailbreaks, last-generation wireless chips become fairly accessible for performance and security research. Yet, iPhones were never intended to be used as a research platform, and their chips and interfaces are undocumented. One protocol to interface with such chips is Apple Remote Invocation (ARI), which interacts with the central phone component CommCenter and multiple user-space daemons, thereby posing a Remote Code Execution (RCE) attack surface. We are the first to reverse-engineer and fuzz-test the ARI interface on iOS. Our Ghidra scripts automatically generate a Wireshark dissector, called ARIstoteles, by parsing closed-source iOS libraries for this undocumented protocol. Moreover, we compare the quality of the dissector to fully-automated approaches based on static trace analysis. Finally, we fuzz the ARI interface based on our reverse-engineering results. The fuzzing results indicate that ARI not only lacks public security research but also has not been well-tested by Apple. By releasing ARIstoteles open-source, we also aim to facilitate similar research in the future.

Keywords

  • Apple remote invocation
  • Baseband
  • iPhone
  • Fuzzing

  • DOI: 10.1007/978-3-030-88418-5_7
  • Chapter length: 19 pages

Notes

  1. https://github.com/seemoo-lab/aristoteles

Acknowledgments

This work has been funded by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE.

Corresponding author

Correspondence to Jiska Classen.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Kröll, T., Kleber, S., Kargl, F., Hollick, M., Classen, J. (2021). ARIstoteles – Dissecting Apple’s Baseband Interface. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_7

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer Science (R0)