1 wendell crenshaw technologies presents
play

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All - PowerPoint PPT Presentation

Dec 08, 2022 •285 likes •737 views

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To Us over-the-air exploitation of memory corruptions in GSM software stacks Ralf-Philipp Weinmann Laboratory for Algorithmics, Cryptology &

  1. 1

  2. Wendell Crenshaw Technologies presents 1

  3. 2

  4. Tumbleweed 2

  6. All Your Baseband Are Belong To Us over-the-air exploitation of memory corruptions in GSM software stacks Ralf-Philipp Weinmann Laboratory for Algorithmics, Cryptology & Computer Security University of Luxembourg https://cryptolux.org

  7. Outline  GSM / Smartphone basics  Baseband software (in)security  Practicality of exploitation  Demo  Scenarios for the “baseband apocalypse”  Disclosure, outlook & conclusions

  8. Part I: GSM and smartphone basics

  9. Lay of the GSM/UMTS land MS links to outside (Mobile world Station) [BSCs, VLR, HLR/AUC, SS7] Um (air) interface BTS (base transceiver station) [Usually located at cell tower]

  10. Layers of the GSM Um interface Connection Management (MM) Layer 3 Mobility Management (MM) Radio Resource (RR) LAPDm (Layer 2) Layer 1

  11. Smartphones • Somewhen in the late 20 th century, PDAs and cellular phones merged • Result: smartphones • Have driven PDAs into extinction • Usually a multi-CPU architecture: application processor (APP) and baseband (BB) processor • In 99% of all cases, ARM CPUs used for both • Trend: single-chip APP/BB (for cost reasons)

  12. Dominant Smartphone archs vs. Application Application Processor RAM Processor (slave) Serial communication RAM or shared memory Digital Baseband Processor Digital Baseband RAM (master) Processor

  13. Let’s do some quick market research before we dive into the technical details...

  14. Baseband market shares 3Q2009 Qualcomm Mediatek Texas Instruments ST-Ericsson Infineon Broadcom Freescale Other Source: Strategy Analytics Cellular Baseband Suppliers & their 3Q’ 09 shipment share)

  15. Part II: Baseband (in)security

  16. Baseband (in)security • Code base created in the 1990s… • … with a 1990s attitude towards security • Network elements are considered trusted • Both GSM and UMTS protocols have many, many length fields • (Almost) no exploit mitigations [one counter-example: XMM6180 on iPhone4 has hardware DEP enabled]

  17. I know you forgot what the GSM protocol stack looks like, so let’s see it once more before we proceed.

  18. Layers of the GSM Um interface Connection Management (MM) Layer 3 Mobility Management (MM) Radio Resource (RR) LAPDm (Layer 2) Layer 1

  19. Where to look for bugs • Layer 1 not fruitful • Layer 2: messages to short • Layer 3: specified in GSM 04.08 – allows for variable length messages (TLV and LV) – Maximum length: 255 octets (length field: one octet) • However: ASN.1 used as well (e.g. RRLP) • GPRS layer very fruitful as well – GPRS not supported by OpenBTS – layer 1 different

  20. Where to look for bugs • Layer 1 not fruitful • Layer 2: messages to short • Layer 3: specified in GSM 04.08 – allows for variable length messages (TLV and LV) – Maximum length: 255 octets (length field: one octet) • However: ASN.1 used as well (e.g. RRLP) • GPRS layer very fruitful as well – GPRS not supported by OpenBTS – layer 1 different

  21. Where to look for bugs Things get interesting • Layer 1 not fruitful • Layer 2: messages to short • Layer 3: specified in GSM 04.08 – allows for variable length messages (TLV and LV) – Maximum length: 255 octets (length field: one octet) • However: ASN.1 used as well (e.g. RRLP) • GPRS layer very fruitful as well – GPRS not supported by OpenBTS – layer 1 different

  22. Initial Targets Image credit: Yutaka Tsutano Image credit: Jose A. Gelado Apple iPhones HTC Dream [G1] (Infineon (Qualcomm baseband) baseband)

  23. Types of bugs found • Many, many unchecked memory copies (can be found in binary once memcpy() et al. identified) • Object/structure lifecycle issues (e.g. use after free, uninitialized variables, state engine confusion), can lead to infoleaks as well • Protocol foo-bars: Code paths normally used for UMTS / CDMA can be triggered using GSM frames

  24. An example (in QCOM codebase) • GSM & UMTS use challenge-response auth • Originally: fixed-length challenge in GSM – 16 bytes RAND • 3GPP specification 24.008 added variable length challenge (AUTN) • Functionality not needed in GSM! • Allows to overwrite stack (limit 251 bytes) • Result: remote code exec, pre-auth • QCOM fixed after disclosure (pushed to OEMs)

