Desire and confirmed that it did indeed contain a length check in the function parsing the AUTN parameter.

While we did not investigate 3G stacks in detail, we expect even handsets that operate in 3G-only mode to be vulnerable to similar memory corruption problems – even though they require mutual authentication. Femtocells with modified software allow attackers to operate rogue 3G base stations [3]. The specification of the 3GPP Radio Resource Control layer gives a significantly increased attack surface: the most basic layer 3 protocol for 3GPP is defined on almost 1500 pages [12]. Moreover, in contrast to the simple TLV encoding employed in GSM, the information elements of the RRC are ASN.1 encoded, using Packed Encoding Rules (PER). As the message parsing functions of the RRC layer can be triggered before the authentication process has completed, this gives a large attack surface.
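The length check mentioned above for the AUTN parameter is the kind of defensive check a layer 3 TLV parser needs on every information element. The following C code is an added example written for this page; it is not the paper's code nor any vendor's baseband code. It parses the simple GSM-style TLV encoding (one IEI octet, one length octet, value) and rejects any element whose declared length exceeds the remaining buffer, and any AUTN element whose length is not the fixed 16 octets. The IEI value 0x20 and the 16-octet AUTN length are taken from 3GPP TS 24.008 (reference [11]); the struct and function names are hypothetical, and the message buffers are constructed here rather than captured.

```c
/* Added example (not the paper's code): a bounds-checked parser for
 * GSM/UMTS layer-3 TLV information elements, modelled on the AUTN
 * parameter of the Authentication Request message.  The IEI 0x20 and the
 * 16-octet AUTN length follow 3GPP TS 24.008 ([11] on this page); the
 * names below are hypothetical and the sample buffers are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTN_IEI 0x20
#define AUTN_LEN 16

struct auth_ctx {
    uint8_t autn[AUTN_LEN]; /* fixed-size destination: the bound to enforce */
    int have_autn;
};

/* Walk a sequence of TLV IEs.  Returns the number of IEs consumed, or -1
 * if an IE header is truncated, an IE claims more value bytes than the
 * buffer still holds, or an AUTN IE has a length other than 16. */
int parse_auth_ies(const uint8_t *buf, size_t len, struct auth_ctx *ctx)
{
    size_t pos = 0;
    int count = 0;
    memset(ctx, 0, sizeof(*ctx));

    while (pos < len) {
        /* Both the IEI and the length octet must be present. */
        if (len - pos < 2)
            return -1;
        uint8_t iei = buf[pos];
        uint8_t ielen = buf[pos + 1];
        pos += 2;

        /* The claimed length must fit in what is actually left; without
         * this check a hostile length octet drives reads past the buffer. */
        if (ielen > len - pos)
            return -1;

        if (iei == AUTN_IEI) {
            /* AUTN is fixed-size; any other length would overrun ctx->autn
             * on copy, so reject it instead of trusting the length octet. */
            if (ielen != AUTN_LEN)
                return -1;
            memcpy(ctx->autn, buf + pos, AUTN_LEN);
            ctx->have_autn = 1;
        }
        /* Unknown IEs are skipped by their (already validated) length. */
        pos += ielen;
        count++;
    }
    return count;
}

/* Constructed sample: a well-formed AUTN IE followed by one unknown IE. */
static const uint8_t good_msg[] = {
    0x20, 0x10,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
    0x7f, 0x02, 0xaa, 0xbb
};
/* Constructed sample: AUTN IE whose length octet claims 255 value bytes. */
static const uint8_t bad_len_msg[] = { 0x20, 0xff, 0x01, 0x02 };
/* Constructed sample: AUTN IE with a plausible but wrong length of 8. */
static const uint8_t bad_size_msg[] = { 0x20, 0x08, 1, 2, 3, 4, 5, 6, 7, 8 };
/* Constructed sample: message cut off after the IEI octet. */
static const uint8_t truncated_msg[] = { 0x20 };

int demo_good(void)
{
    struct auth_ctx c;
    return parse_auth_ies(good_msg, sizeof good_msg, &c);
}

/* Returns 1 if the well-formed message yields the expected AUTN bytes. */
int demo_good_autn_ok(void)
{
    struct auth_ctx c;
    if (parse_auth_ies(good_msg, sizeof good_msg, &c) < 0)
        return 0;
    return c.have_autn && memcmp(c.autn, good_msg + 2, AUTN_LEN) == 0;
}

int demo_bad_length(void)
{
    struct auth_ctx c;
    return parse_auth_ies(bad_len_msg, sizeof bad_len_msg, &c);
}

int demo_bad_fixed_size(void)
{
    struct auth_ctx c;
    return parse_auth_ies(bad_size_msg, sizeof bad_size_msg, &c);
}

int demo_truncated(void)
{
    struct auth_ctx c;
    return parse_auth_ies(truncated_msg, sizeof truncated_msg, &c);
}
```

The three rejection cases (oversized length octet, wrong fixed size, truncated header) are exactly the inputs a rogue base station controls before authentication completes, which is why the parser validates every length against the remaining buffer before it reads or copies a single value byte.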
To increase the security of baseband stacks, we suggest that vendors subject baseband stacks to a systematic and continuous code audit and use hardening options similar to those used in desktop operating systems. This will make practical exploitation of security vulnerabilities in baseband stacks more difficult [23, 22]. Also, privilege separation for establishing well-defined boundaries between the different portions of a baseband stack can be a very effective measure for making bugs that can be triggered by consuming untrusted data much harder to exploit; this, however, requires a design overhaul of the respective baseband stack.
We understand that our findings have caused extensive code reviews of multiple baseband stacks to happen.
Acknowledgements: We’re grateful to Joshua Lackey and Harald Welte for providing detailed and thoughtful comments on an early draft of the paper. André Stemper (University of Luxembourg) helped in practical ways by applying his excellent soldering skills! Without the products and support of the ex-Zynamics teams, many code paths would have been much harder to analyze. Planetbeing and MuscleNerd provided invaluable tips about the iPhone 4 baseband. Last but not least, we are indebted to the WOOT reviewers for their constructive comments and to Aurélien Francillon for being an extremely kind and knowledgeable shepherd to this paper.
References

[1] BARKAN, E., BIHAM, E., AND KELLER, N. Instant ciphertext-only cryptanalysis of GSM encrypted communication. In CRYPTO 2003 (2003), D. Boneh, Ed., vol. 2729 of Lecture Notes in Computer Science, Springer, pp. 600–616.
[2] BIRYUKOV, A., SHAMIR, A., AND WAGNER, D. Real time cryptanalysis of A5/1 on a PC. In FSE 2000 (2001), B. Schneier, Ed., vol. 1978 of Lecture Notes in Computer Science, Springer, pp. 1–18.
[3] BORGAONKAR, R., GOLDE, N., AND REDON, K. Femtocells: A poisonous needle in the operator's hay stack. Presented at Black Hat Las Vegas 2011, July 2011.
[4] BURGESS, D. A., AND SAMRA, H. S. The OpenBTS project. http://openbts.sourceforge.net/, Aug. 2008.
[5] COLLABORATIVE EFFORT. The iPhone Wiki. http://theiphonewiki.com, Nov. 2010.
[6] DELUGRÉ, G. Rétroconception et débogage d'un baseband Qualcomm. In Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2012) (June 2012), pp. 393–411.
[7] EBERSPÄCHER, J., VÖGEL, H.-J., BETTSTETTER, C., AND HARTMANN, C. GSM – Architecture, Protocols and Services, 3rd ed. Wiley, 2009. ISBN 0470030704.
[8] ETSI. Digital cellular telecommunications system (Phase 2+) (GSM); Mobile radio interface signalling layer 3; General aspects (GSM 04.07 version 7.3.0 Release 1998), Dec. 1999. ETSI EN 300 940 V7.7.1.
[9] ETSI. Digital cellular telecommunications system (Phase 2+) (GSM); Mobile radio interface layer 3 specification (GSM 04.08 version 7.7.1 Release 1998), Oct. 2000. ETSI EN 300 940 V7.7.1.
[10] ETSI. Digital cellular telecommunications system (Phase 2+); Numbering, addressing and identification (3GPP TS 03.03 version 7.8.0 Release 1998), Sept. 2003. ETSI TS 100 927 V7.8.0.
[11] ETSI. 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 (Release 8), Dec. 2008. 3GPP TS 24.008 V8.4.0.
[12] ETSI. Universal Mobile Telecommunications System (UMTS); Radio Resource Control (RRC); Protocol specification (3GPP TS 25.331 version 7.17.0 Release 7), July 2010. ETSI TS 125 331 V7.17.0.
[13] GÜNEYSU, T., KASPER, T., NOVOTNÝ, M., PAAR, C., AND RUPP, A. Cryptanalysis with COPACOBANA. IEEE Transactions on Computers 57, 11 (2008), 1498–1513.
[14] KRISSLER, S., NOHL, K., AND STEVENSON, F. A. The A5/1 security project. http://reflextor.com/trac/a51.
[15] KUNDOJJALA, S. Baseband market share tracker: Qualcomm and Intel together capture 60 percent of 2011 baseband revenue. http://www.strategyanalytics.com/default.aspx?mod=reportabstractviewer&a0=7261, Apr. 2012.
[16] MILLER, C., BLAZAKIS, D., ZOVI, D. D., ESSER, S., IOZZO, V., AND WEINMANN, R.-P. iOS Hacker’s Handbook. Wiley, 2012, ch. 11, p. 408.
[17] MILLER, C., AND MULLINER, C. Fuzzing the phone in your phone. Presented at Black Hat Las Vegas 2009, July 2009. https://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf.
[18] MULLINER, C., GOLDE, N., AND SEIFERT, J.-P. SMS of Death: From analyzing to attacking mobile phones on a large scale. In USENIX Security Symposium 2011 (2011), USENIX Association.
[19] PURPLELABS. TSM30 firmware. http://web.archive.org/web/20060627121308/http://sourceforge.net/projects/plabs, Nov. 2004. Sourceforge project has been deleted.
[20] STEVENSON, F. A. [A51] The call of Kraken. Mailing list post: http://lists.lists.reflextor.com/pipermail/a51/2010-July/000683.html, July 2010.
[21] THE AIRPROBE TEAM. AirProbe – an air-interface analysis tool for GSM. http://www.airprobe.org.