known as KeenTeam) • Marco (@marcograss): • My main focus was iOS/Android/macOS and sandboxes, but recently shifted to hypervisors, basebands, firmware etc. • pwn2own 2016 Mac OS X team • Mobile pwn2own 2016 iOS team • pwn2own 2017 VMware escape team • Mobile pwn2own 2017 iOS Wi-Fi + baseband team (pwned Huawei baseband RCE)
• White Hat Security Researchers • Several times pwn2own winners • We are based in Shanghai, China • Our blog is https://keenlab.tencent.com/en/ • Twitter @keen_lab
cheap phones and cheap call/data plans, to get everyone connected. • 4G: high bandwidth, rich media, HD videos, content. • Now everyone has a smartphone with a data plan. How can the carriers make more money? There is nobody left to sell a smartphone and a data plan to.
capacity. • How can carriers make money? • Connect everything! Devices, cars, sensors. • People are already connected, so now the only way to expand the market is to connect “THINGS”
for 1 km2 • In a 4G or older network, most of the consumers are end users • In a 5G network? • Private deployments (in a factory for example, instead of using wires) • Connected industrial robots • Fleets of shared cars in a network slice • Medical equipment / personal health equipment • Traffic lights / road traffic management networks • In a 4G network, reliability is important, but not TOO critical • In a 5G one it might be critical, if the network carries critical infrastructure. • Also, the connected devices are different in nature.
on smartphones, because right now they are the main consumers of baseband chips. • But this is rapidly changing; the same work readily applies to other areas such as smart cars, which of course have a modem. • Also, the “endpoints” are not the only attackable target: base stations are too.
(eMBB): richer and faster data consumption for humans, high definition videos, downloads etc. • Ultra-Reliable Low-Latency Communications (URLLC): MISSION CRITICAL applications that cannot afford delays or unreliability. • Massive Machine-Type Communications (mMTC): big networks of potentially low-power devices. It must support low power consumption, high capacity and low cost.
the base station • Traditional attacks are focused on the mobile/modem endpoint • What about the base station? • If a rogue base station can attack a mobile phone, then a rogue radio or rogue mobile phone can attack the base station (the opposite direction) • The impact is much higher, since it affects all the devices managed by that cell (or more: the core network)
3G or newer is more difficult because the device authenticates the network, and as attackers we don't have the keys (unless we can downgrade the device to a 2G network, which does not authenticate the network). • On the other hand, if we want to attack a network (base station and core network), we can simply buy a SIM card, and we can! • Little to no research in this area yet, so it might be fruitful • Equipment for research is not easy to obtain, but can be found. • 2nd-hand BTS and core networks can be purchased
[Diagram: attacking the network side. Modified mobile terminal software stack (srsUE; modified baseband software, e.g. a Motorola C118 running the osmocom project; …) + software defined radio or real hardware (Motorola C118, or a smartphone with code injected inside the modem) + SIM card → over-the-air exploit → RCE inside the base station or core network.]
software generally running on a separate CPU with an RTOS and the radio stacks. • Closed source (except for source code leaks) • No debug/introspection capabilities out of the box • Extensive reverse engineering work required • Knowledge of the specifications is a must
iPhone is getting more and more mitigations and security scrutiny. • Recently PAC, and more and more auditing. • There are several other paths of least resistance. • The baseband is one of them • It can become a 0-click entry point • Basebands are VERY complex. • Complexity is an enemy of the vendor, but a friend of the attacker.
baseband basics for time constraints; you can find them in other talks, most notably: • Amat Cama, A Walk With Shannon (Samsung) • Comsecuris, Breaking Band (Samsung) • Keen Lab, Exploitation of a Modern Smartphone Baseband (Huawei) • Charles Nitay Anna, The Baseband Basics (multiple vendors) • Guy – From Zero to Infinity (Intel) • Comsecuris - There's Life in the Old Dog Yet (blog post on the iPhone Intel baseband) • The iPhone XR has the Intel (X-GOLD) XMM7560 model
[Diagram: attacking the phone side. Modified base station software stack to trigger the exploit (OpenBSC, OpenBTS, srsLTE, …) + software defined radio or equivalent hardware (USRP, BladeRF, CMU200 testing hardware) → over-the-air exploit → RCE inside the phone baseband.]
choice, for example the iPhone XR • Shameless plug: save time by grabbing https://github.com/marcograss/partialzip • You can download single files from inside the huge IPSW, saving time/bandwidth • Use the “list” command to find the baseband firmware, for example “Firmware/ICE18-1.03.08.Release.bbfw” • Use the download command to get just that file (~40 MB instead of 3-4 GB) • You are welcome.
• Extract it: it is composed of several ELFs • SYS_SW.elf is where the main OS/stack is located • The ELF header says ARM… but the code is Intel x86 (from the iPhone XS and XR onward; earlier Intel basebands were ARM) • Patch the ELF header to make the architecture Intel (010 Editor with the ELF template is a good choice), then load into IDA Pro
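What partialzip does under the hood, as an added example (this is not the tool's own code): a zip's central directory sits at the end of the archive, so a client that can fetch byte ranges can read the end-of-central-directory record, then the directory, then only the local header and bytes of the one member it wants. The assumed parts are the RangeSource class, which stands in for an HTTP server honouring Range requests, and the constructed in-memory "IPSW", which is just a zip built with zipfile so the example runs offline.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, EOCD64_LOC_SIG, EOCD64_SIG = b"PK\x05\x06", b"PK\x06\x07", b"PK\x06\x06"
CDIR_SIG, LOCAL_SIG = b"PK\x01\x02", b"PK\x03\x04"

class RangeSource:
    """Stand-in for an HTTP server honouring Range requests; a real client would
    send 'Range: bytes=<off>-<off+n-1>' to the IPSW URL (assumption: the CDN
    serves byte ranges, which is what partial extraction relies on)."""

    def __init__(self, data: bytes):
        self._data = data
        self.bytes_read = 0  # how much we actually fetched

    def size(self) -> int:
        return len(self._data)

    def read(self, offset: int, length: int) -> bytes:
        chunk = self._data[offset:offset + length]
        self.bytes_read += len(chunk)
        return chunk

def _central_directory(src: RangeSource) -> bytes:
    """Fetch the tail, find the EOCD (a zip comment of up to 64 KiB may follow
    it), follow the zip64 locator if present, then fetch only the CD itself."""
    size = src.size()
    tail_len = min(size, 22 + 65535 + 20)
    tail = src.read(size - tail_len, tail_len)
    eocd = tail.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", tail, eocd + 12)
    if 0xFFFFFFFF in (cd_size, cd_off):  # zip64: locator sits 20 bytes before EOCD
        loc = tail[eocd - 20:eocd]
        if loc[:4] != EOCD64_LOC_SIG:
            raise ValueError("zip64 EOCD locator missing")
        rec = src.read(struct.unpack_from("<Q", loc, 8)[0], 56)
        if rec[:4] != EOCD64_SIG:
            raise ValueError("bad zip64 EOCD record")
        cd_size, cd_off = struct.unpack_from("<QQ", rec, 40)
    return src.read(cd_off, cd_size)

def list_members(src: RangeSource) -> dict:
    """Parse the central directory: name -> (method, csize, usize, local_off).
    Entries whose sizes/offset overflow 32 bits (zip64 extra field 0x0001)
    are rejected rather than misread; handling them is left out for brevity."""
    cd, pos, members = _central_directory(src), 0, {}
    while pos + 46 <= len(cd) and cd[pos:pos + 4] == CDIR_SIG:
        method, csize, usize, nlen, xlen, clen = struct.unpack_from("<H8xIIHHH", cd, pos + 10)
        local_off = struct.unpack_from("<I", cd, pos + 42)[0]
        name = cd[pos + 46:pos + 46 + nlen].decode("utf-8")
        if 0xFFFFFFFF in (usize, csize, local_off):
            raise ValueError("zip64 per-entry fields not handled: " + name)
        members[name] = (method, csize, usize, local_off)
        pos += 46 + nlen + xlen + clen
    return members

def extract_member(src: RangeSource, name: str) -> bytes:
    """Fetch just one member: its local header, then exactly csize bytes."""
    method, csize, usize, local_off = list_members(src)[name]
    hdr = src.read(local_off, 30)
    if hdr[:4] != LOCAL_SIG:
        raise ValueError("bad local file header for " + name)
    nlen, xlen = struct.unpack_from("<HH", hdr, 26)  # local extra may differ from CD's
    raw = src.read(local_off + 30 + nlen + xlen, csize)
    if method == 0:
        data = raw                        # stored
    elif method == 8:
        data = zlib.decompress(raw, -15)  # raw deflate stream, no zlib header
    else:
        raise ValueError("unsupported compression method %d" % method)
    if len(data) != usize:
        raise ValueError("size mismatch for " + name)
    return data

def build_sample_ipsw() -> bytes:
    """Constructed stand-in for an IPSW: a 1 MiB stored filler plus a small
    deflated .bbfw (the real one is an archive you extract to get the ELFs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Firmware/all_flash/filler.bin", bytes(range(256)) * 4096, zipfile.ZIP_STORED)
        z.writestr("Firmware/ICE18-1.03.08.Release.bbfw", b"PK\x03\x04 pretend baseband", zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def demo():
    """Pull the .bbfw out of the sample and report how much was fetched."""
    src = RangeSource(build_sample_ipsw())
    data = extract_member(src, "Firmware/ICE18-1.03.08.Release.bbfw")
    return data, src.bytes_read, src.size()
```

demo() returns the member's bytes together with the number of bytes fetched versus the archive size; on the constructed sample the fetched total is dominated by the 64 KiB tail read, which is the whole point of the technique when the archive is several gigabytes.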
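The header patch described above, as an added example rather than the talk's own procedure: only the 2-byte e_machine field (offset 18, right after e_ident and e_type) is rewritten from EM_ARM (40) to EM_386 (3), or EM_X86_64 (62) for a 64-bit ELF, so IDA selects the x86 processor module. The constructed header in build_fake_header is an assumption for testing; a real run is given SYS_SW.elf on the command line.

```python
import struct
import sys

EM_386, EM_ARM, EM_X86_64 = 3, 40, 62
ELFCLASS32 = 1
E_MACHINE_OFF = 18  # e_ident is 16 bytes, e_type is 2, then e_machine

def elf_machine(data: bytes):
    """Return (elf_class, e_machine) after checking the magic and endianness byte."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    fmt = "<H" if data[5] == 1 else ">H"  # EI_DATA: 1 = little, 2 = big endian
    return data[4], struct.unpack_from(fmt, data, E_MACHINE_OFF)[0]

def retarget_arm_to_intel(data: bytes) -> bytes:
    """Rewrite e_machine from EM_ARM to EM_386 (EM_X86_64 for ELFCLASS64) so the
    disassembler picks the right processor module. Nothing else is touched:
    sections, symbols and the code bytes are already what they are."""
    cls, machine = elf_machine(data)
    if machine != EM_ARM:
        raise ValueError("expected EM_ARM (40), header says %d" % machine)
    fmt = "<H" if data[5] == 1 else ">H"
    out = bytearray(data)
    struct.pack_into(fmt, out, E_MACHINE_OFF, EM_386 if cls == ELFCLASS32 else EM_X86_64)
    return bytes(out)

def build_fake_header() -> bytes:
    """Constructed 52-byte ELF32 little-endian header claiming EM_ARM, no code."""
    ident = b"\x7fELF" + bytes([ELFCLASS32, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0, 52, 0, 0, 52, 32, 0, 40, 0, 0)

if __name__ == "__main__":
    # usage: patch_elf.py SYS_SW.elf SYS_SW.x86.elf
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched = retarget_arm_to_intel(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print("e_machine now", elf_machine(patched)[1])
```

Check the result with readelf -h before loading: the "Machine" line should read Intel 80386 (or x86-64) while everything else is unchanged.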
version of the firmware because IDA Pro handles it better • It has several disadvantages compared to the x86 ones: • It's the older baseband model • It lacks some network support, such as CDMA • Baseband reversing is not straightforward… You can check the talk “Breaking Band” by Comsecuris; it's basically rinse and repeat until you have a usable IDB • More challenging on Intel IMO, since there are fewer strings than in Samsung Shannon
to do is to find the alloc/free variants and the RTOS APIs • Not too hard to find • You can then find the init functions of the tasks and the handler functions of the threads • Hint: UtaOsThreadCreate
threads that handle the juicy radio stuff, where you want to find the RCEs. • Stuff like GMM, GRR, mobility management, EMM etc. is there. • You need a good knowledge of the specs to choose what to go after.
for some messages, dequeue them and then handle them (including the radio messages) • Many messages are intra-task; not all of them carry over-the-air content
to https://developer.apple.com/bug-reporting/profiles-and-logs/ • Download and install the “Baseband.mobileconfig” profile for iOS • Reboot the device • You can also trigger a sysdiagnose by holding both volume buttons and the top button • You get some (very) basic information on the baseband crash (task, address of the abort, …)
[Diagram: from the baseband, where you have code exec, across PCI-E to the Application Processor. There are several places where you can trigger a second bug on the Application Processor from the baseband: the kernel, CommCenter (UserClient etc.), others. Keep in mind that at this point you will still have to face PAC, since we move on to the Application Processor.]
Relevant IOKit classes and components that we can gather from ioreg: • Connected over PCI-E (baseband-pcie), an IOPCIDevice • Has 2 IODeviceMemory ranges, one of 0x1000 and one of 0x100 • AppleBasebandPCI • Baseband (IOPlatformDevice) • Has an interesting “function-coredump” • AppleBasebandD101 • AppleBasebandPCIICEControl • AppleBasebandPCIRTIDevice • AppleBasebandPCIRTIInterface • AppleBasebandPCIPDPADAMSkywalk • Others… Not enough space… But you can see there is a lot of «meat»
binary, 24 MB plus libraries • Runs as the “_wireless” user • It has a couple of “helpers”: CommCenterMobileHelper, CommCenterRootHelper • “CommCenter is a 30 MB binary, even with PAC I bet you can find the right primitives” - qwerty
often requires a jailbreak on the latest version… • You can do some of the research on older models, or wait in 2019 for Intel to push some new Android models with the new XMM • Asus Zenfone 2 (Android, very old) • Some Sierra Wireless modules
mainstream basebands, raising the bar for RCE, and this could in theory be implemented right now • Intel CET or ARM64 PAC in the future when new SoCs come out?
980 • The baseband load address appears to be 0x20000000 • RAM size should be 0x9B00000 • The architecture is ARM, like in past years • “sec_balong_modem.bin” in modem.fw; the stuff prefixed with sec_ is encrypted • You can load it in IDA Pro fairly easily (if you can get the decrypted firmware, of course)
These 2 mitigations significantly raise the bar for exploitation • For example, some stack overflows are dead with stack cookies, or need an additional cookie leak • ASLR may require an infoleak as well • If it's implemented properly. Mistakes are often made, especially in the first implementations.
code in the P30 underwent a lot more scrutiny and rewriting (NEWNAS) • Many bugs were actually fixed • Sadly Huawei ships very old builds on phones that are still updated, even modem builds more than 1 year old. • Only the latest model is constantly updated. • AFAIK the baseband modem doesn't affect the Android “Security Patch Level”, but I might be wrong.
widely available online after several years. • Most of the bugs you find in the source code are likely dead; the source code is old. • Still extremely useful for starting RE. • That's how we found our pwn2own RCE (by auditing) • You can probably still find bugs this way.
will be more relevant in the future. • Vendors are trying to increase the mitigations in the baseband; Huawei especially is putting in significant effort. • The area of research into base station and core network memory corruption attacks still remains open because of the high entry barrier. • Security by obscurity in 2019 rarely works. Even Apple is giving up on encrypting firmware, but Huawei is now encrypting as much as possible. • Like with Apple, researchers will find ways to get the firmware.
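Before spending time loading a modem image, it is worth confirming whether a blob is actually encrypted (the sec_-prefixed images) or plain code that IDA can work on. A block-wise Shannon entropy profile is the usual check; the example below is added here and is not the talk's tooling. Both inputs are constructed: a seeded pseudo-random blob stands in for an encrypted image, and a fake "plaintext" image is assembled from ARM PUSH/POP encodings, a string and zero padding (not real firmware bytes).

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0 for a run of one value, 8.0 for a uniform distribution."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def entropy_profile(blob: bytes, block_size: int = 4096) -> list:
    """Entropy of each block_size window, in order, so you can spot where an
    encrypted payload starts and where plaintext headers or padding sit."""
    return [round(shannon_entropy(blob[i:i + block_size]), 3) for i in range(0, len(blob), block_size)]

def looks_encrypted(blob: bytes, threshold: float = 7.8, block_size: int = 4096) -> bool:
    """True when (almost) every window is near the 8-bit ceiling. Plain ARM
    firmware never looks like that: it has zero padding, repeated instruction
    encodings and ASCII strings (the things you lean on when reversing)."""
    prof = entropy_profile(blob, block_size)
    return bool(prof) and sum(e >= threshold for e in prof) / len(prof) > 0.95

def build_samples():
    """Constructed inputs: a pseudo-random blob standing in for a sec_ image,
    and a fake plaintext image of ARM PUSH/ADD/POP encodings, one string and
    padding (assumption: not bytes from any real firmware)."""
    rnd = random.Random(0x5A5A)
    encrypted = bytes(rnd.getrandbits(8) for _ in range(64 * 1024))
    push = b"\xf0\x4f\x2d\xe9"  # PUSH {r4-r11,lr}, little-endian E92D4FF0
    add = b"\x10\xb0\x8d\xe2"   # ADD  fp, sp, #16, little-endian E28DB010
    pop = b"\xf0\x8f\xbd\xe8"   # POP  {r4-r11,pc}, little-endian E8BD8FF0
    chunk = (push + add + pop) * 64 + b"UtaOsThreadCreate\x00" + b"\x00" * 512
    return encrypted, chunk * 64
```

Run entropy_profile over the whole file rather than trusting a single number: a partially encrypted image shows low-entropy plaintext headers followed by a flat ~7.95 plateau, which also tells you the exact offset where the ciphertext begins.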