TY - GEN
T1 - Opening Pandora’s box through Atfuzzer
T2 - 35th Annual Computer Security Applications Conference, ACSAC 2019
AU - Karim, Imtiaz
AU - Cicala, Fabrizio
AU - Hussain, Syed Rafiul
AU - Chowdhury, Omar
AU - Bertino, Elisa
N1 - Funding Information:
We thank the anonymous reviewers for their suggestions. This work is supported by NSF grants CNS-1657124 and CNS-1719369, Intel, and a grant by Purdue Research Foundation.
Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/12/9
Y1 - 2019/12/9
N2 - This paper focuses on checking the correctness and robustness of the AT command interface exposed by the cellular baseband processor through Bluetooth and USB. A device’s application processor uses this interface for issuing high-level commands (or, AT commands) to the baseband processor for performing cellular network operations (e.g., placing a phone call). Vulnerabilities in this interface can be leveraged by malicious Bluetooth peripherals to launch pernicious attacks including DoS and privacy attacks. To identify such vulnerabilities, we propose ATFuzzer that uses a grammar-guided evolutionary fuzzing approach which mutates production rules of the AT command grammar instead of concrete AT commands. Empirical evaluation with ATFuzzer on 10 Android smartphones from 6 vendors revealed 4 invalid AT command grammars over Bluetooth and 13 over USB with implications ranging from DoS, downgrade of cellular protocol version (e.g., from 4G to 3G/2G) to severe privacy leaks. The vulnerabilities along with the invalid AT command grammars were responsibly disclosed to affected vendors and two of the reported vulnerabilities have been already assigned CVEs (CVE-2019-16400 and CVE-2019-16401).
AB - This paper focuses on checking the correctness and robustness of the AT command interface exposed by the cellular baseband processor through Bluetooth and USB. A device’s application processor uses this interface for issuing high-level commands (or, AT commands) to the baseband processor for performing cellular network operations (e.g., placing a phone call). Vulnerabilities in this interface can be leveraged by malicious Bluetooth peripherals to launch pernicious attacks including DoS and privacy attacks. To identify such vulnerabilities, we propose ATFuzzer that uses a grammar-guided evolutionary fuzzing approach which mutates production rules of the AT command grammar instead of concrete AT commands. Empirical evaluation with ATFuzzer on 10 Android smartphones from 6 vendors revealed 4 invalid AT command grammars over Bluetooth and 13 over USB with implications ranging from DoS, downgrade of cellular protocol version (e.g., from 4G to 3G/2G) to severe privacy leaks. The vulnerabilities along with the invalid AT command grammars were responsibly disclosed to affected vendors and two of the reported vulnerabilities have been already assigned CVEs (CVE-2019-16400 and CVE-2019-16401).
UR - http://www.scopus.com/inward/record.url?scp=85077815569&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85077815569&partnerID=8YFLogxK
U2 - 10.1145/3359789.3359833
DO - 10.1145/3359789.3359833
M3 - Conference contribution
AN - SCOPUS:85077815569
T3 - ACM International Conference Proceeding Series
SP - 529
EP - 543
BT - Proceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019
PB - Association for Computing Machinery
Y2 - 9 December 2019 through 13 December 2019
ER -