The Baseband Apocalypse presented at BlackHatDC 2011

by Ralf-Philipp Weinmann

Summary: Attack scenarios against smartphones have concentrated on vulnerable software executed on the application processor. The operating systems running on these processors are being hardened by vendors, as can best be seen in the case of Apple's iOS, which uses both data execution prevention and code signing to make exploitation of memory corruptions and the running of malicious software harder. In contrast, the GSM/3GPP stack running on the baseband processor has been neglected. The advent of open-source solutions for running GSM base stations is a game-changer: malicious base stations are not considered in the attack model assumed by the GSMA and ETSI, and vendors of baseband stacks likewise seem not to have taken malicious input from the network side into account. This paper explores the viability of attacks against the baseband processors of GSM cellular phones, with the focus on smartphones. We demonstrate the first over-the-air exploitations of memory corruption in GSM/3GPP stacks that result in malicious code being executed on the baseband processor.