PWN2OWN Mobile: Daniel Komaromy (@kutyacica) and Nico Golde (@iamnion) pwned the baseband radio in a brand new Samsung S6 Edge that I unsealed from the box and updated to latest software at the conference.

The software radios on the table are pretending to be a cellphone base station - we are doing this in an isolated room deep underground where there is no cellphone coverage to interfere with and I am the only other person in the room. As soon as we power up the new phone in the presence of their attack radio, their signal patches the radio runtime software of the baseband processor (the other cpu in your cellphone that users can't access that takes care of the radio to talk to the network) so that after the patch any phone calls I make are routed to them instead of their intended destination.

I tested this after when we went to where we did have cellphone coverage by trying to dial my Japanese cellphone and it rang on Nico's cellphone instead. The modified radio software also forwarded the original number dialled so in the real world an attacker would then use a VoIP proxy to forward the call imperceptibly and listen in on it.

Ironically enough, this year at PWN2OWN we have had some of the most significant research with the smallest prizes ever, in the true spirit of security research - to reward these guys since I don't have a lavish budget I'm going to fly them and their wives, girlfriends and family to CanSecWest next year to come snowboarding/skiing after they give a technical presentation on doing security research on baseband processors and this vulnerability. (Hat tip to the Blackberry security folks who got us in touch with the right folks to get the vulnerability information to Samsung through a VP they know there.) I would like to get these guys some further reward, beyond the bragging rights for winning PWN2OWN and being the first to show a successful baseband attack, for this significant research, especially since last year we were offering $150,000 rewards for an attack like this.

These guys have been doing this work in their spare time in addition to their day jobs and have put in a significant amount of time into doing this to secure the whole industry. So if you folks know a bounty program that would be interested in these and other significant cellphone baseband radio discoveries please contact me.
Shared publiclyView activity