Mobile phones are integrated parts of today's society. To connect to cellular networks, they use specialized baseband processors, which expose a large attack surface due to their wireless nature and the many types of supported mobile generations. Over the last decade, security research discovered plenty of flaws in these devices with devastating consequences, such as remote compromise via SMS.
One especially powerful tool for vulnerability discovery proved to be emulation of the baseband's firmware. However, as we will show, most prior efforts focus either on emulating single components and parsers or only on network-layer (Layer-3) protocols and messages. In this talk, we take a different approach and explore the attack surface exposed by Layer-2, with a focus on GPRS. Despite the availability of more recent cellular communication technologies, GPRS stacks are still present in today's phones and provide a lucrative attack surface.
We will discuss how we got acquainted with Layer-2 data frames and how we used our insights to create fuzzing harnesses within the FirmWire framework. Due to the structure of the cellular network stack, our approach resulted in simultaneous fuzzing of Layer-3 tasks. Our approach led to the discovery of multiple high and critical-severity vulnerabilities in already well-explored parts of the cellular stack in modern Samsung and Google phones.
This talk will highlight our findings, including tales from the vulnerabilities we found and from modern baseband defenses. We also discuss how we verified over-the-air that our zero days, freshly discovered at the time, were present in recent smartphones, including the latest generation of flagship phones.
Dyon Goos is an Independent Researcher and holds a Master's degree in Computer Science from the Vrije Universiteit Amsterdam. He is interested in the security of embedded devices and his main research areas cover fuzzing and reverse engineering cellular baseband stacks. Currently, Dyon is working as an Independent Researcher on analyzing basebands.
Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.