
The second operating system hiding in every mobile phone - thomholwerda
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
======
mey
There is actually a 3rd inside the SIM as well
[http://en.wikipedia.org/wiki/Subscriber_identity_module#Desi...](http://en.wikipedia.org/wiki/Subscriber_identity_module#Design)

This is what Java Card was developed to run on.

If you are interested in getting lower level access to your radio, you could
look at the defunct
[http://openmoko.com/freerunner.html](http://openmoko.com/freerunner.html)
project or the resurrection of the Freerunner,
[http://www.openphoenux.org/](http://www.openphoenux.org/)

~~~
ketralnis
There was a great Defcon talk about this called The Secret Life of SIM Cards
that I can recommend watching (they release the video for these some time
after the conference).

The talk itself was about a group that had an enormous camping trip (I hope
that phrasing doesn't diminunise it) called Toorcamp of a few thousand people
that thought it would be fun to also put together their own cell network for
just them. They bought and programmed SIM cards and hid puzzles in the
programs on them.

But the amount of programming that can be done on the SIM card alone without
involving the main processor at all was really quite fascinating and there's a
lot of detail in the talk if you can track it down. Here are the slides at
least
[https://speakerdeck.com/codebutler/the-secret-life-of-sim-ca...](https://speakerdeck.com/codebutler/the-secret-life-of-sim-cards)

~~~
btown
The project website is
[http://simhacks.github.io/](http://simhacks.github.io/) \- and it looks like
you can still purchase all the necessary equipment!

------
ChuckMcM
One of the side effects of software eating the world is that the world becomes
more exploitable. I expect that over time we may see the emergence of general
'software building codes' much like there are physical building codes, and
more importantly liability associated with failing to provably meet such
codes.

The current 'random person implements firmware that controls this chip'
practice and the 'no warranty etc etc' disclaimers will, I predict, be
replaced by manufacturers who are willing to warrant their code.

~~~
frank_boyd
First of all, all that code must be open-sourced. It's so obvious that it
really hurts. Next, hardware needs to become "open-source", too.

~~~
informatimago
A country could enforce openness of the source code for imported software and
firmware.

\- If Toyota (or any car manufacturer) wants to import cars into my country,
then they better show us the sources of their firmware and software (and let
us re-compile it and re-install it, to make sure it corresponds to the
embedded code). And let the papers compare the code quality of Toyota vs. BMW.

\- If Microsoft (or any software vendor) wants to import software into my
country, then they better show us the sources of their systems and
applications (and let us re-compile it and re-install it, to make sure it
corresponds to the binary code, and doesn't contain backdoors to the NSA (or
the MSI, or the MI5 or whatever)).

\- and so on.

And actually, citizens can do the same at their level, not letting enter their
house any device or software whose code is not open source or even libre
software (so they can recompile it and reinstall it on their hardware).

But a country has more weight than a few citizens that would be qualified as
lunatics, and has more resources to analyse and validate the software and
firmware.

~~~
phaer
> And actually, citizens can do the same at their level, not letting enter
> their house any device or software whose code is not open source or even
> libre software (so they can recompile it and reinstall it on their
> hardware).

I tried that, but at the moment it means you can't even own a cellphone, etc

~~~
JonFish85
Or a new stove, microwave, alarm clock, gas meter, coffee-maker, smart
thermostat, ... Limiting yourself to only open-source SW (nevermind HW) is
severely crippling, I'd imagine!

------
headgasket
... The voice came from an oblong metal plaque like a dulled mirror ... The
instrument (the telescreen, it was called) could be dimmed, but there was no
way of shutting it off completely. (1.1.3)

Oceanians live in a constant state of being monitored by the Party, through
the use of advanced, invasive technology.

It was terribly dangerous to let your thoughts wander when you were in any
public place or within range of a telescreen. The smallest thing could give
you away. A nervous tic, an unconscious look of anxiety, a habit of muttering
to yourself – anything that carried with it the suggestion of abnormality, of
having something to hide. In any case, to wear an improper expression on your
face (to look incredulous when a victory was announced, for example) was
itself a punishable offense. There was even a word for it in Newspeak:
facecrime, it was called. (1.5.65)

Is the Google input box a door to the world or a window into your mind?

