I was just reading the newest post by Google’s Project Zero. They just released a report on a massive bug that allows remote code execution by exploiting a vulnerability on the 802.11 Broadcom SoC used in most smartphones.

Actually, the bug is not massive (it is, after all, just a simple buffer overflow because boundaries are not well checked when processing a specific type of packet), but its consequences are massive indeed. The vulnerability is specific to the parsing of certain messages in 802.11z TDLS, a mode of P2P ad-hoc communication. The report published by Gal Beniamini is just the first part of the overall project, and it “just” shows up to remote code execution on the Broadcom wifi SoC, but it hints that it can be leveraged to gain remote code execution ability in the application’s processor:

In the next blog post, we’ll see how we can use our assumed control of the Wi-Fi SoC in order to further escalate our privileges into the application processor, taking over the host’s operating system!

Long story short, this vulnerability has massive consequences. Theoretically (I am eager to see the second part of this report!), an attacker can take over a smartphone’s OS by simply sending malformed WiFi frames, achieving full device takeover by WiFi proximity alone. The good news is that this bug has been patched already both for iOS devices and Android devices, so I’d say go ahead and update your mobile’s OS if you haven’t in a while.

I strongly recommend that folks read the report by Gal Beniamini, as it is excellently written and easy to understand and follow. It’s actually a great reference/introduction to buffer overflows and how to leverage them for malicious intent. The overall exploit is rather complex, but very nicely explained step by step in the report.

Fun stuff!

I was recently approached by the FCC regarding an open call for feedback on 5G security and current security challenges in mobile security. The document that I submitted seems to be already in the public domain and can be accessed from here:

Some key challenges in securing 5G wireless networks

Direct link to the PDF.

I got this from a friend earlier today: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ (Google Chrome – Intent to deprecate and remove trust in existing Symantec-issued Certificates)

It seems that, since a series of failures from Symantec to properly validate certificates (an issue that seems to be affecting over 30000 mis-issued certificates), Google Chrome is starting to deprecate and distrust Symantec-issued certificates.

I remember last year that a bunch of online services lost compatibility with Chrome as they were using Symantec-issued certificates. As highlighted in the notice from the link above, this is a problem that is not new (see this post on Google’s Security Blog from 2015).

Quoting the notice from Google, Chrome is proposing the following steps:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.

  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.

  • Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

This is a pretty big deal and could result in a big mess of services that stop working with Chrome… for a good reason, though, as this is clearly meant to ensure the security of, and trust in, the certificates used to anchor the Internet’s security infrastructure.

If you are a SysAdmin, they are requesting feedback on this proposal.

Folks are starting to talk about this on reddit and other forums. I expect this to be in the news tomorrow… or not. After all, they are not fully distrusting Symantec, but putting them in some sort of “probation period”.


Update (03/24/17): As expected, if you google today “Chrome Symantec certificates” you get a ton of news stories on this…

I was reading this morning a new paper on the topic of LTE IMSI catchers: https://arxiv.org/pdf/1702.04434.pdf

Mjølsnes, Stig F., and Ruxandra F. Olimid. “Easy 4G/LTE IMSI Catchers for Non-Programmers.” arXiv preprint arXiv:1702.04434 (2017).

Although this is old news, it is exciting to see that the recent discovery and implementation of LTE IMSI catchers by the team of Prof. Seifert at TU Berlin (Oct 2015 – https://arxiv.org/pdf/1510.07563.pdf) has sparked the interest in this area. The paper also mentions the DoS threats that were introduced by the same team in [1]. I have done some work and implementation of LTE IMSI catchers and the DoS exploits myself in the past as well ([2] and [3]).

I was giving a talk on this topic last week at UC Irvine, trying to encourage graduate students to focus their PhD research in this area as there is still a lot of work to be done. We need the talented minds of graduate researchers to come up with new threats and, more importantly, solutions to these threats.

Back to this new paper, it is a great overview of IMSI catchers and it is great that the authors implemented the IMSI catcher using an alternative tool (Open Air Interface). I found it interesting, though, that they state that implementing an IMSI catcher on openLTE requires source code modification such that it is not a viable option for “non programmers”.

Although the claim of their implementation being for non-programmers is obviously correct, their LTE IMSI catcher uses very similar software and the same computing equipment as the ones in [1,2,3]. I would argue that adding 3 lines of code to openLTE is something a non-programmer could do as well. This is what the authors of [1] did. The only modification required at openLTE (as I have explicitly stated at every talk I have given) is mostly to add an fprintf statement where openLTE parses the AttachRequest message or the TAU/LocationArea Update message, although one can do slightly fancier things.

