BaseSAFE: Finding Vulnerabilities in Smartphone Basebands

What is a Baseband?

Each modern smartphone contains a wide variety of different processors. Not only are there multiple processors for the mobile operating system (e.g. Android, iOS), but a range of processors, mostly unheard of by the user, that work inside the phone day in, day out. Even the tiny SIM cards have microprocessors built into them!

The processor handling all cellular communication in a phone is the baseband processor. These tiny cores run their own, full-blown operating systems. A range of vendors develop these operating systems. Basebands use real-time operating systems (RTOS), which are vastly different from Android or iOS. They are specifically tailored to handle communication and data transfers with low latency.

A main task of this cellular baseband is to establish communication with the operator’s base stations. Even though this sounds quite simple, in detail the baseband supports complex protocol stacks to perform various high-throughput tasks in realtime.

In addition to maintaining synchronous communication with the cell tower, the cellular baseband handles all the user’s phone calls, messaging, mobile data transmission, and more.

It’s well-known among researchers that complexity is the enemy of software security.

A baseband contains countless high-complexity protocol parsers, pieces of software interpreting information recieved over the air. Thus, the baseband’s firmware must be one of the largest attack vectors in any modern smartphone.

Still, to this date, security testing of mobile basebands is hard, and either performed behind closed doors, in a black-box fashion, or through manual static analysis – by staring at the binary. Baseband and device manufacturers limit direct access to the baseband in various ways. They block access to debugging interfaces and even encrypt the entire baseband firmware. This secrecy and closed-sourceness, and even usage of relatively unknown or custom architectures, such as Qualcomm Hexagon, increase the barrier to mobile baseband analysis, while at the same time making it a more interesting and rewarding target.

Researchers at TU Berlin take a novel approach to baseband research. Initially, they reverse-engineer baseband firmwares to understand the undocumented inner workings of these systems. With this knowledge, they are able to rehost parts of the firmware, which means running the firmware in an emulator, instead of on the real device.

While the baseband chip itself is heavily locked down, the emulator allows the security researchers to run deep analyses on the firmware during execution.

A major analysis the researchers use in their so-called “BaseSAFE” platform is coverage-guided fuzzing.

In recent years, fuzzing has become a standard tool for vulnerability research in low-level code. The target, in this case a parser in the baseband, gets executed over and over again, millions of times, with different inputs. The fuzzing tool, AFL++ in this case, sees what part of the code it reached, learns if it found new behavior in the target, and generates the next test inputs in a smart way. Feedback-guided fuzzing is so effective in finding critical bugs, because it generates unexpected inputs that the programmers did not think about.

Through emulation, BaseSAFE gathers deep insights into the execution, and therefore is able to fuzz the firmware with coverage feedback. First, a security researcher implements a so-called “harness” for the target. For their proof-of-concept, the researchers from TU Berlin call LTE parsers in the baseband directly. In combination with AFL++, BaseSAFE found vulnerabilities in the tested baseband, used by a wide variety of Android devices. Through fuzzing BaseSAFE recovers valid inputs from their actual implementation in the firmware, and discovers unhandled corrupted signaling messages, leading to crashes and overflows. The researchers could even replay the attacks found in their emulator against a real device, proving that their concept works.

To sum it up, BaseSAFE allows security researchers to find critical bugs in cellular basebands and similar embedded systems.

2020 WiSec Best Teaser Award

This article was written in collaboration with researchers Dominik Maier and Shinjo Park from the Technische Universität Berlin. Read the full in-depth research paper here.

Dr.-Ing. Altaf Shaik, is currently a senior researcher at the Technical University of Berlin in Germany. He conducts research in telecommunications, esp., 5G radio access and core network security. He combines a professional background in programming, wireless communications and offensive network security. His renowned research exposed several vulnerabilities in the commercial 4G and 5G specifications and commercial networks that allow attackers to perform powerful attacks affecting millions of base stations, handsets, M2M and NB-IoT devices.