Over the Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones

Presented at Black Hat USA 2021, Aug. 5, 2021, 3:20 p.m. (40 minutes)

In recent years we have seen the widespread adoption of 5G cellular networks across consumer devices, IoT, and critical infrastructure. Estimates of the number of devices connected to a 5G network vary, but statistics show they are widely present in the market. To join the 5G network, every one of these devices must be equipped with a 5G modem, which is in charge of modulating the signal and implementing the radio protocols. This component is also commonly referred to as the "baseband".

It is of enormous importance to secure these components: they process untrusted data from a radio network, which makes them particularly attractive to a remote attacker.

In our previous work at Black Hat US 2018, we examined the security of modems for previous-generation networks (2G, 3G and 4G) and achieved full remote code execution over the air.

In this talk, we will explore what changed with 5G networks: what improved in terms of security and what did not. We will demonstrate that it is still possible to fully compromise a 5G modem over the air and gain remote code execution on a new 5G smartphone.

Presenters:

  • Xingyu Chen - Security Researcher, Keen Lab of Tencent
    Xingyu Chen (@0xKira233) is a security researcher at Keen Lab of Tencent. He has a strong interest in bug hunting and currently focuses on virtualization and mobile security. He has found many critical vulnerabilities in different cloud products and in low-level firmware in smartphones. He is also a CTF player in team eee & A*0*E, which participated in DEF CON 25 & 26. He has spoken at conferences such as OffensiveCon, Zer0Con, and Tensec.
  • Marco Grassi - Senior Security Researcher, Keen Lab of Tencent
    Marco Grassi (@marcograss) is currently a Senior Security Researcher at Keen Lab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo at Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target, with a sandbox escape to root. He is a member of the team that won the title of "Master of Pwn" at Pwn2Own 2016. He found a VMware escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi exploit at Mobile Pwn2Own 2017, where the team was awarded "Master of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.