DEF CON 27 - Xiling Gong - Exploiting Qualcomm WLAN and Modem Over The Air

HackersOnBoard
HackersOnBoard
1,878
0
Published 2019-12-05
In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem and then fully control the Modem over the air.

Setup the real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On Qualcomm platform, subsystems are protected by the Secure Boot and unable to be touched externally. We'll introduce the vulnerability we found in Modem to defeat the Secure Boot and elevate privilege into Modem locally so that we can setup the live debugger for baseband.

The Modem and WLAN firmware is quite complex and reverse engineering is a tough work. Thanks to the debugger, we finally figure out the system architecture, the components, the program flow, the data flow, and the attack surfaces of WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on the attack surfaces.

There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.

Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We'll discuss these constraints, and then leverage the weakness we found to fully exploit into Modem.
All Comments (5)
  • @HackersOnBoard
    Hello dear friends Today we get notified of the censorship of our channel by the new YouTube Guidelines (who change every 6 months) because of "Content reusing without including substantial original commentary or educational value" This is a little bit tricky because these Guidelines wasn't there in 2013, 2014, 2015 and so on... It is abnormal to change the rules during a game ...even more before Christmas! Since 2013 we are trying to share the best Security Conference on our channel and we need your help to keep it up. As you already know I was fighting the disease since the last 2 years and it's difficult and without resource and support I wouldn't be able to keep up on this way. You can support us on Patreon if you find our work valuable. You can also express your dissatisfaction regarding our situation to Youtube on Twitter, Facebook, Instagram and wherever you can. to help us regain our rights. Your support in anyway will be truly appreciated Thanks guys for taking time reading me and stay tuned! Merry Christmas to you all and God bless you all! www.patreon.com/HackersOnBoard Bitcoin Wallet: 1NWM4upgKj8iF7zknzmnHG8Mm2pvAyTHqc
  • @Phred_Phlintstoner
    It's great to see this kind of information available on YouTube. I love these conference videos. Keep up the great work! Thank you!