Why Your Cellphone is Inherently Insecure

An interesting article that covers a topic I’ve considered before. I thought about it for two seconds and went “Nah, I’m sure they’ve got that covered.”

It has to do with this:

I’ve always known this, and I’m sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.

Naturally, no one has really given a thought to the security of this system:

there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

So I guess that no, no they don’t have it covered.

Some phones, mostly relatively early ones, ran both the user-facing OS and the baseband OS on the same chip (using some sort of virtualization-like hardware partitioning, along with some DSP or similar elements to handle some of the RF stuff that would have been computationally intractable as SDR). Essentially all modern devices do not.

What is not clear to me is exactly what power the baseband enjoys over the ‘primary’ OS and its hardware, memory space, etc. It definitely appears to be the case that anybody with access to a cell tower, and a few competent geeks, owns your baseband in all kinds of nasty ways, could brick it, etc. and very probably enjoys nontrivial power over many of the more legacy and ‘dumbphone’ tasks (like, oh, phone calls and SMS) which are substantially within the purview of the baseband. However, I didn’t get a clear sense of whether the baseband can do much (aside from simply maliciously failing to pass it along) to something like an SSLed TCP/IP communication between an application on the phone’s ‘primary’ OS side, and a remote server. Nor is it clear if the baseband can do things like DMA against the host OS’s memory space.

My only real chance to observe has been in looking at a Qualcomm Gobi EV-DO-HSPA mini-PCIe card: Obviously, this isn’t a smartphone part; but smartphones aren’t nearly as chatty as PCs about their peripherals. Notably, it only uses the USB portion of the mini-PCIe connector (so no PCIe DMA-related tricks) and it shows up as one or more USBtty or USBACM devices, almost like an old-school copper modem on a serial port. Unless the driver or listener program is vulnerable, about the worst it can do to the host is hammer it with garbage. I don’t know if cellphone basebands are more tightly integrated, or if cellphone OSes (since they are designed to use the baseband as more than a mere wireless-broadband dongle) do many more stupid things automatically on request from the baseband module over some quasi-serial interface.
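The reply above frames the baseband, when it is exposed over a USB ACM / serial-style interface, as a device whose worst-case host impact depends on how robustly the host-side listener treats what comes over that port. The following is an added example, not code from the article or from any poster in this thread, of how a defender would write that listener: every line read from the modem is treated as untrusted input that must be short, printable ASCII, and match a strict whitelist of unsolicited result codes before the host acts on it. The two result-code shapes (`+CMTI`, `+CREG`) follow standard AT syntax; the whitelist policy, the 256-byte line bound, and the sample byte stream are this example's own assumptions and constructed data.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Whitelist of unsolicited result codes (URCs) the host is willing to act on.
# The +CMTI / +CREG shapes are standard AT syntax; accepting only these, and
# nothing else, is the policy this example assumes.
URC_PATTERNS = {
    # +CMTI: "<mem>",<index>  -- a new SMS was stored in SIM or modem memory
    "CMTI": re.compile(r'^\+CMTI: "(SM|ME)",(\d{1,3})$'),
    # +CREG: <stat>  -- network registration status changed
    "CREG": re.compile(r'^\+CREG: ([0-5])$'),
}

MAX_LINE_BYTES = 256  # assumed bound; genuine URCs are far shorter than this


@dataclass(frozen=True)
class ModemEvent:
    kind: str
    fields: Tuple[str, ...]


def parse_modem_stream(raw: bytes) -> Tuple[List[ModemEvent], int]:
    """Parse a byte stream read from the modem's serial/ACM port.

    Returns (accepted_events, rejected_line_count). Each CRLF-delimited line
    is untrusted: it must be within the length bound, contain only printable
    7-bit ASCII, and match one whitelisted URC shape exactly. Anything else is
    counted and dropped without ever reaching the code that acts on events.
    """
    events: List[ModemEvent] = []
    rejected = 0
    for line in raw.split(b"\r\n"):
        if not line:
            continue  # AT framing pads responses with empty lines; harmless
        if len(line) > MAX_LINE_BYTES:
            rejected += 1  # oversized: never decode or log it verbatim
            continue
        if any(b < 0x20 or b > 0x7E for b in line):
            rejected += 1  # control or high bytes: not a valid result code
            continue
        text = line.decode("ascii")
        for kind, pattern in URC_PATTERNS.items():
            m = pattern.match(text)
            if m:
                events.append(ModemEvent(kind, m.groups()))
                break
        else:
            rejected += 1  # well-formed text, but not a shape we act on
    return events, rejected


# Constructed sample stream: two valid URCs mixed with the kinds of junk the
# reply worries about (an oversized line, a near-miss shape, binary noise).
CONSTRUCTED_SAMPLE = b"".join([
    b"\r\n",
    b"+CREG: 1\r\n",
    b'+CMTI: "SM",3\r\n',
    b"+" + b"A" * 400 + b"\r\n",          # oversized garbage line
    b'+CMTI: "SM",3,extra\r\n',           # trailing field the shape forbids
    b"\x00\xff\x7f noise\r\n",            # non-printable bytes
    b"OK\r\n",                            # valid AT text, but not a URC
])


def demo() -> Tuple[List[ModemEvent], int]:
    """Run the parser over the constructed sample and return its result."""
    return parse_modem_stream(CONSTRUCTED_SAMPLE)


if __name__ == "__main__":
    accepted, dropped = demo()
    for ev in accepted:
        print(f"act on {ev.kind} {ev.fields}")
    print(f"dropped {dropped} untrusted line(s)")
```

The design point is that the host decides which messages it will act on, using a closed whitelist, rather than trying to enumerate bad input; a listener written this way turns the "hammer it with garbage" case into a counter rather than a crash or an unintended action.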
