Current attacks on smartphones focus on the software running on the application processor. This article looks at a different route: breaking the phone's baseband processor and achieving remote code execution on the baseband stack. This is a new field, and there is almost no domestic research on it; I submitted this to FreeBuf and, unexpectedly, it did not pass review. (A basic background in communications technology, such as GSM and OpenBTS, is assumed.)
Ralf-Philipp Weinmann, general manager of the German security company Comsecuris, revealed last week in Miami a previously undisclosed baseband vulnerability in China's ?? that affects smartphones, laptop WWAN modules and IoT components and could be used to attack millions of Huawei phones. In an attack scenario, an attacker could exploit the vulnerability over the air to perform a memory corruption attack on the targeted device.
Original link: https://threatpost.com/baseband-zero-day-exposes-millions-of-mobile-phones-to-attack/124833/?from=timeline
I. What is the baseband for?
As the encyclopedia explains: "Baseband is the frequency band (frequency bandwidth) inherent in the original electrical signal emitted by a source (the information source, also called the transmitting end) before it has been modulated (that is, before spectrum shifting and transformation); it is called the basic frequency band, or baseband for short."
In a mobile phone, the baseband is essentially a circuit responsible for demodulating, descrambling, despreading and decoding the wireless signal of the mobile network, and for passing the decoded digital signal on to the base station and other upper-layer processing systems for further processing. The baseband is commonly abbreviated BB and can be thought of as the phone's communication module.
A baseband chip can be divided into five modules: the CPU, the channel encoder, the digital signal processor, the modem and the interface module. The core consists of two parts: the RF section and the baseband section. The RF section converts the electrical signal into electromagnetic waves for transmission, or receives and demodulates electromagnetic waves, and performs up-conversion and down-conversion of the baseband-modulated signal. The baseband section is generally responsible for signal processing and is usually implemented with a fixed-function DSP, which provides the bulk of the processing power in modern communications devices; the DSP typically handles speech signal processing, channel coding and decoding, image processing and so on.
Current mobile networks include GSM, CDMA, CDMA2000, WCDMA, TD-SCDMA, FDD-LTE and TD-LTE.
The main manufacturers of mobile-phone baseband chips include Qualcomm, Texas Instruments (TI), ST, Broadcom, Ericsson (EMP), Philips, Agere, Infineon, ADI and NXP.
Take the Qualcomm Snapdragon 835 as an example: the SoC integrates a CPU, GPU, DSP, ISP, security module and X16 LTE modem on a single chip.
II. How does the baseband work?
Put simply: when we make a call or go online, the signal first passes through the baseband, which then establishes a logical channel between the phone and the base station; voice and network data are sent to the base station over this logical channel, and that is what makes communication possible. The importance of the baseband is obvious.
A simplified model of a digital communication system is shown below:
III. Means of attack
Ralf-Philipp Weinmann published several attacks on basebands in earlier years:
Link: https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf
Baseband vulnerabilities are likewise found by reverse engineering the firmware. Almost all baseband processors are ARM cores, so the disassembly is well supported by IDA Pro, and Google's BinDiff tool can be used to re-identify known functions in the binary. BinDiff computes a "fingerprint" of each function from several measurements of its control-flow graph; by comparing against standard compiler libraries and against an RTOS binary with symbols, library functions such as memcpy(), memmove() and bcopy() and RTOS system functions can be identified in the firmware image. This in turn identifies the functions that perform variable-length memory copies, so one can quickly see which of them apply insufficient length checks to the data being copied.
The exploitable memory corruption types can be summarized as follows:
1. Insufficient length check
Such vulnerabilities typically let data overwrite the heap or the stack, which an attacker can exploit with the usual methods to take control of the execution flow. Exploiting stack corruption on these embedded systems is easier than on current desktop platforms.
2. Object/structure lifecycle issues
Because state machines are used extensively in the GSM stack, object lifecycle issues arise and can cause memory corruption. These can be use-after-free errors (for example, dangling pointers to structures that have already been freed) or uninitialized variables (most useful when they are on the stack). A common example is the state machine that processes incoming SMS messages and cell broadcasts.
3. Memory information leaks
This type of vulnerability is not a memory corruption issue itself, but memory information leaks can be useful for exploiting memory corruption more reliably. In the baseband stack, at least, they typically occur in the context of the lifecycle issues above. There are no format string problems, because most of the sprintf() calls are in diagnostic code and do not accept externally supplied format strings.
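As an added illustration of the first category above (insufficient length checks), not code from the original article or from any real baseband firmware: a hypothetical length-prefixed information element decoder in the vulnerable form a reverse engineer would flag, beside a hardened form that bounds the copy by both the destination buffer and the received frame. The IE layout, function names and sample frames are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical length-prefixed information element (IE): tag, length, value.
 * Real GSM L3 IEs are more varied; this is a simplified stand-in. */
#define IE_MAX_VALUE 16
struct ie_buf { uint8_t tag; uint8_t len; uint8_t value[IE_MAX_VALUE]; };

/* The pattern the article describes: the copy length comes from the air
 * interface and is never compared to the destination or the frame size. */
static int decode_ie_unchecked(const uint8_t *msg, size_t msg_len, struct ie_buf *out)
{
    if (msg_len < 2) return -1;
    out->tag = msg[0];
    out->len = msg[1];
    memcpy(out->value, msg + 2, out->len);   /* len > 16 overruns value[] */
    return 0;
}

/* Hardened form: bound the length by both destination and received frame. */
static int decode_ie_checked(const uint8_t *msg, size_t msg_len, struct ie_buf *out)
{
    if (msg == NULL || out == NULL || msg_len < 2) return -1;
    uint8_t len = msg[1];
    if (len > IE_MAX_VALUE) return -2;         /* would overflow out->value */
    if ((size_t)len > msg_len - 2) return -3;  /* would read past the frame */
    out->tag = msg[0];
    out->len = len;
    memcpy(out->value, msg + 2, len);
    return 0;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t benign[]    = { 0x05, 0x03, 'a', 'b', 'c' };
static const uint8_t oversized[] = { 0x05, 0x40, 'x', 'x', 'x' };  /* claims 64 bytes */
static const uint8_t truncated[] = { 0x05, 0x08, 0x01, 0x02 };     /* claims 8, has 2 */

int demo_benign(void)
{
    struct ie_buf ie;
    int rc = decode_ie_checked(benign, sizeof benign, &ie);
    if (rc != 0 || ie.len != 3 || memcmp(ie.value, "abc", 3) != 0) return -1;
    /* the unchecked decoder is only safe on well-formed input like this */
    return decode_ie_unchecked(benign, sizeof benign, &ie);
}
int demo_oversized(void) { struct ie_buf ie; return decode_ie_checked(oversized, sizeof oversized, &ie); }
int demo_truncated(void) { struct ie_buf ie; return decode_ie_checked(truncated, sizeof truncated, &ie); }
```

The two rejected frames are exactly the inputs the unchecked decoder would turn into a stack overwrite or an out-of-bounds read; the checked decoder reports them as distinct error codes so a parser can log and drop them.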
IV. Exploitation and harm
In short, after triggering the vulnerability, the exploit only needs to use the GSM device's AT command handler to set the S0 register. For a stack buffer overflow or another vulnerability that gives direct control of the program counter, the value 1 is loaded into register r0 and execution is redirected into that function.
By successfully exploiting memory corruption in the GSM baseband software stack, an attacker gains access to the phone's privacy-sensitive hardware: an attacker who controls the baseband side of the phone can monitor the user completely transparently, without needing a foothold on the application CPU side. Another problem concerns billing: once an attacker controls the baseband, he can make calls, send premium-rate text messages, or cause large amounts of data to be transferred without the phone's owner being aware of it. This obviously causes problems for operators and end users alike.
V. Summary
From the above we can see that memory corruption in baseband firmware exists and can actually be exploited. Exploiting these security issues completely undermines the integrity of the attacked phone: simply coming within range of a malicious base station is enough to take over any vulnerable phone without user interaction. The cost of development is low enough to make these attacks a reality: for roughly the price of a mid-range laptop, an attacker can buy the hardware to run a malicious GSM base station with OpenBTS.
"Original" Baseband attack: A new approach to smartphone intrusion