Oh wow! I played around with getting a sim900 firmware running against qemu and open source tower implementations for finding exploits.

But this goes way farther than I had even planned! Connecting it to fuzzing infrastructure is super duper neat. I was just using it as a reproducible target to manually get it into weird states.
This is focused on LTE. For telecommunications the most useful approach I have found to date was to fuzz using ASN.1 [1][2]. Everything in telecoms is ASN.1 and vendors usually write their own parser generators.

[1] This is focused on X.509/TLS but the approach is the same: https://blog.doyensec.com/2020/05/14/asn1fuzz.html
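As an added illustration of the structure-aware approach this comment describes (not code from the commenter or from the linked post): ASN.1 decoders spend most of their effort on the tag/length/value framing, so a fuzzer that understands the length field finds the interesting inputs far faster than random byte flipping. The snippet below is a small hardened DER length decoder plus a generator of length-field edge cases (indefinite form, non-minimal encodings, oversized and truncated lengths) that a team can run against its own decoder to confirm every malformed case is rejected cleanly. The parser, the mutation list and the sample TLV are all constructed here for the example.

```python
"""Structure-aware fuzzing of a DER tag/length/value decoder (constructed example)."""
import random


def encode_length(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_tlv(buf: bytes) -> tuple[int, bytes, int]:
    """Parse one DER TLV and return (tag, value, bytes_consumed).

    Every malformed framing raises ValueError; no other exception type may escape,
    because an IndexError or MemoryError here is exactly the kind of bug a fuzzer hunts.
    """
    if len(buf) < 2:
        raise ValueError("truncated header")
    tag = buf[0]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported in this decoder")
    first = buf[1]
    if first < 0x80:
        length, pos = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not permitted in DER")
    else:
        width = first & 0x7F
        if width > 4:
            raise ValueError("length field too wide")
        if len(buf) < 2 + width:
            raise ValueError("truncated length field")
        length_bytes = buf[2:2 + width]
        if length_bytes[0] == 0:
            raise ValueError("non-minimal length (leading zero byte)")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise ValueError("non-minimal length (long form used for a short value)")
        pos = 2 + width
    if len(buf) - pos < length:
        raise ValueError("value truncated: declared length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def length_mutations(tag: int, value: bytes):
    """Yield one well-formed TLV followed by structure-aware length-field variants.

    Assumes len(value) < 0x80 so the non-minimal variants are meaningful.
    """
    yield bytes([tag]) + encode_length(len(value)) + value            # well-formed baseline
    yield bytes([tag, 0x80]) + value + b"\x00\x00"                    # BER indefinite form
    yield bytes([tag, 0x81, len(value)]) + value                      # long form for a short length
    yield bytes([tag, 0x82, 0x00, len(value)]) + value                # leading zero in length
    yield bytes([tag, 0x84, 0xFF, 0xFF, 0xFF, 0xFF]) + value          # claims ~4 GiB of value
    yield bytes([tag, 0x85, 0x01, 0, 0, 0, 0]) + value                # five-byte length field
    yield bytes([tag]) + encode_length(len(value) + 1) + value        # off-by-one past the buffer
    yield bytes([tag, 0x7F]) + value                                  # short form, 127 bytes claimed
    yield bytes([tag])                                                # header cut off


def rejects(buf: bytes) -> bool:
    """True if the decoder rejects buf with ValueError (the only acceptable failure)."""
    try:
        parse_tlv(buf)
        return False
    except ValueError:
        return True


def run_fuzz(tag: int, value: bytes, rounds: int = 200, seed: int = 1) -> tuple[int, int, int]:
    """Feed the structured variants plus random single-byte flips of the baseline to parse_tlv.

    Returns (accepted, rejected, crashes); crashes counts any exception other than ValueError.
    """
    rng = random.Random(seed)
    cases = list(length_mutations(tag, value))
    baseline = cases[0]
    for _ in range(rounds):
        flipped = bytearray(baseline)
        flipped[rng.randrange(len(flipped))] = rng.randrange(256)
        cases.append(bytes(flipped))
    accepted = rejected = crashes = 0
    for case in cases:
        try:
            parse_tlv(case)
            accepted += 1
        except ValueError:
            rejected += 1
        except Exception:
            crashes += 1
    return accepted, rejected, crashes


if __name__ == "__main__":
    # Constructed sample: an OCTET STRING (tag 0x04) carrying "hello".
    print(run_fuzz(0x04, b"hello"))
```

The generator is the part worth keeping when moving to a real grammar: each variant targets one rule of the length encoding, so a rejection tells you which rule the decoder enforces, and any non-ValueError exception is a finding rather than noise.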
For those unfamiliar with the two most important terms covered in this paper, they are fuzzing [1] & baseband processor [2]:

[1] https://en.wikipedia.org/wiki/Fuzzing

[2] https://en.wikipedia.org/wiki/Baseband_processor