Baseband vulnerability could mean undetectable, unblockable attacks on mobile phones


#1

Originally published at: http://boingboing.net/2016/07/20/baseband-vulnerability-could-m.html


#2

Reason enough to race to connect ever more everyday objects, and mission-critical systems, to the public 'net.
Where do I sign up? Oh, that’s right. I’ve already been signed up.


#3

Well, the world didn’t come to an end with that USB firmware exploit. Or so it seems.


#4

You’re right (though there’s a bunch of stuff probably going on that none of us will know about until it breaches), but there’s a difference between a physical-access attack and a wireless-access attack.


#5

This is not how it works.

There are 3 separate OS on most smart phones:

  1. The Smart Phone UI OS (iOS, Android, WebOS, Mobile Windows, Whatever)
  2. The Baseband OS
  3. The SIM OS

The baseband OS controls the cellular radio hardware only, and runs on its own processor. The Smart Phone OS, such as iOS or Android runs on a completely separate processor and the system has very limited checked communication with the baseband os, the apps do not have access to nor trust the baseband, they rather relay specific instructions to the smart phone os which relays them to the baseband os. The smart os does not implicitly trust the baseband os, that is incorrect, and misinformed about the relationship, the smart os runs on “the metal” just as much as the sim os and the baseband os, and they are mostly isolated with very limited cross communication.

This would actually lead to a fairly secure model, EXCEPT, most phone manufactures share the internal memory between the 2 OS to save a tiny amount on hardware costs, which is where any potential cross OS vulnerabilities originate. This is why you see reference to the HEAP overflows, they are what one would use for a cross OS attack vector, but are not easy to execute. Not all phone share memory between the os. (the sim os does not share this memory and is a self contained SoC unlike the baseband SoC.)

This doesn’t have to be a speculative statement. There are quite a few baseband vulnerabilities that are know and are regularly sold in security forums on the dark web. Yes the baseband os in most modern smartphones has multiple known unpatched vulnerabilities, and yes hacking them is undetectable and untraceable. While they do allow scary things like listening in on calls, collecting metadata, reading sms, etc, they very very very rarely can be escalated into a trust attack on the Smart OS itself. There are a few noted exceptions, like the baseband bug that was used in the iOS jailbreak solution, but that required active user participation to implement.

This isn’t anything new, new baseband vulnerabilities are discovered quite regularly and used by everyone from hackers to the NSA.


#6

Hey, @ActionAbe. Remember when you posted about this several years ago? :smiley:


#7

This topic was automatically closed after 5 days. New replies are no longer allowed.