#Hacktivity2021 // Exploring & Exploiting Zero-Click Remote Interfaces of Modern Huawei Smartphones

Dániel Komáromy, Lóránt Szabó - How To Tame Your Unicorn - Exploring and Exploiting Zero-Click Remote Interfaces of Modern Huawei Smartphones

This presentation was held at #Hacktivity2021 IT security conference on 8th October 2021.

The exploration of baseband security has come a long way in the past decade. Published research has exposed privacy issues in 3GPP protocols from GSM to LTE and traditional memory safety vulnerabilities in implementations of various chipset vendors. Yet, in some ways, we have only scratched the surface.

For one, almost all published memory corruption bugs have been classic TLV parsing vulnerabilities in Layer 3 GSM. For another, previous remote exploitation demonstrations treated basebands as just more code doing typical input parsing, without considering the maze of hardware elements that surround them, and stayed inside the baseband sandbox.

We have set out to challenge the status quo with our research into the newest iterations of Huawei’s Kirin SoCs. After Pwn2Own 2017, Huawei stopped supporting unlocked bootloaders, introduced new firmware encryption for SoC components, and invested heavily in improving code quality relative to the well-known baseband source leak. In fact, the latest Kirin chipsets that have been the subject of published research are from 2016.

We will cover our journey from unlocking the newest generations of Huawei devices through identifying and exploiting bootloader vulnerabilities to building a debugger and reversing new mitigation improvements of the baseband OS. We will dive into a part of the 3GPP stack that hasn’t received much attention before and present our results of reversing Huawei’s implementation and finding remotely exploitable vulnerabilities that work differently from previously documented baseband memory corruption bugs.

Finally, we will investigate the ways a baseband interacts with the rest of the SoC. We will show a handful of vulnerabilities that we have found, both in software and hardware, and explain how we exploited them to escape from the baseband and take over not only Android and the Linux kernel, but even TrustZone.

#HACKTIVITY is the biggest event of its kind in Central & Eastern Europe. About 1000 visitors come from all around the globe every year to learn more about the latest trends in cybersecurity, get inspired by people with similar interests, and develop themselves through comprehensive workshops and training sessions.