  25. How were the bugs found? • Fuzzing was not successful – Lots of crashes, but no easy way to triage • Static analysis • Located memcpy() -like functions • Identified functions handling GSM frames – Problem: apparently different tasks – Assertions/logging functions very helpful • After several were found, looked at standards and went back

  26. Baseband Exploitation • Baseband: what operating system? • Unlock teams often have good info on this (iPhone dev team, XDA developers) • Locate buffers used for GSM L3 messages • Write custom code or use existing features (e.g. AT+S0=x handler in Infineon baseband) • Debugging is hard, write own debugger first!

  27. The AT+S0=n feature • Hayes command to turn on auto-answer • present in some software stacks (verified for Infineon & QCOM) • Enable with *5005*AANS# on iPhones, disable with #5005*AANS# • Excellent target to demonstrate memory corruptions • Auto-answer can be made silent/invisible

  28. Part III: Practicality

  29. Why should we care • New base stations: expensive (cheapest: 25k USD) • Old gear however often is sold on eBay • Threat model has entirely changed: hardware has become cheap, open-source SW appeared • Open-source projects for running GSM base stations: OpenBSC & OpenBTS • OpenBTS provided service at Burning Man 2008-2010 • HAR2009 had OpenBSC test network

  30. • Siemens BS11 • used by OpenBSC • HEAVY • E1/Abis interface • cheap: EUR 250 • hard to come by now. Image credit: Björn Heller

  31. • ip.access nanoBTS • supported by OpenBSC as well • Abis over IPv4 • approx. USD 4500 • different versions for GSM900/1800, GSM850/1900 • supports GPRS

  32. Our gear: Ettus USRPv1 • price: approx USD 1250 plus Image credit: Synthesis Studios good clock • software defined radio (SDR) • versatile (different daughterboards) • OpenBTS support, GSM850/900, GSM1800/1900 • no GPRS since layer 1 is different there • clock: wrong freq (64Mhz) and imprecise

  33. Part IV: Demo

  34. Common failures (my experience) • Lacking clock precision • Misinterpreting stack traces • Triggering the wrong bug ;) • Overlooking code is placed is non-exec page

  35. Some words about clocks • Get a good one, seriously! – GSM spec requires 0.05ppm – equiv. to 50Hz in 900MHz band • Time is too precious for fixing clock issues • Using FA-SY on the road (EUR 40) – Si570 based design – not optimal: 20ppm uncalibrated – approx. 1ppm when calibrated • ClockTamer apparently much better

  36. Part V: The Baseband Apocalypse

  37. The “Baseband Apocalypse” • Place fake BTS in crowded/sensitive areas: airport lounges, financial districts, near embassies • Stealth room monitor: record audio, compress, store in RAM, piggy-back onto next data connection (mic/camera usually hang off BB CPU) • Shared mem CPUs: compromise APP CPU as well, place backdoor/rootkit

  38. The “Baseband Apocalypse” • Ping-pong games: compromise cellphone, then BTS/BSC, infect more phones from there • Brick phones permanently (e.g. erase SecZone on iPhone) • No easy forensics possible in BB land (JTAG disabled to prevent easy unlocks). Need exploits to perform forensics

  39. The scary bit • How do we defend ourselves? Turn off our cell phones? Hardly. • Use a sound-proof enclosure for phone and encrypting Bluetooth Headset? [approach allegedly used by a German company that produces “secure” end-to-end solutions for governments]

  40. Is there still hope for the paranoid? 35

  41. OsmocomBB • Free Software GSM baseband stack • implements layer 1-3 • target platform: Calypso chipsets • present in OpenMoko phones and Motorola C11x/C12x (e.g. C123) • current functionality: about GSM Phase 1 – supports sending/receiving SMS – supports voice calls

  42. Part VI: Disclosure, outlook, conclusions

  43. Disclosure & Reactions • QCOM was fantastic • Working with Apple to get 1st issue in Infineon stack fixed, update for TMSI bug out soon. • Vendor outreach by Microsoft • ST-Ericsson: “We have been using Coverity on our RTOS (incl. the entire L2/3 source code) for a few years — which may detect some of the vulnerabilities. And the canaries have always been there to enable the scheduler to detect stack overflows [...]”

