Vulnerability Disclosures

Qualcomm Modem - Crash in LTE RRC SM DLM counter

Qualcomm Modem - LTE RRC crash in RS eMIMO

Qualcomm Modem - Validate 5G RRC SIB type before processing OTA

Qualcomm Modem - Handle gracefully when first time 5G RRC SIB1 read is attempted but OSIs are received

Qualcomm Modem - Crash when processing 5G RRC SIB2

MediaTek Modem - MCCH Double Free

  • Identifiers
  • Impact: Denial of service (DoS).
  • Affected: MediaTek Modem.
  • Resolution: January 19, 2021 - Reported through Samsung's program, but not patched until reported to MediaTek directly. Awarded $200 💵 !
  • Found via: FirmWire (AFL++).
  • Reported by: Team FirmWire.

Samsung “Shannon” Modem - Stack buffer overflow when processing LTE RRCConnectionReconfiguration message

  • Identifiers
  • Impact: Remote Code Execution (RCE).
  • Affected: Samsung "Shannon" Modem.
  • Resolution: January 19, 2021 - Reported to Samsung's program and patched. Awarded $22,530 💵 !
  • Found via: FirmWire (AFL++).
  • Reported by: Team FirmWire.

Samsung “Shannon” Modem - Heap-based buffer overflow when processing LTE RRC RRCConnectionReconfiguration message

  • Identifiers
  • Impact: Potential Remote Code Execution (RCE).
  • Affected: Samsung "Shannon" Modem.
  • Resolution: January 19, 2021 - Reported to Samsung's program and patched. Awarded $22,530 💵 !
  • Found via: FirmWire (AFL++).
  • Reported by: Team FirmWire.

Samsung “Shannon” Modem - Stack buffer overflow when decoding CC SETUP packet

  • Identifiers
  • Impact: Remote Code Execution (RCE).
  • Affected: Samsung "Shannon" Modem.
  • Resolution: September 11, 2020 - Reported to Samsung's program and patched. Awarded $37,500 💵 !
  • Found via: FirmWire (AFL++).
  • Reported by: Team FirmWire.
  Demo

Linux Kernel - Buffer overflow during parsing of HID report in Linux’s GTCO driver

  Patch / Writeup

Counter Strike: Global Offensive - BSP ZIP Buffer Overflow

  • Impact: Remote Code Execution (RCE).
  • Affected: Counter Strike: Global Offensive.
  • Resolution: July 19, 2018 - Collaboratively disclosed and fixed by Valve. Awarded $12,500 💵 !
  • Found via: Fuzzing using CERT BFF.
  • Reported by: Me working with Chippy (https://path.net).
  Hackerone   Writeup

LG Electronics smartphones exposing AT command interfaces via USB - USB AT Command Vulnerability

  • Identifiers
    • LVE-SMP-180001
  • Impact: Proximate code execution via USB.
  • Affected: LG Electronics smartphones exposing AT command interfaces via USB.
  • Resolution: July 1, 2018 - Disclosed to and fixed by LG.
  • Found via: Large scale static and dynamic analysis.
  • Reported by: Me working for the Florida Instutute for Cyber-security Research (FICS).
  Vulnerabilty Announcement   Demo   AT Command Database

Valve’s GoldSrc Engine (CS 1.6, CS:CZ) - Counter Strike BSP Map Buffer Overflow

  • Impact: Remote Code Execution (RCE).
  • Affected: Valve's GoldSrc Engine (CS 1.6, CS:CZ).
  • Resolution: July 10, 2017 - Disclosed and fixed by Valve. Before Hackerone program, so no bounty sadly.
  • Found via: Fuzzing / Static analysis.
  • Reported by: Myself.
  Writeup   Demo

Industry Experience

                                  
2022 - Present

  •                                                                                               
  •                                           

Qualcomm Product Security, Senior Security Engineer
San Diego, CA – July 2020 - 2022

  • Improved fuzzing speed of our modem’s 5G and LTE RRC stacks by 100x, leading to multiple vulnerabilities
  • Created a web service with Next.js to automatically generate and visualize fuzzer code coverage reports
  • Led design and risk review of new features to make security recommendations to developers
  • Performed extensive code review of MAC/RLC modem code and triaged external modem incident response tickets

