[guardian-dev] Baseband Attacks

Patrick Bx patrickbx at gmail.com
Tue Oct 2 19:17:10 EDT 2012


Just read: "Baseband Attacks: Remote Exploitation of Memory
Corruptions in Cellular Protocol Stacks" from the WOOT 12 workshop
held this August.
PDF:https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf

TL;DR: Baseband exploits are serious, numerious, and becoming more
accessible. Pirate GSM stations could relatively easily be created
such that almost any smartphone in contact with it is completely and
permanently owned.

Definitely recommend this read if your interested in the subject.

Some highlights and thoughts I took away from it:

This was a very informative and clear paper that explained how
baseband computers/radios function on smart phones and demonstrated
some excellent reverse engineering and bug finding. It gives you a
good idea of just how vulnerable basebands are and what you have
access to by exploiting them. Forget the idea that there is some
top-secret backdoor; these things are wide open and have direct access
to microphones, cameras, and often shared ram that can lead to pwning
of the application processor (android OS and user data).

-Baseband has its own CPU with direct access to the microphone and
camera. Often RAM is shared.

"Audio routing on the majority of chipsets is done on the baseband
CPU, which means that it has access to the built-in microphone;
similarly for built-in cameras"

-For those basebands with shared memory designs (many of the Qualcomm
platforms are done this way with Intel and Qualcomm making up 60% of
baseband computers) attacks on the baseband radio could lead to direct
control over the application CPU

-Attacks could perma-brick devices by writing to the NVRAM

Many of these bugs were fixed (out of the public eye) but it seems
that these attacks were just proof-of-concepts for a much larger base
of discovered exploits. Furthermore they did not look at baseband
stacks for 3g communications which have over a 1000 pages of
documentation to design and are likely riddled with even more vulns.
Who knows about how LTE is looking.

So more or less baseband stacks are currently crap and probably the
weakest layer of smartphone security besides the barrier to entry
(lack of information about baseband communication, and need of
specialized hardware) . We need open-source standardized hackable
basebands stacks that aren't tied up in licenses (ahem, Qualcomm). I
for one would like to see a swing back to WiMAX since it is my
understanding that LTE was mostly developed by borrowing from WiMAX to
create a liscensed and monopolized version. Cell networks are
increasingly becoming our portals to the internet yet it is all based
on closed, outdated, and highly insecure network stacks.

-Patrick


More information about the Guardian-dev mailing list