Practical Baseband Exploitation

23rd - 25th September 2019 | 3 Days


Nitay Artenstein & Anna Dorfman

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult, almost mythical objective.

In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and OpenBTS, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Detailed Syllabus:

Day 1:

    1. Introduction to communication processors
    • The evolution and challenges of communication systems
    • Baseband processors: An architecture overview
    • MAC and network layers
    • CP architectures: Broadcom, Qualcomm, MediaTek, Samsung
    • Samsung's baseband chip: Shannon
    • MediaTek's baseband and Nucleus RTOS

    2. Code extraction and initial analysis
    • Challenges of baseband code extraction
    • Getting the firmware
    • Initial analysis: Parsing the firmware header
    • Loading into IDA: Base addresses and program segmentation

    3. Achieving initial read primitives, basic code analysis
    • Bypassing code signing in Shannon
    • AT commands as a Shannon attack surface
    • Identifying functions and symbols in the code and writing a function mapping script
    • Extracting debug strings and parsing them to name functions in the IDB

    4. Debugging
    • Conditions for building a debugger
    • Getting RWX permissions
    • Hooks: Using our multi-platform hooking framework

Day 2:

    1. Introduction to GSM, GPRS and UMTS
    • Guide to the relevant 3GPP protocols
    • Working with the specs
    • Determining the protocol attack surface

    2. Shannon: Static analysis and an architecture overview
    • Tasks, memory management and code structure
    • Debugging functionality
    • Samsung IPC: Talking to the Application Processor

    3. MediaTek: A comparison with Shannon
    • Nucleus OS: implementation in MediaTek
    • Debugging the MediaTek baseband
    • Interaction with the AP

    4. Getting ready to attack: Setting up a fake base station with USRP B210 and OpenBTS

Day 3:

    1. Identifying GSM, GPRS and UMTS attack surfaces in Shannon and MediaTek

    2. The CC, SS and SMS protocols
    • Packet structure and PCAP analysis
    • Identifying packet handlers in the baseband code

    3. Finding a Shannon stack overflow N-day

    4. Trigger and exploitation
    • Modifying OpenBTS to send a custom packet
    • Exploiting a stack overflow bug to achieve code execution

Course Requirements:

  • C and Python
  • Good reverse engineering knowledge
  • Recommended: ARM assembly
  • IDA Pro required (freeware version not adequate since it doesn't support ARM)

About the Trainers:

Nitay Artenstein is a security researcher in the fields of reverse engineering, exploit development and vulnerability research. His fields of interest include reverse engineering embedded systems and bug hunting in the Linux kernel. For the past seven years, he has been working mainly on exploiting Android devices. He suffers from a severe addiction to IDA Pro, and generally gets a kick out of digging around where he's not supposed to.

Anna Dorfman is a security researcher who's also a cryptography enthusiast. In her previous roles at Versafe (now F5 Networks), Kaspersky Labs and as an independent researcher, she carried out a variety of projects focusing on reverse engineering x86 and ARM, malware research and embedded systems vulnerability research. She has given talks at ReCon, VirusBulletin and other conferences, presenting RE tools and the results of recent research.