Explore the security vulnerabilities of the interface between baseband chips and iOS in this 55-minute conference talk. Dive into the challenges of fuzzing this critical interface, which should protect against escalations from the baseband into operating system components. Discover how the implementation is riddled with bugs, leading to various unexpected effects on iPhones, including loss of identity and location information, and accumulation of thousands of undeletable SMS messages. Learn about baseband chip vulnerabilities, Remote Code Execution (RCE) attacks, and the complexities of escalating from baseband to operating system. Gain insights into fuzzing techniques, challenges, and solutions, as well as the broader implications for iOS security and wireless research opportunities on both jailbroken and non-jailbroken devices.
Overview
Syllabus
Intro
Baseband Security Assumptions
SS7 Attacks
Baseband RCE+LPE Strategies?
Generation-based Fuzzing + Crash Feedback
Modifying vs. Injecting Packets
Injection Example: Trace Replay
Frankenstein
DTrace & AFL
Bluetooth Inplace Modification
Apple Remote Invocation Format
F1: Calling for help...
Modifying Existing Packets
ICEPicker X): Local AFL++
External Blind Corpus-based Injection
External radarsa
Memory Sanitization
Identifying Bottlenecks
Statistics
Taught by
media.ccc.de
