Mobile Network Attacks: Exploiting Smartphones Through Baseband
Daniel Komaromy & Laszlo Szapula

Dates

12th-15th of May 2025

Capacity

20

Price

4.800€

Introduction

In the 15+ years since the launch of the Osmocom and OpenBTS projects (2008), "Fuzzing the Phone in your Phone" (2009), and "All Your Basebands Are Belong To Us" (2010), baseband hacking has gone from a research novelty to an IRL threat. But also during this time, the gap between the challenges addressed by public research demonstrations and operational use has started growing.

In this course, students will learn through hands-on exercises how to setup and operate multiple generations of cellular networks using open source components and software-defined radios, how to modify their code for generating customized traffic via programming interfaces and use them for mobile attacks, and how to approach the static and dynamic baseband firmware analysis and reverse engineering of the target devices.

The training will cover the basics of cellular networks and baseband operating systems from a security standpoint and then dive into approaches, techniques, and tools for finding and exploiting baseband vulnerabilities. We will place an emphasis on real-life usage scenarios and by popular demand, the 2025 iteration of our training will have an increased focus on next-gen protocols and vulnerabilities!

Learning Objectives

  • Learning the fundamentals of cellular networks from 2G to 5G
  • Running networks and engaging with basebands via custom cellular and IP traffic
  • Understanding baseband OS internals from a security perspective
  • Reverse engineering baseband OS firmwares
  • Finding and analyzing remote baseband vulnerabilities and baseband pivot vulnerabilities
  • Debugging execution flows and developing exploits

Prerequisites

  • Familiarity with C and memory safety vulnerabilities
  • Experience in reverse engineering, RISC-like assembly (ideal: experience with Ghidra, ARM)
  • Experience in working with Android OS
  • Working proficiency in using Linux OS and Python

Hardware Requirements

  • Laptop with minimum 2 USB-A ports (at least one of them USB 3), running Ubuntu 24.04 natively (no virtualization)

Software Requirements

  • Access to the internet (not prevented by corporate policy)
  • Installed utilities: ssh, adb, ghidra 11.1.2., incus (6.x)

AGENDA

Day 1: Understanding Cellular Networks and Setting Up Test Environments

  • Intro to Radio Access Technologies, 2/3/4/5G protocols
  • Cellular protocol security, shortcomings and attack surfaces
  • Exercises: Installing and operating 2/4/5G and IMS networks using customized FOSS components like Osmocom and srsRAN

Day 2: Finding Baseband Vulnerabilities

  • Baseband reverse engineering: firmware extraction, RTOS analysis
  • Building tooling and automation with Ghidra
  • Identifying the attack surfaces within the binary, analyzing bugs, finding ways for debugging
  • Exercises: Spotting and triaging vulnerabilities

Day 3: Exploiting Baseband Vulnerabilities

  • Deep-dive of baseband OS internals and exploit mitigations
  • Fundamentals of baseband exploitation, building exploit primitives from bugs
  • Exercises: Exploiting an N-day remote baseband vulnerability

Day 4: Pivoting from Baseband to Android

  • Using baseband RCE for a chain: challenges and techniques for writing robust exploits
  • Attack surfaces for baseband pivot vulnerabilities
  • Android exploit development with a pivot attack vector
  • Exercises: Chaining N-day baseband pivot vulnerabilities with over-the-air RCE exploits

Bio

Daniel Komaromy (@kutyacicahas worked in the mobile security field his entire career, going on 15+ years of vulnerability research experience playing both defense and offense. He has won Pwn2Own, presented his research at industry leading conferences (like Black Hat, REcon, CanSecWest, and Ekoparty), and disclosed scores of critical vulnerabilities in leading mobile vendors’ products. Daniel is the founder of TASZK Security Labs, a vulnerability research oriented security consultancy outfit, and he still follows the mottothere's no crying in baseband!

Laszlo Szapula (LaTsastarted with Hackthebox challenges and graduated from BME, where he finished first at the CrySys SecChallenge in 2022, and became a member of the CrySys Student Core. His previous works cover the Android kernel, hypervisors, trusted execution environments and basebands. Nowadays, he is a full-time security researcher at TASZK Security Labs where he converts Ghidra projects and Club Mates into reverse engineered code.

Limited Seats - Remember to reserve your ticket!

register now