BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer

TL;DR

This paper presents BaseMirror, a static analysis tool that automatically reverse engineers baseband commands from Android's RIL binaries, revealing security vulnerabilities and zero-day exploits in vendor-specific basebands.

Contribution

We introduce a novel static analysis approach and tool, BaseMirror, for automatic reverse engineering of baseband commands from vendor RIL binaries, enabling security analysis of closed-source basebands.

Findings

Discovered 873 previously unknown baseband commands.

Validated 8 zero-day vulnerabilities leading to service denial and file access.

Successfully reported vulnerabilities to Samsung, earning a bug bounty.

Abstract

In modern mobile devices, baseband is an integral component running on top of cellular processors to handle crucial radio communications. However, recent research reveals significant vulnerabilities in these basebands, posing serious security risks like remote code execution. Yet, effectively scrutinizing basebands remains a daunting task, as they run closed-source and proprietary software on vendor-specific chipsets. Existing analysis methods are limited by their dependence on manual processes and heuristic approaches, reducing their scalability. This paper introduces a novel approach to unveil security issues in basebands from a unique perspective: to uncover vendor-specific baseband commands from the Radio Interface Layer (RIL), a hardware abstraction layer interfacing with basebands. To demonstrate this concept, we have designed and developed BaseMirror, a static binary analysis tool to automatically reverse engineer baseband commands from vendor-specific RIL binaries. It utilizes a bidirectional taint analysis algorithm to adeptly identify baseband commands from an enhanced control flow graph enriched with reconstructed virtual function calls. Our methodology has been applied to 28 vendor RIL libraries, encompassing a wide range of Samsung Exynos smartphone models on the market. Remarkably, BaseMirror has uncovered 873 unique baseband commands undisclosed to the public. Based on these results, we develop an automated attack discovery framework to successfully derive and validate 8 zero-day vulnerabilities that trigger denial of cellular service and arbitrary file access on a Samsung Galaxy A53 device. These findings have been reported and confirmed by Samsung and a bug bounty was awarded to us.