This is what Java Card was developed to run on.
If you are interested in getting lower level access to your radio, you could look at the defunct http://openmoko.com/freerunner.html project or the resurrection of the Freeruner, http://www.openphoenux.org/
The talk itself was about a group that had an enormous camping trip (I hope that phrasing doesn't diminunise it) called Toorcamp of a few thousand people that thought it would be fun to also put together their own cell network for just them. They bought and programmed SIM cards and hid puzzles in the programs on them.
But the amount of programming that can be done on the SIM card alone without involving the main processor at all was really quite fascinating and there's a lot of detail in the talk if you can track it down. Here are the slides at least https://speakerdeck.com/codebutler/the-secret-life-of-sim-ca...
Also, all ATM cards which are smartcards (i.e. almost all of them in countries such as France, Norway) can also hold several applications. The banks just doesn't allow it. In theory you could, even with today's technology, buy a blank card (say, with a David Bowie picture if that's your thing) and have the bank, visa, mastercard, grocery loyalty programme, library card, frequent flyer applications etc on it. Just carry one card! But no, everyone wants to own the card have their logo in it. Sigh.
So you can "root" it and control the OS all you want, your carrier still owns you and your phone, what with (potentially) DMA level access to your CPU.
neo900 is interesting, but it is not any more open in this regard than any other handset.
The current 'random person implements firmware that controls the this chip' practice and the 'no warranty etc etc' disclaimers will, I predict, be replaced by manufacturers who are willing to warrant their code.
And there is simply NO COMPARISON in complexity to software. In physical building, you over engineer and get redundancy. You also know that almost everyone builds plumb and level, rectangular rooms, with easy span and shear calculations. You also know that wood follows a predictable strength pattern. So you put in enough nails of the right length, to enough wood of the right thickness, and you're good. How much intelligence do you think you need to follow a building code? Building materials and techniques change GLACIALLY compared to software. (A good thing!)
Whereas in software, one single bit flip will just fuck you up.
Real issue here is why such codes don't exist for for this particular problem.
There have always been fully deterministic CPUs around for that purpose. The simpler the system, the better; just hook a Forth chip to a memory without caches and you're set.
I believe that the GreenArrays people, setting aside the $450 dev board, also had some notes on making cheap breadboards with their chips or something like that. I don't have a link handy, though. ;/
I've been the guy who drives around in a truck with a lot of mobile scanning equipment to try and figure out where the rogue device is. There is no magic button like in the movies, where they can immediately triangulate the source of the interference to within a 5 cubic metre box. You basically have to rely on simple physics and boots on the ground. The device you're hunting for isn't playing nicely, so any assumptions you could normally make based on things like which base stations it's in contact with won't necessarily be valid. Things are a bit smarter in modern networks than they were back when I worked in the field, but physics is still physics.
In short, there is a legitimate justification, born of experience, for every telecommunications regulatory authority in the known universe requiring this stuff to be certified before you can legally use it. This is also why in some jurisdictions agents acting for telecommunications regulators have certain legal rights to access private property.
Of course this only affects the radio equipment. I see no reason it should be necessary or possible for such software to have any control over other integrated peripherals such as cameras, speakers, microphones or local storage. And the primary concern is people who could modify the code and break the network, not preventing any legitimate audit to prove that devices are only doing what they say they're doing.
Nobody is asking for some sort of hacker radio anarchy, here. They're asking to see the source code for machines they own, machines that reside in their pockets, machines that are responsible for storing and communicating their most sensitive personal data.
Verizon has the right to transmit on spectrum allocated to it using consumer devices as its agents. It employs engineers and QA processes to make sure that any device transmitting on its spectrum plays well with others before it is allowed to leave RF-isolated testing facilities.
The public does not and should not have the right to transmit on Verizon's spectrum, even using devices they own which are legally and technically capable, except according to Verizon's carefully vetted programming. If they were able to run their own radio firmware, you'd have the situation described in the parent.
Cellular radios necessarily cannot be open source. The source could be released for inspection and audit, but it cannot be possible or permissible for you to run modified source on "your" radios.
Dude, that's exactly what he asked for.
Parent claimed that modifying the source wouldn't hurt anything since your phone can't transmit in ways you're not licensed to, but this is incorrect.
- If Toyota (or any car manufacturer) wants to import cars into my country, then they better show us the sources of their firmware and software (and let us re-compile it and re-install it, to make sure it corresponds to the embedded code). And let the papers compare the code quality of Toyota vs. BMW.
