Slide 1

The New Rise of Mobile Network and Baseband
Marco Grassi (@marcograss)

Slide 2

About Me
• Member of Tencent KEEN Security Lab (formerly known as KeenTeam)
• Marco (@marcograss):
• My main focus was iOS/Android/macOS and sandboxes, but it recently shifted to hypervisors, basebands, firmware, etc.
• pwn2own 2016 Mac OS X team
• Mobile pwn2own 2016 iOS team
• pwn2own 2017 VMware escape team
• Mobile pwn2own 2017 iOS Wi-Fi + baseband team (pwned Huawei baseband RCE)

Slide 3

About Tencent Keen Security Lab
• Previously known as KeenTeam
• White hat security researchers
• Several-time pwn2own winners
• We are based in Shanghai, China
• Our blog is https://keenlab.tencent.com/en/
• Twitter: @keen_lab

Slide 4

Agenda
• 5G
• Intel Baseband (iPhone)
• Huawei Baseband (P30)
• Conclusions

Slide 5

5G

Slide 6

5G, Why 5G?
• 2G/3G/4G: the goal was to have cheap phones and cheap call/data plans, to get everyone connected.
• 4G: high bandwidth, rich media, HD videos, content.
• Now everyone has a smartphone with a data plan; how can the carriers make more money? There are no more people to sell a smartphone and a data plan to.

Slide 7

5G, Why 5G?
• 5G => cheap radios, lots of capacity.
• How can carriers make money?
• Connect everything! Devices, cars, sensors.
• People are already connected; now the only way to expand the market is to connect "THINGS".

Slide 8

5G, The big players
• Huawei
• Qualcomm
• Intel (recently announced they dropped out of 5G for the iPhone baseband?)
• ZTE
• Ericsson
• Nokia
• Samsung
• …

Slide 9

5G, critical infrastructure
• Expected capacity: 1 million connected objects per 1 km²
• In a 4G and lower network, most of the consumers are end users
• In a 5G network?
• Private deployments (in a factory, for example, instead of using wires)
• Connected industrial robots
• Fleets of shared cars in a network slice
• Medical equipment / personal health equipment
• Traffic lights / road traffic management networks
• In a 4G network, reliability is important, but not TOO critical
• In a 5G one it might be, if it controls critical infrastructure.
• Also, the connected devices are different in nature.

Slide 11

5G, not only smartphones
• This talk is mostly focused on smartphones because right now they are the main consumers of baseband devices.
• But this is rapidly changing; the same work can readily be applied to other areas such as smart cars, which of course have a modem.
• Also, the "endpoints" are not the only attackable target... base stations are too.

Slide 12

5G not only smartphones, use cases
• Enhanced Mobile Broadband (eMBB): richer and faster data consumption for humans; high-definition video, downloads, etc.
• Ultra-Reliable Low-Latency Communications (URLLC): MISSION CRITICAL applications that cannot afford delays or unreliability.
• Massive Machine-Type Communications (mMTC): big networks of potentially low-power devices. It must support low power consumption, high capacity and low cost.

Slide 13

Before switching to the baseband part, a few words about the base station
• Traditional attacks are focused on the mobile/modem endpoint
• What about the base station?
• If a rogue base station can attack a mobile phone, then a rogue radio or rogue mobile phone can attack the base station (the opposite direction)
• The impact is much higher since it affects all the devices managed by that cell (or more: the core network)

Slide 14

Asymmetry of attack
• Attacking a device on a 3G or newer network is more difficult because the device authenticates the network, and as attackers we don't have the keys (unless we downgrade to a 2G network).
• On the other hand, if we want to attack a network (base station and core network), we can simply buy a SIM card and we can!
• Not much research on this... yet...
• Little to no research in this area, so it might be fruitful
• Equipment for research is not easy to obtain, but can be found.
• 2nd-hand BTS and core networks can be purchased

Slide 15

How to attack a base station in one slide
Modified mobile terminal software stack (srsUE; modified baseband software, e.g. the C118 with the osmocom project; ...)
+ Software-defined radio, or hardware such as the Motorola C118, or a smartphone with code injected inside the modem
+ SIM card
= Over-the-air exploit: RCE inside the base station or core network.

Slide 16

BASEBANDS

Slide 17

Basebands: The challenges
• A baseband includes a piece of software, generally running on a separate CPU, implementing an RTOS and the radio stacks.
• Closed source (except for source code leaks)
• No debug/introspection capabilities out of the box
• Extensive reverse engineering work required
• Knowledge of the specifications is a must

Slide 18

INTEL BASEBAND

Slide 19

An alternative story
• The Application Processor side of the iPhone is getting more and more mitigations and security scrutiny.
• Recently PAC, and more and more auditing.
• There are several other paths of least resistance.
• The baseband is one of them.
• It can become a 0-click entry point.
• Basebands are VERY complex.
• Complexity is an enemy of the vendor, but a friend of the attacker.

Slide 20

The Intel Baseband: Intro
• We will not cover the baseband basics for time constraints; you can find them in other talks, most notably:
  • Amat Cama, A Walk With Shannon (Samsung)
  • Comsecuris, Breaking Band (Samsung)
  • Keen Lab, Exploitation of a Modern Smartphone Baseband (Huawei)
  • Charles Nitay Anna, The Baseband Basics (Multiple)
  • Guy – From Zero to Infinity (Intel)
  • Comsecuris – There's Life in the Old Dog Yet (blog post on the iPhone Intel baseband)
• The iPhone XR has the Intel (X-GOLD) XMM7560 model

Slide 21

Attacking the baseband in one slide
Modified base station software stack to trigger the exploit (OpenBSC, OpenBTS, srsLTE, ...)
+ Software-defined radio, or equivalent hardware (USRP, BladeRF, CMU200 testing hardware)
= Over-the-air exploit: RCE inside the phone baseband.

Slide 22

Getting the baseband
• Grab the IPSW link of your choice, for example iPhone XR
• Shameless plug: save time by grabbing https://github.com/marcograss/partialzip
• You can download single files from inside the huge IPSW, saving time/bandwidth
• Use the "list" command to find the baseband firmware, for example "Firmware/ICE18-1.03.08.Release.bbfw"
• Use the download command to get just that file (~40 MB instead of 3-4 GB)
• You are welcome.

Slide 23

The bbfw
• The bbfw is just a zip file
• Extract it and it's composed of several ELFs
• SYS_SW.elf is where the main OS/stack is located
• It says ELF for ARM... but it's Intel (from the iPhone XS and XR on; before that it was ARM)
• Patch the ELF header to make it Intel arch (010 Editor with the ELF template is a good choice), then load it into IDA Pro
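
As an added example (not from the talk and not Intel's or Apple's tooling), a small C program that does the header patch this slide describes without a hex editor: it validates the ELF magic, honours the EI_DATA byte order, and rewrites the two-byte e_machine field, which sits at offset 18 in both ELF32 and ELF64 headers. It assumes the Intel target is 32-bit x86 (EM_386 = 3); substitute the value that matches the core if it differs.

```c
/* Added example, not the talk's or Intel's code: rewrite e_machine in an ELF
 * header so a disassembler loads SYS_SW.elf as an Intel binary. The value
 * EM_386 (32-bit x86) is an assumption; adjust it if the core differs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EM_386 3
#define EM_ARM 40

/* Current e_machine of buf, or -1 if buf does not start with a valid ELF header. */
int elf_machine(const unsigned char *buf, size_t len) {
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[5] == 1) return buf[18] | (buf[19] << 8);   /* EI_DATA = little-endian */
    if (buf[5] == 2) return (buf[18] << 8) | buf[19];   /* EI_DATA = big-endian */
    return -1;
}

/* Overwrite e_machine (offset 18 in ELF32 and ELF64 alike) with machine.
 * Returns the previous value, or -1 if the buffer is not an ELF header. */
int elf_patch_machine(unsigned char *buf, size_t len, uint16_t machine) {
    int old = elf_machine(buf, len);
    if (old < 0) return -1;
    if (buf[5] == 1) { buf[18] = machine & 0xff; buf[19] = machine >> 8; }
    else             { buf[18] = machine >> 8;   buf[19] = machine & 0xff; }
    return old;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s SYS_SW.elf\n", argv[0]); return 1; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror("fopen"); return 1; }
    unsigned char hdr[64];
    size_t n = fread(hdr, 1, sizeof hdr, f);     /* the ELF header is at most 64 bytes */
    int old = elf_patch_machine(hdr, n, EM_386);
    if (old < 0) { fprintf(stderr, "%s: not an ELF file\n", argv[1]); fclose(f); return 1; }
    rewind(f);
    fwrite(hdr, 1, n, f);                         /* write the patched header back in place */
    fclose(f);
    printf("e_machine %d -> %d\n", old, EM_386);
    return 0;
}
```

Run it on a copy of SYS_SW.elf; the original file is modified in place.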

Slide 24

Reversing the firmware
• I prefer to use the ARM version of the firmware because IDA Pro handles it better
• It has several disadvantages compared to the x86 one:
  • It's the older baseband model
  • Lack of some network support such as CDMA
• Baseband reversing is not straightforward... You can check the talk "Breaking Band" by Comsecuris; it's basically a continuous wash and rinse until you have a usable IDB
• More challenging on Intel IMO, since there are fewer strings than in Samsung Shannon

Slide 25

Reversing the firmware
• Around 120k functions
• The first thing to do is to find the alloc/free variants and the RTOS APIs
• Not too hard to find
• You can then find the init functions of the tasks, and the handler functions of the threads
• Hint: UtaOsThreadCreate

Slide 26

"Important" threads
• There are descriptions in memory for the threads that handle the juicy radio stuff, where you want to find the RCEs.
• Stuff like GMM, GRR, mobility management, EMM etc. are there.
• You need a good knowledge of the specs to choose what to go after.

Slide 27

Threads
• Like most basebands/RTOSes, they constantly wait for messages, dequeue them and then handle them (including the radio messages)
• Lots of messages are intra-task; not all are relevant for over-the-air content

Slide 28

Memcpy_s
• Like Qualcomm and Huawei, they have a "secure" version of memcpy, checking bounds on destination and source (if properly specified)

Slide 29

Message handling
• Messages between tasks and over the air are usually described programmatically in arrays with an id and a handler

Slide 30

Message handling
• The task routine will find the correct handler and invoke it
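
An added example (not from the talk and not any vendor's firmware) of the pattern described on the last few slides, together with the memcpy_s caveat: the task looks the id of a dequeued message up in an (id, handler) array and invokes the handler, and the handler copies with a bounded copy whose check is only as good as the destination size the caller passes. All names, ids and the message layout are hypothetical.

```c
/* Added example, not the talk's or any vendor's code: the id/handler table
 * pattern the slides describe, with a memcpy_s-style bounded copy. Names,
 * ids and the message layout are hypothetical. */
#include <stdint.h>
#include <string.h>

typedef struct { uint16_t id; uint16_t len; const uint8_t *payload; } msg_t;
typedef int (*handler_fn)(const msg_t *);

static uint8_t g_state[16];        /* task-local buffer filled from over-the-air data */
/* memcpy_s-style copy: refuses when the count exceeds the destination size
 * the caller supplied. Returns 0 on success, -1 when the copy is refused. */
static int bounded_copy(void *dst, size_t dst_size, const void *src, size_t n) {
    if (dst == NULL || src == NULL || n > dst_size) return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Handler with dst_size taken from the real buffer: an oversized message is rejected. */
static int handle_state_update(const msg_t *m) {
    return bounded_copy(g_state, sizeof g_state, m->payload, m->len);
}

/* Same handler, but dst_size is taken from the message itself, so the check
 * can never fail ("if properly specified" on the slide). When auditing, this
 * is the memcpy_s call site to flag. Never call it with len > sizeof g_state. */
static int handle_state_update_weak(const msg_t *m) {
    return bounded_copy(g_state, m->len, m->payload, m->len);
}

/* The array of (id, handler) pairs that the task routine walks. */
static const struct { uint16_t id; handler_fn fn; } g_handlers[] = {
    { 0x0101, handle_state_update },
    { 0x0102, handle_state_update_weak },
};

/* Task routine step: after dequeuing a message, find its handler and invoke it.
 * Returns the handler's result, or -2 if no handler is registered for the id. */
int dispatch(const msg_t *m) {
    for (size_t i = 0; i < sizeof g_handlers / sizeof g_handlers[0]; i++)
        if (g_handlers[i].id == m->id) return g_handlers[i].fn(m);
    return -2;
}

int main(void) {
    static const uint8_t big[32] = {0};              /* constructed oversized payload */
    msg_t m = { 0x0101, (uint16_t)sizeof big, big };
    return dispatch(&m) == -1 ? 0 : 1;               /* exit 0: the oversized message was refused */
}
```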

Slide 31

How to get more debugging info from the baseband
• Go to https://developer.apple.com/bug-reporting/profiles-and-logs/
• Download and install the "Baseband.mobileconfig" profile for iOS
• Reboot the device
• You can also trigger a sysdiagnose by holding both volume buttons and the top button
• Get some (very) basic information on a baseband crash (task, address of abort, ...)

Slide 32

Escaping the baseband (example)
Baseband (where you have code exec) -> PCI-E -> Application Processor
• Target 1: Kernel
• Target 2: CommCenter (UserClient etc.)
• You have several places where you can trigger a second bug on the Application Processor from the baseband: kernel, CommCenter, others
• (Keep in mind that at this point you will still have to face PAC, since we are moving onto the Application Processor)

Slide 33

Intel Baseband Application Processor interface on iPhone XS/XR (Kernel)
• Relevant IOKit classes and components that we can gather from ioreg:
  • Connected over PCI-E (baseband-pcie); it is an IOPCIDevice
  • Has 2 IODeviceMemory regions, one of 0x1000 and one of 0x100
  • AppleBasebandPCI
  • Baseband (IOPlatformDevice)
  • Has an interesting "function-coredump"
  • AppleBasebandD101
  • AppleBasebandPCIICEControl
  • AppleBasebandPCIRTIDevice
  • AppleBasebandPCIRTIInterface
  • AppleBasebandPCIPDPADAMSkywalk
  • Others... Not enough space... But you can see there is a lot of "meat"

Slide 34

Intel Baseband Application Processor interface on iPhone XS/XR (Usermode)
• AppleBasebandUserClient
• Used by "CommCenter" but also by "locationd" to communicate with the kernel

Slide 35

CommCenter
• Usermode launch daemon related to the modem
• Huge binary, 24 MB plus libraries
• Runs as the "_wireless" user
• It has a couple of "helpers": CommCenterMobileHelper, CommCenterRootHelper
• "CommCenter is a 30 mb binary, even with PAC I bet you can find the right primitives" - qwerty

Slide 36

How to make your research easier
• Researching on iPhone often requires a jailbreak on the latest version...
• You can do some of the research on older models, or wait in 2019 for Intel to push some new Android models with the new XMM
• Asus Zenfone 2 (Android, old as fuck)
• Some Sierra Wireless modules

Slide 37

The future (guesses)
• ASLR will soon come to all mainstream basebands, making the bar for RCE higher; this could in theory be implemented right now
• Intel CET or ARM64 PAC in the future, when new SoCs come out?

Slide 38

HUAWEI

Slide 39

Huawei P30 baseband
• The phone is based on the Kirin 980
• The baseband load address appears to be 0x20000000
• RAM size should be 0x9B00000
• The architecture is ARM, like in past years
• "sec_balong_modem.bin" in modem.fw; the stuff prefixed with sec_ is encrypted
• You can load it in IDA Pro fairly easily (if you can get the decrypted firmware, of course)

Slide 40

Huawei baseband new mitigations
• "MODEM_SANITIZER" kernel configuration
• Seems not set at the moment on the P30
• If enabled, it hints that stack cookies + modem ASLR are deployed.
• balong_product_config_drv.mk
• New Kirin 980

Slide 41

Sanitizers?
• v_blkMem.h
• ASAN tracking has a pid
• Maybe used to track baseband tasks' memory?
• Hard to say without their debug builds; we have to speculate.

Slide 42

ASLR is coming? Crumbs in the Huawei P30 baseband code
• Calls are indirect
• The register load of the target is split in 2
• In the future, add the ASLR offset to the upper bits?
• IDA resolves those
• Just speculation

Slide 43

Stack cookies, Huawei
• Stack canary introduced in selected functions

Slide 44

Huawei baseband new mitigations
• For sure, when enabled, those 2 mitigations significantly raise the bar for exploitation
• For example, some stack overflows are dead with the stack cookies, or need an additional cookie leak
• ASLR may require an infoleak as well
• If it's implemented properly. Often mistakes are made, especially in the first implementations.

Slide 45

Significant code efforts, but only on new models...
• The code in the P30 went under a lot more scrutiny and rewriting (NEWNAS)
• Many bugs were actually fixed
• Sadly Huawei ships very old builds on phones that are still updated, even more than 1-year-old builds of the modem.
• Only the latest model is constantly updated.
• AFAIK the baseband modem doesn't affect the Android "Security Patch Level", but I might be wrong.

Slide 46

A few words about the leaked source code
• Weirdly, still widely available online after several years.
• Most of the bugs you find in the source code are likely dead; the source code is old.
• Still extremely useful for starting RE.
• That's how we found our pwn2own RCE (auditing)
• You can probably still find bugs this way.

Slide 47

Conclusions
• 5G will bring more modems around; baseband research will be more relevant in the future.
• Vendors are trying to increase the mitigations in the baseband; Huawei especially is putting in significant effort.
• The area of base station and core network memory corruption attacks still remains open because of the high entry barrier.
• Security by obscurity in 2019 rarely works... Even Apple is giving up on encrypting firmware, but Huawei is now encrypting as much as possible.
• Like with Apple, researchers will find ways to get the firmware.

Slide 48

Acknowledgements
• A friend who wants to stay anonymous
• 陈良
• Keen Lab

Slide 49

Questions?
