Baseband processors are the components of your mobile phone that communicate with the cellular network. In 2010 I demonstrated the first vulnerabilities in baseband stacks that were remotely exploitable using a fake base station.
Subsequently, people assumed that baseband attacks require some physical proximity of the attacker to the target. In this talk we will uproot this narrow definition and show an unexpected attack vector that allows an attacker to remotely exploit bugs in a certain component of the baseband stack over an IP connection. Depending on the configuration of certain components in the carrier network, a large population of smartphones may be simultaneously attacked without even needing to set up your own base station.
Ralf-Philipp Weinmann is a research associate at the Interdisciplinary Centre for Security, Reliability and Trust (SnT) of the University of Luxembourg. His research interests lie at the intersection of cryptography, privacy, mobile security and reverse-engineering. In past years he was involved in speeding up attacks against WEP, the deDECTed.org team that broke the proprietary crypto of DECT, PWN2OWN wins and the first demonstrated remote vulnerabilities in cellular baseband stacks. He is one of the authors of the iOS Hacker's Handbook.