Did I hear a shell popping in your baseband?

Author(s): Ralf-Philipp Weinmann
Category: Vulnerability Research
Duration: 45
Summary: While the majority of baseband vendors use lightweight real-time operating systems, there's a chipset vendor with substantial market share in China that uses a POSIX-compliant operating system.

In recent years, Android smartphones using this chipset have also seen increased adoption outside of China; moreover, a German premium car manufacturer allegedly inked a deal to exclusively use chips from this chipset vendor for cellular connectivity.

In this talk I will show how to:

* find your own over-the-air exploitable bugs in this cellular stack (not just limited to GSM)
* gain local access to a shell interface on the baseband chip
* use the built-in debugging facilities to help write exploits
* inject a Lua interpreter to use the compromised baseband as a pivot, either towards the network or towards the application processor.

Moreover, I will explain why this platform is ideal for further offensive research on the cellular air interface.


Comments

jaisonyi

this is a cool talk...and the demonstration will be very interesting


citizenx

Previous talks on the same subject (by various authors) were very light on the details.