
The NSA can't remotely turn on all phones - dpeck
http://blog.erratasec.com/2014/05/no-you-cant-remotely-turn-on-phones.html
======
mschuster91
Oh sure they can. All you need is the capability to escalate from a remote
buffer overflow in the baseband processor (e.g. in its networking stack) into
a flashrom r/w capability.

Then you just reprogram the bb firmware to never switch off the baseband and
to automatically start it upon insertion of a battery, and you're done. If
you're good, intercept PIN usage so that you'll even be online without the
user inputting the PIN.

Also, I don't buy the "the NSA doesn't have an 0day exploit yet for the new
processor that comes with the phone" argument. BB firmware is usually built
"take the shit from the previous version/family, put some more shit on it to
support the newest feature, done". So once you have an 0day for any version of
a BB chip/family, you most likely can also use it against later or derived
ones.

~~~
hindsightbias
Yep.

The way you do this is by influencing standards. You buy the people who write
the specs for chips and/or firmware that are common to smart phones.

Removing batteries a problem? Don't let them remove them or have two
batteries!

All someone has to do is look at the parts list of all these various smart
phones and look for the common parts. That's where you'll find the exploit.

~~~
contingencies
Two strong mechanisms for staying ahead here.

(1) Watch the licensing process. Want to release a phone in Europe/US? You
need to have the electronics licensed first.

(2) Want to release a phone in large numbers via a major carrier's retail
operation? Watch their carrier pre-approval process (in the US this is months
long).

------
drawkbox
They can at least track location while the phone is 'powered off'.
[https://www.techdirt.com/articles/20130723/12395923907/even-...](https://www.techdirt.com/articles/20130723/12395923907/even-powering-down-cell-phone-cant-keep-nsa-tracking-its-location.shtml)

"According to Ryan Gallagher at Slate, the NSA, along with other agencies, are
able to do something most would feel to be improbable, if not impossible: track
the location of cell phones even if they're turned off. On Monday, the
Washington Post published a story focusing on how massively the NSA has grown
since the 9/11 attacks. Buried within it, there was a small but striking
detail: By September 2004, the NSA had developed a technique that was dubbed
“The Find” by special operations officers. The technique, the Post reports,
was used in Iraq and “enabled the agency to find cellphones even when they
were turned off.” This helped identify “thousands of new targets, including
members of a burgeoning al-Qaeda-sponsored insurgency in Iraq,” according to
members of the special operations unit interviewed by the Post."

And possibly capture data...

"The FBI's use, in which cell phones' microphones were remotely activated to
record conversations (even with the phones turned off), probably had some
bearing on Snowden's request that journalists power down their phones and
place them in the fridge."

------
3pt14159
Sure you can.

I offer as much proof for my statement as this blog post does. Snowden had
access to basically every NSA program; if you are going to disagree with them,
you'd better at least speak from authority, or better, offer specific proof.

------
simoncion
For as long as I can remember[0] the DoD and all DoD contractors have required
those with cellular phones to leave them outside of secured areas. Phones have
not been and continue to not be permitted inside secured areas for any reason,
even if they are powered down.

It might just be that the DoD is paranoid, but I'm not so sure about that.

[0] That is, since long before smartphones and phones with local audio
recording ability were commercially available.

------
gue5t
I was under the impression the most common architecture for mobile devices is
to support DMA (direct memory access) from the baseband to main memory. This
would obviate the "finding an OS exploit" step described, as operating systems
do not attempt to be secure against attackers with full memory access. Can
anyone with knowledge of these phones' architectures clue us in on the
specifics of the situation?

------
pdkl95
[http://www.osnews.com/story/27416/The_second_operating_syste...](http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone)

Here's a link I had buried in my bookmarks from last November that discussed
this issue.

If accurate, it suggests the problem is not just bad code quality in the
baseband processor being remotely exploitable. This article suggests it's
basically a _monoculture_ because everybody just buys the same "hardware part"
because actually implementing it on your own is (very) hard. Once you add in
all the FCC compliance issues, it's practically impossible.

Oh, and it suggests you may not need to bother with flashing the firmware as
mschuster91 suggested. It trusts the cell tower implicitly. Never mind fancy
stuff like "passwords" - just tell the phone to auto-answer because it
accepts Hayes modem commands directly.

------
letstryagain
Yeah, well, maybe they can't remotely turn on a Nokia P30 or whatever, but most
people these days use iPhones or other smart devices that almost certainly
have many zero-day bugs available to the NSA.

------
hordac
The most interesting detail from this article is the part where he says
exactly all the things you would expect an NSA shill to say on a blog, if,
hypothetically, an NSA shill kept a blog.

------
sjtrny
I'm confused. Does "off/on" refer to sleep state, whether the phone is powered
on/off, or does it mean making a call?

