
The New Rise of Mobile Network and Baseband

Marco Grassi

July 01, 2019

Transcript

  1. The New Rise of Mobile Network
    and Baseband
    Marco Grassi (@marcograss)

  2. About Me
    • Member of Tencent KEEN Security Lab (formerly known as KeenTeam)
    • Marco (@marcograss):
    • My main focus was iOS/Android/macOS and sandboxes, but recently I shifted
    to hypervisors, basebands, firmware, etc.
    • pwn2own 2016 Mac OS X Team
    • Mobile pwn2own 2016 iOS team
    • pwn2own 2017 VMWare escape team
    • Mobile pwn2own 2017 iOS Wifi + baseband team (pwned Huawei baseband
    RCE)

  3. About Tencent Keen Security Lab
    • Previously known as KeenTeam
    • White Hat Security Researchers
    • Several times pwn2own winners
    • We are based in Shanghai, China
    • Our blog is
    https://keenlab.tencent.com/en/
    • Twitter @keen_lab

  4. Agenda
    • 5G
    • Intel Baseband (iPhone)
    • Huawei Baseband (p30)
    • Conclusions

  5. 5G

  6. 5G, Why 5G?
    • With 2G/3G/4G the goal was to have cheap phones and cheap call/data
    plans, to get everyone connected.
    • 4G: high bandwidth, rich media, HD videos, content.
    • Now that everyone has a smartphone with a data plan, how can the carriers
    make more money? There is nobody left to sell a smartphone and a data
    plan to.

  7. 5G, Why 5G?
    • 5G => cheap radios, lots of capacity.
    • How can carriers make money?
    • Connect everything! Devices, cars, sensors.
    • People are already connected; now the only way to expand the market is
    to connect “THINGS”.

  8. 5G, The big players
    • Huawei
    • Qualcomm
    • Intel recently announced they dropped out of 5G for the iPhone
    baseband?
    • ZTE
    • Ericsson
    • Nokia
    • Samsung
    • …

  9. 5G, critical infrastructure
    • Expected capacity: 1 million connected objects per 1 km²
    • In a 4G and lower network, most of the consumers are end users
    • In a 5G network?
    • Private deployments (in a factory for example, instead of using wires)
    • Connected industrial robots
    • Fleets of shared cars in a network slice
    • Medical equipment / personal health equipment
    • Traffic lights (semaphores) / road traffic management networks
    • In a 4G network, reliability is important, but not TOO critical
    • In a 5G one, it might be, if you control critical infrastructure.
    • Also, the connected devices are different in nature.

  11. 5G, not only smartphones
    • This talk is mostly focused on
    smartphones because now they are
    the main consumers of baseband
    devices.
    • But this is rapidly changing; the same work can
    be readily applied to other areas such as
    smart cars, which of course have a modem.
    • Also, the “endpoints” are not the only
    attackable target: base stations are too.

  12. 5G not only smartphones, use cases
    • Enhanced Mobile Broadband (eMBB): richer and faster data
    consumption for humans, high definition videos, downloads etc.
    • Ultra-Reliable Low-Latency Communications (URLLC): MISSION
    CRITICAL applications that cannot afford delays and unreliability.
    • Massive Machine-Type Communications (mMTC): big networks of
    potentially low-power devices. It must support low power consumption,
    high capacity and low cost.

  13. Before switching to the baseband part, a few
    words about the base station
    • Traditional attacks are focused on the mobile/modem endpoint
    • What about the Base Station?
    • If a Rogue Base Station can attack a Mobile phone, then a Rogue radio
    or Rogue mobile phone can attack the Base Station (opposite way)
    • The impact is much higher since it affects all the devices managed by
    that cell (or more, if the core network is reached)

  14. Asymmetry of attack
    • Attacking a device on a 3G or newer network
    is more difficult because the device
    authenticates the network, and as attackers
    we don’t have the keys (unless we
    downgrade to a 2G network)
    • On the other hand, if we want to attack a
    network (base station and core network),
    we can simply buy a SIM card and we can!
    • Not much research on this… yet…
    • Little to no research in this area. So it
    might be fruitful
    • Equipment for research is not easy to
    obtain, but can be found.
    • 2nd hand BTS and core networks can be
    purchased

  15. How to attack a base station in one slide
    Modified mobile terminal software stack (srsUE), or modified baseband
    software (C118, osmocom project)
    +
    Software defined radio, or hardware such as the Motorola C118, or a
    smartphone with code injected inside the modem
    + SIM card
    =
    Over-the-air exploit: RCE inside the base station or core network.

  16. BASEBANDS

  17. Basebands: The challenges
    • A baseband includes a piece of software generally running on a
    separate CPU, implementing an RTOS and the radio stacks.
    • Closed Source (Except source code leaks)
    • No debug/introspection capabilities out of the box
    • Extensive reverse engineering work required
    • Knowledge of the Specifications is a must

  18. INTEL BASEBAND

  19. An alternative story
    • The Application Processor side of the iPhone is getting more and
    more mitigations and security scrutiny.
    • Recently, PAC, and more and more auditing.
    • There are several other paths of least resistance.
    • The Baseband is one of them
    • Can become a 0 clicks entry point
    • Basebands are VERY complex.
    • Complexity is an enemy of the vendor, but a friend of
    the attacker.

  20. The Intel Baseband: Intro
    • We will not cover the baseband basics for time constraints, you can
    find them in other talks, most notably:
    • Amat Cama, A walk With Shannon (Samsung)
    • Comsecuris, Breaking Band (Samsung)
    • Keen Lab, Exploitation of a Modern Smartphone Baseband (Huawei)
    • Charles Nitay Anna, The Baseband Basics (Multiple)
    • Guy – From Zero to Infinity (Intel)
    • Comsecuris - There's Life in the Old Dog Yet (blogpost on iphone intel
    baseband)
    • The iPhone XR has the Intel (x-gold) XMM7560 model

  21. Attacking the baseband in one slide
    Modified base station software stack to trigger the exploit (OpenBSC,
    OpenBTS, srsLTE)
    +
    Software defined radio or equivalent hardware (USRP, BladeRF, CMU200
    testing hardware)
    =
    Over-the-air exploit: RCE inside the phone baseband.

  22. Getting the baseband
    • Grab the ipsw link of your choice, for example iPhone XR
    • Shameless plug, save time by grabbing
    https://github.com/marcograss/partialzip
    • You can download single files from inside the huge ipsw, saving
    time/bandwidth
    • Use “list” command to find the baseband firmware, for example
    “Firmware/ICE18-1.03.08.Release.bbfw”
    • Use the download command to get just that file (~40 MB instead of
    3-4 GB)
    • You are welcome.
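    The trick partialzip automates, as an added example (this is not the project's own code): read only the central directory at the end of the archive, then the byte range of the one member you want. `read_range(offset, length)` is a hypothetical stand-in for an HTTP Range request against the ipsw URL; `constructed_archive` builds a small in-memory zip so it runs offline.

```python
import io
import struct
import zipfile
import zlib
# Added example, not partialzip's own code: read only the zip's central
# directory (at the end of the archive) plus one member's byte range.
# read_range(offset, length) -> bytes is a hypothetical stand-in for an HTTP
# Range request against the ipsw URL; the test archive below is constructed.
EOCD_SIG, CDIR_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte fixed part of a central dir entry

def list_members(read_range, total_size):
    """{name: (method, crc32, compressed_size, local_header_offset)} parsed
    from the End Of Central Directory record and the central directory."""
    tail_len = min(total_size, 22 + 65535)  # EOCD record + max comment length
    tail = read_range(total_size - tail_len, tail_len)
    eocd = tail.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("EOCD not found (ZIP64 archives are not handled here)")
    cd_size, cd_offset = struct.unpack_from("<II", tail, eocd + 12)
    cd, pos, members = read_range(cd_offset, cd_size), 0, {}
    while pos + 46 <= len(cd) and cd[pos:pos + 4] == CDIR_SIG:
        f = struct.unpack_from(CDIR_FMT, cd, pos)
        method, crc, csize, nlen, xlen, clen, off = (f[4], f[7], f[8], f[10],
                                                     f[11], f[12], f[16])
        members[cd[pos + 46:pos + 46 + nlen].decode()] = (method, crc, csize, off)
        pos += 46 + nlen + xlen + clen
    return members

def download_member(read_range, total_size, wanted):
    """Fetch one member (sizes from the central directory, since a local
    header may hold zeros when a data descriptor is used) and check its CRC."""
    method, crc, csize, off = list_members(read_range, total_size)[wanted]
    lfh = read_range(off, 30)  # fixed part of the local file header
    if lfh[:4] != LFH_SIG:
        raise ValueError("bad local file header at offset %d" % off)
    if method not in (0, 8):
        raise ValueError("unsupported compression method %d" % method)
    nlen, xlen = struct.unpack_from("<HH", lfh, 26)
    raw = read_range(off + 30 + nlen + xlen, csize)
    data = raw if method == 0 else zlib.decompress(raw, -15)  # raw deflate
    if zlib.crc32(data) != crc:
        raise ValueError("CRC32 mismatch for " + wanted)
    return data

def constructed_archive():
    """Constructed stand-in for an ipsw: a small in-memory zip, two members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Firmware/ICE18-1.03.08.Release.bbfw", b"fake bbfw " * 400)
        z.writestr("filler.dmg", bytes(range(256)) * 64)
    return buf.getvalue()
```

    Against a real ipsw you would back `read_range` with Range requests, so only the central directory and the ~40 MB member are transferred.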

  23. The bbfw
    • The bbfw is just a zip file
    • Extract it: it is composed of several ELFs
    • SYS_SW.elf is where the main OS/stack is located
    • The header says ELF for ARM… but it’s Intel (from iPhone XS and XR on;
    before that it was ARM)
    • Patch the ELF header to make it Intel arch (010 Editor with the ELF
    template is a good choice), then load it into IDA Pro
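    The header patch from the previous bullet, scripted, as an added example (not from the deck): it validates the ELF ident, reads `e_machine`, and rewrites it. Using EM_386 as the target is an assumption for an ELFCLASS32 image; `constructed_header` is a made-up 52-byte header, not a real bbfw.

```python
import struct

# Added example, not from the deck: SYS_SW.elf in the XS/XR bbfw is labelled
# EM_ARM although the code is Intel, so disassemblers pick the wrong CPU.
# This rewrites e_machine after validating the header (same effect as editing
# it in 010 Editor). EM_386 as target is an assumption for a 32-bit image;
# pass EM_X86_64 instead for an ELFCLASS64 one.
EM_386, EM_ARM, EM_X86_64 = 3, 40, 62

def elf_machine(data):
    """Return (EI_CLASS, e_machine) after checking the ELF magic and encoding."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a valid ELF header")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    # e_machine sits at offset 18 in both the ELF32 and the ELF64 header layout
    return data[4], struct.unpack_from(endian + "H", data, 18)[0]

def patch_machine(data, new_machine=EM_386, expect=EM_ARM):
    """Return a copy with e_machine rewritten; refuse to touch a header whose
    current machine is not the one we expect to be mislabelled."""
    _, machine = elf_machine(data)
    if machine != expect:
        raise ValueError("e_machine is %d, expected %d" % (machine, expect))
    endian = "<" if data[5] == 1 else ">"
    out = bytearray(data)
    struct.pack_into(endian + "H", out, 18, new_machine)
    return bytes(out)

def constructed_header():
    """Constructed 52-byte ELF32 LSB header labelled EM_ARM (not a real bbfw)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # class32, LSB, v1
    rest = struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x1000, 52, 0, 0,
                       52, 32, 1, 40, 0, 0)
    return ident + rest
```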

  24. Reversing the firmware
    • I prefer to use the ARM version of the firmware because IDA Pro
    handles it better
    • It has several disadvantages compared to the x86 ones,
    • It’s the older baseband model
    • Lack of some network support such as CDMA
    • Baseband reversing is not straightforward… You can check the talk
    “Breaking Band” by Comsecuris, it’s basically a continuous wash and
    rinse, until you have a usable IDB
    • More challenging on Intel IMO since there are fewer strings than in
    Samsung Shannon

  25. Reversing the firmware
    • Around 120k functions
    • The first thing to do is to find the alloc /
    free variants, and the RTOS APIs
    • Not too hard to find
    • You can then find init functions
    of the tasks. And the handler
    functions of the threads
    • Hint: UtaOsThreadCreate

  26. “Important” threads
    • There are descriptions in
    memory for the threads
    that handle the juicy radio
    stuff where you want to find
    the RCEs.
    • Stuff like GMM, GRR,
    mobility management,
    EMM etc are there.
    • You need a good knowledge
    of the specs to choose what
    to go after..

  27. Threads
    • Like most of the
    basebands/rtos they
    constantly wait for some
    messages, dequeue them
    and then handle them
    (including the radio
    messages)
    • Lots of messages are intra-task;
    not all are relevant for
    over-the-air content

  28. Memcpy_s
    • Like Qualcomm and Huawei,
    they have some “secure”
    version of memcpy, checking
    bounds on destinations and
    source (if properly specified)

  29. Message handling
    Messages between tasks and over the air are usually described
    programmatically in arrays with id and handlers

  30. Message handling
    The task routine will find the
    correct handler and invoke it

  31. How to get more debugging info from
    baseband
    • Go to https://developer.apple.com/bug-reporting/profiles-and-logs/
    • Download and install the “Baseband.mobileconfig” profile for iOS
    • Reboot the device
    • You can also trigger a sysdiagnose by holding both volume buttons and the
    top button
    • Get some (very) basic information on baseband crashes (task, address
    of abort, …)

  32. Escaping the baseband (example)
    Baseband where you have code exec -> (PCI-E, UserClient, etc.) -> Application Processor
    Target 1: Kernel
    Target 2: CommCenter
    Others
    You have several places where you can trigger a second bug on the Application Processor from the baseband:
    Kernel, CommCenter, Others
    (Keep in mind that at this point you will still have to face PAC, since we will go on the
    Application Processor)

    View Slide

  33. Intel Baseband Application Processor
    interface on iPhone XS/XR (Kernel)
    • Relevant IOKit classes and components that we can gather from ioreg:
    • Connected over PCI-E (baseband-pcie) as an IOPCIDevice
    • Has 2 IODeviceMemory, one of 0x1000 and one of 0x100
    • AppleBasebandPCI
    • Baseband (IOPlatformDevice)
    • Has an interesting “function-coredump”
    • AppleBasebandD101
    • AppleBasebandPCIICEControl
    • AppleBasebandPCIRTIDevice
    • AppleBasebandPCIRTIInterface
    • AppleBasebandPCIPDPADAMSkywalk
    • Others… Not enough space… But you can see there is a lot of «meat»

  34. Intel Baseband Application Processor
    interface on iPhone XS/XR (Usermode)
    • AppleBasebandUserClient
    • Used by «CommCenter» but also by «locationd» to communicate
    with the kernel

  35. CommCenter
    • Usermode launch daemon related to the modem
    • Huge binary, 24 MB plus libraries
    • Runs as “_wireless” user
    • It has a couple of “helpers” CommCenterMobileHelper,
    CommCenterRootHelper
    • “CommCenter is a 30 mb binary, even with PAC I bet you can find the
    right primitives” - qwerty

  36. How to make your research easier
    • Researching on iPhone often
    requires a jailbreak on the latest
    version…
    • You can do some of the research on
    older models, or wait in 2019 for
    Intel to push some new Android
    models with the new XMM
    • Asus Zenfone 2 (Android, old as fuck)
    • Some Sierra Wireless Modules

  37. The future (guesses)
    • ASLR will soon come to all mainstream basebands, making the bar for
    RCE higher, and this could be in theory implemented right now
    • Intel CET or ARM64 PAC in the future when new SoCs come out?

  38. HUAWEI

  39. Huawei p30 baseband
    • The phone is based on kirin 980
    • The baseband load address appears to be 0x20000000
    • Ram size should be 0x9B00000
    • The architecture is ARM like in the past years
    • “sec_balong_modem.bin” in modem.fw, the stuff prefixed with sec_
    is encrypted
    • You can load it in IDA Pro fairly easily (if you can get the decrypted
    firmware, OFC)

  40. Huawei baseband new mitigations
    • “MODEM_SANITIZER”
    kernel configuration
    • Seems not set at the
    moment on the p30
    • If enabled it hints that stack
    cookies + modem ASLR are
    deployed.
    • balong_product_config_drv.mk
    • New Kirin 980

  41. Sanitizers?
    • v_blkMem.h
    • ASAN tracking has a pid
    • Maybe used to track
    baseband tasks memory?
    • Hard to say without their
    debug builds, have to
    speculate.

  42. ASLR is coming? Crumbs in the baseband Huawei p30 code
    • Calls are indirect
    • Register load with target is
    split in 2
    • In future add ASLR offset to
    upper bits?
    • IDA resolves those
    • Just speculations
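    The “register load split in 2” pattern is a Thumb-2 MOVW (low 16 bits) followed by a MOVT (high 16 bits) into the same register, which IDA folds into one target address. As an added example (not from the deck), this walker resolves such pairs in a little-endian Thumb-2 byte stream; the sample bytes are constructed and rebased to the 0x20000000 load address mentioned on the p30 slide.

```python
import struct

# Added example, not from the deck: resolve MOVW/MOVT pairs (the split
# register load that IDA folds into one address) in Thumb-2 code. The walker
# assumes it starts on an instruction boundary and that the bytes are code;
# SAMPLE is constructed, not taken from a real firmware.

def decode_mov_imm(hw1, hw2):
    """Decode a MOVW (T3) or MOVT (T1) 32-bit Thumb encoding; None otherwise."""
    if (hw1 & 0xFBF0) not in (0xF240, 0xF2C0) or hw2 & 0x8000:
        return None
    imm16 = (((hw1 & 0xF) << 12) | (((hw1 >> 10) & 1) << 11)   # imm4:i
             | (((hw2 >> 12) & 7) << 8) | (hw2 & 0xFF))         # imm3:imm8
    return ("movt" if hw1 & 0x80 else "movw", (hw2 >> 8) & 0xF, imm16)

def resolve_split_loads(code, base=0):
    """Return {address_of_movt: (rd, full 32-bit value)} for each MOVW/MOVT
    pair writing the same register. `base` is the load address added to every
    offset. Other writes to rd between the two halves are not modelled."""
    pending, resolved, off = {}, {}, 0
    while off + 2 <= len(code):
        hw1 = struct.unpack_from("<H", code, off)[0]
        if (hw1 >> 11) < 0x1D:  # top bits 11101/11110/11111 mean 32-bit
            off += 2            # 16-bit Thumb instruction: skip it
            continue
        if off + 4 > len(code):
            break
        hw2 = struct.unpack_from("<H", code, off + 2)[0]
        dec = decode_mov_imm(hw1, hw2)
        if dec:
            kind, rd, imm16 = dec
            if kind == "movw":
                pending[rd] = imm16
            elif rd in pending:
                resolved[base + off] = (rd, (imm16 << 16) | pending.pop(rd))
        off += 4
    return resolved

# Constructed sample: movw r0,#0x1234 ; movt r0,#0x2000 ; blx r0 ;
#                     movw r3,#0xABCD ; movt r3,#0x2001 ; bx r3
SAMPLE = bytes.fromhex("41f23420" "c2f20000" "8047" "4af6cd33" "c2f20103" "1847")
```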

  43. Stack cookies Huawei
    • Stack canary introduced in
    selected functions

  44. Huawei baseband new mitigations
    • For sure, when enabled those 2 mitigations significantly raise the bar
    for exploitation
    • For example, some stack overflows are dead with the stack cookies, or
    need an additional cookie leak
    • ASLR requires an infoleak as well, maybe
    • If it’s implemented properly. Often mistakes are made, especially in
    the first implementations.

  45. Significant code efforts, but only on new
    models…
    • The code in the p30 went through a lot
    more scrutiny and rewriting
    (NEWNAS)
    • Many bugs were fixed actually
    • Sadly Huawei ships very old builds
    on phones that are still updated,
    even more than 1 year old builds of
    the modem.
    • Only the latest model is constantly
    updated.
    • AFAIK the baseband modem
    doesn’t affect the Android “Security
    Patch Level”, but I might be wrong.

  46. A few words about the leaked source code
    • Weirdly, still widely available
    online after several years.
    • Most of the bugs you find in
    the source code are likely
    dead; the source code is old.
    • Still extremely useful for
    starting RE.
    • That’s how we found our
    pwn2own RCE (auditing)
    • You can probably still find
    bugs this way.

  47. Conclusions
    • 5G will bring more modems around, baseband research will be more
    relevant in the future.
    • Vendors are trying to increase the mitigations in the baseband,
    Huawei especially is putting significant efforts.
    • The area of research of Base Station and Core Network memory
    corruption attacks still remains open because of the high entry barrier.
    • Security By Obscurity in 2019 rarely works.. Even Apple is giving up on
    encrypting firmwares, but Huawei now is encrypting as much as
    possible.
    • Like with Apple, researchers will find ways to get the firmwares.

  48. Acknowledgements
    • A friend who wants to stay anonymous
    • 陈良
    • Keen Lab

  49. Questions?
