Fuzzing GSM for fun and profit

Presented at ToorCon San Diego 17 (2015), Oct. 25, 2015, noon (20 minutes)

Fuzzing GSM and layer protocols: The ultimate goal is a baseband remote. However, SMS’s SCKL message (binary content delivery over decimal) was fuzzed in this Faraday cage and yielded a java unhandled exception crash. If one could send a packet and gain kernel code execution, that would be useful for jailbreaking their phone. And nobody else’s. The reason is because such an exploit is worth more if sold as an exploit than if given away as a jailbreak (the vuln to which will be patched immediately). I will release the modified versions of OpenBTS + fuzzmod.c (my binary fuzzer) and fuzzsms.c, as well as higher up the stack.

Presenters:

• The Phr3$h Pr1nc3 0f Bellk0r3
  TBA

Similar Presentations:

• VB2019 / Play fuzzing machine - hunting iOS and macOS kernel vulnerabilities automatically and smartly
• Black Hat USA 2010 / Base Jumping: Attacking GSM Base Station Systems and Mobile Phone Base Bands