Blowing up the Celly - Building Your Own SMS/MMS Fuzzer

Presented at DEF CON 22 (2014), Aug. 10, 2014, 1 p.m. (30 minutes)

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and (incorrectly) handle a large number of data types, including various picture, audio, and video formats. To make matters worse, you are relying on the carriers to be your front line of defense against these types of attacks. Honestly, the mobile device sounds like it was custom built for remote exploitation. The question you should be asking yourself is: How do I find weaknesses in this attack surface? This talk will focus on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer. We will take an in-depth look at exercising this attack surface virtually, using emulators, and on the physical devices using OpenBTS and a USRP. To help ease your entry into researching mobile platforms, we will examine the messaging specifications along with the file formats that are available for testing. The value of vulnerabilities in mobile platforms has never been higher. Our goal is to ensure you have all the details you need to quickly find and profit from them.


  • Matt Molinyawe - Zero Day Initiative, HP Security Research
    Matt Molinyawe is a vulnerability analyst and exploit developer for HP’s Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability. He was also part of HP’s winning team at Pwn2Own/Pwn4Fun who exploited Internet Explorer 11 on Windows 8.1 x64. Prior to being part of ZDI, he worked at L-3 Communications, USAA, and General Dynamics - Advanced Information Systems. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. He also enjoys video games and has obtained National Hero status in QWOP and beat Contra using only the laser without dying a single time. Matt has a B.S. in Computer Science from the University of Texas at Austin.
  • Brian Gorenc - Zero Day Initiative, HP Security Research
    Brian Gorenc is the manager of Vulnerability Research in HP's Security Research organization where his primary responsibility is running the world’s largest vendor-agnostic bug bounty program, the Zero Day Initiative (ZDI). He’s analyzed and performed root cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. Brian’s current research centers on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Oracle, Novell, HP, open-source software, SCADA systems, and embedded devices. He has also presented at numerous security conferences such as Black Hat, DEF CON, and RSA.


Similar Presentations: