Published attacks against smartphones have concentrated on software running on the application processor. With numerous countermeasures such as ASLR, DEP and code signing being deployed by operating system vendors, practical exploitation of memory corruptions on this processor has become a time-consuming endeavor. At the same time, the cellular baseband stack of most smartphones runs on a separate processor and is significantly less hardened, if at all. In this paper we demonstrate the risk of remotely exploitable memory corruptions in cellular baseband stacks. We analyze two widely deployed baseband stacks and give exemplary cases of memory corruptions that can be leveraged to inject and execute arbitrary code on the baseband processor. The vulnerabilities can be triggered over the air interface using a rogue GSM base station, for instance OpenBTS together with a USRP software-defined radio.