Google, Android Platform Security Intern
Mountain View, CA – Summer 2019

  • Audited the entire USB stack of the Android platform and recommended hardening changes to the platform security team
  • Created a fuzzer using libFuzzer for Android’s MTP server and discovered a buffer overflow and a denial of service
  • Found, reproduced, and patched a denial of service USB bug in the Linux kernel with the help of Syzkaller fuzzing

Facebook, Security Foundation Intern
Menlo Park, CA – Summer 2014

  • Extended internal 2FA PHP frontend to enable auditing and management of employee Yubikey tokens
  • Crafted Python job to stream employee Duo 2FA API statistics to an internal log ingester and visualizer
  • Improved C Duo Linux PAM module to become IPv6-ready and improve network timing fault tolerance
  • Performed site-wide zmap/nmap scanning to assess SSH version distribution
  • Built a Debian SSH package, with custom patches, to update entire 100, 000+ machine fleet using Chef

Raytheon SI, Intern
Melbourne, FL – Summer 2013

  • Engineered a multi-threaded socket protocol and logger in C on a Linux ARM development board for target remote control
  • Created custom wire harnesses to interface with target hardware platform and ARM development board
  • Reverse engineered and extracted BGA flash memory firmware through chip-off technique
  • Wrote a Python proof-of-concept exploit to demonstrate an undisclosed router command injection vulnerability

Industry Conference Talks

Note: only registered speakers are listed. More authors may have contributed to materials.

  1. G. Hernandez, D. Maier, and M. Muench. FirmWire: Taking Baseband Security Analysis to the Next Level. CanSecWest, 2022.
  2. G. Hernandez and M. Muench. Reversing & Emulating Samsung’s Shannon Baseband. Hardwear.io Netherlands, 2020.
  3. G. Hernandez and M. Muench. Emulating Samsung’s Shannon Baseband for Security Testing. Black Hat USA, 2020.
  4. G. Hernandez. BigMAC: Fine-Grained Policy Analysis of Android Firmware. SRC TECHCON, 2019.
  5. G. Hernandez, D. Buentello, and Y. Jin. Smart Nest Thermostat: A Smart Spy in your Home. Black Hat USA, 2014.

Academic Research Experience

University of Florida, Research Assistant with FICS
Gainesville, FL – Fall 2015 - August 2020

  • Advisor: Dr. Kevin R. B. Butler
  • Area: Systems security
  • Thesis: Leveraging domain knowledge to support and scale automated analysis of embedded firmware beyond that of purely manual or physical approaches.
  • Studied and improve the methodologies around cellular baseband security testing
  • Performed large-scale analysis of Android firmware to explore hidden USB interfaces and device security policies
  • Analyzed USB firmware using symbolic execution to automatically reason about device functionality
  • Employed Intel SGX to balance Secure Function Evaluation (SFE) security with performance

University of Central Florida, Undergraduate Research Assistant
Orlando, FL – Summer 2013 - 2014

  • Advisor: Dr. Yier Jin
  • Area: Internet of Things security
  • Discovered a USB entry point into Google’s Nest Thermostat allowing full-root access
  • Published findings at Black Hat USA 2014 entitled “Smart Nest Thermostat: A Smart Spy in your Home”

University of Central Florida, EXCEL Undergraduate Research
Orlando, FL – Spring 2013

  • Advisor: Dr. Mingjie Lin
  • Area: FPGAs
  • Learned Verilog through working with a HDL Huffman decoder

Publications & Academic Work

Note: for a distilled version of my work see the top-level research page.

