Daniel Klischies Profile
Daniel Klischies

@danielklischies

Followers
112
Following
16
Media
3
Statuses
17

PhD student @ruhrunibochum | Systems Security | Firmware & Operating Systems

Joined February 2021
@danielklischies
Daniel Klischies
5 months
Our OffensiveCon talk on stateful baseband emulation (and how improper string handling led to baseband RCE) is available on YouTube: https://t.co/n8KqwHZ966. It has been a pleasure; awesome conference, brilliant people. Slides and paper:
0
12
46
@danielklischies
Daniel Klischies
6 months
Congrats to the entire team (cc @noopwafel, @nSinusR, @veelasha_m). We will have the paper available on Monday (on IEEE CSDL and open access). The code will become available once a few other disclosure processes have concluded and we've had time to clean it up + add docs. 6/6
0
0
3
@danielklischies
Daniel Klischies
6 months
That led to the discovery of 8 vulnerabilities (3 dupes). Among the vulnerabilities are at least 2 RCEs exploitable OTA. One of them is preauth (CVE-2024-20154), affecting 51 MediaTek chipsets and thousands of phone models. Drop by our presentations to learn more! 5/6
1
0
0
@danielklischies
Daniel Klischies
6 months
From a security perspective, this unlocks a lot of additional attack surface within the emulator, previously only reachable OTA (where fuzzing is unfeasibly slow and you can't introspect). By integrating BaseBridge into FirmWire we improved coverage in AFL++ by a factor of 4. 4/6
1
0
0
@danielklischies
Daniel Klischies
6 months
Demo time. Left: BaseBridge with FirmWire baseband emulator, emulating a MediaTek BB, into which we inject a packet requesting UE capabilities. Right side: Wireshark tapping into the emulator, showing the request and the uplink response (2nd pkt) generated in the emulator. 3/6
1
0
1
@danielklischies
Daniel Klischies
6 months
We developed a way to transfer memory dumps from commercial smartphone basebands into an emulator. This provides the emulated baseband with state needed to process many different downlink network packets, to the point where it even generates the correct uplink response. 2/6
1
0
0
@danielklischies
Daniel Klischies
6 months
📢 Excited to announce that the results on BaseBridge, our project on improving cellular baseband emulation, are going public this week. @dyonwg_ will present at @IEEESSP on Monday 3pm, while David and I will be on stage at @offensive_con on Saturday 11am with more details! 1/6
1
4
28
@danielklischies
Daniel Klischies
8 months
I gave an introductory talk on baseband security, focusing on root-causes of vulnerabilities, at this year's @ruhrsec conference. Recording now available:
0
0
4
@ruhrsec
RuhrSec – IT Security Conference
11 months
🚀 Check out the #RuhrSec 2025 program! 💡 14 expert talks are waiting for you. 🎟️ Don’t miss out—get your ticket now and join us! 👉 https://t.co/3QMjYQ3n2U #itsecurity #itsicherheit #cybersecurity #cybersicherheit #itsecurityconference #bochum #NRW
0
4
6
@nSinusR
nSinus-R
1 year
Excited to announce that we will present our latest work on baseband fuzzing at @BlackHatEvents USA this year! Join @dyonwg_ and me on a journey of fuzzing layer 2 and finding multiple critical OTA vulnerabilities! More info: https://t.co/HDBnRDmmCq See you in August!
1
12
52
@__nils_
Nils Bars
2 years
Humbled and grateful that our paper Fuzztruction received a Distinguished Paper Award and was the runner up to the Internet Defense Prize @USENIXSecurity #usesec23 Find the paper at https://t.co/JBZ9L3obGs Thanks @m_u00d8, @ScepticCtf, @74ck_0, @thorstenholz
0
12
46
@danielklischies
Daniel Klischies
2 years
(2/2) I'm thrilled to be presenting our results at the conference next week, Thursday 10.08 1:30pm, Track 1 (Cellular Networks). See you in Anaheim! (cc @m_u00d8, @ScepticCtf, Mikhail, @davidrupprecht1, @veelasha_m)
0
0
4
@danielklischies
Daniel Klischies
2 years
📣Our paper on undefined behavior in cellular specs has been accepted at #usesec23. We derive examples of undefined behavior from LTE specs, and use them to discover multiple baseband vulns, including a DoS via SMS. Preprint, Artifacts, Tutorial: https://t.co/RrS6GCL1uu (1/2)
1
14
47
@danielklischies
Daniel Klischies
4 years
I am experimenting with receiving SMS in LTE (via NAS messages, not via IMS), sent via srsRAN. Works fine for Mediatek-based phones. However, Huawei and Samsung modems seem to only receive/forward one message per minute to the AP (while still sending an RP-ACK). Does somebody know why?
1
3
6
@ScepticCtf
Tobias Scharnowski
4 years
This has been a really cool project to work on. As the MediaTek Baseband uses rather arcane Mips16e2 and DSP instructions, we (@danielklischies tinkered with me on this) added tooling support in Ghidra and Qemu to understand and get the Basebands up and running.
@Digital_Cold
Grant H
4 years
Our paper on emulating basebands for security analysis has been accepted at NDSS! We found multiple critical pre-auth vulnerabilities in the 2G and 4G implementations on Samsung and MediaTek basebands. Check out the paper or keep reading to learn more 🧵 https://t.co/BJ3FK0pSbM
3
4
27