Forwarded from Pegasus NSO & other spyware
BaseMirror: Automatic Reverse Engineering of Baseband
Commands from Android’s Radio Interface Layer∗
#Android #BaseBand #Exynos #Cellular
Abstract
In modern mobile devices, the baseband is an integral component running on the cellular processor to handle crucial radio communications. However, recent research reveals significant vulnerabilities in these basebands, posing serious security risks such as remote code execution.
Yet effectively scrutinizing basebands remains a daunting task, as they run closed-source, proprietary software on vendor-specific chipsets. Existing analysis methods are limited by their dependence on manual processes and heuristic approaches, which reduces their scalability.
This paper introduces a novel approach to unveiling security issues in basebands from a unique perspective: uncovering vendor-specific baseband commands from the Radio Interface Layer (RIL), the hardware abstraction layer that interfaces with the baseband. To demonstrate this concept, we have designed and developed BaseMirror, a static binary analysis tool that automatically reverse engineers baseband commands from vendor-specific RIL binaries. It uses a bidirectional taint analysis algorithm to identify baseband commands from an enhanced control flow graph enriched with reconstructed virtual function calls.
Our methodology has been applied to 28 vendor RIL libraries, covering a wide range of Samsung Exynos smartphone models on the market. Remarkably, BaseMirror has uncovered 873 unique baseband commands that were not publicly disclosed. Building on these results, we developed an automated attack discovery framework that derives and validates 8 zero-day vulnerabilities triggering denial of cellular service and arbitrary file access on a Samsung Galaxy A53 device. These findings have been reported to and confirmed by Samsung, and a bug bounty was awarded to us.