Exploiting Qualcomm WLAN and Modem Over The Air

Video Link: https://www.youtube.com/watch?v=OgaHFcVVUB8
Duration: 44:56


Xiling Gong | Senior Security Researcher, Tencent Blade Team
Peter Pi | Senior Security Researcher, Tencent Blade Team
Location: Lagoon GHI
Date: Thursday, August 8 | 12:10pm-1:00pm
Format: 50-Minute Briefings
Tracks: Mobile, Exploit Development

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem, and then fully control the Modem over the air.

Setting up a real-time debugger is the key. Without a debugger, it is difficult to inspect the program flow and runtime state. On the Qualcomm platform, the subsystems are protected by Secure Boot and cannot be touched externally. We'll introduce the vulnerability we found in the Modem that defeats Secure Boot and elevates privilege into the Modem locally, so that we can set up a live debugger for the baseband.

The Modem and WLAN firmware are quite complex, and reverse engineering them is tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of the WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on those attack surfaces.

There are multiple mitigations in the Qualcomm baseband, including DEP, stack protection, heap cookies, and system call constraints. All the details of the exploitation and mitigation-bypassing techniques will be given during the presentation.

Starting from the Snapdragon 835, the WLAN firmware is integrated into the Modem subsystem as an isolated user-space application subject to constraints. We'll discuss these constraints, and then leverage the weakness we found to fully exploit the Modem.


Black Hat - USA - 2019 Hacking conference