In this talk, we will explore the baseband of a modern smartphone, discussing its design and the security countermeasures that are implemented. We will then move on to explain how to find memory corruption bugs in it and how to exploit them. As a case study, we will explain in detail our 2017 Mobile Pwn2Own entry, where we gained RCE (Remote Code Execution) with a 0-day on the baseband of a smartphone that was among the targets of the competition. We successfully exploited the phone remotely over the air, without any user interaction, and won \$100,000 for this competition target.
Marco Grassi is currently a Senior Security Researcher at Keen Lab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo at Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root, and a member of the team that won the "Master of Pwn" title at Pwn2Own 2016. He found a VMware escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi exploit at Mobile Pwn2Own 2017, where the team was awarded "Master of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.
Muqing Liu is a security researcher at Keen Lab of Tencent. Currently, he focuses on firmware security, binary program analysis, hacking tool development, etc. He participates in many Capture-the-Flag (CTF) competitions as a member of team 0ops and team eee. He also took third place at the DEF CON 25 CTF as a member of team A*0*E.
Tianyi Xie (Jackyxty) is a senior security researcher and CTF player at Keen Lab of Tencent. He is the captain of CTF teams eee and A*0*E. He is the winner of the VMware category at Pwn2Own 2017 and of the baseband category at Mobile Pwn2Own 2017. He is also a member of the team that won the "Master of Pwn" title at Mobile Pwn2Own 2017.