Academic Conferences

  1. G. Hernandez, M. Muench, D. Maier, A. Milburn, S. Park, T. Scharnowski, T. Tucker, P. Traynor, and K. Butler. FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware. Network and Distributed Systems Security Symposium (NDSS), 2022.
  2. F. Fowze, D. Tian, G. Hernandez, K. Butler, and T. Yavuz. ProXray: Protocol Model Learning and Guided Firmware Analysis. International Conference on Software Engineering (ICSE), 2020.
  3. G. Hernandez, D. Tian, A. Yadav, B. Williams, and K. Butler. BigMAC: Fine-Grained Policy Analysis of Android Firmware. USENIX Security, 2020.
  4. N. Scaife, J. Bowers, C. Peeters, G. Hernandez, I. N. Sherman, P. Traynor, and L. Anthony. Kiss from a Rogue: Evaluating Detectability of Pay-at-the-pump Card Skimmers. IEEE S&P, 2019.
  5. D. Tian, G. Hernandez, J. Choi, V. Frost, P. Johnson, and K. Butler. LBM: A Security Framework for Peripherals within the Linux Kernel. IEEE S&P, 2019.
  6. D. Tian, J. Choi, G. Hernandez, P. Traynor, and K. Butler. A Practical Intel SGX Setting for Linux Containers in the Cloud. ACM CODASPY, 2019.
  7. D. Tian, G. Hernandez, J. Choi, V. Frost, C. Ruales, K. Butler, P. Traynor, H. Vijayakumar, L. Harrison, A. Rahmati, and M. Grace. ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem. USENIX Security, 2018.
  8. G. Hernandez, F. Fowze, D. Tian, T. Yavuz, and K. Butler. FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution. ACM CCS, 2017.
  9. S. Etigowni, D. Tian, G. Hernandez, S. Zonouz, and K. Butler. CPAC: Securing Critical Infrastructure with Cyber-Physical Access Control. ACSAC, 2016.

Journals

  1. T. Yavuz, F. Fowze, G. Hernandez, K. Y. Bai, K. Butler, and D. Tian. ENCIDER: Detecting Timing and Cache Side Channels in SGX Enclaves and Cryptographic APIs. IEEE Transactions on Dependable and Secure Computing, 2022.
  2. F. Fowze, D. Tian, G. Hernandez, K. Butler, and T. Yavuz. ProXray: Protocol Model Learning and Guided Firmware Analysis. IEEE Transactions on Software Engineering (TSE), 2019. (Also selected to appear at International Conference on Software Engineering (ICSE), 2020.)
  3. A. Bates, D. Tian, G. Hernandez, T. Moyer, K. Butler, and T. Jaeger. Taming the Costs of Trustworthy Provenance through Policy. Transactions on Internet Technology (TOIT), 2016.

Posters

  1. G. Hernandez and K. Butler. Basebads: Automated Security Analysis of Baseband Firmware. ACM Security & Privacy in Wireless and Mobile Networks (WiSec), 2019.
  2. G. Hernandez, K. Butler. Android Escalation Paths: Building Attack-Graphs from SEAndroid Policies. ACM Security & Privacy in Wireless and Mobile Networks (WiSec), 2018.
  3. — . ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem. SEC Academic Conference, Apr. 2018. (Best Poster)
  4. G. Hernandez, D. Tian, J. Choi, V. Frost, C. Ruales, K. Butler, P. Traynor, H. Vijayakumar, L. Harrison, A. Rahmati, and M. Grace. ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem. FICS Conference, Mar. 2018.
  5. G. Hernandez, F. Fowze, D. Tian, C. Metcalf, T. Yavuz, and K. Butler. FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution. FICS Conference, Mar. 2017. (Best Poster)
  6. G. Hernandez, A. Bates, and K. Butler. SSL Certificate Verification Enhancements for the Server. FICS Conference, 2016.
  7. G. Hernandez and Y. Jin. Smart Nest Thermostat: A Smart Spy in your Home. UCF Showcase for Undergraduate Research, 2015.

Magazine Articles

  1. G. Hernandez, F. Fowze, D. Tian, T. Yavuz, P. Traynor, and K. Butler. Toward Automated Firmware Analysis in the IoT Era. IEEE Security & Privacy (S&P Magazine), 2019.

Workshops

  1. S. Deshmukh, H. Carter, G. Hernandez, P. Traynor, and K. Butler. Efficient and Secure Template Blinding for Biometric Authentication. Proceedings of the IEEE Workshop on Security and Privacy in the Cloud (SPC), 2016.

Academic Service

Program Chair Assistant

  • Network & Distributed System Security Symposium (NDSS) – 2017
    Assisted Ari Juels with recording HotCRP accept/reject decisions, limiting paper discussion time, and synchronizing dual-track PC meeting via custom spreadsheet.

