FirmWire: Taking Baseband Security Analysis to the Next Level

Presented at CanSecWest 2022, May 19, 2022, 2:15 p.m. (60 minutes)

This talk will provide an introduction to FirmWire, our open-source emulation platform for cellular baseband images. The platform allows researchers to dynamically debug, introspect, and interact with complex baseband firmware, providing insights into its inner workings in real time. FirmWire’s integrated ModKit builds upon these capabilities to create and inject custom tasks inside the emulated baseband. We leverage this ModKit to enable full-system fuzzing via AFL++ by creating custom fuzzing tasks that interact with the host through special hypercalls. With this setup, we uncovered one pre-authentication vulnerability in MediaTek's MTK and several pre-authentication vulnerabilities in the LTE and GSM stacks of Samsung’s Shannon baseband implementation, affecting millions of devices. FirmWire is the outcome of a more than two-year-long international research collaboration between the University of Florida, Vrije Universiteit Amsterdam, TU Berlin, and Ruhr-University Bochum. We will release it to the public in 2022.

Presenters:

  • Grant Hernandez - Security Researcher
    Grant is a mobile vulnerability researcher. He previously worked on Qualcomm's QPSI OTA team with a focus on modem security. He completed his PhD on embedded firmware analysis in 2020 at the University of Florida, where he explored symbolic execution of USB firmware, exposed how AT commands are used on Android devices, recovered Android security policies from firmware, and built a baseband emulation platform, FirmWire.
  • Marius Muench - Vrije Universiteit Amsterdam
    Marius is a postdoctoral researcher at Vrije Universiteit Amsterdam. His research interests cover (in-)security of embedded systems, as well as binary and microarchitectural exploitation. He obtained his PhD from Sorbonne University in cooperation with EURECOM. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, which is also used within the FirmWire project.
  • Dominik Maier - Google
    Dominik is part of the open-source AFLplusplus project, which maintains the AFL++ and LibAFL fuzzing frameworks. During his PhD at TU Berlin he worked on fuzzing unusual targets, including cellular basebands. He recently joined Google. In his spare time he likes to travel.