Anyhow, maybe I am too optimistic and expecting a non-programmer to add an fprintf statement in openLTE is perhaps asking too much 🙂

Regardless, this new paper is great and very interesting and an excellent reference on this topic. I am wondering if they will be presenting their work at a conference soon?

I look forward to more and more research in this area.

[1] Shaik, Altaf, et al. “Practical attacks against privacy and availability in 4G/LTE mobile communication systems.” arXiv preprint arXiv:1510.07563 (2015).

[2] Jover, Roger Piqueras. “LTE security and protocol exploits.” ShmooCon (2016).

[3] Jover, Roger Piqueras. “LTE security, protocol exploits and location tracking experimentation with low-cost software radio.” arXiv preprint arXiv:1607.05171 (2016).

Authentication in mobile networks is executed leveraging a symmetric key system. For each mobile subscriber, there is a secret key that is known only by the mobile device and the network operator. Actually, it is not the device itself holding the key, but the SIM card. On the network side, in the case of LTE, the secret key is stored in the Home Subscriber Server (HSS).

Based on this pre-shared secret key, a mobile device and the network can mutually authenticate each other. This is not necessarily the case, though. For some reason someone must have thought, when designing 2G-GSM, that having the end point authenticate the mobile network was not a requirement… too bad that not having mutual authentication opens the door to all types of rogue base station MitM attacks. Bad things also happen when this pre-shared “secret” key is sent from the SIM card manufacturer to the mobile operator in the clear on a bunch of DVDs and someone manages to steal them.

After years of security research in mobile networks, identifying, implementing and testing protocol exploits, I started thinking that perhaps it would be a good idea to transition the security architecture of mobile networks towards a PKI-based system. This is why I really enjoy reading research papers with PKI proposals for mobile networks, which is a rather rare topic in the research community. Thanks to Google Scholar, a very interesting paper showed up on my radar: Chandrasekaran, Varun, and Lakshminarayanan Subramanian. “A Decentralized PKI In A Mobile Ecosystem.”

PKI would increase the complexity of each cryptographic operation, but it is not like device and network authenticate each other constantly. Definitely, a lot of research would have to be done to validate whether it would be possible.

With a PKI-based authentication architecture in mobile networks, so many cool things could potentially be done. For example, it is very well understood that, regardless of mutual authentication and strong encryption, a mobile device engages in a substantial exchange of unprotected messages with *any* LTE base station (malicious or not) that advertises itself with the right broadcast information (and this broadcast information is transmitted in the clear in the SIB broadcast messages). And this is the source of a series of protocol exploits and attacks. Perhaps, by means of PKI, broadcast messages could be “signed” by the operator in a way that mobile devices could verify their freshness (to avoid replay attacks) and verify that the base station is legitimate. This would allow mobile devices to verify the legitimacy of a base station before starting to engage in RACH procedures, RRC connection establishments, NAS attach exchanges, etc.

Anyhow, very interesting paper on cool things that could be done applying PKI to mobile networks. Worth reading it.


Mobile cellular communications are a fascinating world. Although there are impressive advances in technology in the research world – both academic and industrial research – the technological progress and advance of such networks is driven by the standards community (i.e. 3GPP).

This is an approach that has worked since the inception of GSM and has delivered the impressive technology current smartphones use to connect to the Internet, stream the latest “cute dog doing something cute” video and watch the goals by Celta against Madrid in yesterday’s game (hooray for Celta!). In parallel, this model provides enough time for both equipment manufacturers and network operators to get a good return on the investment of billions of dollars of network equipment.

Nowadays, though, we are experiencing two technology trends that are challenging the status quo in wireless and mobile technology. For the first time ever, standards are late to cope with the demand – and obscene amounts of potential revenue and services – in two key technological trends:

  • IoT: There is a massive demand for wireless connectivity for embedded M2M devices. For many applications, such as smart city, agriculture, smart grid, etc, some of the requirements are to have very cheap devices (the “target” used in the industry is $1 per chip) with very low battery consumption (again, the “target” from the industry is 10 years, though I think that is a bit optimistic). The demand is here, but the standards have not delivered. And, in this huge gap one can find two exciting trends: the money-making/raising machine of Sigfox and the LoRa/LoRaWAN community. Two new technologies fueling new services, new applications and exciting new ventures. Meanwhile, the 3GPP community is playing catch up with LTE Cat-M and NB-IoT. (This document provides a bit of an overview. – LoRa is much slower, but for the aforementioned applications one does not need much speed, and latency is not a major deal breaker either)
  • Connected cars, self-driving cars, etc: Similar scenario. Although the self-driving car technology is still just in its inception, there are already several use cases that require connectivity between vehicles and from vehicles to the “road”. 5G mobile networks aim at sub-10ms latency and large capacity for connectivity to 1000x more devices, yet at this point no one really knows what 5G will be (other than the really exciting transition to mmWave and application of massive arrays and beamforming). In parallel, an alternative technology – Dedicated Short Range Communications – seems to be gaining momentum.

