TL;DR
This paper reverse-engineers and fuzz-tests Apple's undocumented ARI protocol on iOS, showing that it exposes a remote code execution attack surface through CommCenter and several user-space daemons, and releases ARIstoteles, an open-source Wireshark dissector generated automatically from closed-source iOS libraries, to support future Apple device security research.
Contribution
First to reverse-engineer and fuzz-test Apple's ARI protocol on iOS. Ghidra scripts parse the closed-source iOS libraries that implement this undocumented protocol and automatically generate ARIstoteles, an open-source Wireshark dissector that makes ARI traffic readable for security research on iOS devices.
Findings
The ARI protocol is undocumented and, before this work, had received no public security research; most cellular baseband security research targets Android, leaving a gap on Apple devices.
Fuzzing the ARI interface, which feeds CommCenter and multiple user-space daemons, surfaced potential vulnerabilities in a remotely reachable attack surface.
The open-source ARIstoteles dissector and the Ghidra scripts that generate it give future security analysis of Apple devices a reusable starting point.
Abstract
Wireless chips and interfaces expose a substantial remote attack surface. As of today, most cellular baseband security research is performed on the Android ecosystem, leaving a huge gap on Apple devices. With iOS jailbreaks, last-generation wireless chips become fairly accessible for performance and security research. Yet, iPhones were never intended to be used as a research platform, and chips and interfaces are undocumented. One protocol to interface with such chips is Apple Remote Invocation (ARI), which interacts with the central phone component CommCenter and multiple user-space daemons, thereby posing a Remote Code Execution (RCE) attack surface. We are the first to reverse-engineer and fuzz-test the ARI interface on iOS. Our Ghidra scripts automatically generate a Wireshark dissector, called ARIstoteles, by parsing closed-source iOS libraries for this undocumented protocol.…
