David Hirsch

Since January 2026, I have been a PhD candidate at the Hasso Plattner Institute, working in Prof. Dr.-Ing. Jiska Classen’s research group Cybersecurity - Mobile and Wireless.

My research focuses on fuzzing and vulnerability discovery in low-level systems software, with the goal of making everyday devices more secure. I work primarily on browser engines and cellular baseband firmware, and currently investigate hardware-assisted fuzzing primitives. My work has been published at IEEE S&P and presented at OffensiveCon, and I have received bug bounties from Google and MediaTek for vulnerabilities reported through their disclosure programs.

Before joining HPI, I spent four years working in IT forensics, most recently as technical lead. I earned my M.Sc. in Applied IT Security from Ruhr University Bochum in 2025, and my B.Sc. in Electrical and Information Engineering from Hamburg University of Applied Sciences in 2021. During my Bachelor’s degree, I participated in a cooperative studies program at Lufthansa Technik AG.

A detailed CV is available upon request.

news

Jan 15, 2026	Joined the Mobile and Wireless Security group at Hasso Plattner Institute as a PhD candidate under the supervision of Prof. Dr.-Ing. Jiska Classen.
Nov 14, 2025	Three V8 sandbox bypasses reported via the Google Chrome VRP: #427662337, #430498032, #433800618.
May 15, 2025	BaseBridge was published at IEEE S&P 2025.
May 13, 2025	Daniel and I will give a talk at OffensiveCon 2025 — No Signal, No Security: Dynamic Baseband Vulnerability Research.
Jan 06, 2025	CVE-2024-20149, CVE-2024-20150, and CVE-2024-20154 published in the MediaTek January 2025 Product Security Bulletin.

publications

S&P ’25
BaseBridge: Bridging the Gap Between Over-the-Air and Emulation Testing for Cellular Baseband Firmware

Daniel Klischies, Dyon Goos, David Hirsch, and 3 more authors

In 2025 IEEE Symposium on Security and Privacy (SP), May 2025

Abs DOI Bib HTML PDF

Current approaches for emulating cellular basebands inherently fall short in comparison to over-the-air testing due to their limited support for the complex peripherals involved in a modern baseband, such as DSPs, SIM cards and RF frontends. Improving such support is a daunting task, requiring deep reverse-engineering which is extremely time consuming - resulting in slow progress. Consequently, techniques such as fuzzing are only able to find relatively shallow bugs, since they are unable to reach the states required for the majority of the baseband to function. To fill this gap, we propose Basebridge, which enables far more comprehensive simulation of baseband behavior by restoring relevant state from memory dumps of real devices. Our prototype implementation supports baseband firmware from two major vendors (MediaTek and Samsung), and - in contrast to current state-of-the-art emulators - correctly responds to 97% of tested RRC and NAS messages while improving coverage by an average factor of 2.41 (Samsung) and 5.54 (MediaTek). Basebridge also passes several LTE conformance tests. Our empirical evaluation demonstrates that this enhanced fidelity enables faster discovery of a wider range of bugs thanks to the scalability of emulation; our fuzzing campaign shows that coverage improves by a factor of 2.3-5x overall, and by a factor of 9.0-22.5x for functionality targeted by our approach. Basebridge unveiled 5 new vulnerabilities, which we have disclosed to affected vendors.
@inproceedings{11023426, author = {Klischies, Daniel and Goos, Dyon and Hirsch, David and Milburn, Alyssa and Muench, Marius and Moonsamy, Veelasha}, booktitle = {2025 IEEE Symposium on Security and Privacy (SP)}, title = {{BaseBridge}: Bridging the Gap Between Over-the-Air and Emulation Testing for Cellular Baseband Firmware}, year = {2025}, pages = {1101--1119}, keywords = {Baseband; Wireless networks; Scalability; Emulation; Computer bugs; Prototypes; Fuzzing; Security; Microprogramming; Testing; LTE; rehosting; cellular security}, doi = {10.1109/SP61157.2025.00142}, issn = {2375-1207}, month = may, publisher = {IEEE}, }