How many fingers do you see?

~~~
bigiain
But we've _always_ been at war with Eastasia…

~~~
JetSpiegel
Eurasia has been bombing us since we were little boys!

------
britta
Baseband hacking is how people made software-based carrier unlocks for iPhone
2G, 3G, 3GS, and 4 (GSM). Those exploits are somewhat documented here:
[http://theiphonewiki.com/wiki/Baseband_Device#Exploits](http://theiphonewiki.com/wiki/Baseband_Device#Exploits)

~~~
mmastrac
This is also how we did it for some of the unrEVOked roots for HTC devices
back in the day as well (mainly the "forever" tool).

------
InTheSwiss
I am assuming that the RTOS has direct and full unrestricted access to the
hardware such as the camera and microphone? If so then I would also assume
that an over the air attack to silently suck data from the camera and
microphone would be pretty easy for those with access to the RTOS (such as
governments)?

I know there has been software to do just this in the past on some Nokia
devices but I would assume (I am doing that a lot in this post!) it is just as
possible in pretty much every mobile phone?

Anyone with knowledge of this care to comment on my assumptions?

~~~
sillysaurus2
_I would also assume that an over the air attack to silently suck data from
the camera and microphone would be pretty easy for those with access to the
RTOS (such as governments)?_

This is correct. The rule of thumb is this: If you need to avoid being
tracked, do not under any circumstances carry a cell phone unless you have
removed the battery. Even if it's powered off, it can still be activated to
remotely track you as long as the battery is in it. This tactic was used in
catching the recent serial killer Luka.
[http://en.wikipedia.org/wiki/Luka_Magnotta](http://en.wikipedia.org/wiki/Luka_Magnotta)

From the article: _"His cell phone signal was traced to a hotel in Bagnolet,
but he had left by the time police arrived.[55]"_

You can bet that, since he was on the run, his cell phone was off.

There are other examples besides Luka. Circumstantial evidence is very strong
that law enforcement can track you if you've powered off your phone but
haven't removed the battery.

(I feel so strange posting this comment, since those who would benefit from
this advice are probably of dubious character.)

EDIT: I edited my comment before Guvante's reply. But it looks like some
people aren't really convinced. So here's another comment, from tlb 113 days
ago:
[https://news.ycombinator.com/item?id=6087399](https://news.ycombinator.com/item?id=6087399)

_"There is reason to believe phones have been remotely hacked by law
enforcement using carrier credentials to leave the cellular radio running and
registering with the cell network even after the off button has been pushed
and the phone appears to be off. Starting point for further reading:
[http://www.brighthub.com/electronics/gps/articles/51103.aspx](http://www.brighthub.com/electronics/gps/articles/51103.aspx)
"_

tlb = Trevor Blackwell, one of the best electronics hackers in the world. You
may know him as the creator of the first robot that walks like a human.
[http://paulgraham.com/anybots.html](http://paulgraham.com/anybots.html)

Now I've presented circumstantial evidence and an appeal to authority, so of
course feel free to doubt me. But don't be surprised to discover you've been
tracked when carrying a powered-off cellphone with a battery in it.

~~~
imissmyjuno
it is also an important piece of advice that could save someone's life for
instance. there's nothing dubious about demanding privacy. now I just wish my
nexus 4 had a removable battery..

~~~
MichaelGG
Does removing the SIM prevent the common ways of tracing, or do they simply go
off your IMEI?

~~~
sillysaurus2
The SIM isn't necessary to connect to a tower, meaning your GPS position will
be reported unless you remove the battery.

~~~
kamjam
If you remove the SIM you are usually still able to make emergency calls (911,
999, 112), which means it can still connect to cell towers.

------
rcfox
Coming from a background of developing audio hardware drivers for the
Blackberry (I worked on the last generation and current generation before
getting bored and leaving a year ago), I can tell you that even if the
baseband were able to turn on auto-answering, (I have no idea if that's
possible, by the way) it wouldn't know how to configure the microphone and
speakers to allow for recording or playback unless it convinced the
application processor to help.

