Mobile Network Attacks: Exploiting Basebands and Application Processors
Daniel Komaromy & Laszlo Szapula
Dates
6th-9th of May 2024Capacity
20Price
4.250€Introduction
In the ~15 years since the launch of the Osmocom and OpenBTS projects (2008), "Fuzzing the Phone in your Phone" (2009), and "All Your Basebands Are Belong To Us" (2010), baseband hacking has gone from a research novelty to an IRL threat. But also during this time, the gap between the challenges addressed by public research demonstrations and operational use has started growing.
In this course, students will learn through hands-on exercises how to setup and operate multiple generations of cellular networks using open source components and software-defined radios, how to modify their code for generating customized traffic via programming interfaces and use them for mobile attacks, and how to approach the static and dynamic baseband firmware analysis and reverse engineering of the target devices.
The training will cover the basics of cellular networks and baseband operating systems from a security standpoint and then focus on approaches, techniques, and tools for finding and exploiting baseband vulnerabilities. We will place an emphasis on real-life usage scenarios and the challenges associated with developing, maintaining, and executing full baseband exploit chains.
Learning Objectives
- Learning the fundamentals of cellular networks from 2G to 5G
- Running networks and engaging with basebands via custom cellular traffic
- Understanding baseband OS internals from a security perspective
- Reverse engineering baseband OS firmwares
- Finding and analyzing remote baseband vulnerabilities and baseband pivot vulnerabilities
- Debugging execution flows and developing exploits
Prerequisites
- Familiarity with C and memory safety vulnerabilities
- Experience in reverse engineering, RISC-like assembly (ideal: experience with Ghidra, ARM)
- Experience in working with Android OS
- Working proficiency in using Linux OS and Python
Hardware Requirements
- Laptop running Ubuntu 22.04 natively (no virtualization) wih minimum 2 USB-A ports
Software Requirements
- Access to the internet (not prevented by corporate policy)
- Installed utilities: ssh, adb, lxd (https://ubuntu.com/lxd/install), ghidra 10.3.3.
AGENDA
Day 1: Understanding Cellular Networks and Setting Up Test Environments
- Intro to Radio Access Technologies, 2G/3G/4G/5G protocols
- Cellular protocol security, shortcomings and attack surfaces
- Exercises: Installing and operating 2G/4G/5G networks using Osmocom, srsRAN, open5GS
Day 2: Finding Baseband Vulnerabilities
- Baseband reverse engineering: firmware extraction, RTOS analysis
- Building tooling and automation with Ghidra
- Identifying the attack surfaces within the binary, analyzing bugs
- Exercises: Spotting and triaging tulnerabilities, finding ways for debugging
Day 3: Exploiting Baseband Vulnerabilities
- Deep-dive of baseband OS internals, hardenings, and exploit mitigations
- Fundamentals of baseband exploitation, building exploit primitives from bugs
- Exercises: Exploiting an N-day remote baseband vulnerability
Day 4: Pivoting from Baseband to Android
- Using baseband rce for a chain: challenges and techniques for writing robust exploits
- Attack surfaces for baseband pivot vulnerabilities
- Android exploit development with a pivot attack vector
- Exercises: Exploiting an N-day baseband pivot vulnerability
Bio
Daniel Komaromy (@kutyacica) has worked in the mobile security field his entire career, going on 15+ years of vulnerability research experience playing both defense and offense. He has won Pwn2Own, presented his research at industry leading conferences (like Black Hat, REcon, and Ekoparty), and disclosed scores of critical vulnerabilities in leading mobile vendors’ products. Daniel is the founder of TASZK Security Labs, a vulnerability research oriented security consultancy outfit, and he still follows the motto: there's no crying in baseband!
Laszlo Szapula (LaTsa) interned at TASZK Security Labs and is the newest full time member of the research team, fresh off graduating from BME. His interests include reverse engineering and exploitation of kernels, chipsets, and cellular networks.
