The New Rise of Mobile Network and Baseband

Transcript

1. The New Rise of Mobile Network and Baseband Marco Grassi

   (@marcograss)

2. About Me • Member of Tencent KEEN Security Lab (formerly

   known as KeenTeam) • Marco (@marcograss): • My main focus was iOS/Android/macOS and sandboxes. But recently shifted to hypervisors, basebands, firmwares etc. • pwn2own 2016 Mac OS X Team • Mobile pwn2own 2016 iOS team • pwn2own 2017 VMWare escape team • Mobile pwn2own 2017 iOS Wifi + baseband team (pwned Huawei baseband RCE)

3. About Tencent Keen Security Lab • Previously known as KeenTeam

   • White Hat Security Researchers • Several times pwn2own winners • We are based in Shanghai, China • Our blog is https://keenlab.tencent.com/en/ • Twitter @keen_lab

4. Agenda • 5G • Intel Baseband (iPhone) • Huawei Baseband

   (p30) • Conclusions

5. 5G

6. 5G, Why 5G? • 2G/3G/4G the goal was to have

   cheap phones and cheap call/data plans, to get everyone connected. • 4G, high bandwidth, rich media, HD videos, content. • Now everyone has a smartphone with a data plan, how the carriers can make more money? There are no more people to sell a smartphone and a data plan.

7. 5G, Why 5G? • 5G => cheap radios, lot of

   capacity. • How carrier can make money? • Connect everything! Devices, cars, sensors. • People already connected, now the only way to expand the market is to connect “THINGS”

8. 5G, The big players • Huawei • Qualcomm • Intel

   recently announced they dropped out of 5G for the iPhone baseband? • ZTE • Ericsson • Nokia • Samsung • …

9. 5G, critical infrastructure • Expected capacity: 1 million connected objects

   for 1 km2 • In a 4G and lower network, most of the consumer are end users • In a 5G network? • Private deployments (in a factory for example, instead of using wires) • Connect industrial robots • Fleet of shared cars in a network slice • Medical equipment/ personal health equipment • Semaphores/ road traffic management network. • In a 4g network, reliability is important, but not TOO critical • In a 5g one, it might be, if you control critical infrastructure. • Also the connected devices are different in nature.
10. None

11. 5G, not only smartphones • This talk is mostly focused

    on smartphones because now they are the main consumers of baseband devices. • But this is rapidly changes, it can be readily applied to other areas such as smart cars, which have a modem of course. • Also, the “endpoints” are not the only attackable target .. Also base stations

12. 5G not only smartphones, use cases • Enhanced Mobile Broadband

    (eMBB): richer and faster data consumption for humans, high definition videos, downloads etc. • Ultra-Reliable Low-Latency Communications (URLLC): MISSION CRITICAL applications, that cannot afford delays and unreliabilities. • Massive Machine-Type Communications (mMTC): Big networks of potentially low power devices. It must support low power consumtion and high capacity and low cost.

13. Before switching to the baseband part, a few words about

    the base station • Traditional attacks are focused on the mobile/modem endpoint • What about the Base Station? • If a Rogue Base Station can attack a Mobile phone, then a Rogue radio or Rogue mobile phone can attack the Base Station (opposite way) • The impact is much higher since it affects all the devices managed by that cell, (or more, core network)

14. Asymmetry of attack • Attacking a device on a network

    3G or newer is more difficult because the device authenticate the network, and we don’t have the keys as attacker. (except if we don’t downgrade to a 2G network) • On the other hands, if we want to attack a network (base station and core network), we can simply buy a sim card and we can! • Not much research on this… yet… • Little to no research in this area. So it might be fruitful • Equipment for research is not easy to obtain, but can be found. • 2nd hand BTS and core networks can be purchased

15. How to attack a base station in one slide +

    = Modified mobile terminal software stack srsUE Modified baseband software C118 osmocom project. … Software defined Radio, or hardware, such as Motorola c118 Or a smartphone with code injected inside the modem + SIM CARD Over the air exploit RCE inside the base station or core network.