If you are concerned about your Blackberry spying on you, there's a special
"security plug" that you can insert into the headphone jack which will short
all of the pins to ground, disabling the microphone. I assume other phones
support this as well.

~~~
cnvogel
Re: the security plug, I'll believe you that it might work for your line of
devices, but in the schematics for the relatively few phones I've looked at
there was always active selection on the phone pins.

Think about it: you put normal headphones in the jack (no microphones, only
tip, ring, sleeve): it will already short the mic input

~~~
gbl08ma
If I put normal headphones in my phone's 3.5 mm jack, it recognizes that they
don't have a mic and doesn't mute the built-in mic. So there are definitely
some devices where this won't work.

------
agumonkey
Nowadays processors are so tiny and cheap, they're everywhere.

# batteries

IIRC most battery charging circuits also have a dedicated real time ~OS
running.
[http://www.youtube.com/watch?v=dlSBQ5b6Pdw](http://www.youtube.com/watch?v=dlSBQ5b6Pdw)

# hard drives

Also recently someone did run linux in its hard drive controller (which is a
set of arm cores, ~v9 and m3)

HaD intro :
[http://hackaday.com/2013/08/02/sprite_tm-ohm2013-talk-hackin...](http://hackaday.com/2013/08/02/sprite_tm-ohm2013-talk-hacking-hard-drive-controller-chips/)

Direct link :
[http://spritesmods.com/?art=hddhack](http://spritesmods.com/?art=hddhack)

------
jared314
There is also a second OS hiding in your computer right now! (There might even
be a third, or fourth, depending on your hardware configuration and
manufacturer.)

Proprietary BIOS software has suffered the same issues for the last twenty+
years.

~~~
foobarian
Good thing all these embedded computers in my computer don't have antennas
attached with buggy baseband that blindly decodes and trusts messages coming
thereon. :-)

~~~
rst
Right, it's not like wifi adapters have independent processors of their own
with closed-source, potentially buggy firmware that does DMA into main
processor memory. :-)

It's also worth thinking about netboot (which comes in several flavors), in
which the main processor's potentially buggy BIOS may be independently
decoding and processing packets coming over physical wires.

~~~
yuhong
And on USB, don't forget SMM code emulating PS/2 input devices by parsing USB
HID packets. I think part of the reason why real mode exploits were never very
common was that the address DOS allocated memory depended on for example what
TSRs you were running.

~~~
rst
Remember that story a few months ago about how some government agency had
replaced all its keyboards and mice in response to a malware infestation? A
lot of folks (including some here) took this as Yet Another Show of Government
Cluelessness. I found myself wondering instead if there was a world in which
folks advised by government security experts (i.e., you-know-who) would have a
good reason to do something like this and not say why.

There is. It's a world in which their opponents had a zero-day against the
Windows USB driver, and a way into the government's supply chain. And in which
you-know-who wants to play the same game themselves against opponents
elsewhere.

~~~
wiml
They don't need a way into the government's supply chain if the keyboards and
mice have processors whose firmware is updatable over USB. Which is not
exactly rare. PoC:
[http://it.slashdot.org/story/09/08/01/1658258/apple-keyboard...](http://it.slashdot.org/story/09/08/01/1658258/apple-keyboard-firmware-hack-demonstrated)

------
Procrastes
"That complexity is exactly one of the reasons why it's not easy to write your
own baseband implementation. The list of standards that describe just GSM is
unimaginably long - and that's only GSM. Now you need to add UMTS, HSDPA, and
so on, and so forth. And, of course, everything is covered by a ridiculously
complex set of patents. To top it all off, communication authorities require
baseband software to be certified."

This _is_ HN.

I don't think implementing a replacement is all that daunting given enough
time and money. I wonder if there's a business model that will pay for it?

