CheolJun Park
@cheoljun_p
Postdoc, Electrical Engineering, Cellular Security, KAIST SysSec Lab
Daejeon, Republic of Korea
Joined March 2022
CellGuard goes public! 📶 Check if your iPhone was close to potentially malicious cellular base stations, even on non-jailbroken devices.
Our paper about the initial research conducted with CellGuard, iOS tooling for Qualcomm basebands, and Apple Location Services has been accepted for @RAID_Conference. Read a preprint at https://t.co/5JY3KPQBoq
https://t.co/HjDnM1qYD9
@cheoljun_p (CheolJun Park) and @hdtuanss (Tuan Hoang Dinh) at KAIST SysSec lab will give the following presentation at Qualcomm Product Security Summit 2024. "Finding memory bugs in the cellular baseband via over-the-air interface" https://t.co/TuovxINKBi
CVE-2022-40536
Transient DOS due to improper authentication in modem
Security Rating: High
Affected chipsets: Qualcomm basebands
CheolJun Park @ KAIST SysSec Lab https://t.co/TRjWDd5T2q
https://t.co/WY1LbpH8k6
CVE-2022-40521
Transient DOS due to improper authorization in Modem
Security Rating: High
Affected chipsets: Qualcomm basebands
CheolJun Park @ KAIST SysSec Lab https://t.co/TRjWDd5T2q
https://t.co/ZbaJWXyLLs
CVE-2023-37366
Modem crash due to incorrect handling of malformed NAS message
Security Rating: High
Affected chipsets: Tensor (Pixel), Exynos basebands
CheolJun Park of KAIST SysSec Lab, Marc Egli (@Spittfires_) of EPFL & KAIST SysSec Lab https://t.co/j0ftJqvzIj
CVE-2023-32890
Modem crash due to incorrect handling of malformed RRC message
Security Rating: Medium
Affected chipsets: MediaTek
CheolJun Park of KAIST SysSec Lab, Marc Egli (@Spittfires_) of EPFL & KAIST SysSec Lab https://t.co/pVRrKXpjT3
https://t.co/1Umj1Dq709
4 baseband CVEs @ KAIST SysSec
Jan24 '24: CVE-2023-32890 MediaTek @cheoljun_p @Spittfires_
Dec23 '23: CVE-2023-37366 Samsung Exynos @cheoljun_p @Spittfires_
Jun23 '22: CVE-2022-40521 Qualcomm Snapdragon @cheoljun_p
Jun23 '22: CVE-2022-40536 Qualcomm Snapdragon @cheoljun_p
🧵
5G user-side security testing framework explained by Evangelos Bitsikas
* LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper *
We open-source LTESniffer, accepted at @acm_wisec '23.
LTESniffer supports: Real-time decoding of
+ Downlink traffic from the base station.
+ Uplink traffic from nearby users.
https://t.co/WuQ3PtswUw
An Open-source LTE Downlink/Uplink Eavesdropper. Contribute to SysSec-KAIST/LTESniffer development by creating an account on GitHub.
Kudos to my co-authors @baesangwook89, BeomSeok Oh, Jiho Lee, Eunkyu Lee, @insu_yun, and @yongdaek Also, we sincerely appreciate the @srsRANProject
DoLTEst is also fully open-sourced! You can simply test your phone (UE) using an SDR and a programmable SIM card. When the UE connects to DoLTEst, it moves the testing UE's state to the target state and sends the test messages. Check out our repo: https://t.co/WPY2prS2Nr
A negative testing framework, DoLTEst, for finding non-standard-compliant bugs in LTE protocol implementations of UEs - SysSec-KAIST/DoLTEst
DoLTEst generates 1,848 invalid/prohibited test cases based on the specification, and is implemented on top of srsRAN. We tested 43 devices from the top 5 baseband manufacturers. As a result, we found 26 flaws that can lead to location tracking, SMS injection, eavesdropping, etc.
Unfortunately, 3GPP protocol conformance specifications contain only 14 negative test cases out of a total of 993 scenarios.
DoLTEst will be presented on Wednesday @USENIXSecurity! DoLTEst is a test suite designed to detect non-standard-compliant security bugs by negative testing that checks if prohibited or invalid messages are properly handled.🧵 https://t.co/UAXXzHEbCn
Starting a discord server for Wireless Security (cellular, wifi, bluetooth, SDRs, ...) https://t.co/3jn0RgWWKE
A space to exchange ideas regarding wireless security. | 204 members
Lastly, I would like to thank the great CISPA support team and office mates in 2.14 (Keno, Faezeh) for helping me to get used to the CISPA life. + my colleague @changhun_s also came to CISPA. (3/3)
A little about me:
- Had a talk at #36C3 about the signal overshadowing attack for unicast LTE messages. (+ a maintainer of the SigOver GitHub)
- Also, I will talk about the downlink negative testing framework for LTE devices, called 'DoLTEst', at USENIX Security '22. (2/3)
The first #srsRAN release of 2022 is coming next week! 22.04 will bring 5G SA support to srsENB and srsUE. Keep an eye on our social media and mailing list for further updates!
SVE-2021-23582 (CVE-2022-23425): LTE NAS Authentication Bypass
Eunsoo Kim, CheolJun Park of KAIST
Severity: Critical
Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with fake base station.