There will be Bugs: Exploiting Basebands in Radio Layer Two

Public baseband exploitation research has so far focused on message-decoding bugs in layer 3 (NAS and RRC) and, more recently, in layer 4 (traffic over IP). In this presentation we open a new area for remote baseband exploitation: layer 2. This part of the cellular specifications has been overlooked because of its narrow function and its packet size limitations, but a deeper dive uncovers possibilities in both old and new standards. Importantly, this layer sits below the ciphering applied to cellular communications (in LTE, ciphering is applied at PDCP, so the RLC and MAC headers and control PDUs beneath it travel in the clear), which makes the attack surface reachable not only from a fake base station but also by directly MITM-ing legitimate cell tower traffic.

The presentation describes the chain of vulnerabilities we found and explains how to exploit them for remote code execution in the baseband of flagship Samsung smartphones. The new class of bugs brought new challenges in both developing and delivering an exploit. I will describe how we modified radio software to inject a longer, more complex sequence of malicious layer 2 traffic without normal operation interfering with the attack. I will also explain how we built debugging and heap visualization tooling for the target, introduce the heap shaping techniques we devised in order to write a reliable exploit, and discuss creating baseband exploits that account for the enormous fragmentation of firmware variants in the wild.

About the Presenter: Daniel Komaromy

Daniel Komaromy (@kutyacica) has worked in the mobile security field his entire career, going on 15+ years of vulnerability research experience playing both defense and offense. He has won Pwn2Own, presented his research at industry-leading conferences (such as Black Hat, REcon, and Ekoparty), and disclosed scores of critical vulnerabilities in leading mobile vendors' products. Daniel is the founder of TASZK Security Labs, a security consultancy focused on vulnerability research, and he still follows the motto: there's no crying in baseband!
