Remember this thread? twitter.com/DanielMicay/st This exploit chain is a great example of what I was talking about there: defcon.org/html/defcon-27 blade.tencent.com/en/advisories/ Compare this to 's early research exploiting Broadcom Wi-Fi where the firmware had full control.
Quote Tweet
How does GrapheneOS defend against attacks on the cellular baseband, Wi-Fi baseband or other firmware / hardware? reddit.com/r/GrapheneOS/c By carefully choosing hardware targets, since the OS is only part of what matters. The OS mostly just needs to avoid screwing up IOMMU isolation.
They needed an exploit to compromise the Wi-Fi firmware, followed by a privilege escalation exploit to gain full control over the modem ("WLAN firmware is integrated into the Modem subsystem as an isolated userspace process") and then a kernel exploit to get control of the OS.
If SoftMAC (a ring-0 defense issue) is not the case and only FullMAC is being considered, the long exploit chain should look like: pwn the SoC kernel (ThreadX or other RTOSes?) --> info leak via DMA (identify kernel symbols) --> hijack a function by overwriting its code --> boom!