Did I hear a shell popping in your baseband?
Category: Vulnerability Research
Summary: While the majority of baseband vendors use lightweight real-time operating systems, there is a chipset vendor with substantial market share in China that uses a POSIX-compliant operating system.
In recent years, Android smartphones using this chipset have also seen increased adoption outside of China; moreover, a German premium car manufacturer allegedly inked a deal to exclusively use chips from this chipset vendor for cellular connectivity.
In this talk I will show how to:
* find your own over-the-air exploitable bugs in this cellular stack (not just limited to GSM)
* gain local access to a shell interface on the baseband chip
* use the built-in debugging facilities to help writing exploits
* inject a Lua interpreter and use the compromised baseband as a pivot, either towards the network or towards the application processor.
Moreover, I will explain why this platform is ideal for further offensive research on the cellular air interface.