
Over the Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones

Conference: BlackHat USA 2021

2021-08-05

Abstract

In recent years we have seen the widespread adoption of 5G cellular networks for consumer devices, IoT, and critical infrastructure. Estimates of the number of devices connected to a 5G network vary, but statistics show they are widely present in the market. To join the 5G network, every one of these devices must be equipped with a 5G modem, which is in charge of modulating the signal and implementing the radio protocols. This component is also commonly referred to as the "baseband". It is of enormous importance to secure these components, since they process untrusted data from a radio network, making them particularly attractive to a remote attacker. In our previous work at Black Hat US 2018, we examined the security of modems for previous-generation networks (such as 2G, 3G or 4G) and achieved full remote code execution over the air. In this talk, we will explore what changed on 5G networks, what improved in terms of security and what did not. We will demonstrate that it is still possible to fully compromise a 5G modem over the air and gain remote code execution on a new 5G smartphone.