- If Microsoft (or any software vendor) wants to import software into my country, then they better show us the sources of their systems and applications (and let us re-compile it and re-install it, to make sure it corresponds to the binary code, and doesn't contain backdoors to the NSA (or the MSI, or the MI5 or whatever).
- and so on.
And actually, citizens can do the same at their level, not letting enter their house any device or software whose code is not open source or even libre software (so they can recompile it and reinstall it on their hardware).
But a country has more weight than a few citizen that would be qualified of lunatics, and has more resources to analyse and validate the software and firmware.
This helped propel a lot of the world's best ancient thinkers, including Euclid, Archimedes and Eratosthenes.
I tried that, but at the moment it means you can't even own a cellphone, etc
hardware manufacturers should be less concerned about what their firmware reveals about their IP and more concerned with what not revealing their firmware source code reveals about their security.
the fact that you can get DMA by compromising _any_ device on the bus is a problem too. imo, none of these peripherals should have unmitigated DMA.
But yes, this only applies if the competition must also open their kimonos. That seems practical for industries where regulation is required or provides reasonable benefits to society (automotive, voting machines, medical, etc).
Making the source code visible would probably be sensible in this case though, so I think the idea is a good one even if you need to be careful with the terminology.
Consumers want the latest.
Companies want the most stable.
After some particularly huge disasters I've had to deal with coming onto new projects and with general consumer electronics, I'd go for the latter every time both as a consumer and company these days. Time is valuable and losing it to a feature packed unreliable mess is a big risk to that time.
For a company with a large workforce, the probability of something breaking is higher - many different machines being used in different ways, and the cost of a botched upgrade can run into millions, with people losing their jobs, and legal action being taken.
For consumers, the risk is typically lower and less costly if it goes wrong. If a Facebook upgrade causes the app to crash repeatedly, it means I can't post for a while, so I'll just upgrade and hope for the best. But if a personal finance or medical app goes wrong the consequences could be extremely serious, so stability is more important.
Oh, and applying pretty much any "software building codes" to the web app industry would probably kill startup culture entirely.
Not necessarily. To use the analogy with the building industry, there are different requirements depending on what the building will be used for. Startups holding or processing financial information might have one set of regulations, whereas those hosting cat pictures might be less rigorous.
To continue the (somewhat stretched) building analogy my house falling down doesn't affect yours, but someone stealing my access codes from my poorly secured building potentially could affect the security of yours.
You should run that prediction by some of your friends in the legal department and see what they think.
Oceanians live in a constant state of being monitored by the Party, through the use of advanced, invasive technology.
It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself – anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face (to look incredulous when a victory was announced, for example) was itself a punishable offense. There was even a word for it in Newspeak: facecrime, it was called. (1.5.65)
Is the the google input box a door to the world or a window into your mind?
How many fingers do you see?
I know there has been software to do just this in the past on some Nokia devices but I would assume (I am doing that a lot in this post!) it is just as possible in pretty much every mobile phone?
Anyone with knowledge of this care to comment on my assumptions?
This is correct. The rule of thumb is this: If you need to avoid being tracked, do not under any circumstances carry a cell phone unless you have removed the battery. Even if it's powered off, it can still be activated to remotely track you as long as the battery is in it. This tactic was used in catching the recent serial killer Luka. http://en.wikipedia.org/wiki/Luka_Magnotta
From the article: "His cell phone signal was traced to a hotel in Bagnolet, but he had left by the time police arrived."
You can bet that, since he was on the run, his cell phone was off.
There are other examples besides Luka. Circumstantial evidence is very strong that law enforcement can track you if you've powered off your phone but haven't removed the battery.
(I feel so strange posting this comment, since those who would benefit from this advice are probably of dubious character.)
EDIT: I edited my comment before Guvante's reply. But it looks like some people aren't really convinced. So here's another comment, from tlb 113 days ago: https://news.ycombinator.com/item?id=6087399
"There is reason to believe phones have been remotely hacked by law enforcement using carrier credentials to leave the cellular radio running and registering with the cell network even after the off button has been pushed and the phone appears to be off. Starting point for further reading: http://www.brighthub.com/electronics/gps/articles/51103.aspx "
tlb = Trevor Blackwell, one of the best electronics hackers in the world. You may know him as the creator of the first robot that walks like a human. http://paulgraham.com/anybots.html
Now I've presented circumstantial evidence and an appeal to authority, so of course feel free to doubt me. But don't be surprised to discover you've been tracked when carrying a powered-off cellphone with a battery in it.
