What if you did not need to be a journalist accidentally invited into a Signal group to snoop on someone's communication? What if you could gain RCE on a smartphone without a complex combination of exploits, ASLR bypasses and ROP chains? Join us to learn how we got remote code execution on MediaTek basebands using BaseBridge, an extension to the FirmWire baseband emulator. BaseBridge transfers runtime state from a physical phone into the emulator, so the emulated baseband processes messages as if it were attached to a real network. We show how BaseBridge automatically found vulnerabilities in Samsung and MediaTek basebands through fuzzing, how it simplified triaging the resulting crashes, and how we built on this to develop a proof-of-concept remote code execution exploit.
Daniel is a final-year PhD student at Ruhr University Bochum, Germany. His research interests include the security of smartphones, cellular networks and firmware in general. Besides BaseBridge, he also maintains https://www.chipsets.org/, a vulnerability database for smartphone chipsets. Daniel has previously published at USENIX Security, NDSS and IEEE S&P. Aside from security, Daniel likes to dabble in software architecture, databases and data analytics.
David holds a Master’s degree in IT Security from Ruhr University Bochum. His interests include the security of cellular networks, mobile devices, and applications.