~~~
gonzo
I got a chance to look inside Fabrice Bellard's LTE eNodeb code.
[http://www.bellard.org/lte/](http://www.bellard.org/lte/)

It runs on an i7.

~~~
nly
FFS, does that guy ever sleep?

~~~
girvo
I doubt it. I seriously cannot fathom his skill. I mean that, I truly cannot
comprehend being that good.

------
spc476
Quite possibly a third or fourth OS as well ...
[http://boston.conman.org/2013/01/22.2](http://boston.conman.org/2013/01/22.2)

------
buo
For an example of an open-source GSM implementation that would allow one to
build a base station, see
[http://en.wikipedia.org/wiki/OpenBTS](http://en.wikipedia.org/wiki/OpenBTS) .
There are lots of videos about it on youtube where you can see it in action.

------
niels_olson
For all the "NSA's probably in on this", remember this also leaves openings
for China, Russia, and possibly others to get in on this.

~~~
alandarev
Making it moreove fair.

------
fayyazkl
Often the RTOS is not exactly free, but not entirely closed either. A while
back, I used to work on Nucleus RTOS by Mentor Graphics with a pretty
impressive global footprint
[http://en.wikipedia.org/wiki/Nucleus_RTOS](http://en.wikipedia.org/wiki/Nucleus_RTOS).
It used to be sold as an API (with source code given to customers) who
developed applications based upon it. I have written portions (IPsec/IKE,
SNMP, IPv6) of its networking stack and at least all of its customers have
access to source code. It is pretty well written with very decent coding
conventions and can be compared to any good well known open source project
(VLC, even Linux kernel). Then there are others such as Wind River's VxWorks
among the more popular ones. Though I am not very sure of its licensing model,
but it is pretty well recognized and established in the embedded world. Just
that these are not as well known in the overall software community but rather
more restricted towards those in the embedded industry.

~~~
girvo
I always wanted to play with Nucleus! What's it like?

I'm a fan of QNX personally though I only got to play with it a tiny bit. Some
awesome ideas in it.

~~~
fayyazkl
Nucleus pretty much comprises of a very small footprint. With Architecture
specific assembly isolated from like 95% of the code neatly. Rest is ANSI C.
It contains tasks which are sort of equivalent of kernel level threads in
POSIX but implementation logic is quite different i.e. RTOS constraints are
handled by classifying interrupts at two levels. In terms of constraints,
there is no dynamic loading i.e. you have to build a single binary. But at the
same time it was pretty fascinating with OS, networking stack, drivers all
contained in a separate folder building up one project. Lately they have added
power management, Android like UI and even some hypervisor support. Most
importantly, it is small and consistent enough for a programmer willing to
learn through the entire stack. Helps with much better visualization from
hardware to application. A couple of former colleagues (one of which
incidentally now works with QNX and hence compared both) highlights both i.e.
strengths vs weaknesses of each. But it didn't feel like one was superior to
another. However, Nucleus severely lacks any certifications (and ability) to
get into HARD real time industry such as aviation.

------
hngiszmo
I would donate for somebody setting up a server that streams audio (and video,
…) from all phones in reach. With bitcoin this could even be pulled off
anonymously. I would hope for such a server streaming data from financial
districts, one at a time would finally lead to something to change about this.
Donations would help buy antennas and rent space in financial districts.

------
sehugg
_While we can sort-of assume that the base stations in cell towers operated by
large carriers are "safe"_

Um.

------
_stephan
"Lastly, the baseband processor is usually the master processor, whereas the
application processor (which runs the mobile operating system) is the slave."

Can maybe somebody explain what this means exactly? Could the baseband
processor/OS be used as an attack vector to exploit the main mobile OS? Could
the OS protect itself from this?

~~~
andyzweb
The baseband processor may have unrestricted access to the entire address
space of the device or to address space which the application processor (and
the operating system it's running) implicitly trusts.

~~~
_ak
AFAIK, access to the baseband and vice versa is through a network inside the
phone. Physically, these two computers are separated, and communicate only
through a well-defined network interface. No poking in other computer's
memory.

------
mindslight
I think we'd all be better off and get to a user-centric mobile experience a
lot sooner by isolating the network communication in a dedicated device.

I'm toying with the idea that next time I have to upgrade my mobile (hopefully
not soon), a better way to go is something like mifi + netbook + smart watch
(+ maybe some compact chorded keyboard).

