This topic is close to my heart. I spent a few years immersed in the Qualcomm basebands as part of the unrevoked project and personal research. I stared at the ARM code for what must be hundreds of hours.
There are so many vulnerabilities in the baseband that it's not even funny. Even the QCOM secure boot process is full of holes. If a government agency wanted to drop a persistent baseband 'rootkit' on your device with full access to userspace, they could (unless you're using one of the few phones with separate userspace and baseband processors).
The DIAG commands are particularly fun. You can read and write memory on most phones. Some have locked it down to certain areas, but this varies wildly depending on manufacturer.
Law enforcement must be pushing pretty hard to get this capability available to them under a warrant, right? I assume this isn't currently a typical investigatory technique. Is there anything holding back someone packaging an exploit?
If you absolutely needed the utility of a smartphone, but also somehow needed to be secure from these attack vectors, I wonder how much it helps to remove the SIM and disconnect the 3G/LTE antenna keeping only WiFi and Bluetooth radios on the smartphone, then carrying a separate LTE/WiFi bridge which is considered an untrusted device.
At least you isolate your microphone, video camera, GPS, and all that personal data. You still give off location but perhaps to a lesser extent.
In some ways, forcing a bridge-only mode can also extend the life of the mobile. The trade-off is mostly just the battery drain and overall hassle of the 2nd device, I guess.
"There are so many vulnerabilities in the baseband that it's not even funny."
Are you saying these are remotely exploitable, as in over-the-air?
It seems only the complexity of the protocols involved is what stops the majority of attackers, and perhaps the illegality of broadcasting on licensed spectrum (although illegality never really stopped anyone...).
I looked at the 3GPP specs before and the amount of complexity in them is overwhelming.
I have complete control over my phone (baseband and userspace), including a nifty tool sanctioned by MediaTek to insert arbitrary AT commands in my processor at will.
I also have the ability to toggle something on the range of 75 GPIO pins. I'm not entirely sure what they do, so I don't play with them. But aside from that, I have complete control over every part of the hardware.
Unfortunately this is almost guaranteed to bring a legal attack from Qualcomm, with or without actual grounds. I've never encountered a more litigious company in my (long) involvement in electronics, or the tech sector in general. Whether Qualcomm employs more engineers or more lawyers is an open research topic.
Are there any open-source baseband phones out there? Does an open-source baseband actually exist? So many people think that they have a phone with open-source software, but so many components, especially the baseband, can give so much control over the phone.
Osmocom is working on open-source implementations of both basebands and cell towers, along with various other cell network components: see http://osmocom.org/ for the project and http://bb.osmocom.org/ for the baseband in particular.
Related question: does anyone know of any no-baseband devices?
I've been unsuccessfully looking for a WiFi-only phone, ideally a relatively modern one which comes with an unlocked bootloader and can easily run CyanogenMod.
So the usual view is that the capabilities we hear of the NSA having (keeping the phone on even when it appears to be off, using GPS etc. to locate the phone, transmitting the microphone in the background, etc.) are enabled in the baseband, when it receives coded requests from the network.
It'd be interesting if reverse engineering of the baseband could find those capabilities and see what's really possible and how it works.
DavidWanjiru | 11 years ago
Such as which ones? Or is this something a quick Google could bring up?
jcr | 11 years ago
http://www.youtube.com/watch?v=e1lYU0VMCoY
It's both fascinating and frightening.
userbinator | 11 years ago
http://www.3gpp.org/DynaReport/41033.htm
http://www.3gpp.org/DynaReport/42033.htm
http://www.3gpp.org/DynaReport/43033.htm
33.106, 33.107, and 33.108 on http://www.3gpp.org/DynaReport/status-report.htm also make for some... interesting reading.
pronoiac | 11 years ago
According to a note in this presentation, Ralf-Philipp Weinmann has noted exploits on broadband processors from both.