  44. Outlook • Will see same problems for 3GPP/UMTS • 3GPP uses mutual auth… • Need Radio Resource Control (RRC) pre-auth • RRC is about 1800 pages of specification! • ASN.1 PER !! • Only single vendor for the ASN.1 parser !!! • Femto cells as cheap attack platforms • LTE spec pre-auth simpler than 3GPP

  45. Conclusions • Memory corruptions over the Um interface: practical even with cheap hardware • Vulnerabilities in GSM baseband codebases plentiful • Small number of baseband vendors • Malicious code execution on baseband CPU: compromises security – Shared memory between BB & APP: total compromise

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Crenshaw/LAX Transit Corridor Industry Review September 12, 2011 Crenshaw/LAX Transit Corridor

Crenshaw/LAX Transit Corridor Industry Review September 12, 2011 Crenshaw/LAX Transit Corridor

Crenshaw/LAX Transit Corridor Industry Review September 12, 2011 Crenshaw/LAX Transit Corridor Industry Review Agenda Welcome Program Overview Design Overview Proposed Procurement Schedule Open Discussion Crenshaw/LAX

404 views • 21 slides
Hi. Tanya L. Crenshaw UPBOT: A Testbed for Cyber-Physical Systems Tanya Crenshaw, assistant

Hi. Tanya L. Crenshaw UPBOT: A Testbed for Cyber-Physical Systems Tanya Crenshaw, assistant

Hi. Tanya L. Crenshaw UPBOT: A Testbed for Cyber-Physical Systems Tanya Crenshaw, assistant professor Steven Beyer, senior EE undergraduate University of Portland CSET 2010 October 2006 http://varma.ece.cmu.edu/cps/ cyber physical systems

958 views • 59 slides
Project Area Steese Expy Wendell Ave Scope Rehabilitate or replace the Wendell Ave Bridge,

Project Area Steese Expy Wendell Ave Scope Rehabilitate or replace the Wendell Ave Bridge,

Project Area Steese Expy Wendell Ave Scope Rehabilitate or replace the Wendell Ave Bridge, widen sidewalks and provide pedestrian and bicycle access from Graehl Park to the bridge along the north side and to the existing facilities on the

430 views • 13 slides
Presents CITIZEN GREEN TECHNOLOGIES CITIZEN GREEN TECHNOLOGIES Forward Looking Statements

Presents CITIZEN GREEN TECHNOLOGIES CITIZEN GREEN TECHNOLOGIES Forward Looking Statements

Presents CITIZEN GREEN TECHNOLOGIES CITIZEN GREEN TECHNOLOGIES Forward Looking Statements This Presentation (together with any supplements and any other information that may be furnished to prospective investors by Global Cannabis

660 views • 26 slides
Presents Presents Presents Presents Presents Background History/Future History of the

Presents Presents Presents Presents Presents Background History/Future History of the

Presents Presents Presents Presents Presents Background History/Future History of the TERMinator Concept, ROI. Development Cycle. Business Units involved. Future of the TERMinator. International deployment?

857 views • 16 slides
Crenshaw Corridor Strategic Plan (Draft) Economic Findings November 15, 2007 Presented to The

Crenshaw Corridor Strategic Plan (Draft) Economic Findings November 15, 2007 Presented to The

Crenshaw Corridor Strategic Plan (Draft) Economic Findings November 15, 2007 Presented to The Crenshaw Corridor Stakeholder Task Force Table of Contents I. Introduction II. Understanding of the Assignment III. Socio-Demographic Overview

291 views • 26 slides
Crenshaw Transit Corridor Crenshaw Transit Corridor Study Study Working Group Meetings Working

Crenshaw Transit Corridor Crenshaw Transit Corridor Study Study Working Group Meetings Working

Crenshaw Transit Corridor Crenshaw Transit Corridor Study Study Working Group Meetings Working Group Meetings March 2009 March 2009 1 Concepts to Think About Today Alternatives and Design Options Grade Separation Analysis

349 views • 15 slides
Andrea Electronics Corporation Presents Andrea Electronics Corporation Presents Array Microphone

Andrea Electronics Corporation Presents Andrea Electronics Corporation Presents Array Microphone

Andrea Electronics Corporation Presents Andrea Electronics Corporation Presents Array Microphone Products and Technologies for the Internet of Things 2018 Our History of Audio Innovation Founded in 1934 by Radio Pioneer Frank A.D. Andrea, Sr.

