Daniel Komaromy

Baseband Vulnerability Engineering For Security Professionals


Trainer: Daniel Komaromy

Date: 30th Oct to 01st Nov 2023

Time: 9:00am to 5:00pm CEST

Venue: Marriott Hotel, The Hague, Netherlands

Training Level: Advanced


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

In the ~15 years since the launch of the Osmocom and OpenBTS projects (2008), "Fuzzing the Phone in your Phone" (2009), and "All Your Basebands Are Belong To Us" (2010), hackers, vendors, academia, and also offensive security companies and their LEA clients have been turning increasing attention to the baseband as a binary exploitation attack vector.

In that time, scores of quality presentations have been published (some, we offer with false modesty, by yours truly), vendors and standardization bodies raised the security bar in meaningful ways, and the perception shifted from baseband research being met perhaps with "woah, sick!" to being called "not that difficult".

But also during this time, the gap between the challenges addressed by research demonstrations and those of operational use has been growing. Alas, the difficulties in going from the former to the latter will be the focus of our training.

In this course, students will learn through hands-on exercises how to set up and operate rogue cellular networks with various radio access technologies, using open source components and software-defined radios; how to use them for mobile intercept attacks; how to make modifications for generating malicious traffic via programming interfaces; and how to open up devices for static and dynamic baseband firmware analysis.

The training will include multitudes of case studies on the attack surfaces, vulnerabilities, and hardening measures of various mainstream baseband implementations and challenge students with hands-on exercises for identifying and realizing baseband vulnerabilities.

All throughout, the material will cover approaches, techniques, and tools for addressing the various challenges associated with developing and maintaining baseband vulnerability chains for operational use.

Our training is built on content that is original (includes vulnerabilities of ours that vendors have fixed from our disclosures but we have not yet described publicly), fresh (uses baseband and network component variants and vulnerabilities from 2022 and 2023), and diverse (considers the implementations of Samsung, Mediatek, and Huawei).


What to Expect? | Key Learning Objectives:

  • Learn about:
    • cellular network architectures and protocols from 2G to 5G
    • complexities of realizing mobile intercept attacks IRL
    • baseband OS internals from a security perspective
    • over-the-air baseband attack surfaces
    • in-depth case studies of vulnerabilities and baseband hardening
    • baseband sandbox escape attack surfaces inside System-on-Chip designs
    • engineering challenges of constructing and maintaining baseband chains
  • Hands-on exercises in:
    • running operational rogue networks
    • identifying and analyzing vulnerabilities in firmware
    • realizing vulnerabilities over the air, and vulnerabilities for compromising the system from the baseband

Training Detailed Description:

Day 1: Running Rogue Networks

  • cellular remote attack surface (2/3/4/5G): theory
  • running networks, implementing circuit and data switched services: theory and exercises
  • interception with a rogue network

Day 2: RCE Bug Hunting

  • finding RCE vulns in baseband OSes - reverse engineering and automation: theory
  • dealing with firmware variants: theory and exercises
  • find a vulnerability in binary code: exercise (MediaTek vulnerability in 2G)
  • find a vulnerability using patch diffing: exercise (Samsung vulnerability in LTE)
  • triggering RCE vulnerabilities - assembling and delivering over-the-air PoCs and inspecting the execution flow: theory and exercises (using the above bugs)

Day 3: Full Chain Exploitation

  • baseband mitigations vs exploit primitives: theory
  • challenges of maintenance and reliability at scale: theory
  • baseband sandbox escapes attack surface: theory
  • build a functional SBX exploit: exercise

Who Should Attend? | Target Audience:

Product Security Engineers

Security Researchers


What to Bring? | Software and Hardware Requirements:

MUST

Workstation that has:

  • access to the internet (not prevented by corporate policy)
  • ability to run natively (not virtualized) standard Linux utilities (ssh, adb, lxc, docker) and Ghidra
  • at least 2 USB-A ports

IDEAL

  • Stock Ubuntu 22.04 running natively (not virtualized)

What to Bring? | Prerequisite Knowledge and Skills:

MUST

  • knowledge of C, Python, RISC-like assembly
  • experience in reverse engineering and memory safety vulnerabilities
  • experience in working with Android OS
  • working proficiency in commodity Linux OS as a development platform

IDEAL

  • experience with Ghidra
  • experience with ARM and MIPS assembly

Resources Provided at the Training | Deliverables:

documentation: theory slides, lab exercise manuals

training kit: smartphone and SDR devices needed for the exercises

For congestion management and optimal learning experience, exercises using SDRs and phones will be carried out in pairs.


ABOUT THE TRAINERS

Daniel Komaromy (@kutyacica): Daniel has worked in the mobile security field his entire career, going on 15+ years of vulnerability research experience playing both defense and offense. At Qualcomm, he hunted baseband 0-days, authored exploit mitigations, trained developers, and fought the SDLC machine. Later, he worked as a security consultant in the automotive security industry, followed by years of playing offense at Pwn2Own, CTFs around the world, and also for real. He has disclosed scores of critical vulnerabilities in leading mobile vendors' products and presented his research at industry-leading conferences (like Black Hat, REcon, and Ekoparty). Today he is the founder and director of security research at TASZK Security Labs, a vulnerability research oriented security consultancy outfit, and he still follows the motto: there's no crying in baseband!