16. BASEBANDS

17. Basebands: The challenges • A Baseband includes a piece of

    software generally running on a separate CPU implementing a rtOS and radio stacks. • Closed Source (Except source code leaks) • No debug/introspection capabilities out of the box • Extensive reverse engineering work required • Knowledge of the Specifications is a must

18. INTEL BASEBAND

19. An alternative story • The Application Processor side of the

    iPhone is getting more and more mitigations and security scrutiny. • Recently, PAC, and more and more auditing. • There are several other paths of least resistance. • The Baseband is one of them • Can become a 0 clicks entry point • Basebands are VERY complex. •Complexity is an enemy of the vendor, but a friend of the attacker.

20. The Intel Baseband: Intro • We will not cover the

    baseband basics for time constraints, you can find them in other talks, most notably: • Amat Cama, A walk With Shannon (Samsung) • Comsecuris, Breaking Band (Samsung) • Keen Lab, Exploitation of a Modern Smartphone Baseband (Huawei) • Charles Nitay Anna, The Baseband Basics (Multiple) • Guy – From Zero to Infinity (Intel) • Comsecuris - There's Life in the Old Dog Yet (blogpost on iphone intel baseband) • The iPhone XR has the Intel (x-gold) XMM7560 model

21. Attacking the baseband in one slide + = Modified Base

    station software stack to trigger the exploit OpenBSC OpenBTS srsLTE … Software defined Radio, or equivalent hardware USRP BladeRF CMU200 (Testing hardware) Over the air exploit RCE inside the phone baseband

22. Getting the baseband • Grab the ipsw link of your

    choice, for example iPhone XR • Shameless plug, save time by grabbing https://github.com/marcograss/partialzip • You can download single files from inside the huge ipsw, saving time/bandwidth • Use “list” command to find the baseband firmware, for example “Firmware/ICE18-1.03.08.Release.bbfw” • Use the download command to get just that file (~40mb instead of 3- 4gb) • You are welcome.

23. The bbfw • The bbfw is just a zip file

    • Extract and it’s composed of several ELFs • SYS_SW.elf is where the main os/stack is located • It says ELF for ARM… but it’s Intel.. (from iPhone XS and XR, before it was ARM) • Patch the elf header to make it Intel arch (010 Editor with the ELF template is a good choice), load into IDA Pro

24. Reversing the firmware • I prefer to use the ARM

    version of the firmware because IDA Pro handles it better • It has several disadvantages compared to the x86 ones, • It’s the older baseband model • Lack of some network support such as CDMA • Baseband reversing is not straightforward… You can check the talk “Breaking Band” by Comsecuris, it’s basically a continuous wash and rinse, until you have a usable IDB • More challenging on Intel IMO since less strings than Samsung Shannon

25. Reversing the firmware • Around 120k functions • First thing

    to do is to find alloc / free variants, and Rtos APIs • Not too hard to find • You can then find init functions of the tasks. And the handler functions of the threads • Hint: UtaOsThreadCreate

26. “Important” threads • There are descriptions in memory for the

    threads that handle the juicy radio stuff where you want to find the RCEs. • Stuff like GMM, GRR, mobility management, EMM etc are there. • You need a good knowledge of the specs to choose what to go after..

27. Threads • Like most of the basebands/rtos they constantly wait

    for some messages, dequeue them and then handle them (including the radio messages) • Lot of messages are intra tasks, not all are relevant for over the air content

28. Memcpy_s • Like Qualcomm and Huawei, they have some “secure”

    version of memcpy, checking bounds on destinations and source (if properly specified)

29. Message handling Messages between tasks and over the air are

    usually described programmatically in arrays with id and handlers

30. Message handling The task routine will find the correct handler

    and invoke it

31. How to get more debugging info from baseband • Go

    to https://developer.apple.com/bug-reporting/profiles-and-logs/ • Download and install the “Baseband.mobileconfig” profile for iOS • Reboot the device • You can trigger also a sysdiagnose by holding both volume and the top button • Get some (very) basics information on baseband crash. (task, address of abort, …)

32. Escaping the baseband (example) Target 2: CommCenter Target 1: Kernel

    Baseband where you have code exec PCI-E UserClient etc. You have several places where you can trigger a second bug on the Application Processor from the baseband Kernel CommCenter Others (Keep in mind that at this point you will still have to face PAC, since we will go on the Application Processor) Application Processor

