26C3 - 26C3 1.15

26th Chaos Communication Congress
Here be dragons

Collin Mulliner
Day Day 2 - 2009-12-28
Room Saal3
Start time 18:30
Duration 01:00
ID 3507
Event type Lecture
Track Hacking
Language used for presentation English

Fuzzing the Phone in your Phone

In this talk we show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices.

This method does not use the carrier and so is free (and invisible to the carrier). We show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, we present the results of this fuzzing and discuss their impact on smart phones and cellular security.