Oh sure they can. All you need is the capability to escalate from a remote buffer overflow in the baseband processor (e.g. in its networking stack) into a flashrom r/w capability.
Then you just reprogram the bb firmware to never switch off the baseband and to automatically start it upon insertion of a battery, and you're done. If you're good, intercept PIN usage so that you'll even be online without the user inputting the PIN.
Also, I don't buy the "the NSA doesn't have an 0day exploit yet for the new processor that comes with the phone" argument. BB firmware is usually built "take the shit from the previous version/family, put some more shit on it to support the newest feature, done". So once you have an 0day for any version of a BB chip/family, you most likely can also use it against later or derived ones.
In addition to this very-real technical issue, there is also another thing those of us used to dealing with technical topics need to keep in mind: Snowden is not talking (specifically) to us.
Snowden, along with Greenwald/etc, is trying to explain the complex brave new world of encryption, data mining, network sniffing, exploits such as MitM, and such to a non-technical audience that makes up most of the world. Worse - it's a crash-course trying to cram what should have been a public discussion gradually happening over the last couple of decades into a few short newspaper articles, interviews, and pages torn out of .ppt files.
It is a truly rare thing to see someone even attempt such a herculean task. So it's perfectly understandable if he fudges some of the minor technical details - especially when the target audience won't understand them.
He was obviously trying to get people to understand that just because you clicked some software-controlled button and saw the backlight+screen turn off ("phone==OFF" to a lot of people), the NSA could still be using it. He could have instead used that time to try to explain what stuff like soft-power, firmware, and baseband mean, but all that would have done is make people tune out and ignore the real message.
Most people don't need a lesson in embedded systems, radio, and internetworking. What they do need to understand is that there's a massive power-play going on that could become something particularly nasty if left alone, and they need to understand that some of the products and services they've been sold might really be working for someone else.
(1) Watch the licensing process. Want to release a phone in Europe/US? You need to have the electronics licensed first.
(2) Want to release a phone in large numbers via a major carrier's retail operation? Watch their carrier pre-approval process (in the US this is months long).
"According to Ryan Gallagher at Slate, the NSA, along with other agencies, is able to do something most would feel to be improbable, if not impossible: track the location of cell phones even if they're turned off.
On Monday, the Washington Post published a story focusing on how massively the NSA has grown since the 9/11 attacks. Buried within it, there was a small but striking detail: By September 2004, the NSA had developed a technique that was dubbed “The Find” by special operations officers. The technique, the Post reports, was used in Iraq and “enabled the agency to find cellphones even when they were turned off.” This helped identify “thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq,” according to members of the special operations unit interviewed by the Post."
And possibly capture data...
"The FBI's use, in which cell phones' microphones were remotely activated to record conversations (even with the phones turned off), probably had some bearing on Snowden's request that journalists power down their phones and place them in the fridge."
I offer as much proof for my statement as this blog post does. Snowden had access to basically every NSA program, if you are going to disagree with them you'd better at least speak from authority, or better, offer specific proof.
For as long as I can remember[0] the DoD and all DoD contractors have required those with cellular phones to leave them outside of secured areas. Phones have not been and continue to not be permitted inside secured areas for any reason, even if they are powered down.
It might just be that the DoD is paranoid, but I'm not so sure about that.
[0] That is, since long before smartphones and phones with local audio recording ability were commercially available.
I was under the impression the most common architecture for mobile devices is to support DMA (direct memory access) from the baseband to main memory. This would obviate the "finding an OS exploit" step described, as operating systems do not attempt to be secure against attackers with full memory access. Can anyone with knowledge of these phones' architectures clue us in on the specifics of the situation?
Here's a link I had buried in my bookmarks from last November, that discussed this issue.
If accurate, it suggests the problem is not just bad code quality in the baseband processor being remotely exploitable. This article suggests it's basically a monoculture because everybody just buys the same "hardware part" because actually implementing it on your own is (very) hard. Once you add in all the FCC compliance issues, it's practically impossible.
Oh, and it suggests you may not need to bother with flashing the firmware as mschuster91 suggested. It trusts the cell-tower implicitly. Nevermind fancy stuff like "passwords" - just tell the phone to auto-answer because it accepts Hayes modem commands directly.
Yea well maybe they can't remotely turn on a Nokia P30 or whatever but most people these days use iPhones or other smart devices that almost certainly have many zero-day bugs available to the NSA.
The most interesting detail from this article is the part where he says exactly all the things you would expect an NSA shill to say on a blog, if, hypothetically, an NSA shill kept a blog.