~~~
rsync
Exactly.

If you want a mobile phone that you control, you need to buy something like a
samsung galaxy player (contains no baseband processor, contains no mobile
phone infrastructure) and then attach a USB modem to it (or carry a MIFI or
whatever).

There's one problem, however, and that is all of the fancy noise cancellation
and voice smoothing are actually done on the baseband proc, and userland
implementations of this for VOIP apps are typically pretty crummy.

Me, I am sticking with my MOTO FONE / F3 for now.

~~~
alexwright
I'd be (pleasantly) surprised if devices like the Galaxy Player didn't still
have binary blobs for the Wifi/BT and video hardware. Even NICs for otherwise
fairly open PC/ATX machines all still have the proprietary blob firmware
drivers.

------
meson2k
MSM6280 is 7 years old. The author has no clue how advanced these RTOS have
become now and the kind of effort that goes into security at a system level
e.g. xpu, smmu etc.

------
Jagat
Even BIOS can be considered as a second OS hiding in your PC.

------
noselasd
Though about GSM, if you want to learn more:

* [http://osmocom.org](http://osmocom.org)

* [http://www.youtube.com/watch?v=xOp_wtsHAe8](http://www.youtube.com/watch?v=xOp_wtsHAe8)

* [http://www.youtube.com/watch?v=_0LCgxe24Po](http://www.youtube.com/watch?v=_0LCgxe24Po)

* [http://www.youtube.com/watch?v=9cBJV3yTaQo](http://www.youtube.com/watch?v=9cBJV3yTaQo)

* [http://www.youtube.com/watch?v=9cBJV3yTaQo](http://www.youtube.com/watch?v=9cBJV3yTaQo)

Your phone has GSM, even if you're only on 3G or 4G networks though (unless
it's a pure CDMA phone) - and the concepts are anyway quite similar in 3G/4G
networks and phones.

------
_ak
I talked to a friend of mine who is an engineer at Qualcomm, and he said the
article is exaggerated and out-dated. Current basebands don't use REX OS
anymore, and they put mitigation mechanisms in place, so this piece seems like
FUD.

~~~
pjc50
I happened to be reverse engineering some firmware the other day, which has
"AMSS" _all over it_ ; this was in new Sierra Wireless devices built on
Qualcomm ARM926EJS baseband. It might not be in the latest and greatest, but
it's still out there all over the place.

------
coldskull
As someone who closely works on Qualcomm baseband processors, I can say that
security is one of the top priorities of Qualcomm. There are whole bunches of
teams dedicated to sec/vuln analysis. Not saying that the issues mentioned in
the article did not occur... but I believe that those probably occurred in older
chips (a few generations older)

_standard disclaimer_ Views above are personal and do not reflect views
of Qualcomm

------
devx
No wonder not only NSA, but also FBI and probably other agencies exploit these
like crazy by using fake towers or other methods.

~~~
Guvante
Who says they need fake towers? I would bet that they can get direct access
with the right court order.

~~~
devx
[http://www.tomsguide.com/us/FBI-wiretap-stingray-cell-phone-...](http://www.tomsguide.com/us/FBI-wiretap-stingray-cell-phone-towers,news-13124.html)

------
jjoe
It shouldn't come as a surprise that you're not "offline" unless you take the
battery out of your phone and wait a good minute or so. And there's no
wireless power source "force feeding" your phone...

This is well known to anyone who's done DSP optimization work for any of the
wireless carriers.

~~~
im3w1l
Wait, are you saying it is possible to force feed a phone _in theory_ , or _in
practice right now_?

------
informatimago
Waiting for the next Snowden.

In the meantime, you can use your smartphone inside a Faraday cage. Wrapping
it in aluminium should help.

