The presentation discusses the possibility and practicality of remote code execution on baseband processors, which are less well understood and far less audited than application processors.
- Baseband processors are separate from application processors but communicate with each other and have a large remote attack surface
- They are written in C and C++ and lack basic mitigations, making remote exploitation easier
- The lack of mitigations is widespread across manufacturers
- Software-defined radio can be used to attack baseband processors
- Real-time operating systems run tasks responsible for different network layers and can be audited for memory corruption bugs
- Information can be collected from firmware, runtime, and online sources
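To make the "audited for memory corruption bugs" point concrete, here is an added example that is not code from the talk or from any real baseband firmware: a constructed decoder for one length-prefixed message field, the kind of routine an RTOS network-layer task contains. The unchecked pattern that an auditor flags is shown as a comment; the compiled function is the hardened form, and the sample messages are constructed. All names (`decode_field`, `decode_batch`, `FIELD_MAX`, the `MSG_*` samples) are hypothetical.

```c
/* Added illustration; not code from the talk or from any real baseband
 * firmware. A constructed decoder for one length-prefixed message field,
 * the kind of routine found in an RTOS network-layer task and the kind an
 * auditor reads looking for memory-corruption bugs. All names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 16   /* fixed-size destination inside the task's state */

/* The audit finding, kept as a comment only so nothing unsafe is compiled:
 *
 *   uint8_t len = msg[1];
 *   memcpy(out, msg + 2, len);
 *
 * The length byte arrives over the air, so it is peer-controlled. Copying
 * `len` bytes without checking it against both FIELD_MAX and the bytes that
 * actually remain in `msg` overflows `out` or over-reads `msg`. That is the
 * bug class the summary refers to, and the one that unmitigated C code on a
 * baseband turns into a remote problem. */

/* Hardened decoder: returns the field length on success, -1 on any
 * malformed header; it never copies more than fits or more than exists. */
int decode_field(const uint8_t *msg, size_t msg_len, uint8_t out[FIELD_MAX])
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return -1;                  /* (type, length) header incomplete */
    uint8_t len = msg[1];
    if (len > FIELD_MAX)
        return -1;                  /* would overflow the destination */
    if ((size_t)len > msg_len - 2)
        return -1;                  /* claims more bytes than were received */
    memcpy(out, msg + 2, len);
    return (int)len;
}

/* Run the decoder over a batch of messages as a task loop would;
 * returns how many were rejected. */
int decode_batch(const uint8_t *const msgs[], const size_t lens[], size_t n)
{
    int rejected = 0;
    uint8_t field[FIELD_MAX];
    for (size_t i = 0; i < n; i++)
        if (decode_field(msgs[i], lens[i], field) < 0)
            rejected++;
    return rejected;
}

/* Constructed sample messages: type byte, length byte, payload. */
static const uint8_t MSG_OK[]      = {0x01, 0x03, 'a', 'b', 'c'};
static const uint8_t MSG_TOO_BIG[] = {0x01, 0x28, 'x'};            /* len 40 > FIELD_MAX */
static const uint8_t MSG_SHORT[]   = {0x01, 0x05, 'a', 'b', 'c'};  /* claims 5, carries 3 */

/* Decode the well-formed message; returns 3 only if the payload landed intact. */
int sample_valid_decode(void)
{
    uint8_t field[FIELD_MAX] = {0};
    int n = decode_field(MSG_OK, sizeof MSG_OK, field);
    return (n == 3 && memcmp(field, "abc", 3) == 0) ? n : -2;
}

/* Number of the three samples the hardened decoder rejects (expected 2). */
int sample_rejected_count(void)
{
    const uint8_t *const msgs[] = {MSG_OK, MSG_TOO_BIG, MSG_SHORT};
    const size_t lens[] = {sizeof MSG_OK, sizeof MSG_TOO_BIG, sizeof MSG_SHORT};
    return decode_batch(msgs, lens, 3);
}

int main(void)
{
    printf("valid message decoded: %d bytes\n", sample_valid_decode());
    printf("malformed messages rejected: %d of 3\n", sample_rejected_count());
    return 0;
}
```

The two checks in `decode_field` are the whole audit: the declared length must fit the destination and must not exceed what was actually received. Either one missing is the unmitigated-overflow case the bullets describe, and on a baseband without canaries, NX or ASLR there is no second line of defence behind the parser.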
The presenters demonstrated that they had gained remote code execution on the baseband processor by changing the phone's IMEI, the handset's device identifier. They also noted that the lack of mitigations on baseband processors makes them an attractive target for attackers.