Research Background

The number of cellular baseband players in the top-tier smartphone market is fairly small: Qualcomm, HiSilicon, Samsung, MediaTek, and Intel. With the exception of Intel, most of these manufacturers have been in the spotlight of relatively recent public security research in the mobile space (albeit more is needed and coming!). Intel’s market share is relatively small, measured by the number of flagship devices it has managed to win. The bulk of the market is dominated by Qualcomm solutions.
Background

In mid-January, the Zero Day Initiative announced the rules for the 2017 version of the contest, including considerable rewards for owning VMware and performing an escape from the guest to the host. VMware itself is not a new target, but it was only first included as a contest target in 2016. VMware has already been hit by various exploits in the past and has a reasonably large attack surface. Interestingly, a fair share of the serious vulnerabilities usable for guest escapes was uncovered back in 2006-2009, and then again starting in roughly 2015 with the work by Kostya Kortchinsky and lokihardt targeting VMware’s virtual printing and drag-and-drop/copy-and-paste functionality.
Intro

Today’s mobile systems are composed of multiple separate, but highly interconnected, processing units, each running its own code. Previous research has proven that these components, especially the wireless baseband processors, are susceptible to remote or vicinity attacks. Such exploits have been demonstrated in practice against all major baseband SoC vendors during the last few years. Compromising the baseband (the modem, or MD as it is referred to in MTK source code) is a powerful attack, as it provides access to all data passing through the modem while remaining virtually undetectable by current protection mechanisms.
Introducing LuaQEMU

When dealing with complex code in firmware, it is often desirable to have some kind of dynamic runtime introspection as well as the ability to modify behavior on the fly. For example, when reverse engineering embedded solutions such as cellular basebands or custom operating system code, the analyst’s understanding of a target is often fueled by complementing binary analysis with the ability to look at protocol stacks, operating system tasks, and memory at runtime.
In the last 36 hours, news of a “cyber attack” against Deutsche Telekom DSL routers has been making headlines in German media. Customers have been asked to restart their devices to receive firmware updates, but little information on the actual cause has been made available, which has led to rumours and speculation. The dominant theory proposed thus far was that a strain of the Mirai botnet family was responsible for the outage.
Last month we gave a presentation at REcon about Samsung baseband security. The slides are available here. In the talk, we discuss the steps for understanding the proprietary firmware format, reverse engineering the RTOS, figuring out the security architecture, analyzing the attack surface to find vulnerabilities, and, finally, writing an exploit to achieve remote code execution. During our journey, we found several tricks that often prove useful when reverse engineering embedded devices and that applied nicely to our use case.