Abstract
While baseband modems are the unseen engines of cellular communication, their proprietary nature, closed-source development, and reliance on memory-unsafe C/C++ form a massive attack surface with minimal visibility. Prior work has shown that GSM and LTE basebands (e.g., Samsung’s Shannon) can be fuzzed, but only with extensive manual annotation and harnessing. These approaches fall short on modern 5G systems, where complex state dependencies and evolving firmware architectures make manual harnessing time-consuming and unscalable for reaching deep execution states.
In this talk, we delve into the reverse engineering and emulation of Samsung and Pixel 5G basebands, with a focus on Non-Access Stratum (NAS) messaging. We unpack the increased complexity and challenges introduced in the evolution from 4G to 5G, including shifts in CPU architecture, the move from C to C++, and a redesigned inter-task communication model. To tackle these challenges, we present a stateful fuzzing framework that runs directly on emulated baseband firmware. At the heart of our system is an iterative symbolic analysis technique that progressively uncovers state variables and their preconditions to reach different execution paths, enabling fuzzing to target deep, state-dependent paths while mitigating the path explosion problem.
Applying our framework to real-world devices (including Google Pixel and Samsung Galaxy models), we uncovered 7 previously unknown vulnerabilities. So far, 5 CVEs have been assigned, with several rated high or critical by vendors. We’ll walk through our findings, demonstrate real-world exploits such as crashes triggered over SMS and by a malicious network, and show how automation can supercharge reverse engineering to expose deep flaws that prior efforts missed.
If you’re into baseband internals, firmware fuzzing, or breaking wireless systems for the greater good, this talk is for you.