
Security Masters Dojo

Advanced and intermediate security training and technology enhancement for information security professionals.

CanSecWest: Security Masters Dojo Vancouver

Practical Baseband Exploitation
Register for the March 14-17, 2020 (4-day course)


Nitay Artenstein


Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult, almost mythical objective.

In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and OpenBTS, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.

PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. The individual class guides list the material students are expected to already know coming in and the software tools that must be pre-installed before attending, so that you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites: the material listed there will not be reviewed in the courses, and it is necessary to get the maximum benefit out of these educational programs.

By the end of this heavily hands-on course, students will be familiar with two extremely common baseband platforms, Shannon and MediaTek, will have the skills to debug these and other baseband platforms, and will have learned about previously discovered bugs in basebands and how they have been exploited.

Course Outline

Introduction and Debugging

1. Introduction to communication processors

2. Code extraction and initial analysis

3. Achieving initial read primitives, basic code analysis

4. Debugging

Cellular Protocols and Static Analysis

1. Introduction to GSM, GPRS and UMTS

2. Shannon: Static analysis and an architecture overview

3. MediaTek: A comparison with Shannon

4. Getting ready to attack: Setting up a fake base station with USRP B210 and OpenBTS

Bug Hunting and Exploitation

1. Identifying GSM, GPRS and UMTS attack surfaces in Shannon and MediaTek

2. The CC, SS and SMS protocols

3. Finding a Shannon stack overflow N-day

4. Trigger and exploitation

Nitay Artenstein is a security researcher in the fields of reverse engineering, exploit development and vulnerability research. His fields of interest include reverse engineering embedded systems and bug hunting in the Linux kernel. For the past seven years, he has been working mainly on exploiting Android devices. He suffers from a severe addiction to IDA Pro, and generally gets a kick out of digging around where he's not supposed to.

Anna Dorfman is a security researcher who is also a cryptography enthusiast. In her previous roles at Versafe (now F5 Networks), Kaspersky Labs and as an independent researcher, she carried out a variety of projects focusing on reverse engineering x86 and ARM, malware research and embedded systems vulnerability research. She has given talks at ReCon, VirusBulletin and other conferences, presenting RE tools and the results of recent research.