rC3: Stress test leads to many iPhone crashes
Source: Heise.de, added 29th Dec 2020

Communication chips that Apple uses in iPhones only withstand endurance tests to a limited extent. This was demonstrated by Jiska Classen from the research group for mobile radio security at TU Darmstadt at the remote Chaos Communication Congress (rC3). Again and again her recordings showed how the devices “said goodbye” into an uncontrollable state, sometimes with unusual sound effects. They lost their “orientation”, and some had to be reset to their factory state.
Classen used the fuzzing method for her experiments. In fuzzing, large amounts of random or mutated data are continuously sent to the system under test via one or more input interfaces in order to check its robustness automatically. The scientist focused on the baseband chip, which is responsible for network functions such as telephony, SMS transmission and internet access. By smuggling in manipulated data packets, according to her thesis, security gaps in the higher-level and supposedly shielded iOS operating system could then possibly be exploited in order to execute arbitrary commands.
New approaches for mobile radio research

This strategy is already very interesting from the perspective of reverse engineering, i.e. the replication of critical proprietary functions, stated Classen. In the resulting profiles a lot of baseband management messages can be seen. On iPhones whose usage restrictions have been removed by a jailbreak, data packets can be smuggled in and the behavior of the modem changed without any problems. This paves the way for new approaches in mobile communications research.
Specifically, the expert first put the chips and devices through their paces with wireless protocol fuzzing, i.e. she subjected the protocol implementations for wireless communication to a stress test. To do this, she sent images to the image parser responsible for processing them, in order to see what was being executed and how. She combined the relevant files into a corpus and supplemented it with standard-compliant JPEGs and artificially generated images. This let her see which files caused a crash and what exactly the cause was.
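The corpus-based approach described above, as an added illustration that is not the researcher's tooling: a small mutation fuzzer over a constructed corpus of minimal JPEG-like files, run against a toy marker-segment parser that stands in for the real target. Each result is classified so that a deliberate rejection (ValueError) is kept apart from an unhandled failure, and crashes are bucketed by exception type and message with the first reproducing input stored per bucket.

```python
import random
import struct

# Constructed seed corpus: two minimal, well-formed JPEG-like files (SOI, marker segments
# with a length field, EOI); stand-ins for the image files in the corpus, not real photos.
SEED_CORPUS = [
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9",
    b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00\xff\xfe\x00\x09comment\xff\xd9",
]

def parse_segments(data: bytes) -> list:
    """Toy target parser: ValueError is a deliberate rejection; IndexError/struct.error are unhandled crashes."""
    pos, segs = 2, []                                           # skip the SOI marker
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker")
        marker = data[pos + 1]                                  # no bounds check -> IndexError
        if marker == 0xD9:                                      # EOI
            return segs
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # truncated file -> struct.error
        segs.append((marker, data[pos + 4:pos + 2 + length]))   # length field is never validated
        pos += 2 + length
    raise ValueError("missing EOI")

def classify(data: bytes) -> tuple:
    """Run the parser once: ('ok', ''), ('rejected', msg), or (exception type name, msg) for a crash."""
    try:
        parse_segments(data)
    except ValueError as exc:
        return ("rejected", str(exc))
    except Exception as exc:
        return (type(exc).__name__, str(exc))
    return ("ok", "")

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Flip one bit or truncate the file: two of the mutations a corpus fuzzer applies to seeds."""
    buf = bytearray(data)
    if rng.randrange(2):
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    else:
        del buf[rng.randrange(2, len(buf)):]
    return bytes(buf)

def fuzz(iterations: int, seed: int = 0) -> dict:
    """Mutate seeds, run the parser, bucket crashes by (type, message), keep the first reproducer each."""
    rng, crashes = random.Random(seed), {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(SEED_CORPUS), rng)
        kind, msg = classify(candidate)
        if kind not in ("ok", "rejected"):
            crashes.setdefault((kind, msg), candidate)
    return crashes
```

Calling `fuzz(2000, seed=1)` yields one reproducer per distinct crash cause, which is the triage step the article describes: the bucket key says what broke, and the stored bytes show which input did it.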
Ddd-di-di-dd-di-d-di-d-di-d-dimm!

Classen also succeeded in replacing bits and bytes with her own data and smuggling them in during ongoing calls or incoming short messages. After observing the effects that the manipulated data induced, she was able to refine the method and send large numbers of short messages to the baseband chip. The iPhone then received so many text messages in such a short time that it no longer had time to play the typical notification tone for each one. Instead, only an indistinct “Ddd-di-di-dd-di-d-di-d-di-d-dimm” could be heard.
Classen was also able to force calls to hotlines to be dropped, whereby the tested iPhone repeated the last syllables of an announcement in a staccato manner. In another case the user was prompted to re-enter the PIN; at other times the test device erroneously reported a busy line. In another demo an SMS could no longer be deleted, so a reset was necessary. According to the researcher, the approach can still be expanded, as many functions could not yet be exercised even with a good seed corpus.
Frankenstein module for Bluetooth

Classen also showed in her lecture which fuzzers she used and how she adapted and combined these tools for the iPhone chips with her own code. So far, the research group has mainly examined Bluetooth chips. Team colleague Jan Ruge built a module called “Frankenstein” to emulate the Bluetooth firmware at the same speed as conventional hardware, and thus to be able to carry out realistic tests of complete protocol stacks.
The scientist named ToothPicker, Frida, DTrace and American Fuzzy Lop (AFL) as other helpful tools. In some cases she let these fuzzers run for several weeks and thus repeatedly generated crashes, for example on the iPhone 7 and 8 models, and discovered weaknesses. Some of the problems reportedly also extended to macOS, the desktop and laptop operating system. One hurdle was that the channels were closed after a few invalid packets were received while establishing a wireless connection. This behavior could be switched off with Frida.
Undocumented remote interface

Classen's analyses revealed differences between iPhone 8 models for the US and Europe. While the US variant contains a Qualcomm chip with the documented Qualcomm MSM Interface (QMI), the European variant contains an Intel chip with a previously largely unknown interface called Apple Remote Invocation (ARI). Data packets sent over the air could in principle control these two interfaces, even though an intermediate layer is built in. The two different libraries could be fuzzed with Frida. In some cases the CommCenter was knocked out, calls were lost and internet connections had to be re-established. Sometimes the CommCenter kept running and also processed packets with invalid values.
During the tests, Classen made an iPhone 8 almost unusable. The start-up procedure only got as far as pongoOS, before the actual iOS boot process. Normal booting was only possible again after a few hours. The Intel variant wrote log files totaling 500 megabytes, so the internal storage quickly filled up. After that, deleting photos no longer worked and SSH logins failed.
In general, fuzzing “confuses iPhones very much”, the researcher explained. They requested reactivation, lost their location function and displayed grayed-out notices. There is still a lot of room for hackers to try things out, but it is better not to use your private smartphone for this. Classen sent crash reports and information about possible security holes to Apple. Apple closed the serious weaknesses with the iOS updates 14.2 and 14.3.
(dz)