
New Video from @BlackHatOfficialYT Explores Smartphone Baseband Vulnerabilities
In this video, Marius and Dion explore vulnerabilities in smartphone basebands, focusing on layer 2 of the GSM protocol stack. They discuss the challenges they faced while setting up their fuzzing tests and the results they obtained, including crashes reproduced on real phones.

A smartphone contains several processors, among them the application processor (AP) and the cellular processor (CP). The CP, commonly called the baseband, is responsible for radio connectivity and runs millions of lines of proprietary code, which makes it an attractive target for attackers. The researchers used the FirmWire framework to emulate cellular modem firmware and inject test packets into the different layers of the GSM protocol stack.

The GSM protocol stack is divided into several layers: the physical layer (layer 1), the data link layer (layer 2) and the network layer (layer 3). Layer 2, known as LAPDm, frames layer 3 messages for the air interface, segmenting messages that do not fit in one frame and concatenating the segments again before handing the reassembled message to the higher layers. The researchers targeted this layer for their fuzzing tests, using messages with specific protocol discriminators to direct them to the appropriate tasks in the cellular stack.

One of the main challenges was managing the complex state of the baseband. The researchers had to initialize tasks correctly and supply the magic constants that a message must carry before the stack will process it at all. They also had to manage specific data structures to avoid state conflicts. With that in place, they were able to pass messages through the cellular stack and observe the results.

After overcoming these challenges, the researchers confirmed the vulnerabilities they had found by reproducing them on real phones. They used open-source tools to set up a fake base station and send the crashing messages to the phones. The crashes discovered in emulation also appeared on newer devices, which is a significant finding.
The vulnerabilities found include heap-based buffer overflows, null pointer dereferences and stack-based buffer overflows. They affect different layers of the protocol and different phone models, underlining how much the security of cellular stacks still matters. In conclusion, the researchers emphasize the importance of handling state when overcoming fuzzing obstacles, especially when traversing communication stacks. They recommend disabling 2G where possible, since, despite years of research, critical vulnerabilities persist in these legacy stacks.
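The LAPDm framing, segment concatenation and protocol-discriminator routing described above, together with the overflow classes listed, as an added example written for this page. This is not FirmWire code and not the crashes from the talk: the frame layout follows 3GPP TS 44.006 (address, control and length octets, then a 20-octet information field padded with 0x2B), but the 251-octet reassembly bound, the task names, the helper names and the sample octets are assumptions constructed for the example. An unchecked reassembly is shown beside a bounded one to make the bug shape concrete.

```c
/* Added example for this page (not FirmWire code, not the talk's finding):
 * parse GSM LAPDm B-format frames, reassemble segmented layer-3 messages and
 * dispatch on the layer-3 protocol discriminator. reasm_unchecked() is the
 * generic bug shape, not a reproduction of any real baseband crash. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LAPDM_B_FRAME_LEN 23
#define LAPDM_MAX_INFO    20
#define LAPDM_PAD         0x2B
#define L3_MAX_MSG        251   /* assumed bound for one reassembled L3 message */

typedef struct {
    uint8_t sapi;           /* 0 = RR/MM/CC signalling, 3 = SMS */
    char    type;           /* 'I', 'S' or 'U' frame */
    uint8_t len;            /* L field: information octets present */
    uint8_t more;           /* M bit: another segment of this L3 message follows */
    const uint8_t *info;
} lapdm_frame;

/* 0 on success, -1 on a malformed frame. Checks the EA/EL extension bits and
 * that L fits the 20-octet field, the check an unchecked stack would skip. */
int lapdm_parse(const uint8_t *buf, size_t n, lapdm_frame *f)
{
    if (n != LAPDM_B_FRAME_LEN) return -1;
    uint8_t addr = buf[0], ctrl = buf[1], li = buf[2];
    if ((addr & 0x01) != 1 || (li & 0x01) != 1) return -1;   /* EA and EL bits */
    f->sapi = (addr >> 2) & 0x07;
    f->type = (ctrl & 0x01) == 0 ? 'I' : (ctrl & 0x03) == 1 ? 'S' : 'U';
    f->len  = li >> 2;
    f->more = (li >> 1) & 0x01;
    if (f->len > LAPDM_MAX_INFO) return -1;
    f->info = buf + 3;
    return 0;
}

typedef struct { uint8_t buf[L3_MAX_MSG]; size_t used; } l3_reasm;

/* Unchecked reassembly: trusts L and M straight off the air. Heap or stack
 * overflow depends only on where the l3_reasm lives. Bug-class illustration. */
int reasm_unchecked(l3_reasm *r, const lapdm_frame *f)
{
    memcpy(r->buf + r->used, f->info, f->len);
    r->used += f->len;
    return f->more ? 0 : 1;
}

/* Bounded reassembly: -1 rejects (and resets, so a hostile base station
 * cannot leave state half-filled), 0 = more segments expected, 1 = complete. */
int reasm_checked(l3_reasm *r, const lapdm_frame *f)
{
    if (f->len > L3_MAX_MSG - r->used) { r->used = 0; return -1; }
    memcpy(r->buf + r->used, f->info, f->len);
    r->used += f->len;
    return f->more ? 0 : 1;
}

/* Low nibble of the first L3 octet is the protocol discriminator that routes
 * the message to a task: 0x6 RR, 0x5 MM, 0x3 CC, 0x9 SMS. */
const char *l3_task_for_pd(uint8_t first_octet)
{
    switch (first_octet & 0x0F) {
    case 0x06: return "RR";
    case 0x05: return "MM";
    case 0x03: return "CC";
    case 0x09: return "SMS";
    default:   return "unknown";
    }
}

/* Build a B-format I frame (N(R)=0, P=0, C/R=0) as test or fuzz input; `len`
 * goes into L unclamped so oversized length claims can be generated. */
void lapdm_build(uint8_t out[LAPDM_B_FRAME_LEN], uint8_t sapi, uint8_t ns,
                 uint8_t len, uint8_t more, const uint8_t *info)
{
    memset(out, LAPDM_PAD, LAPDM_B_FRAME_LEN);
    out[0] = (uint8_t)(((sapi & 7) << 2) | 0x01);
    out[1] = (uint8_t)((ns & 7) << 1);
    out[2] = (uint8_t)((len << 2) | (more << 1) | 0x01);
    size_t n = len > LAPDM_MAX_INFO ? LAPDM_MAX_INFO : len;
    if (info && n) memcpy(out + 3, info, n);
}

int main(void)
{
    /* Constructed sample: one MM-discriminated message split over two frames. */
    static const uint8_t l3[LAPDM_MAX_INFO] = { 0x05, 0x18, 0x01 };
    uint8_t fr[LAPDM_B_FRAME_LEN];
    lapdm_frame f;
    l3_reasm r = { {0}, 0 };
    lapdm_build(fr, 0, 0, 2, 1, l3);
    if (lapdm_parse(fr, sizeof fr, &f) == 0) reasm_checked(&r, &f);
    lapdm_build(fr, 0, 1, 3, 0, l3 + 2);
    if (lapdm_parse(fr, sizeof fr, &f) == 0 && reasm_checked(&r, &f) == 1)
        printf("reassembled %zu octets -> task %s\n", r.used, l3_task_for_pd(r.buf[0]));
    lapdm_build(fr, 0, 2, 40, 0, l3);   /* fuzz-style frame: L claims 40 octets */
    printf("oversized L rejected: %s\n", lapdm_parse(fr, sizeof fr, &f) ? "yes" : "no");
    return 0;
}
```

A fuzzer targeting this layer mutates exactly the fields lapdm_build() exposes: the L and M bits of the length octet, the SAPI, and the information field carrying the protocol discriminator. The two reassembly routines show what the mutation buys: with reasm_unchecked() a sequence of M=1 segments keeps appending past the buffer, which is the heap or stack overflow class named above; reasm_checked() refuses the overrun and clears the partial state.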