FirmWire: Taking Baseband Security Analysis to the Next Level

This talk will provide an introduction to FirmWire, our open-source emulation platform for cellular baseband images. The platform allows researchers to dynamically debug, introspect, and interact with complex baseband firmware, providing insights about its inner workings in real-time.

FirmWire’s integrated ModKit builds upon these powerful capabilities to create and inject custom tasks inside the emulated baseband. We leverage this ModKit to enable full-system fuzzing via AFL++ by creating custom fuzzing tasks interacting with the host, using special hypercalls. With this setup, we uncovered one pre-authentication vulnerability in MediaTek's MTK and several pre-authentication vulnerabilities in the LTE and GSM stacks of Samsung’s Shannon baseband implementation, affecting millions of devices.

FirmWire is the outcome of a more than two-year-long international research collaboration between the University of Florida, Vrije Universiteit Amsterdam, TU Berlin, and Ruhr-University Bochum. We will release it to the public in 2022.


Grant Hernandez, Security Researcher

Grant is a mobile vulnerability researcher. He previously worked on Qualcomm's QPSI OTA team with a modem security focus. He completed his PhD on embedded firmware analysis in 2020 from the University of Florida where he explored symbolic execution of USB firmware, exposed how AT commands are used on Android devices, recovered Android security policies from firmware, and built a baseband emulation platform – FirmWire.


Dominik Maier, Google

Dominik is a security engineer at Google and part of the open-source AFLplusplus project, which maintains the AFL++ and LibAFL fuzzing frameworks. During his PhD at TU Berlin he worked on fuzzing weird targets, including basebands. In his spare time he likes to travel and participate in CTFs with ENOFLAG.


Marius Muench, Vrije Universiteit Amsterdam

Marius is a postdoctoral researcher at Vrije Universiteit Amsterdam. His research interests cover (in-)security of embedded systems, as well as binary and microarchitectural exploitation. He obtained his PhD from Sorbonne University in cooperation with EURECOM. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, which is also used within the FirmWire project.
