In this paper we detail a workflow devised to identify and verify cryptographic implementations within baseband firmware. The approach combines constant-guided function discovery, semantic comparison against 3GPP specifications, parameter bound extraction, and library fingerprinting. We apply the method to three commercial firmware images from Samsung (Shannon) and MediaTek devices, finding and validating vendor implementations of KASUMI, SNOW-3G, AES, and 4G/5G integrity and confidentiality algorithms. Our analysis reveals security-relevant issues, including incorrect S-Box indexing in KASUMI and a firmware update failure caused by a malformed signature field. We further extract a 1792-bit RSA limit in Shannon and identify an outdated OpenSSL 1.0.2c bundle in MediaTek, implying exposure to unpatched CVEs. Results demonstrate that structured cryptographic verification in baseband firmware is not only feasible but essential for supply-chain transparency and long-term security audits.
A Static Workflow for Cryptography Verification in 4G/5G Basebands / L. Lucca, S.D.C. (CEUR WORKSHOP PROCEEDINGS). - In: ITASEC & SERICS 2026 / [a cura di] D. Maiorca, P. Samarati. - [s.l] : Sun SITE Central Europe (CEUR), 2026. - pp. 1-14 (( Proceedings of the Joint National Conference on Cybersecurity : February, 9th - 13th Cagliari 2026.
A Static Workflow for Cryptography Verification in 4G/5G Basebands
A. Visconti
Ultimo
2026
Abstract
In this paper we detail a workflow devised to identify and verify cryptographic implementations within baseband firmware. The approach combines constant-guided function discovery, semantic comparison against 3GPP specifications, parameter bound extraction, and library fingerprinting. We apply the method to three commercial firmware images from Samsung (Shannon) and MediaTek devices, finding and validating vendor implementations of KASUMI, SNOW-3G, AES, and 4G/5G integrity and confidentiality algorithms. Our analysis reveals security-relevant issues, including incorrect S-Box indexing in KASUMI and a firmware update failure caused by a malformed signature field. We further extract a 1792-bit RSA limit in Shannon and identify an outdated OpenSSL 1.0.2c bundle in MediaTek, implying exposure to unpatched CVEs. Results demonstrate that structured cryptographic verification in baseband firmware is not only feasible but essential for supply-chain transparency and long-term security audits.| File | Dimensione | Formato | |
|---|---|---|---|
|
paper47.pdf
accesso aperto
Tipologia:
Publisher's version/PDF
Licenza:
Creative commons
Dimensione
1.84 MB
Formato
Adobe PDF
|
1.84 MB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.