You then follow this with
> But if he was on the run, why was he carrying a cell phone? Answer: because he was stupid.
Your postulation that this is sufficient proof to say that they can track you with your phone off is suspect.
Given the fact that US law enforcement and security agencies are (now) indisputably known to be in the zero-day hacking business, the burden of proof is on those of us who've always claimed these stories were exaggerated.
Personally, I no longer feel confident about calling bullshit on much of anything. With the US government's infinite budget and unaccountable influence over device manufacturers and telcos, no hack is impossible.
Can a phone be tracked while off - or can you install malware that prevents your phone from turning off while misleading the user to believe that it worked?
The latter is a lot easier to believe and what you talk about. The discussion above/the post you answered is about the former.
If all the operations are carried on by the same kind of contractors, we can sleep tight for few years.
When confronted with my government's incompetence, I never know whether to be pissed off or relieved.
It's tough to say. They say their mission is vital, but then their mission is literally to lie for a living.
Funny thing is, it doesn't seem to matter where healthcare systems are carried out they always run over time and over budget and end up in a big mess!
I don't think there's too much social harm done in pointing this out. It seems to be so well known that it's referenced (visually or even verbally) in movies and TV shows like Breaking Bad, where the criminals take the batteries out of their phones as an extra precaution against being tracked.
And I join the crowd who think that is impossible. I bet someone would notice weird patterns if the baseband kept working despite of device off. (Speakers catching 2G, battery drain, interference with other devices, etc.)
Given the types of people that would have to have access / knowledge of this though. For example people that suspect their partner of infidelity and is on the police liaison team of a carrier say...
I agree it's very unlikely, someone would have noticed it by now.
Though, not receiving any information back, draws the tracking practice significantly more difficult.
You could argue that "off" is the same thing, for instance, many Qualcomm devices boot with the BP first and and can do a lot before the AP is even taken out of halt, without initializing the LCD display, backlight, etc.
* Push the airplane mode button.
* Have the FAA place the phone in a faraday cage for testing the phone.
* Don't remotely activate the phone at this point (which you wouldn't be able to anyway, the phone is in a faraday cage )
* "Forget" to tell the FAA about the cellular equivalent of "wake on lan" we built into this phone.
Would removing the SIM be at all helpful for avoiding tracking if you couldn't ditch a phone with an integrated battery?
And there may be a legitimate reason why you may want to have a device. For instance, to run maps at a certain location. Or having data on the device you need once you arrive at a destination.
So if we were using these numbers to block messages then I'd absolutely expect government agencies to use them to monitor or track phones.
Then if in court you can try to argue that for a tin foil hat like you, the actual tin foil cell phone protection isn't an indication of anything. And much less suspicious.
Not sure how it could be fully applied if in the police interrogation room having been apprehended in a dark alleyway with two large bin bags full of steaming skunk weed, freshly purchased off a Vietnamese gentleman insistent on counting every note of that £20000 just handed to him. Maybe that is just an edge case though.
Perhaps a better idea (and market opportunity) could be a 'walkers rucksack' that has a pocket for your cellphone. This pocket could be lined specifically to act as a Faraday Cage, explicitly so that you can have easy access to your phone for maps etc., yet be fairly certain that your day strolling in the hills will not be interrupted by the office, the wife and other cold callers. Such a bag could be plausibly denied in a way that plain old tin foil could not be.
The high data rate required for imaging module means that it doesn't run on a shared bus. There's a number of standards, some proprietary and others loosely defined, but they all use direct connections to the image processor (which is in many cases part of the SoC).
Probably not going to access this one, because microphone wouldn't be on any sort of bus. They'll have a direct connection to a ADC, which would have a direct connection to an audio signal processor in the SoC.
This depends on the implementation. If they use I2C, there's a good chance they'll be on a shared bus on which the baseband processor is also located. However, accessing that data requires details about the specific sensor. If a particular model of phone is being targeted, this isn't too hard. For example, I know the iPhone 4 uses the LIS331DLH Accelerometer. I can find the datasheet for that part, and then write a simple driver to access it's data.
If they use SPI, which isn't a bus-based protocol, there's little chance of accessing the information directly. SPI devices can be daisy chained or separately selected to put more than one on a single port, but in such a configuration there's only ever one master (which would be the CPU).
Essentially, most of the pins on the SoC are re-programmable to have different functions or connect to different logical blocks within the SoC.
Along these lines there's also bit-banging SPI or I2C, which should work fine for infrequent updates from an accel or compass (and now things like pedometers being added to devices.)