~~~
jlgreco
> _you can use your smartphone inside a Faraday cage._

Or, more accurately stated, "you can't".

~~~
informatimago
You can't phone, but you can use the smart, the computer inside the smartphone
:-)

------
pslam
The _second_ operating system hiding in every mobile phone? Really?

There's a ridiculous number of operating systems hiding in every mobile phone.
What do you think runs on the GPU? What about bluetooth, wifi and GPS? What
about all those sensors? The camera interface? The video acceleration? The SIM
card? The NAND flash?

Try harder.

~~~
slashclee
The GPU, bluetooth, wifi, and GPS chips are not running their own _operating
system kernels_. They have firmware microcode that gets loaded when their
drivers are loaded, but they aren't running a completely separate dedicated
realtime OS.

~~~
pslam
What do you think is in that "microcode"? Most of what I mentioned is usually
running on an ARM of some sort. I count that code as an OS, because it's a
pretty narrow definition otherwise.

~~~
slashclee
Default register initialization values and functions to encode/decode and
transmit/receive packets of data do not equal an operating system in my book.
Maybe you draw the line at a different level of the stack than I do.

I'm totally willing to admit that I might be wrong about this, but I wasn't
under the impression that Broadcom and Atheros and Intel were using ARM CPUs
in their wifi/bluetooth/GPS chipsets.

~~~
pslam
The missing piece here is that WiFi/Bluetooth/GPS chipsets _ARE_ usually using
ARM CPUs internally. GPUs generally run a funky DSP-like core but there's
still some kind of OS scheduling tasks and running code to interact with the
main CPUs.

The cost of laying down a fully-fledged CPU has reduced to the point where
it's simpler and less risky to use an off-the-shelf ARM core (or similar),
instead of a big bunch of hard logic combined with coefficient. And most of
those CPUs have some sort of runtime, which is an OS, depending on where you
draw the line on that.

~~~
tmzt
Or MIPS or other isas, but still fairly powerful CPUs.

------
melvinmt
> This is such low-level, complex software that I would guess very few people
> in the world actually understand everything that's going on here.

I would not be surprised if the NSA would employ quite a few of them.

------
gwu78
Maybe the future is in making calls over the Internet, not a private cellular
network?

Or maybe the future is in open source software defined radio?

I never tried it, but I heard OpenMoko could run BSD.

In any event, I hope the future is one where I can read, modify and compile
the source for my handheld's bootloader and operating system, as I currently
can do with my laptop's bootloader and operating system.

------
atlantic
I wonder if there is any relation between this set of vulnerabilities and the
Datong system used by the UK authorities to mimic/replace mobile phone base
stations.
[http://www.wired.com/threatlevel/2011/10/datong-surveillance...](http://www.wired.com/threatlevel/2011/10/datong-surveillance/)

------
lgeek
And then there's also TrustZone[0] so don't be surprised if there's an
additional hypervisor or RTOS running on the main application processor.

[0]
[http://www.arm.com/products/processors/technologies/trustzon...](http://www.arm.com/products/processors/technologies/trustzone/index.php)

------
chris_mahan
After reading all the comments, I'm beginning to think the Butlerian Jihad may
not be such a bad thing after all...

~~~
igravious
I had to Google this. Here's a Wiki P link:

[https://en.wikipedia.org/wiki/Butlerian_Jihad](https://en.wikipedia.org/wiki/Butlerian_Jihad)

It's from Frank Herbert's Dune :( Sad because I read this series (all six, I
kid you not!! 1,2,6 are good 3,4,5 not so good) 25 years ago nearly and I had
forgotten this specific detail. Time is indeed a cruel mistress and thanks for
making me feel old :)

~~~
chris_mahan
Perhaps I remember this particular detail because I've read the six books six
times... And, hum, I feel old right along with you...

------
dreamfactory
So maybe a relevant question as we move away from desktop computing is whether
your mobile device can be identified through online activity, such as
commenting, searching, email etc. This would be useful for locating
dissidents.

------
ricw
This is all a bit over the top. Yes, the baseband may be compromisable, that
doesn't mean that the operating system is. Your photos, data etc should be
safe as long as there aren't further exploits (which of course exist).