33. Intel Baseband Application Processor interface on iPhone XS/XR (Kernel) •

    Relevant IOKIT classes and components that we can gather from ioreg: • Connected over pci-e (baseband-pcie) is a IOPCIDevice • Has 2 IODeviceMemory, one of 0x1000 and one of 0x100 • AppleBasebandPCI • Baseband (IOPlatformDevice) • Has a interesting “function-coredump” • AppleBasebandD101 • AppleBasebandPCIICEControl • AppleBasebandPCIRTIDevice • AppleBasebandPCIRTIInterface • AppleBasebandPCIPDPADAMSkywalk • Others… Not enough space… But you can see there is a lot of «meat»

34. Intel Baseband Application Processor interface on iPhone XS/XR (Usermode) •

    AppleBasebandUserClient • Used by «CommCenter» but also by «locationd» to communicate with the kernel

35. CommCenter • Usermode launchdeamon related to the modem • Huge

    binary, 24mb plus libraries • Runs as “_wireless” user • It has a couple of “helpers” CommCenterMobileHelper, CommCenterRootHelper • “CommCenter is a 30 mb binary, even with PAC I bet you can find the right primitives” - qwerty

36. How to make your research easier • Researching on iPhone

    often requires a jailbreak on the latest version… • You can do some of the research on older models, or wait in 2019 for Intel to push some new Android models with the new XMM • Asus Zenfone 2 (Android,old as fuck) • Some Sierra Wireless Modules

37. The future (guesses) • ASLR will soon come to all

    mainstream basebands, making the bar for RCE higher, and this could be in theory implemented right now • Intel CET or ARM64 PAC in the future when new SoC come out?

38. HUAWEI

39. Huawei p30 baseband • The phone is based on kirin

    980 • The baseband load address appears to be 0x20000000 • Ram size should be 0x9B00000 • The architecture is ARM like in the past years • “sec_balong_modem.bin” in modem.fw, the stuff prefixed with sec_ is encrypted • You can load it in IDA Pro fairly easy (if you can get the decrypted firmware OFC)

40. Huawei baseband new mitigations • “MODEM_SANITIZER” kernel configuration • Seems

    not set at the moment on the p30 • If enabled it hints that stack cookies + modem ASLR it’s deployed. • balong_product_co nfig_drv.mk • New Kirin 980

41. Sanitizers? • v_blkMem.h • ASAN tracking has a pid •

    Maybe used to track baseband tasks memory? • Hard to say without their debug builds, have to speculate.

42. ASLR is coming? Crumbs in the baseband Huawei p30 code

    • Calls are indirect • Register load with target is split in 2 • In future add ASLR offset to upper bits? • IDA resolves those • Just speculations

43. Stack cookies Huawei • Stack canary introduced in selected functions

44. Huawei baseband new mitigations • For sure when enabled those

    2 mitigations significantly higher the bar for exploitation • For example, some stack overflow are dead with the stack cookies, or need an additional cookie leaks • ASLR requires an infoleak as well maybe • If it’s implemented properly. Often mistakes are made especially in the first implementations.

45. Significant code efforts, but only on new models… • The

    code in the p30 went under lot more scrutiny and rewrite (NEWNAS) • Many bugs were fixed actually • Sadly Huawei ships very old builds on phones that are still updated, even more than 1 year old builds of the modem. • Only the latest model is constantly updated. • AFAIK the baseband modem doesn’t affect the Android “Security Patch Level”, but I might be wrong.

46. Few words about the leaked source code • Weirdly, still

    widely available online after several years. • Most of the bugs you find in the source code are likely dead, the source code is old. • Still extremely useful for starting RE. • That’s how we find our pwn2own RCE (auditing) • You can probably still find bugs this way.

47. Conclusions • 5G will bring more modems around, baseband research

    will be more relevant in the future. • Vendors are trying to increase the mitigations in the baseband, Huawei especially is putting significant efforts. • The area of research of Base Station and Core Network memory corruption attacks still remains open because of the high entry barrier. • Security By Obscurity in 2019 rarely works.. Even Apple is giving up on encrypting firmwares, but Huawei now is encrypting as much as possible. • Like with Apple, researchers will find ways to get the firmwares.

48. Acknowledgements • Friend who want to stay anonymous • 陈良

    • Keen Lab

49. Questions?

50. None