Daniel Klischies
dklischies.bsky.social
Firmware/OS/Cellular Security Research @ruhr-uni-bochum.de
Congrats to the entire team (cc @noopwafel.bsky.social, @nsinusr.bsky.social, @veelasha.bsky.social). We will have the paper available on Monday (on IEEE CSDL and open access). The code will become available once we've had time to clean it up + add docs. 6/6
May 11, 2025 at 10:23 AM
That led to the discovery of 8 vulnerabilities (3 dupes) in Samsung and MediaTek BBs. Among the vulnerabilities are at least 2 RCEs exploitable OTA. One of them is preauth (CVE-2024-20154), affecting 51 MediaTek chipsets and thousands of phone models. Drop by our presentations to learn more! 5/6
May 11, 2025 at 10:23 AM
From a security perspective, this unlocks a lot of additional attack surface within the emulator, previously only reachable OTA (where fuzzing is unfeasibly slow and you can't introspect). By integrating BaseBridge into FirmWire we improved coverage in AFL++ by a factor of 4. 4/6
May 11, 2025 at 10:23 AM
Demo time. Left: BaseBridge integrated into the FirmWire baseband emulator, emulating a MediaTek BB, into which we inject a packet requesting UE capabilities. Right side: Wireshark tapping into the emulator, showing the request and the uplink response (2nd pkt) generated in the emulator. 3/6
May 11, 2025 at 10:23 AM
We developed a way to transfer memory dumps from commercial smartphone basebands into an emulator. This provides the emulated baseband with state needed to process many different downlink network packets, to the point where it even generates the correct uplink response. 2/6
May 11, 2025 at 10:23 AM