All Your Baseband Are: over-the-air exploitation of memory corruptions in GSM software (slides, Dienstag 30. Nov. 10)
Ralf-Philipp Weinmann, Laboratory for Algorithmics, Cryptology & Computer Security, University of Luxembourg



  2. All Your Baseband Are: over-the-air exploitation of memory corruptions in GSM software
  Ralf-Philipp Weinmann, Laboratory for Algorithmics, Cryptology & Computer Security, University of Luxembourg, https://cryptolux.org

  3. Outline
  • GSM / Smartphone basics
  • Baseband software (in)security
  • How to find bugs
  • Practicality of exploitation
  • Scenarios for the “baseband apocalypse”
  • Disclosure, outlook & conclusions

  4. Part I: GSM and smartphone basics

  5. Lay of the GSM/UMTS land (diagram)
  MS (Mobile Station) --- Um (air) interface --- BTS (base transceiver station) [usually located at cell tower] --- links to outside world [BSCs, VLR, HLR/AUC, SS7]

  6. Layers of the GSM Um
  • Layer 3: Connection Management (CM), Mobility Management (MM), Radio Resource (RR)
  • Layer 2: LAPDm
  • Layer 1

  7. Smartphones
  • Sometime in the late 20th century, PDAs and cellular phones merged
  • Result: smartphones
  • Have driven PDAs into extinction
  • Usually a multi-CPU architecture: application processor (APP) and baseband (BB) processor
  • In 99% of all cases, ARM CPUs used for both
  • Trend: single-chip APP/BB (for cost

  8. Dominant smartphone architectures (diagram)
  • Left: Application Processor with its own RAM, linked by serial communication to a Digital Baseband Processor with its own RAM
  • Right: Application Processor (slave) and Digital Baseband Processor (master) using shared memory

  9. Let’s do some quick market research before we dive into the technical details...

  10. Baseband market shares 3Q2009 (chart)
  Vendors shown: Qualcomm, Mediatek, Texas Instruments, ST-Ericsson, Infineon, Broadcom, Freescale, Other
  Source: Strategy Analytics (Cellular Baseband Suppliers & their 3Q’09 shipment share)

  11. Part II: Baseband (in)security

  12. Baseband (in)security
  • Code base created in the 1990s…
  • … with a 1990s attitude towards security
  • Network elements are considered trusted
  • Both GSM and UMTS protocols have many, many length fields
  • (Almost) no exploit mitigations [one counter-example: XMM6180 on iPhone4 has hardware DEP enabled]

  13. I know you forgot what the GSM protocol stack looks like, so let’s see it once more before we proceed.

  14. Layers of the GSM Um
  • Layer 3: Connection Management (CM), Mobility Management (MM), Radio Resource (RR)
  • Layer 2: LAPDm
  • Layer 1

  15. Where to look for bugs
  • Layer 1 not fruitful
  • Layer 2: messages too short
  • Layer 3: specified in GSM 04.08
    – allows for variable length messages (TLV and LV)
    – Maximum length: 255 octets (length field: one octet)
  • However: ASN.1 used as well (e.g. RRLP)
  • GPRS layer very fruitful as well
    – GPRS not supported by OpenBTS
    – layer 1 different

  18. Initial Targets
  • Apple iPhones (Infineon baseband)
  • HTC Dream [G1] (Qualcomm baseband)
  Image credits: Yutaka Tsutano, Jose A. Gelado

  19. How were the bugs found?
  • Fuzzing was not successful
    – Lots of crashes, but no easy way to triage
  • Static analysis
  • No source code publicly available
    – exception: TSM30 src was available for some years
  • Conclusion: reverse-engineer binaries

  20. How do we start?
  • Firmware updates often contain baseband firmware as well
  • Packed multiple times, need to extract
  • Tools for iPhone and HTC phones to do that
  • Qualcomm firmwares: ELF files
  • Infineon needs custom loaders/relocator
  • Later: ability to dump memory/MMU

  21. Reverse-engineering
  • Bootstrap: use BinDiff to port symbols from known libraries (i.e. compiler runtimes)
  • Identify functions that do memory transfers using REIL and BinNavi
  • Lots of strings and assertions (!) in firmwares
  • Often: clean-cut regions for RR/MM/AT command parser in binary

  22. More reversing
  • Identified functions handling GSM frames
    – Problem: apparently different tasks
    – Assertions/logging functions very helpful

  23. Types of bugs found
  • Many, many unchecked memory copies (can be found in binary once memcpy() et al. identified)
  • Object/structure lifecycle issues (e.g. use after free, uninitialized variables, state engine confusion), can lead to infoleaks as well
  • Protocol foo-bars: Code paths normally used for UMTS / CDMA can be triggered using GSM frames

  24. An example (in ICE)
  • TMSI reallocation:
    – TMSI always, always, always is 32 bits
    – nonetheless encoded as TLV
  • Infineon stack uses length in L3 packet
  • Results: heap overflow
  • Somewhat tricky to exploit in stable way
  • iPhone 2/3G/3GS vs. iPhone 4: different RTOS
    – old iPhones: Nucleus
    – iPhone 4: ThreadX

  25. An example (in QCOM)
  • GSM & UMTS use challenge-response auth
  • Originally: fixed-length challenge in GSM
    – 16 bytes RAND
  • 3GPP specification 24.008 added variable length challenge (AUTN)
  • Functionality not needed in GSM!
  • Allows to overwrite stack (limit 251 bytes)
  • Result: remote code exec, pre-auth
  • QCOM fixed after disclosure (pushed to OEMs)
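The two length-field bugs on slides 24 and 25 (a TLV-encoded TMSI whose length octet is trusted although the value is always 32 bits, and an over-long variable-length AUTN reaching the stack) share one root cause: the L3 length octet is used to size the copy. The hardened parser below is an added example, not code from the talk or from any Infineon/Qualcomm stack; the IEI values 0x18/0x20, the 16-octet AUTN bound and all frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example with hypothetical names; IEI values and AUTN_MAX are constructed. */
#define TMSI_LEN 4    /* TMSI is always 32 bits, whatever the TLV length octet says */
#define AUTN_MAX 16   /* bound we accept for the variable-length AUTN value */
struct ms_state {
    uint8_t tmsi[TMSI_LEN];
    uint8_t autn[AUTN_MAX];
    size_t  autn_len;
};

/* Parse one TLV IE (IEI, one-octet length, value) into out. Returns octets consumed, or -1
 * if the length exceeds the frame, differs from a required fixed size (fixed > 0), or outcap. */
static int parse_tlv(const uint8_t *buf, size_t buflen, uint8_t iei, size_t fixed,
                     uint8_t *out, size_t outcap, size_t *outlen)
{
    if (buflen < 2 || buf[0] != iei)
        return -1;
    size_t len = buf[1];          /* attacker-controlled: never use it unchecked */
    if (len > buflen - 2)
        return -1;                /* truncated frame: would read past the message */
    if (fixed && len != fixed)
        return -1;                /* fixed-size value with a different length octet */
    if (len > outcap)
        return -1;                /* would overflow the destination buffer */
    memcpy(out, buf + 2, len);
    *outlen = len;
    return (int)(2 + len);
}

/* TMSI reallocation: TLV on the wire, but the value must be exactly 4 octets;
 * the message is dropped and state left untouched on any mismatch. */
int handle_tmsi_realloc(struct ms_state *st, const uint8_t *l3, size_t l3len)
{
    uint8_t tmp[TMSI_LEN];
    size_t n;
    if (parse_tlv(l3, l3len, 0x18, TMSI_LEN, tmp, sizeof tmp, &n) < 0)
        return -1;
    memcpy(st->tmsi, tmp, TMSI_LEN);
    return 0;
}

/* Variable-length AUTN: the copy is bounded by the destination size, so an
 * over-long value (e.g. 251 octets) is rejected instead of overwriting memory. */
int handle_autn(struct ms_state *st, const uint8_t *l3, size_t l3len)
{
    return parse_tlv(l3, l3len, 0x20, 0, st->autn, AUTN_MAX, &st->autn_len) < 0 ? -1 : 0;
}
```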

  26. Baseband Exploitation
  • Baseband: what operating system?
  • Unlock teams often have good info on this (iPhone dev team, XDA developers)
  • Locate buffers used for GSM L3 messages
  • Write custom code or use existing features (e.g. AT+S0=x handler in Infineon baseband)
  • Debugging is hard, write own debugger

  27. The AT+S0=n feature
  • Hayes command to turn on auto-answer
  • present in some software stacks (verified for Infineon & QCOM)
  • Enable with *5005*AANS# on iPhones, disable with #5005*AANS#
  • Excellent target to demonstrate memory corruptions
  • Auto-answer can be made silent/

  28. Part III: Practicality

  29. Why should we care
  • New base stations: expensive (cheapest: 25k USD)
  • Old gear however often is sold on eBay
  • Threat model has entirely changed: hardware has become cheap, open-source SW appeared
  • Open-source projects for running GSM base stations: OpenBSC & OpenBTS
  • OpenBTS provided service at Burning Man 2008-2010
  • HAR2009 had OpenBSC test network

  30. Siemens BS11
  • used by OpenBSC
  • HEAVY
  • E1/Abis interface
  • cheap: EUR 250
  • hard to come by now.
  Image credit: Björn Heller

  31. ip.access nanoBTS
  • supported by OpenBSC as well
  • Abis over IPv4
  • approx. USD 4500
  • different versions for GSM900/1800, GSM850/1900
  • supports GPRS

  32. Our gear: Ettus USRPv1
  • price: approx USD 1250 plus good clock
  • software defined radio (SDR)
  • versatile (different daughterboards)
  • OpenBTS support, GSM850/900, GSM1800/1900
  • no GPRS since layer 1 is different there
  • clock: wrong freq (64Mhz) and imprecise
  Image credit: Synthesis Studios

  33. Part IV: Demo

  34. Common failures (my experience)
  • Lacking clock precision
  • Misinterpreting stack traces
  • Triggering the wrong bug ;)
  • Overlooking that code is placed in a non-exec page

  35. Some words about clocks
  • Get a good one, seriously!
    – GSM spec requires 0.05ppm
    – equiv. to 50Hz in 900MHz band
  • Time is too precious for fixing clock issues
  • Using FA-SY on the road (EUR 40)
    – Si570 based design
    – not optimal: 20ppm uncalibrated
    – approx. 1ppm when calibrated

  36. Part V: The Baseband Apocalypse

  37. The “Baseband Apocalypse”
  • Place fake BTS in crowded/sensitive areas: airport lounges, financial districts, near embassies
  • Stealth room monitor: record audio, compress, store in RAM, piggy-back onto next data connection (mic/camera usually hang off BB CPU)
  • Shared mem CPUs: compromise APP CPU as well, place backdoor/rootkit

  38. The “Baseband Apocalypse”
  • Ping-pong games: compromise cellphone, then BTS/BSC, infect more phones from there
  • Brick phones permanently (e.g. erase SecZone on iPhone)
  • No easy forensics possible in BB land (JTAG disabled to prevent easy unlocks). Need exploits to perform forensics
