Contents
- 2. A Typical Smartphone: How many processors? The application processor (AP) – The one advertisements talk about
- 4. Radio access technology
- 6. GSM Protocol Stack: Physical Layer; LAPDm; Layer 3 (Radio Resource Management, Mobility Management, Connection Management)
- 7. Baseband Protocol stack: Code base created in the 1990s… With a 1990s attitude towards security. Network
- 8. Finding Bugs: Fuzzing – Providing invalid, unexpected and random data as protocol messages. Baseband crashes, but
- 9. Reverse engineering binaries: Tools for identifying interesting code paths – IDA Pro Disassembler and Google BinDiff
- 10. The bugs! Insufficient length checks, aka, unchecked memory copies. Found in binary once memcpy() et al.
- 11. Example (Infineon Code base): TMSI – Temporary Mobile Subscriber Identity. Always a 32 bit value. For
- 12. Example (Qualcomm code base): For authentication in GSM, BTS transmits a 16 byte challenge value called
- 13. ‘AT + s0 = n’ feature exploited: Hayes AT command set – a specific command language
- 15. Target – HTC Dream (Qualcomm): Rogue BTS - Ettus Research USRPv1, provides RF processing capability. Supports
- 16. Impact: Place Rogue BTS in crowded/sensitive areas. Audio routing on most chipsets is done on baseband
- 17. Solutions? Open source baseband stack. Quicker at identifying bugs. But still hard to patch them as