Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult objective. In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them. By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.
Nitay Artenstein is a senior security researcher and the leader of an international research group. He has been a speaker at various security conferences, including Black Hat and Recon, and has conducted training sessions in Linux kernel exploitation and baseband research. He suffers from a severe addiction to IDA Pro (at least until he gets used to Ghidra’s GUI), and generally gets a kick out of digging around where he’s not supposed to.
Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 12 years of experience. Pedro has found and exploited hundreds of vulnerabilities in various software and hardware products. He has over 160 CVE ID’s attributed to his name (most of which related to remote code execution vulnerabilities) and has authored over 60 Metasploit modules which have been released publicly.
Besides his vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), with a variety of clients worldwide. More information about Pedro’s publicly disclosed vulnerabilities can be found at https://github.com/pedrib/PoC
Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM or LTE base station as a difficult objective.
In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.
By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.