2025-12-06, Track 2
LTE modems are found in many embedded devices, basically anything that needs on-the-go communications. Did you know that many LTE modems are actually running a full-blown operating system, specifically Linux? As a result, there are a number of opportunities for hacking these modems, and potentially the rest of the device the modem is embedded in. This talk will cover some of the things to be aware of if you are designing or hacking devices with these embedded modems.
This talk will cover LTE modems from one of the largest vendors, Quectel. Examples will use the EC20 module, but the techniques are generally applicable, even if some minor details may change.
- Introduction to the mobile embedded device space, discussing typical design decisions: either the LTE modem acts as the primary processor, or it acts as a secondary processor driven by a microcontroller or similar. Discussion of the impact these choices have on the security of the device, as well as practicalities of testing the modem. This talk does not cover attacks against the microcontroller.
- Brief discussion of bootstrapping embedded devices. How do you get the firmware onto a device that has no firmware? This is relevant to hacking the device, because if you can write firmware to the device, you can often read firmware from it as well. Discussion of Qualcomm Emergency Download (EDL) mode, and of how to force devices into bootstrap mode.
- Access to USB test pads for extended access. This can be used to access EDL, as well as USB endpoints enumerated by the device when running normally. Discussion of how to enable Android Debug Bridge. Digression about the use of USB VBUS, vs external power to the module. Additional digression discussing providing power to the LTE module.
- Discussion about the benefits/features of Android Debug Bridge, and how they can be useful when exploring the Operating System of the LTE module.
- Discussion about getting your own compiled utilities onto the module, and running them successfully.
- Exploration of some of the processes running in the LTE module, and what information they can provide.
- Discussion about the available network interfaces of the LTE module, and understanding their configuration, and ways that their configuration can be locked down or opened up.
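A first check a practitioner wants when working through the EDL and USB test-pad steps above is simply to know which mode the module has enumerated in. The following is an added example, not material from the talk: a small POSIX shell helper that classifies `lsusb` output lines, treating `05c6:9008` as the Qualcomm HS-USB QDLoader 9008 device that appears in EDL mode and the `2c7c` vendor ID as a Quectel module running normally. The sample `lsusb` output is constructed, and the specific Quectel product ID shown in it is illustrative rather than taken from the page.

```shell
#!/bin/sh
# Added example (not from the talk): tell from `lsusb` output whether a
# module is in Qualcomm EDL mode or has enumerated as a normal Quectel device.
# Assumed USB IDs: 05c6:9008 = Qualcomm QDLoader 9008 (EDL); 2c7c = Quectel vendor ID.

classify_usb_line() {
    # $1: one line of `lsusb` output, e.g.
    # "Bus 001 Device 005: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)"
    # Prints one of: edl, quectel, other, none (no VID:PID found on the line).
    id=$(printf '%s\n' "$1" \
        | sed -n 's/.*ID \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\).*/\1/p' \
        | tr 'A-F' 'a-f')
    case "$id" in
        05c6:9008) echo edl ;;
        2c7c:*)    echo quectel ;;
        '')        echo none ;;
        *)         echo other ;;
    esac
}

# Read `lsusb` output on stdin and report every EDL or Quectel device seen.
# Exit status 0 if at least one was found, 1 otherwise.
scan_usb() {
    found=1
    while IFS= read -r line; do
        mode=$(classify_usb_line "$line")
        case "$mode" in
            edl|quectel) echo "$mode: $line"; found=0 ;;
        esac
    done
    return $found
}

# Constructed sample `lsusb` output so the script can be tried offline.
# The Quectel product ID below is illustrative, not a claim about the EC20.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 005: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
Bus 002 Device 003: ID 2c7c:0125 Quectel Wireless Solutions Co., Ltd. LTE modem'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSUSB" | scan_usb
elif [ "${1:-}" = "--live" ]; then
    lsusb | scan_usb
fi
```

Run with `--demo` to see the classification on the constructed sample, or `--live` on a host with the module attached; a module that shows up as `edl` after power-on without being asked is a sign that the bootstrap entry path discussed above is reachable.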
Key takeaways: LTE modems are complex and powerful devices, but they can be difficult to secure. There are a number of ways to interact with them which can expose data stored within the module, or transiting through it. Some methods are easier than others to disable, providing opportunities for attackers. Compromise of the module can reveal secrets common to all instances of the device, as well as providing access to private networks.
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attention towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.
