27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Ralf-Philipp Weinmann
Day Day 2 - 2010-12-28
Room Saal 2
Start time 20:30
Duration 01:00
ID 4090
Event type Lecture
Track Hacking
Language used for presentation English

The Baseband Apocalypse

all your baseband are belong to us

Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are getting hardened by vendors as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: Malicious base stations are not within the attack model assumed by the GSMA and ETSI.

This talks explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that that allow for remote code execution.

Archived page - Impressum/Datenschutz