08-17, 10:30–11:15 (Europe/Berlin), Milliways
Last year, we released FirmWire to the public, an open-source baseband analysis platform.
But what even is a baseband and why do we want to analyze it? Hint: It’s a critical part of your phone and a first point of entry for attacks.
This talk will answer your questions and provide a hands-on introduction to our framework.
This talk will discuss cellular basebands and FirmWire, our open-source platform for baseband firmware. The platform allows researchers to emulate, dynamically debug, introspect, and interact with complex baseband firmware, providing insights about its inner workings in real-time.
FirmWire’s integrated ModKit creates and injects custom tasks into the emulated baseband.
We leverage the ModKit for full-system fuzzing via AFL++ by creating custom fuzzing tasks that exchange test cases and results with the host through special hypercalls.
With this setup, we uncovered several pre-authentication vulnerabilities in the LTE and GSM stacks of Samsung’s Shannon and MediaTek’s MTK baseband implementations, affecting billions of devices.
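As an added illustration of the setup described above (this is not FirmWire's own ModKit code; the hypercall numbers, the TLV message layout and the host-side stub are assumptions made for this example), here is a minimal guest-side fuzzing task in C. It pulls each test case from the host through a hypercall, hands it to a bounds-checked message parser of the kind a baseband's signalling stack contains, and signals the end of the iteration back to the host. The host side of the hypercall is replaced by an in-process stub serving a constructed three-case corpus, so the file runs stand-alone.

```c
/* Added example: guest-side fuzz task talking to the host via hypercalls.
 * Hypercall numbers, the TLV layout and the host stub are assumptions, not
 * the FirmWire ModKit interface. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HC_GET_INPUT 1   /* assumed: host copies the next test case into a buffer */
#define HC_DONE      2   /* assumed: guest reports that one iteration finished  */
#define MAX_INPUT    256

typedef struct { const uint8_t *data; size_t len; } testcase_t;

/* Constructed corpus standing in for what AFL++ would hand over. */
static const uint8_t case_ok[]    = {0x01, 0x02, 0xaa, 0xbb, 0x02, 0x01, 0xcc};
static const uint8_t case_trunc[] = {0x01, 0x05, 0xaa};  /* length runs past the buffer */
static const testcase_t g_corpus[] = {
    { case_ok,    sizeof case_ok },
    { case_trunc, sizeof case_trunc },
    { case_ok,    0 },                                   /* empty message */
};
static size_t g_next;
static size_t g_done_calls;

/* In the emulator this would be a trapping instruction handled by the host;
 * here it is a stub so the file runs without an emulator. */
static long hypercall(int nr, void *arg, size_t len) {
    switch (nr) {
    case HC_GET_INPUT: {
        if (g_next >= sizeof g_corpus / sizeof g_corpus[0])
            return -1;                                   /* corpus exhausted */
        const testcase_t *tc = &g_corpus[g_next++];
        size_t n = tc->len < len ? tc->len : len;
        memcpy(arg, tc->data, n);
        return (long)n;
    }
    case HC_DONE:
        g_done_calls++;
        return 0;
    }
    return -1;
}

size_t hypercall_done_count(void) { return g_done_calls; }

/* Toy information-element walker over [tag][len][value...]* records.
 * Every length is checked against the remaining buffer, so a malformed
 * message is rejected instead of being read out of bounds; an unchecked
 * version of exactly this loop is the bug class such a task hunts for. */
int parse_ies(const uint8_t *buf, size_t len, unsigned *n_ies) {
    size_t off = 0;
    unsigned count = 0;
    while (off < len) {
        if (len - off < 2) return -1;                    /* truncated header */
        uint8_t l = buf[off + 1];
        off += 2;
        if (l > len - off) return -2;                    /* length exceeds buffer */
        off += l;
        count++;
    }
    *n_ies = count;
    return 0;
}

/* Runs like an injected task: one parser call per test case.
 * Returns the number of test cases processed. */
unsigned fuzz_task(void) {
    uint8_t buf[MAX_INPUT];
    unsigned processed = 0;
    for (;;) {
        long n = hypercall(HC_GET_INPUT, buf, sizeof buf);
        if (n < 0) break;
        unsigned ies = 0;
        int rc = parse_ies(buf, (size_t)n, &ies);
        processed++;
        hypercall(HC_DONE, &rc, sizeof rc);              /* hand control back to the host */
    }
    return processed;
}

int main(void) {
    unsigned n = fuzz_task();
    printf("processed %u test cases, %zu DONE hypercalls\n", n, hypercall_done_count());
    return 0;
}
```

In a real deployment the corpus stub disappears: the trapping instruction lands in the emulator, the host writes the AFL++ test case into guest memory, and a crash in the parser is observed by the emulator rather than by the task itself.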
FirmWire is the outcome of a more than two-year-long international research collaboration between the University of Florida, Vrije Universiteit Amsterdam, TU Berlin, and Ruhr-University Bochum.
Topics touched in this talk:
- Cellular Basebands
- GSM & LTE
- Security Vulnerabilities
Dominik Maier holds a PhD from TU Berlin where he focussed on fuzzing. He is part of the AFLplusplus project, and currently works on connectivity security for the largest smartphone OS.
nsr is interested in all sorts of low-level firmware, tinkering, and capture-the-flag competitions. He developed and maintains avatar2, a framework for analyzing embedded systems firmware. Among other things, he used the framework within the FirmWire project to emulate Samsung's Shannon and MediaTek's MTK baseband firmware, leading to the discovery of several critical vulnerabilities.
In his day job, nsr is an assistant professor at the University of Birmingham, and his research interests cover the (in-)security of embedded systems, as well as binary and microarchitectural exploitation.