As for microphone, if it's being read by the audio DSP, it's certainly accessible from the baseband, at least on Qualcomm . If nothing else you can load a DSP module that allows access to the raw PCM (or vocoder) data.
Same is probably true for the camera, which is usually on an HSIF or similar bus connected to the DSP.
It is important to note that all smartphone chips are optimized first for low cost and low power usage.
To actually isolate the baseband processor+GPS+Cell radio+Mic+Speaker would require a second high-speed bus.
Most cell phone processor designs put both the baseband and application processor in the same package both for cost and power saving reasons. Since both processors are typically ARM cores they will easily interface to the same bus for memory and peripherals. Only having one external bus means fewer external components, which is typically the strongest factor relative to the total power and cost.
There is also the legacy element. The article notes that most of the BB code is at least a decade old by now. Unless that code got a major rewrite, it would not run on a new, isolated architecture.
Specific processor block diagrams:
Samsung - https://memorylink.samsung.com/ecomobile/mem/ecomobile/appli...
Qualcomm (page 4) - https://developer.qualcomm.com/download/qusnapdragons4whitep...
The baseband is still considered the master CPU during boot - at least on the CDMA Nexus. So although there are some corner cases in terms of architecture, the security model is still completely broken. Send a payload to the baseband over the air, compromise it, and the entire phone is yours.
You're thinking small ... the baseband processor (typically) has DMA access to the processor itself. Never mind pedestrian stuff like peripherals...
Further, since carriers interface with the baseband processor for OTA updates, that means your carrier has (essentially) DMA access to your phones cpu. I wish people appreciated just how deeply (as deep as deep gets, basically) your carrier can control the device in your hand - even if you have "rooted" it.
The article hints at a way to democratize access to this capability by using the RIL commands to turn on auto-answer and turn off any indication it's happening.
It made perfect sense once I read that the speaker and mic were wired straight to the baseband, and the state of the dialer application had zilch to do with what was going on in the baseband.
I have not looked at this part of Android source code in depth in a while, but from a quick look it still looks very edifying about how this part of a smartphone works.
(Sadly, it's not used in all production devices.)
If you are concerned about your Blackberry spying on you, there's a special "security plug" that you can insert into the headphone jack which will short all of the pins to ground, disabling the microphone. I assume other phones support this as well.
Think about it: you put normal headphones in the jack (no microphones, only tip, ring, sleeve): it will already short the mic input
You might also need access to the PMIC to turn on the amplifiers, but most designs I've seen have access ports from both BP and AP. (This was on Motorola devices, Q and the EZX phones.)
where can I get one?
antsar's correct though. It's simple to make one yourself. The nice thing about the security plug is that it's small; it doesn't look like your headphones' cable snapped off. :)
It is a complex trust situation. In this case, you can reduce the number of agents you have to trust by using the security plug. This is good for security.
The handset manufacturer could still be spying on you, but if the security plug actually works as advertised it would disable all attacks that would listen in on your mic. These attacks could be deliberate by any of the companies that have code in your handset, or it could be via an accidental weakness in any of this code that is exploited by a third party. This last kind of attack is what the linked article talks about, and a security plug would actually reduce the severity of such an attack.
If you trust the wiring, of course ;-]
IIRC most battery charging circuits also have a dedicated real time ~OS running. http://www.youtube.com/watch?v=dlSBQ5b6Pdw
# hard drives
Also recently someone did run linux in its hard drive controller (which is a set of arm cores, ~v9 and m3)
HaD intro : http://hackaday.com/2013/08/02/sprite_tm-ohm2013-talk-hackin...
Direct link : http://spritesmods.com/?art=hddhack
Proprietary BIOS software has suffered the same issues for the last twenty+ years.
It's also worth thinking about netboot (which comes in several flavors), in which the main processor's potentially buggy BIOS may be independently decoding and processing packets coming over physical wires.
