Fuzzing GSM for fun and profit

Presented at ToorCon San Diego 17 (2015), Oct. 25, 2015, noon (20 minutes)

Fuzzing GSM and its layer protocols: the ultimate goal is a baseband remote. In this case, SMS's SCKL message (binary content delivery over decimal) was fuzzed inside a Faraday cage and yielded a Java unhandled-exception crash. If one could send a packet and gain kernel code execution, that would be useful for jailbreaking one's own phone. And nobody else's. The reason is that such an exploit is worth more if sold as an exploit than if given away as a jailbreak (the vulnerability behind which would be patched immediately). I will release the modified versions of OpenBTS + fuzzmod.c (my binary fuzzer) and fuzzsms.c, as well as higher up the stack.


