Advanced Baseband Exploitation
Daniel Komaromy & Laszlo Szapula

Dates

11th-14th of May 2026

Capacity

24

Price

4.800€

Introduction

In the almost 20 years since the launch of the Osmocom and OpenBTS projects (2008), "Fuzzing the Phone in your Phone" (2009), and "All Your Basebands Are Belong To Us" (2010), baseband hacking has gone from a research novelty to an IRL threat. During the same period, however, the gap between the challenges addressed by public research demonstrations and those of operational use has widened.

In this course, students will learn through hands-on exercises how to set up and operate multiple generations of cellular networks using open source components and software-defined radios, how to modify their code to generate customized traffic via programming interfaces and use it for mobile attacks, and how to approach the static and dynamic analysis and reverse engineering of the target devices' baseband firmware.

The training will cover the basics of cellular networks and baseband operating systems from a security standpoint and then focus on approaches, techniques, and tools for finding and exploiting baseband vulnerabilities. We will place an emphasis on real-life usage scenarios and the challenges associated with developing, maintaining, and executing full baseband exploit chains.

Our training focuses on the cutting edge, with vulnerabilities, exploits, and hands-on exercises not only in legacy components like 2G but also in the newest generations of radio networks, including LTE, NR, and IMS architectures.

Learning Objectives

  • Learning the fundamentals of cellular networks from 2G to 5G
  • Running networks and engaging with basebands via custom cellular traffic
  • Understanding baseband OS internals from a security perspective
  • Reverse engineering baseband OS firmware
  • Finding and analyzing remote baseband vulnerabilities and baseband pivot vulnerabilities
  • Debugging execution flows and developing exploits

Prerequisites

  • Familiarity with C and memory safety vulnerabilities
  • Experience in reverse engineering, RISC-like assembly (ideal: experience with Ghidra, ARM)
  • Experience in working with Android OS
  • Working proficiency in using Linux OS and Python

Hardware Requirements

  • x86 architecture laptop with:
    • Administrative ownership (BIOS access)
    • Minimum 2 USB-A ports (at least one USB 3.0)
    • Minimum 8GB RAM
    • At least 120GB of free space

Software Requirements

  • Native Ubuntu 22.04 installation (i.e. not a virtualization setup)
  • sudo rights (not prevented by corporate policy)
  • Internet access (not prevented by corporate policy)
  • Ghidra 11.1.2 installation
  • Installed utilities: ssh, git, adb, wireshark (additional package install requirements shared with participants pre-training)

Agenda

Day 1: Finding Baseband Vulnerabilities

  • Baseband reverse engineering: firmware extraction, RTOS analysis
  • Building tooling and automation with Ghidra, finding ways for debugging
  • Baseband attack surfaces 101, finding and analyzing bugs
  • Exercises: Spotting and triaging vulnerabilities

Day 2: Understanding Cellular Networks and Setting Up Test Environments

  • Detailed introduction to Radio Access Technologies, 2/3/4/5G protocols
  • Cellular protocol security, shortcomings and attack surfaces
  • Exercises: Running 2/4/5G/IMS networks using customized FOSS components
  • Exercises: Triggering vulnerabilities over-the-air

Day 3: Exploiting Baseband Vulnerabilities

  • Deep-dive of baseband OS internals and exploit mitigations
  • Fundamentals of baseband exploitation, building exploit primitives from bugs
  • Exercises: Exploiting an N-day baseband vulnerability for RCE

Day 4: Pivoting from Baseband to Android

  • Using baseband RCE in a chain: challenges and techniques for writing robust exploits
  • Attack surfaces for baseband pivot vulnerabilities
  • Android exploit development with a pivot attack vector
  • Exercises: Chaining N-day baseband pivot vulnerabilities with over-the-air RCE exploits

Bio

Daniel Komaromy (@kutyacica) has worked in the mobile security field his entire career, going on 15+ years of vulnerability research experience playing both defense and offense. He has won Pwn2Own, presented his research at industry leading conferences (like Black Hat, REcon, CanSecWest, Troopers, and Ekoparty), and disclosed scores of critical vulnerabilities in leading mobile vendors’ products. Daniel is the founder of TASZK Security Labs, a vulnerability research oriented security consultancy outfit, and he still follows the motto: there's no crying in baseband!

Laszlo Szapula (@LaTsa99) started as an intern at TASZK Security Labs and is now a full time member of the vulnerability research team, where he converts Ghidra projects and Club Mates into reverse engineered code. He is focused on the low-level security of Android based smartphones, including the kernel, hypervisors, trustzones and basebands. Latsa presented original research at top tier conferences like Off-by-One and Troopers and delivered exploitation trainings at OffensiveCon.

Limited Seats - Remember to reserve your ticket!