There is. It's a world in which their opponents had a zero-day against the Windows USB driver, and a way into the government's supply chain. And in which you-know-who wants to play the same game themselves against opponents elsewhere.
ls -Sl /lib/firmware | head
-rw-r--r-- 1 root root 1845305 Apr 10 2013 phanfw.bin
-rw-r--r-- 1 root root 1531932 Nov 8 2012 i6050-fw-usb-1.5.sbcf
-rw-r--r-- 1 root root 1334532 Nov 8 2012 i2400m-fw-usb-1.5.sbcf
-rw-r--r-- 1 root root 1251036 Nov 8 2012 i2400m-fw-usb-1.4.sbcf
-rw-r--r-- 1 root root 707392 Nov 8 2012 iwlwifi-2030-6.ucode
-rw-r--r-- 1 root root 701228 Nov 8 2012 iwlwifi-135-6.ucode
-rw-r--r-- 1 root root 695876 Nov 8 2012 iwlwifi-2000-6.ucode
-rw-r--r-- 1 root root 689680 Nov 8 2012 iwlwifi-105-6.ucode
-rw-r--r-- 1 root root 679436 Nov 8 2012 iwlwifi-6000g2b-6.ucode
https://github.com/torvalds/linux/search?q=i6050 (Intel WiMAX)
https://github.com/torvalds/linux/search?q=i2400m (Intel WiMAX)
https://github.com/torvalds/linux/search?q=iwlwifi (Intel WiFi)
This is HN.
I don't think implementing a replacement is all that daunting given enough time and money. I wonder if there's a business model that will pay for it?
It runs on an i7.
And what is the point of building a more secure implementation, if all these tools must (by law and by standard) have backdoors for local authorities anyway?
The irony is that LTE invites a look at a minimal "layer 2 only" baseband and doing everything else in the higher-level OS, but, instead, baseband code just gets hairier.
I'm a fan of QNX personally though I only got to play with it a tiny bit. Some awesome ideas in it.
Can maybe somebody explain what this means exactly? Could the baseband processor/OS be used as an attack vector to exploit the main mobile OS? Could the OS protect itself from this?
Because the application processor is actually running in a virtual cell and not on bare metal, it doesn't have full access to the hardware and can't interfere with the radio cell - but the radio cell might still have access to everything.
I'm toying with the idea that next time I have to upgrade my mobile (hopefully not soon), a better way to go is something like mifi + netbook + smart watch (+ maybe some compact chorded keyboard).
If you want a mobile phone that you control, you need to buy something like a samsung galaxy player (contains no baseband processor, contains no mobile phone infrastructure) and then attach a USB modem to it (or carry a MIFI or whatever).
There's one problem, however, and that is all of the fancy noise cancellation and voice smoothing are actually done on the baseband proc, and userland implementations of this for VOIP apps are typically pretty crummy.
Me, I am sticking with my MOTO FONE / F3 for now.
If you were really paranoid, you might consider the possibility that it has a microphone or a speaker that can be treated like a microphone. (Though I don't know of any that actually have a beeping, vibrator or piezo output.)
Also, they may have some form of e911-compliant GPS receiver, though whether the RF is hooked up for it I wouldn't know.
Surreptitious microphones and other sensors are indeed still a problem, but they seem easy to audit/remove in the short term, and if this model catches on and they become a real threat, the physical audits just have to go deeper.
What you do gain is a processor that can be trusted by the user (in the same way we all trust Intel CPUs), with the Mifi only seeing encrypted communications. Also we've moved the demarc point solidly between two separate physical devices - upgrade your pocket computer without involving your cell provider, and replace your communications ability without affecting your user environment.
Trustable/trusted doesn't mean trustworthy in the sense of an individual citizen's expectation of privacy, it means that you have given the entity your private information, in trade for service and convenience.
The irony of old spy tradecraft is that we all possess hardware that could conceal in plain sight anything that previously had to be hidden completely, the existence of electronics or recording/transmitting ability (including film) would immediately indicate the role of the person as someone engaged in some kind of espionage. Now we can all carry sophisticated sensors and communication devices in most places, and all but cameras in many others.
What physical audit would tell you if the MEMS sensor in your device has been repurposed for audio pickup. (Assuming that the capability isn't already in the firmware, or that simple observation of the signal output (including power fluctuations) could reveal the same information to the microprocessor.
The only case I'm aware of where the courts have blocked this kind of surveillance involved an OnStar vehicle system using an analog cellphone which could only serve it's intended purpose or the government's, but not both simultaneously. This is not an issue with digital and IP-based systems, which can easily serve two masters.
Ah, you're use of "trust" again, Intel CPUs have features that actively work against you, such as with vPRO. I would agree that a non-cellular PDA and Mifi are superior to an integrated device from a privacy and personal autonomy perspective.
No, I'm just speaking from the perspective of system design, for what it would take to actually hide your location data - to put boundaries on the problem we're talking about.
