We often believe that bypassing the security mechanisms of 3G/LTE is merely an academic challenge because a secure communication channel is established between the user and the cellular base station upon connection. Even if someone could bypass these mechanisms, discover a vulnerability in the modem, and execute their code on it, it supposedly wouldn’t compromise the device’s business logic. This logic (like user applications, browser history, calls, and SMS on a smartphone) resides on the Application processor (AP) and supposedly cannot be accessed from the modem. Or can it?

To find this out, we conducted a security research of a modern Unisoc UIS7862A SoC featuring an embedded 2G/3G/4G modem and as a result discovered several critical vulnerabilities across different layers of the cellular protocols stack. More over we found hardware backdoor that allow us to easily bypass security restrictions and gain access to AP RAM through CP code execution. In our presentation, we will demonstrate how the entire SoC can be completely compromised via just a single 0-day RCE vulnerability in the modem. We will detail the steps we took to:

1. Use 0-day vulnerabilities to gain arbitrary code execution on the modem (Communication Processor – CP).
2. Compromise the host OS (AP) through DMA attack from CP to AP via a code execution on the modem.
3. Remotely install and run DOOM on an Android device as a full-chain proof of concept of the described vulnerabilities.

It is important to note, that some of the discovered vulnerabilities are impossible to fix in the already produced devices, because their source lays in the hardware architecture of the SoC itself, and thus can not be fixed with a software update. The demonstrated full chain Proof-of-Concept of starting from gaining remote code execution on the modem, and subsequent complete compromise of the Application Processor, is also the first such PoC to be publicly demonstrated.