655 views • 16 slides
Using FMS Using FMS Adam Crenshaw Funding Analyst Metropolitan Transportation Commission (510)

Using FMS Using FMS Adam Crenshaw Funding Analyst Metropolitan Transportation Commission (510)

Using FMS Using FMS Adam Crenshaw Funding Analyst Metropolitan Transportation Commission (510) 817-5794 ACrenshaw@mtc.ca.gov March, 2012 Using FMS - Overview FMS User Accounts TIP Revision Process FMS Universal Application (UA)

526 views • 34 slides
Outreach Briefings October 22-29, 2019 Crenshaw Northern Ext xtension - Vid ideo

Outreach Briefings October 22-29, 2019 Crenshaw Northern Ext xtension - Vid ideo

Outreach Briefings October 22-29, 2019 Crenshaw Northern Ext xtension - Vid ideo https://www.youtube.com/watch?v=w21PlAU afZU 2 Goals of Todays Meeting Project overview and history Alternatives being evaluated Current study

592 views • 26 slides
Introduction to Apache Spark Slides from: Patrick Wendell - Databricks What hat is is Sp

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks What hat is is Sp

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks What hat is is Sp Spark? rk? Fast st and Expr pressiv essive Cluster Computing Engine Compatible with Apache Hadoop Efficient ficient Usa sabl ble Rich APIs

1.18k views • 25 slides
Introduction to Apache Spark Slides from: Patrick Wendell - Databricks 1 What is Sp Spark?

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks 1 What is Sp Spark?

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks 1 What is Sp Spark? rk? Fast ast and Ex Expres essiv sive Cluster Computing Engine Compatible with Apache Hadoop Eff fficie cient nt Usabl able Rich APIs in

792 views • 31 slides
HMDA LETS GET IT RIGHT! Home Mortgage Disclosure Act December 19, 2017 Joan Crenshaw,

HMDA LETS GET IT RIGHT! Home Mortgage Disclosure Act December 19, 2017 Joan Crenshaw,

12/18/2017 HMDA LETS GET IT RIGHT! Home Mortgage Disclosure Act December 19, 2017 Joan Crenshaw, CRCM, CAFP Director jcrenshaw@bkd.com 1 12/18/2017 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they

527 views • 33 slides
BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are today Technology World leaders in Advance Processing Technologies for small fruits and vegetables. R&D Strong focus on research

383 views • 17 slides
PRESENTS: PRESENTS: THE PRODUCT WHERE NATURE GIVES A HELPING HAND A ready to use

PRESENTS: PRESENTS: THE PRODUCT WHERE NATURE GIVES A HELPING HAND A ready to use

PRESENTS: PRESENTS: THE PRODUCT WHERE NATURE GIVES A HELPING HAND A ready to use formulation containing Triclopyr BEE in a propriety blend of raw natural and processed plant oils for LOW VOLUME basal, cut stump and foliar

601 views • 39 slides
Derivatives and Hedging Accounting: FAS 133 and Beyond presents presents M Mastering the

Derivatives and Hedging Accounting: FAS 133 and Beyond presents presents M Mastering the

Derivatives and Hedging Accounting: FAS 133 and Beyond presents presents M Mastering the Evolving Guidance on Derivative t i th E l i G id D i ti Instrument Accounting and Valuations A Live 110-Minute Teleconference/Webinar with

931 views • 76 slides
Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

570 views • 24 slides
Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted

Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted

Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 CertificationTree / Hierarchy Logical tree of CA-s PK root root [PK CA1 ]SK root CA1 CA3 [PK CA2 ]SK

578 views • 40 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal

Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal

Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal melting - Surface melting, precipitation Subglacial hydrology - Sheet flow - Tunnels / channels - Cavities - Canals - Lakes Large-scale models Glacier

446 views • 22 slides
A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer

A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer

NORDUnet Nordic I nfrastructure for Research & Education A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer Workshops Training the community in new networking technologies Jerry Sobieski

660 views • 30 slides
Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Computer-Aided Security Proofs, Aarhus, Oct 9 13 2017 Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest VERified End-to-end Secure Transport Everest*: Verified Drop-in Replacements for TLS/HTTPS

464 views • 34 slides
Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome

Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome

Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome William Snow Office of Special Needs Assistance Programs U.S. Department of Housing and Urban Development Corporation for National & Community

545 views • 51 slides
The Role of the Head in the Interpretation of English Deverbal Compounds Gianina Iordchioaia i ,

The Role of the Head in the Interpretation of English Deverbal Compounds Gianina Iordchioaia i ,

The Role of the Head in the Interpretation of English Deverbal Compounds Gianina Iordchioaia i , Lonneke van der Plas ii , Glorianna Jagfeld i (Universitt Stuttgart i , University of Malta ii ) Wen wurmt der Ohrwurm? An interdisciplinary,

608 views • 37 slides

More recommend