With the evolution of mobile communication technology, user equipment has moved from feature phones to smartphones. This shift has brought a dual-processor architecture consisting of an application processor (AP) and a communication processor (CP). Smartphone security research has, unfortunately, focused on the AP. More specifically, most results concern the applications running on top of the AP: researchers have looked at application-layer software security or operating-system software security (especially Android). Cellular security is another direction researchers have pursued, but most of that work has focused on private-information leakage caused by core-network protocol vulnerabilities.
Because the application layer and the baseband layer are separate, security research on the baseband layer is required. In particular, the security of the baseband layer in LTE networks has never been discussed in the literature. Note that the GSM baseband has been widely investigated, thanks to baseband attack research built on the OpenBTS project.
In this thesis, we analyze the LTE baseband layer software of Samsung Exynos and find several vulnerabilities. In addition, we show that over-the-air attacks from a rogue base station built with OpenLTE and a software-defined radio are possible. To the best of our knowledge, this is the first security analysis of LTE baseband layer software, and it shows that the LTE baseband is also an attack surface in mobile security.