External Reviewer

  • IEEE Symposium on Security & Privacy (Oakland, S&P) - 2017
  • USENIX Security Symposium (USENIX Security) – 2017, 2018
  • ACM Conference on Computer and Communications Security (CCS) - 2016, 2017
  • ACM Asia Conference on Computer and Communications Security (AsiaCCS) - 2017, 2018
  • Annual Computer Security Applications Conference (ACSAC) – 2017
  • Network & Distributed System Security Symposium (NDSS) - 2017, 2018
  • USENIX Symposium on Operating Systems Design and Implementation (OSDI) - 2016
  • USENIX Workshop on Offensive Technologies Workshop on Offensive Technologies (WOOT) - 2016, 2017

Professional Services

  • System Administrator for the Florida Institute of Cyber Security (FICS). Responsible for user management, patching, hardening, and monitoring 9 business-critical servers. (2015 – present)
  • Helped develop, organize and run SwampCTF, a 48 hour international Capture the Flag competition, for the Student InfoSec Team (UFSIT). Built infrastructure using Ansible, Docker, AWS, and Netdata. Over 1,200 registered teams enjoyed our 28 hand-crafted cyber security challenges (March 2018).
  • Advising and training the University of Florida’s Collegiate Cyber Defense Team (UFCCDC) under UF’s Registered Student Organization (RSO) the Student InfoSec Team (UFSIT) (2016-2017). Reference: Dr. Joseph Wilson (jnw@cise.ufl.edu)

Honors & Awards

University Florida

  • Best poster: “ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem.” (SEC Academic Conference, Apr. 2018)
  • CISE Graduate Scholarship (2017)
  • 3rd place at the Southeast Regional Collegiate Cyber Defense Competition (SECCDC) (2017)
  • Best poster: “FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution.” (FICS Conference, Mar. 2017)
  • Harris Communication Fellowship (2015)
  • Appointed as Florida Institute of National Security (FINS) Fellow (2015)
  • Graduate School Fellowship Award (2015 - 2019)

University of Central Florida

  • ICubed (I3) Fellow - presented Nest security research to an Advanced Painting class, inspiring their work (2015)
  • Winner of the National Collegiate Cyber Defense Competition (NCCDC) out of 180 schools (April 2014)
  • 1st place at the Southeast Regional Collegiate Cyber Defense Competition (SECCDC) (2013 and 2014)
  • 2nd place at the UCONN CyberSEED Buffer Overflow competition (2014)
  • 6th place and 5th place at CSAW CTF finals (2013 and 2014 respectively)
  • UCF President’s Honor Role, 4.0 GPA (Fall 2011, Spring 2012, Fall 2012)
  • EXCEL Student - NSF STEM only education program with guaranteed Sophomore year research (2011 - 2013)
  • 1st place at UCF’s 25th annual High School Programming Tournament

Press

  1. “Smartphone security risk compared to ‘having a ghost user on your phone’ ”
    – University of Florida News (Quoted, August 22nd, 2018)
  2. “University Alabama Wins 2018 SEC Student Cyber Challenge Competition”
    – SECU News, Auburn, AL (Mentioned for poster competition, April 9th, 2018)
  3. “Students Place Third in Cyber Defense Competition”
    – Computer & Information Science & Engineering News, University of Florida (Quoted, April 10th, 2017)
  4. “CISE Students Win at 2017 FICS Research Conference on Cybersecurity”
    – Computer & Information Science & Engineering News, University of Florida (Quoted, April 3rd, 2017)
  5. “17 ways the Internet of Things can go horribly wrong”
    – ZDNet (Mentioned, March 21st, 2016)
  6. “UCF Cyber Defense Turns Smart Thermostat Into Potential Spy”
    – UCF Today (Mentioned, August 11th, 2014)
  7. “A used thermostat could hack your house”
    – CNN Money (Interviewed (video), August 7th, 2014)
  8. “Is your Watch or Thermostat a Spy? Cybersecurity Firms are on it” NPR
    – All Things Considered (Interviewed (voice), August 6th, 2014)
  9. “Nest Hackers Will Offer Tool To Keep The Google-Owned Company From Getting Users’ Data”
    – Forbes Tech (Interviewed, July 16th, 2014)
  10. “UCF wins Raytheon cyber defense contest”
    – Orlando Sentinel (Mentioned, April 28th, 2014)

Bonus

  • I’m a licensed amateur radio operator – KK4QIS