In both cases, once the mobile industry and the standards catch up and finally deploy 5G, LTE Cat-M/NB-IoT, all these alternative technologies might simply fade away. But, as of now, the folks at SigFox, the startups deploying smart-city applications running on LoRa, etc are making a lot of money and the status quo is not getting – yet – any piece of the cake.

Exciting times!

(Yes, after months? maybe years? I decided to get back to being somehow active on my blog… Most likely I’ll just be posting about security and wireless/mobile interesting stuff)

I was reading this morning a very cool paper from a team at MITRE implementing a jamming mitigation engine leveraging beamforming. The idea is to generate a null in reception in the direction from which the jamming signal is coming.

Link to the paper: http://ieeexplore.ieee.org/abstract/document/7795331/

It is very interesting that this type of jamming mitigation is becoming popular. It is an area with a lot of potential, especially in the context of 5G, communication at mmWaves and massive arrays of antennas.

My former team and I worked on a very similar idea in the past. We implemented a beamforming-based mitigation for radio jamming against LTE (details in this paper) and there’s a bunch of patents already public about that technology: beamforming at the eNodeB and beamforming at the UE. In the case of the UE, we also used beamforming to increase the capacity and throughput of the system… a bit of a utopian idea that, actually, now makes much more sense with carrier frequencies in the mmWave range and above and massive arrays of antennas in the context of 5G. I strongly recommend reading Prof. Rappaport’s work in this area for more details.

Anyhow, the paper is VERY interesting and points to some exciting directions in this area.


Today Apple will give more details on its new wearable device. Here is where you can follow the presentation live:


P.S. I always post links to the live blogs and streams for Apple events because once it resulted in 30k hits on my blog in a day. It’s been way less ever since, but I still do it as an experiment…

Apple finally unveiled its new products, in the first presentation in a while that introduced more than one new product. I could spend lines and lines talking about the new iPhone 6 and iPhone 6 Plus and about the new Apple Watch, but other people have already done that. You might want to check out these:

Every time Apple releases new products I post the links to some live blogs in my blog. It used to be because I was very active on my blog, talking about new products and stuff and whatnot. Then I realized that it would bring a ton of visits to my blog. In 2012, with the release of the iPhone 5, I got 25k visits in one day. So now I always post links to the live blogs to see if I get the same result… even though I am way less active on my blog now. It worked very well until Apple started broadcasting the events over streaming. Or maybe that was not the reason. Anyhow, posting links to the live blogs gets me now about 100 hits, which is not much more than the daily average. Why am I explaining this? No idea.

As a result of the decline in hits when posting links to live blogs of Apple events, and in an effort to investigate how Google’s crawling and indexing works, I am going to include in this post the following sentences just for fun and experimentation: Instructions to root the iPhone 6. How to root an iPhone 6. iPhone 6 for free. iPhone 7 design leaked. Where to buy an iPhone 8. Water proof iPad.

You never know, maybe now I get tons of hits from people trying to root the iPhone 6 or people who want to find out where to buy an iPhone 8. For the latter I would ask Marty McFly. By the way, this reminds me of that Chaplin movie where you can see a lady using what looks like a cellphone in some footage from early last century. I had a post about it a long time ago.

Anyhow, the main reason why I started writing this post was to highlight the fact that Barcelona was, once again (recall the special mention, with video included, of the launch of Barcelona’s Apple store during the presentation of the iPhone 5), featured in an Apple presentation. In yesterday’s case, with a “mention” of the cool W Hotel in Barcelona.


Looking forward to what Apple will release on September 9th? Experts argue that a new iPhone will be unveiled. And perhaps also the highly anticipated iWatch. Follow live the event from either of these live blogs:

Also, Apple will be broadcasting the event via streaming. You can access it here: Apple live video



About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me: http://www.ee.columbia.edu/~roger/
