Exploitation of a Modern Smartphone Baseband

Conference: BlackHat USA 2018



The presentation discusses the feasibility and practicality of remote code execution on baseband processors, which are far less well understood and less audited than application processors.
  • Baseband processors are separate from application processors but communicate with them, and they expose a large remote attack surface
  • Their firmware is written in C and C++ and lacks basic exploit mitigations, which makes remote exploitation easier
  • This lack of mitigations is widespread across baseband manufacturers
  • Software-defined radio hardware can be used to deliver attacks to the baseband over the air
  • The baseband runs a real-time operating system whose tasks implement the different cellular protocol layers; these tasks can be audited for memory corruption bugs
  • Information about the target can be collected from the firmware image, from the running system, and from online sources
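The bullets above describe auditing the protocol-layer tasks for memory corruption. The concrete pattern such an audit looks for is a length field taken from an over-the-air message and used as a copy size without being checked against either the bytes actually received or the destination buffer. The C code below is an added example written for this summary; it is not code from the talk and is not taken from any real baseband firmware. It is a constructed decoder for a simplified tag-length-value information element, shown in its unchecked form beside a hardened one. The element layout, the 32-byte capacity IE_MAX, the function names and the sample messages are all assumptions made for the illustration.

```c
/* Added example, constructed for this summary; not code from the talk
 * and not taken from any real baseband firmware.  Models one information
 * element (IE) in a layer-3 style message: a one-byte tag, a one-byte
 * length, then `length` bytes of value, copied into a fixed-size record. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IE_MAX 32   /* assumed fixed capacity of the copied value */

enum decode_status {
    DECODE_OK = 0,
    DECODE_SHORT_HDR,   /* fewer than the 2 header bytes received */
    DECODE_TRUNCATED,   /* length field claims more bytes than were received */
    DECODE_TOO_LONG     /* length field exceeds the destination capacity */
};

struct ie_record {
    uint8_t tag;
    uint8_t len;
    uint8_t value[IE_MAX];
};

/* The shape an auditor looks for: the length byte arrives over the air and
 * is used directly as the memcpy size.  On an RTOS with no stack cookies or
 * heap hardening, a length above IE_MAX overwrites whatever follows value[].
 * Kept here for contrast only; it must never see untrusted input. */
static size_t decode_ie_unchecked(const uint8_t *msg, size_t msg_len,
                                  struct ie_record *out)
{
    if (msg_len < 2)
        return 0;
    out->tag = msg[0];
    out->len = msg[1];
    memcpy(out->value, msg + 2, out->len);   /* bounded by neither IE_MAX nor msg_len */
    return 2 + (size_t)out->len;
}

/* Hardened form: the length is validated against the bytes actually received
 * (prevents an over-read) and against the destination capacity (prevents an
 * over-write) before anything is copied. */
static enum decode_status decode_ie_checked(const uint8_t *msg, size_t msg_len,
                                            struct ie_record *out)
{
    if (msg_len < 2)
        return DECODE_SHORT_HDR;
    uint8_t tag = msg[0];
    uint8_t len = msg[1];
    if ((size_t)len > msg_len - 2)
        return DECODE_TRUNCATED;
    if (len > IE_MAX)
        return DECODE_TOO_LONG;
    out->tag = tag;
    out->len = len;
    memcpy(out->value, msg + 2, len);
    return DECODE_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t benign_msg[]    = { 0x17, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t truncated_msg[] = { 0x17, 0x0A, 0x01, 0x02, 0x03 }; /* says 10, carries 3 */

static enum decode_status decode_case(const uint8_t *msg, size_t msg_len)
{
    struct ie_record rec;
    return decode_ie_checked(msg, msg_len, &rec);
}

/* The case a truncation check alone misses: every claimed byte really was
 * received, but the length (200) is far beyond IE_MAX, so only the capacity
 * check stops the overflow. */
static enum decode_status decode_oversized(void)
{
    uint8_t msg[2 + 200];
    msg[0] = 0x17;
    msg[1] = 200;
    memset(msg + 2, 0x41, 200);
    return decode_case(msg, sizeof msg);
}

/* Benign input: both decoders agree, and the value bytes are copied intact. */
static int benign_roundtrip_ok(void)
{
    struct ie_record a, b;
    size_t consumed = decode_ie_unchecked(benign_msg, sizeof benign_msg, &a);
    enum decode_status st = decode_ie_checked(benign_msg, sizeof benign_msg, &b);
    return consumed == sizeof benign_msg && st == DECODE_OK &&
           a.len == 4 && b.len == 4 && memcmp(a.value, b.value, 4) == 0 &&
           b.value[0] == 0xDE && b.value[3] == 0xEF;
}

int main(void)
{
    printf("benign: %d, truncated: %d, oversized: %d, roundtrip: %d\n",
           decode_case(benign_msg, sizeof benign_msg),
           decode_case(truncated_msg, sizeof truncated_msg),
           decode_oversized(), benign_roundtrip_ok());
    return 0;
}
```

The `decode_oversized` case is the one worth dwelling on: the message is complete, so a check of the length field against the received byte count passes, and only the comparison against the destination capacity rejects it. A handler that performs just one of the two checks is still exploitable, which is why an audit of these tasks has to confirm both.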
As proof that they had gained remote code execution on the baseband processor, the presenters changed the phone's IMEI, the device identifier the baseband reports to the network. They also noted that the lack of mitigations makes baseband processors an attractive target for attackers.


In this talk, we will explore the baseband of a modern smartphone, discussing the design and the security countermeasures that are implemented. We will then move on and explain how to find memory corruption bugs and exploit them. As a case study, we will explain in detail our 2017 Mobile Pwn2Own entry, where we gained RCE (Remote Code Execution) with a 0-day on the baseband of a smartphone, which was among the targets of the competition. We successfully exploited the phone remotely over the air without any user interaction and won $100,000 for this competition target.