In this paper we detail a workflow devised to identify and verify cryptographic implementations within baseband firmware. The approach combines constant-guided function discovery, semantic comparison against 3GPP specifications, parameter bound extraction, and library fingerprinting. We apply the method to three commercial firmware images from Samsung (Shannon) and MediaTek devices, finding and validating vendor implementations of KASUMI, SNOW-3G, AES, and 4G/5G integrity and confidentiality algorithms. Our analysis reveals security-relevant issues, including incorrect S-Box indexing in KASUMI and a firmware update failure caused by a malformed signature field. We further extract a 1792-bit RSA limit in Shannon and identify an outdated OpenSSL 1.0.2c bundle in MediaTek, implying exposure to unpatched CVEs. Results demonstrate that structured cryptographic verification in baseband firmware is not only feasible but essential for supply-chain transparency and long-term security audits.

A Static Workflow for Cryptography Verification in 4G/5G Basebands / L. Lucca, S.D.C. (CEUR WORKSHOP PROCEEDINGS). - In: ITASEC & SERICS 2026 / [a cura di] D. Maiorca, P. Samarati. - [s.l] : Sun SITE Central Europe (CEUR), 2026. - pp. 1-14 (( Proceedings of the Joint National Conference on Cybersecurity : February, 9th - 13th Cagliari 2026.

A Static Workflow for Cryptography Verification in 4G/5G Basebands

A. Visconti
Ultimo
2026

Abstract

In this paper we detail a workflow devised to identify and verify cryptographic implementations within baseband firmware. The approach combines constant-guided function discovery, semantic comparison against 3GPP specifications, parameter bound extraction, and library fingerprinting. We apply the method to three commercial firmware images from Samsung (Shannon) and MediaTek devices, finding and validating vendor implementations of KASUMI, SNOW-3G, AES, and 4G/5G integrity and confidentiality algorithms. Our analysis reveals security-relevant issues, including incorrect S-Box indexing in KASUMI and a firmware update failure caused by a malformed signature field. We further extract a 1792-bit RSA limit in Shannon and identify an outdated OpenSSL 1.0.2c bundle in MediaTek, implying exposure to unpatched CVEs. Results demonstrate that structured cryptographic verification in baseband firmware is not only feasible but essential for supply-chain transparency and long-term security audits.
Settore INFO-01/A - Informatica
Settore IINF-05/A - Sistemi di elaborazione delle informazioni
   SEcurity and RIghts in the CyberSpace (SERICS)
   SERICS
   MINISTERO DELL'UNIVERSITA' E DELLA RICERCA
   codice identificativo PE00000014
2026
https://ceur-ws.org/Vol-4198/
Book Part (author)
File in questo prodotto:
File Dimensione Formato  
paper47.pdf

accesso aperto

Tipologia: Publisher's version/PDF
Licenza: Creative commons
Dimensione 1.84 MB
Formato Adobe PDF
1.84 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/1255757
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 0
  • ???jsp.display-item.citation.isi??? ND
  • OpenAlex ND
social impact