No Signal, No Security: Dynamic Baseband Vulnerability Research

Daniel Klischies, David Hirsch

OffensiveCon 2025 · Day 1 · Main

Researchers at Ruhr University Bochum developed **BaseBridge**, a technique that transplants live cellular connection state from a physical smartphone into a baseband emulator, enabling coverage-guided fuzzing of MediaTek and Samsung baseband firmware without needing real cellular infrastructure. The campaign found eight vulnerabilities — five previously unknown, two confirmed remote code execution — including a stack buffer overflow triggered simply by sending an LTE network name of unusual length.
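The network-name overflow mentioned above is an instance of a classic baseband bug class: trusting the length octet of a NAS information element when copying into a fixed-size stack buffer. The following is an added illustration, not BaseBridge code and not the actual MediaTek or Samsung defect; it assumes the Network Name IE layout from 3GPP TS 24.008 (IEI 0x43/0x45, length octet, coding-scheme octet, then text) and a hypothetical 32-byte name buffer, and copies the text bytes as-is without 7-bit unpacking.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NET_NAME_MAX 32   /* hypothetical fixed buffer size for the decoded name */

/* Unchecked pattern (for contrast only, never called here): the copy length comes
 * straight from the attacker-controlled length octet, so a long name overruns out[]. */
static int parse_network_name_unchecked(const uint8_t *ie, char *out)
{
    size_t text_len = (size_t)ie[1] - 1;   /* length octet minus the coding-scheme octet */
    memcpy(out, ie + 3, text_len);          /* overflow when text_len > NET_NAME_MAX */
    return (int)text_len;
}

/* Hardened parser: validates IEI, that the claimed length fits the received frame,
 * the ext bit of the coding octet, and that the text fits the destination buffer.
 * Returns the number of text bytes copied (NUL-terminated), or -1 if the IE is rejected. */
static int parse_network_name(const uint8_t *ie, size_t ie_len, char out[NET_NAME_MAX + 1])
{
    if (ie_len < 3) return -1;                                   /* IEI + length + coding octet */
    if (ie[0] != 0x43 && ie[0] != 0x45) return -1;               /* full / short network name */
    size_t content_len = ie[1];
    if (content_len < 1 || content_len > ie_len - 2) return -1;  /* claimed length must fit frame */
    if (!(ie[2] & 0x80)) return -1;                              /* ext bit must be set */
    size_t text_len = content_len - 1;
    if (text_len > NET_NAME_MAX) return -1;                      /* the check the overflow lacks */
    memcpy(out, ie + 3, text_len);
    out[text_len] = '\0';
    return (int)text_len;
}

/* Constructed sample: full network name IE carrying 5 text bytes. */
static const uint8_t SAMPLE_OK[] = { 0x43, 0x06, 0x80, 'T', 'e', 's', 't', '!' };

static int demo_ok(void)
{
    char name[NET_NAME_MAX + 1];
    int n = parse_network_name(SAMPLE_OK, sizeof SAMPLE_OK, name);
    return (n == 5 && strcmp(name, "Test!") == 0) ? n : -2;
}

/* Constructed oversized IE: the length octet claims 200 bytes of text. */
static int demo_oversized(void)
{
    uint8_t ie[3 + 200];
    ie[0] = 0x43; ie[1] = 201; ie[2] = 0x80;
    memset(ie + 3, 'A', 200);
    char name[NET_NAME_MAX + 1];
    return parse_network_name(ie, sizeof ie, name);
}

/* Same valid IE, but the frame is shorter than the length octet claims. */
static int demo_truncated(void)
{
    char name[NET_NAME_MAX + 1];
    return parse_network_name(SAMPLE_OK, 5, name);
}

int main(void)
{
    (void)parse_network_name_unchecked;   /* referenced only so the contrast stays visible */
    printf("ok=%d oversized=%d truncated=%d\n", demo_ok(), demo_oversized(), demo_truncated());
    return 0;
}
```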

AI review

BaseBridge solves the hardest unsolved problem in baseband fuzzing — stateful LTE connection initialization — with a technique elegant enough that I am annoyed it took this long to exist. Coverage-guided memory mutation to auto-select transplant regions is genuinely clever work, and two confirmed RCEs from a 24-hour campaign tell you everything about how under-fuzzed this surface has been. This is the kind of talk that advances the field.
