Daniel Klischies
@dklischies.bsky.social
39 followers 78 following 8 posts
Firmware/OS/Cellular Security Research @ruhr-uni-bochum.de
Reposted by Daniel Klischies
vanhoefm.bsky.social
At USENIX Security? Then check out:

Studying the Use of CVEs in Academia, won distinguished paper award www.usenix.org/conference/u...

Discovering and Exploiting Vulnerable Tunnelling Hosts, won most innovative research Pwnie @ DEFCON www.usenix.org/conference/u...

Big thanks to all co-authors!!
dklischies.bsky.social
Our OffensiveCon talk on stateful baseband emulation (and how improper string handling led to baseband RCE) is available on YouTube: youtu.be/zoAITq7jUM8. It has been a pleasure; awesome conference, brilliant people. Slides and paper: www.danielklischies.net/research/bas...
OffensiveCon25 - Daniel Klischies and David Hirsch
YouTube video by OffensiveCon
dklischies.bsky.social
Congrats to the entire team (cc @noopwafel.bsky.social, @nsinusr.bsky.social, @veelasha.bsky.social). We will have the paper available on Monday (on IEEE CSDL and open access). The code will become available once we've had time to clean it up + add docs. 6/6
dklischies.bsky.social
That led to the discovery of 8 vulnerabilities (3 dupes) in Samsung and MediaTek BBs. Among the vulnerabilities are at least 2 RCEs exploitable OTA. One of them is preauth (CVE-2024-20154), affecting 51 MediaTek chipsets and thousands of phone models. Drop by our presentations to learn more! 5/6
dklischies.bsky.social
From a security perspective, this unlocks a lot of additional attack surface within the emulator, previously only reachable OTA (where fuzzing is unfeasibly slow and you can't introspect). By integrating BaseBridge into FirmWire we improved coverage in AFL++ by a factor of 4. 4/6
dklischies.bsky.social
Demo time. Left: BaseBridge integrated into the FirmWire baseband emulator, emulating a MediaTek BB, into which we inject a packet requesting UE capabilities. Right side: Wireshark tapping into the emulator, showing the request and the uplink response (2nd pkt) generated in the emulator. 3/6
dklischies.bsky.social
We developed a way to transfer memory dumps from commercial smartphone basebands into an emulator. This provides the emulated baseband with state needed to process many different downlink network packets, to the point where it even generates the correct uplink response. 2/6
dklischies.bsky.social
📢 Excited to announce that the results on BaseBridge, our project on improving cellular baseband emulation, are going public this week. Dyon will present at IEEE S&P on Monday 3pm, while David and I will be on stage at @offensivecon.bsky.social on Saturday 11am with even more details! 1/6
dklischies.bsky.social
I gave an introductory talk on baseband security, focusing on root causes of vulnerabilities, at this year's wonderful RuhrSec conference. The recording is now available: www.youtube.com/watch?v=APBy...
RuhrSec 2025 | Behind Closed Curtains - Insights on Security Vulnerabilities in Smartphone Basebands
YouTube video by Hackmanit – IT Security
Reposted by Daniel Klischies
wootsecurity.bsky.social
Reviewer 2 just rejected your latest offensive security paper? Or didn't submit it anywhere yet? There's still more than a day left to (re)submit to USENIX WOOT '25 and get reviews from a community who will appreciate all those clever hacks, weird bugs 👾 and fun exploits! woot25.usenix.hotcrp.com
WOOT '25
Reposted by Daniel Klischies
ruhr-uni-bochum.de
Wireless systems such as car doors are attractive targets for hackers. A team from the CASA Cluster of Excellence has found a way to attack them in an optimized manner, and proposes countermeasures: news.rub.de/wissenschaft...
Photo of a circuit board held in front of a Wi-Fi router. Below the photo, in white text on a blue background: New attack possibilities on Wi-Fi discovered.