Security

Dissecting modern (3G/4G) cellular modems

Let's have a detailed look at some modern 3G/4G cellular modems and see what we can find out about their internals using undocumented debug interfaces and software or hardware based hacking techniques.
Cellular modems are not only present in smartphones, tablets and laptops, but these days also in many M2M and internet-of-toilets (IoT) applications. Long gone are the days where those modules were GSM/GPRS/EDGE only with ancient ARM7TMDI or ARM926EJS cores and a relatively small-sized firmware in the range of kilobytes to very few megabytes, like on the famous OsmocomBB supported phones. Modern cellular modems re-use the cellular chipsets of smartphones one or two generations ago, like the MDM9615 used in the iPhone 5. As those chipsets contain plenty of processors and are quite sophisticated SoCs on their own, one can even find (undocumented) Linux or Android in some modems, which of course makes them a very attractive target for further exploration or running your own code inside the modem. We will give a short overview about the current market of cellular modems, the major chipset suppliers and chipset families and then pick one or two examples and show the methods used for reverse engineering them to a point where they can be used for much more than the AT command or QMI interface officially documented/supported by the manufacturer. This includes the execution of custom code inside modems, as well as protocol tracing of the air-interface. We'll also look at the FOTA (Firmware Update Over The Air) features, and perform a security analysis of our findings. This talk understands itself following the tradition of various baseband processor related talks at many CCC events of the past decade, including 25C3: Anatomy of smartphone hardware and 28C3: Reverse-engineering a Qualcomm baseband. Both speakers (Harald Welte and Holger Freyther) have been working on Free Software related to cellular telephony for more than a decade, including projects like Openmoko, OpenBSC, OsmocomBB and many other Osmocom projects.

Additional information

Type lecture
Language English

More sessions

12/27/16
Security
Martin Schmiedecker
Saal 6
Certificate transparency - what is it, and what can be done with it?
12/27/16
Security
Saal G
Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as ...
12/27/16
Security
Yannay Livneh
Saal 6
PHP-7 is a new version of the most prevalent server-side language in use today. Like previous version, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from exploiters and vulnerability researchers point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and ...
12/27/16
Security
Chris Gerlinsky
Saal 2
Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use.
12/27/16
Security
Trammell Hudson
Saal 1
Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer. It targets specific models of commodity hardware and takes advantage of lessons learned from several years of vulnerability research. ...
12/27/16
Security
Mathy Vanhoef
Saal 6
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
12/27/16
Security
Sebastian Schinzel
Saal 2
We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Using Internet-wide scans, we find that 33% of all HTTPS servers are vulnerable to this protocol-level attack.