There are so many vulnerabilities in the baseband that it's not even funny. Even the QCOM secure boot process is full of holes. If a government agency wanted to drop a persistent baseband 'rootkit' on your device with full access to userspace, they could (unless you're using one of the few phones with separate userspace and baseband processors).
The DIAG commands are particularly fun. You can read and write memory on most phones. Some have locked it down to certain areas, but this varies wildly depending on manufacturer.
If you absolutely needed the utility of a smartphone, but also somehow needed to be secure from these attack vectors, I wonder how much it helps to remove the SIM and disconnect the 3G/LTE antenna keeping only WiFi and Bluetooth radios on the smartphone, then carrying a separate LTE/WiFi bridge which is considered an untrusted device.
At least you isolate your microphone, video camera, GPS, and all that personal data. You still give off location but perhaps to a lesser extent.
In some ways forcing a bridge-only mode; it can also extend the life of the mobile. The trade off is mostly just a battery drain and overall hassle of the 2nd device I guess.
Are you saying these are remotely exploitable, as in over-the-air?
It seems only the complexity of the protocols involved are what stops the majority of attackers, and perhaps the illegality of broadcasting on licensed spectrum (although illegality never really stopped anyone...)
I looked at the 3GPP specs before and the amount of complexity in them is overwhelming.
Yes. See my previous post:
And having separate baseband and userspace processors doesn't protect you, because the baseband processor is usually the master, and the app processor is a slave. In fact, the paper in my previous post exploits an iPhone 4 and HTC dream -- both of which have separate baseband and app processors.
Here's a quote from the first link in my previous post:
The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted.
For the Mediatek platforms I don't think this is true - the AP is the one that boots up first and loads firmware into the baseband, and at least for the MT6589/6582 the AP can enable protection so that the baseband processor(s) can't access anything outside of the configured ranges. You can look at https://github.com/varunchitre15/MT6589_kernel_source/blob/m... which is the code that initialises the baseband modems by loading their firmware (there are two CPUs in the baseband since this is a dual-SIM SoC), and see the enable_mem_access_protection function at line 863. The table there also shows that properly set up, MD0 and MD1 can only access their respective areas and the small amount of shared memory they use to communicate with the AP.
I haven't looked at them in detail but I'm guessing Qualcomm and Infineon's systems are very different from this?
I'm not worried.
Keep in mind that given my skills at the time, I was looking for the "easy" wins like boundary-checks and logic errors rather than what I would consider more advanced ones like double-free, use-after-free etc.
Given what I've seen of the QCOM assembly that faces userspace, I would say the likelihood that there are low-hanging fruit vulnerabilities in the protocol-facing side of the radio code is near 100%.
To answer your question, yes, "the complexity of the protocols" is what is stopping the majority of attackers IMO.
I have complete control over my phone (baseband and userspace), including a nifty tool sanctioned by MediaTek to insert arbitrary AT commands in my processor at will.
I also have the ability to toggle something on the range of 75 GPIO pins. I'm not entirely sure what they do, so I don't play with them. But aside that, I have complete control over every part of the hardware.
It sounds like you don't really have access to that and can e.g. change the protocol messages being exchanged by the BTS/NodeB or the mobile switching center.
Would you further provide the name of the mediatek tool ?
I didn't like the samsung-esque install of their base, so I recompiled to what I liked.
Baseband processor is separate core that runs its own, realtime OS, that handles radio communication. These OS are not opensource.
The application processor talks to baseband via RIL (rild in Android), which is basically a form of IPC via shared memory.
To recapitulate: In your phone, there is another CPU, with closed-source OS full of bugs, connected via air to network and it has full access to RAM of your application processor.
I hope that it's obvious, that it does not matter, what OS runs on the application CPU.
Such as which ones? Or is this something I quick google could bring up?
There is also a project called Neo900 which aims to do small upgrades to N900 and fence in baseband even more. You will be in control of application CPU and able to monitor baseband activities.
GSM Arena doesn't appear to have this information. You might have to go through iFixit teardowns. It's also possible this isn't something happening today -- I've been out of this arena for some time.
What you want to look for is something like this, where you see both a CPU and a processor like the MDM6600:
I've been unsuccessfully looking for a wifi-only phone, ideally a relatively modern one which comes with an unlocked bootloader and can easily run Cyanogenmod.
Actually that’s one of the reasons I’m excited for smartwatches. Headset + BT-only watch + phablet + Internet AP over Wi-Fi/Bluetooth + VoIP over VPN seems like the most elegant solution to the backdoor baseband and general security and privacy issue right now.
Google’s project Ara would be the most elegant, of course. I hope this is the future, but I don’t know.
I wonder how easy it is to identify the cellular antenna vs. the ones for wifi/Bluetooth/NFC/inductive charging, but definitely something to look into.
a wifi-only phone
If you're looking for "Android phone without the phone", you'd be better off looking for an Android tablet.
It's both fascinating and frightening.
It'd be interesting if reverse engineering of the baseband could find those capabilities and see what's really possible and how it works.
33.106, 33.107, and 33.108 on http://www.3gpp.org/DynaReport/status-report.htm also make for some... interesting reading.
According to a note in this presentation, Ralf-Philipp Weinmann has noted exploits on broadband processors from both.