
Researchers Uncover 5G Baseband Vulnerabilities in Samsung and Google Devices
Researchers Ali Ranchber and Chen Yang from Pennsylvania State University presented findings at Black Hat on vulnerabilities in the 5G baseband firmware of Samsung and Google Pixel devices. Their work targeted the Non-Access Stratum (NAS) protocol, the layer between the handset and the core network that handles registration, session management and device mobility. NAS traffic is encrypted and integrity-protected once a security context has been established, but the identity and authentication exchanges that precede that point travel in the clear, so a base station the attacker controls can still deliver input to the baseband's NAS parsers.

They developed Loris, an emulation environment for Samsung's Shannon 5G basebands that integrates symbolic execution through the angr engine to drive state-aware fuzzing of 4G and 5G baseband code. The tool addressed two obstacles the team called out: protocol state dependencies (the handler for a given message is only reachable after earlier messages have advanced the state machine) and the complexity of C++ virtual method dispatch in the firmware. Targets could therefore be fuzzed without per-target manual setup.

Their fuzzing uncovered seven exploitable crashes, including heap and stack overflows, leading to remote code execution (RCE) and denial of service on real devices such as the Samsung Galaxy S21 and Google Pixel 6. Five of the vulnerabilities received CVEs, one of them rated critical. The attacks were validated over the air from a base station built with a USRP B210 software-defined radio and open-source base station software.

The researchers also highlighted how few exploit mitigations the basebands carry: no ASLR, and stack canaries weak enough to be bypassed by using a heap overflow to manipulate flags stored in non-volatile memory (NVM). Their methodology achieved more than double the code coverage of prior approaches, which they presented as evidence that automated tooling is needed to keep pace with growing baseband complexity.
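The two points above, that deep NAS handlers sit behind protocol state and that the crashes were length-handling overflows into heap memory, as an added illustration that is not the researchers' Loris code or any Samsung firmware. It is a constructed C model of a NAS-style handler: a toy state machine gates a configuration-update handler whose information-element copy trusts the over-the-air length byte, shown next to a bounds-checked version. The message type values, the IE layout, the 16-byte buffer and the adjacent "flag" byte standing in for a neighbouring heap object are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not Shannon firmware. A message is one type byte followed
 * by one TLV information element (IEI, length, value). The value is copied into
 * a fixed heap buffer; the byte right after it stands in for an adjacent heap
 * object (e.g. a persisted configuration flag) that an overflow would clobber. */
#define IE_VALUE_MAX 16

enum state { ST_DEREGISTERED, ST_AUTHENTICATING, ST_SECURE };

/* Message type values are assumed for the example, not taken from 3GPP tables. */
#define MSG_AUTH_REQ   0x56
#define MSG_SEC_MODE   0x5d
#define MSG_CONFIG_UPD 0x54

enum { RC_OK = 0, RC_WRONG_STATE = -1, RC_MALFORMED = -2, RC_TOO_LONG = -3 };

typedef struct {
    enum state st;
    uint8_t *region;   /* IE_VALUE_MAX bytes of IE storage, then one flag byte */
    uint8_t  ie_len;
} ue_ctx;

static void ue_init(ue_ctx *c) {
    c->st = ST_DEREGISTERED;
    c->region = calloc(IE_VALUE_MAX + 1, 1);
    c->ie_len = 0;
}
static void ue_free(ue_ctx *c) { free(c->region); }
static int  ue_flag(const ue_ctx *c) { return c->region[IE_VALUE_MAX]; }

/* Vulnerable: the length byte arrives over the air and is used unchecked.
 * Any length above IE_VALUE_MAX writes beyond the buffer (here into the flag). */
static int copy_ie_vulnerable(ue_ctx *c, const uint8_t *ie, size_t avail) {
    if (avail < 2) return RC_MALFORMED;
    c->ie_len = ie[1];
    memcpy(c->region, ie + 2, c->ie_len);
    return RC_OK;
}

/* Hardened: bound the destination by the buffer and the source by the message. */
static int copy_ie_hardened(ue_ctx *c, const uint8_t *ie, size_t avail) {
    if (avail < 2) return RC_MALFORMED;
    uint8_t len = ie[1];
    if (len > IE_VALUE_MAX) return RC_TOO_LONG;
    if ((size_t)len > avail - 2) return RC_MALFORMED;
    c->ie_len = len;
    memcpy(c->region, ie + 2, len);
    return RC_OK;
}

/* CONFIG_UPD is only handled in ST_SECURE, i.e. after earlier messages have
 * driven the state machine; a stateless fuzzer never reaches copy_ie_*. */
int handle_nas(ue_ctx *c, const uint8_t *msg, size_t len, int hardened) {
    if (len < 1) return RC_MALFORMED;
    switch (msg[0]) {
    case MSG_AUTH_REQ:
        if (c->st != ST_DEREGISTERED) return RC_WRONG_STATE;
        c->st = ST_AUTHENTICATING;
        return RC_OK;
    case MSG_SEC_MODE:
        if (c->st != ST_AUTHENTICATING) return RC_WRONG_STATE;
        c->st = ST_SECURE;
        return RC_OK;
    case MSG_CONFIG_UPD:
        if (c->st != ST_SECURE) return RC_WRONG_STATE;
        return hardened ? copy_ie_hardened(c, msg + 1, len - 1)
                        : copy_ie_vulnerable(c, msg + 1, len - 1);
    default:
        return RC_MALFORMED;
    }
}

/* One constructed session: optional handshake, then a CONFIG_UPD whose IE
 * declares declared_len bytes and actually carries body_len bytes of 0x01. */
static int session(int hardened, int skip_handshake, uint8_t declared_len,
                   size_t body_len, int *flag_out) {
    ue_ctx c;
    uint8_t msg[3 + 255];
    msg[0] = MSG_CONFIG_UPD;
    msg[1] = 0x01;           /* IEI, assumed */
    msg[2] = declared_len;
    memset(msg + 3, 0x01, body_len);
    ue_init(&c);
    if (!skip_handshake) {
        uint8_t auth = MSG_AUTH_REQ, sec = MSG_SEC_MODE;
        handle_nas(&c, &auth, 1, hardened);
        handle_nas(&c, &sec, 1, hardened);
    }
    int rc = handle_nas(&c, msg, 3 + body_len, hardened);
    *flag_out = ue_flag(&c);
    ue_free(&c);
    return rc;
}

/* Entry points: return code of the final message, and the adjacent flag byte. */
int session_rc(int hardened, int skip_handshake, uint8_t declared_len, size_t body_len) {
    int f; return session(hardened, skip_handshake, declared_len, body_len, &f);
}
int session_flag(int hardened, int skip_handshake, uint8_t declared_len, size_t body_len) {
    int f; (void)session(hardened, skip_handshake, declared_len, body_len, &f); return f;
}

int main(void) {
    printf("no handshake, vulnerable: rc=%d\n", session_rc(0, 1, 8, 8));
    printf("17-byte IE, vulnerable:   rc=%d flag=%d\n", session_rc(0, 0, 17, 17), session_flag(0, 0, 17, 17));
    printf("17-byte IE, hardened:     rc=%d flag=%d\n", session_rc(1, 0, 17, 17), session_flag(1, 0, 17, 17));
    printf("truncated IE, hardened:   rc=%d\n", session_rc(1, 0, 10, 4));
    return 0;
}
```

The first call shows why state awareness matters: the same oversized message is dropped with RC_WRONG_STATE unless the handshake has run, so a fuzzer that cannot reach ST_SECURE never exercises the copy at all. With the handshake in place, the unchecked copy returns RC_OK while silently setting the neighbouring flag byte; the hardened copy rejects the same input before touching memory, and also rejects an IE whose declared length exceeds what the message actually carries.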