> trusted ... means that you have given the entity your private information
Yes, which is why I used "trustable", which I'll admit isn't necessarily the best word either as I'm currently trusting my phone with call/text data, even knowing how broken it is. On the other hand, I personally don't have my phone setup to access my general files, because I simply don't feel that the thing in my pocket is actually my agent.
> physical audit would tell you if the MEMS sensor in your device has been repurposed for audio pickup
Well the point is that a Mifi (with untrusted baseband) shouldn't have these sensors.
> Intel CPUs have features that actively work against you, such as with vPRO.
And probably other ones ones that don't show up in marketing materials. Which is why I made an explicit parallel to trusting Intel CPUs to generally run the code we tell them, even if this isn't necessarily true. We have to define a boundary so that we can solve the problem we're talking about with a platonic ideal of a trustable CPU, while separately solving the problem of not having trustable CPUs.
Your phone has GSM, even if you're only on 3G or 4G networks though (unless it's a pure CDMA phone) - and the concepts are anyway quite similar in 3G/4G networks an phones.
Views above are personal and do not reflect views of Qualcomm
This is well known to anyone who's done DSP optimization work for any of the wireless carriers.
In the meantime, you can use your smartphone inside a Faraday cage. Wrapping it in aluminium should help.
Or, more accurately stated, "you can't".
The pinnacle of democracy: waiting for someone else to do it.
Pro tip: Refrigerator doesn't work, but cocktail shaker apparently does. (http://makezine.com/2013/06/26/edward-snowden-can-a-refriger...)
Maybe if you are really in that sort of situation you should just do both, just in case.
I think it depends on the model. I tested a couple of phones, including a blackberry, inside my fridge a few years before Snowden did his thing. We put them in and then tried to call them and none of them rang. But the fridge was one of those trendy stainless steel models. Perhaps a more ordinary fridge would have less effect on signal strength.
The only really safe assumption to work from is that all Turing-capable devices are evil.
There's a ridiculous number of operating systems hiding in every mobile phone. What do you think runs on the GPU? What about bluetooth, wifi and GPS? What about all those sensors? The camera interface? The video acceleration? The SIM card? The NAND flash?
I'm totally willing to be admit that I might be wrong about this, but I wasn't under the impression that Broadcom and Atheros and Intel were using ARM CPUs in their wifi/bluetooth/GPS chipsets.
The cost of laying down a fully-fledged CPU has reduced to the point where it's simpler and less risky to use an off-the-shelf ARM core (or similar), instead of a big bunch of hard logic combined with coefficient. And most of those CPUs have some sort of runtime, which is an OS, depending on where you draw the line on that.
Can someone say what this is used for:
$ grep GOOGLE /usr/src/linux/.config
# CONFIG_GOOGLE_FIRMWARE is not set
This is not like net interface blob, this is like google firmware and we all know what that means >:-)
I would not be surprised if the NSA would employ quite a few of them.
Or maybe the future is in open source software defined radio?
I never tried it, but I heard OpenMoko could run BSD.
In any event, I hope the future is one where I can read, modify and compile the source for my handheld's bootloader and operating system, as I currently can do with my laptop's bootloader and operating system.
It's from Frank Herbert's Dune :( Sad because I read this series (all six, I kid you not!! 1,2,6 are good 3,4,5 not so good) 25 years ago nearly and I had forgotten this specific detail. Time is indeed a cruel mistress and thanks for making me feel old :)
Furthermore, i have yet to hear of a slave high level operating system to the baseband. iOS or android being initialised and commanded by a secondary baseband OS would just be a bizarre setup. That of course does not mean that the baseband doesn't pass commands to the high level OS. Though if the interface is well shielded, exploiting it could be tough (correct me if I'm wrong, but I don't think baseband exploits exist for iPhone 5/5s).
Now, I'm sure the NSA however have some interesting possibilities that Angela Merkel would be all to keen to know about ;).
Incorrect. In most cases the baseband processor has complete, unfettered access the application processor, which means it has complete, unfettered access to the OS.
Further, your carrier (verizon, att, whatever) can push OTA updates and commands straight to baseband via the radio, bypassing the CPU and OS (like android) and manipulating the phone on a low level bit by bit basis.
Even the most well secured, rooted, reloaded phone has every piece of it totally owned by the carrier, via the baseband processor.
Yes, that includes your photos.
I don't think baseband exploits exist for iPhone 5/5s
True, but that just means that people haven't broken into the baseband yet, not that if the had done that it would be impossible to break into the application processor.
Of course -- all the telecoms have been in bed with the NSA for decades. That's how you play ball in the US.