Furthermore, i have yet to hear of a slave high level operating system to the
baseband. iOS or android being initialised and commanded by a secondary
baseband OS would just be a bizarre setup. That of course does not mean that
the baseband doesn't pass commands to the high level OS. Though if the
interface is well shielded, exploiting it could be tough (correct me if I'm
wrong, but I don't think baseband exploits exist for iPhone 5/5s).

Now, I'm sure the NSA however have some interesting possibilities that Angela
Merkel would be all too keen to know about ;).

~~~
kelnos
_This is all a bit over the top. Yes, the baseband may be compromisable, that
doesn't mean that the operating system is._

Incorrect. In most cases the baseband processor has complete, unfettered
access to the application processor, which means it has complete, unfettered
access to the OS.

~~~
rsync
.. and by unfettered, we mean it has _DMA access_ to the application
processor. It's not a hook or an API call or some functions it can call - it
has low level bit for bit access to manipulate the CPU that your OS (like
android) runs on.

Further, your carrier (verizon, att, whatever) can push OTA updates and
commands straight to baseband via the radio, bypassing the CPU and OS (like
android) and manipulating the phone on a low level bit by bit basis.

Even the most well secured, rooted, reloaded phone has every piece of it
totally owned by the carrier, via the baseband processor.

Yes, that includes your photos.

~~~
ricw
DMA has security modes, implemented by pretty much every standard baseband
chip in use today (Qualcomm, Infineon, you name it). In the olden days
baseband exploits were used to crack iPhones. As far as I'm aware of, this
hasn't happened in the last two generations of iPhones. So no, you do not have
unfettered access to all the data, only the "baseband" segment, unless you
manage to hack your security setting for the baseband. For which you first
have to hack the Primary OS. I hope you get the theme..

------
est
Can't wait Tegra 4i hacking allows unrestricted i500 SDR platform access :D

~~~
rsync
Would you please elaborate ?

------
hiley
Who makes the baseband software? Those who make it I guess are more inclined
to fix the bugs (because there are paying customers), at least in areas that
they can fix...

------
noyesno
The link to the ETSI 3GPP specs is a bit silly: it shows not only all the
related specs but also all the versions of those docs.

------
diminish
Ohh every phone of mine crashes in a 20 min subway travel since 10 years no
matter Android, Symbian.. It must be this RTOS.

------
itazula
What about TRON? [http://www.t-engine.org/](http://www.t-engine.org/)

------
maxk42
> By design

Of course -- all the telecoms have been in bed with the NSA for decades.
That's how you play ball in the US.

------
Maven911
STMicroelectronics is a firm who provides radio chipsets for apparently 80%
of all phones out there

------
ivanhoe
It's one of those rare cases (like BIOS too) where obscurity actually means
more security...

~~~
annnnd
The problem is that _ONLY_ obscurity shields users from exploits - and it's
not much of a shield (it never is).

So yes, it is "more" security. And no, it doesn't help much. Arguably it makes
matters worse because the code can't be checked by independent security
researchers (whitebox testing).

~~~
ivanhoe
I agree, I was just ironic...

------
dola
And then there is also the one on the SIM doing all the encryption and
authentication stuff...

------
memracom
Does anyone know if the Firefox OS replaces these proprietary RTOSes?

~~~
ollybee
No it does not, nor does replicant or any other alternate phone OS.

------
wfunction
The NSA has probably already figured this out.

------
general_failure
I was expecting this OS to be the browser. The browser really is another OS
these days especially with all the new HTML5 specs (firefox OS being the
proponent of such things).

The way HTML5 is progressing it might even beat the API of the OS it seems!
For example, the OS itself might have no contacts API but the browser has
HTML5 API to access them!

~~~
dokem
I don't think you understand what an operating system is.

~~~
reubenmorais
While the reasons stated by the gp might not be the best ones to justify his
assertion, browsers are an environment for running arbitrary untrusted code,
and have a lot of similarities with operating systems (like job control,
memory management, hardware access, etc).

