Cellular Exploitation on a Global Scale - The Rise and Fall of the Control Protocol

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Reverse Engineering Courses, Mobile Device Security Courses, Android Security Courses, iOS Security Courses

Course Description

Overview

Explore the hidden world of cellular device control and exploitation in this Black Hat conference talk. Delve into the reverse engineering of embedded baseband and application space code, uncovering the hidden controls present in over 2 billion cellular devices worldwide. Learn about the potential for cellular exploitation on a global scale, including Over-the-Air code execution on major cellular platforms and networks. Discover the inner workings of OMA-DM, managed objects, and embedded client locations. Examine network architecture, OMA-DM security, and various payload types. Gain insights into identifying control clients in phones and embedded devices, simulating cellular environments, and conducting cellular network attacks. Explore vulnerabilities in authentication, transport security, and encryption flaws. Understand how code execution can be achieved without memory corruption and learn about bypassing ASLR with OTA Feng Shui. Walk away with detailed knowledge of these hidden control mechanisms and access to open-source tools for assessing and protecting against new threats in the cellular landscape.

Syllabus

Intro
How this Research Began
The Current Standard
OMA-DM: Managed Objects
Devices with OMA-DM
Embedded Client Locations
The Reference Toolkit
RedBend Software
"RedBend Enabled" Devices
Network Architecture Diagram
OMA-DM "Standard" Security
Initial OTA Payload Types
NIA Payload Example
DM Bootstrap Payload Example (used for initial device provisioning)
OMA-DM Tree Serialization
Client Side Parsing
Cellular Testing Hardware
Identifying Control Clients - Phones
Identifying Control Clients - Embedded Devices
Simulating Cellular Environments
Android Tracer
Cellular Network Attacks
Rogue Base Station Attacks
Vulnerabilities in Authentication
Transport Security and Encryption Flaws
Code Execution Without Memory Corruption
Types of Vulnerabilities found
Vulnerability Example: Reading Memory
Bypassing ASLR with OTA Feng Shui


Taught by

Black Hat
