Free Republic
The second operating system hiding in every mobile phone
OS News ^ | 11/12/2013 | Thom Holwerda

Posted on 11/13/2013 7:00:33 PM PST by markomalley

I've always known this, and I'm sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.

This operating system is stored in firmware, and runs on the baseband processor. As far as I know, this baseband RTOS is always entirely proprietary. For instance, the RTOS inside Qualcomm baseband processors (in this specific case, the MSM6280) is called AMSS, built upon their own proprietary REX kernel, and is made up of 69 concurrent tasks, handling everything from USB to GPS. It runs on an ARMv5 processor.

The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there's no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device. You may think these baseband RTOSes are safe and secure, but that's not exactly the case. You may have the most secure mobile operating system in the world, but you're still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm's, Infineon's, and others' blue eyes.

The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?

With this in mind, security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits - crashing the device, and even allowing the attacker to remotely execute code. Remember: all over the air. One of the exploits he found required nothing more than a 73-byte message to get remote code execution. Over the air.

You can do some crazy things with these exploits. For instance, you can turn on auto-answer, using the Hayes command set. This is a command language for modems designed in 1981, and it still works on modern baseband processors found in smartphones today (!). The auto-answer can be made silent and invisible, too.

While we can sort-of assume that the base stations in cell towers operated by large carriers are "safe", the fact of the matter is that base stations are becoming a lot cheaper, and are being sold on eBay - and there are even open source base station software packages. Such base stations can be used to target phones. Put a compromised base station in a crowded area - or even a financial district or some other sensitive area - and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.

This is a pretty serious issue, but one that you rarely hear about. This is such low-level, complex software that I would guess very few people in the world actually understand everything that's going on here.

That complexity is exactly one of the reasons why it's not easy to write your own baseband implementation. The list of standards that describe just GSM is unimaginably long - and that's only GSM. Now you need to add UMTS, HSDPA, and so on, and so forth. And, of course, everything is covered by a ridiculously complex set of patents. To top it all off, communication authorities require baseband software to be certified.

Add all this up, and it's easy to see why every cellphone manufacturer just opts for an off-the-shelf baseband processor and associated software. This does mean that each and every feature phone and smartphone has a piece of software that always runs (when the device is on), but that is essentially a black box. Whenever someone does dive into baseband software, many bugs and issues are found, which raises the question of just how long this rather dubious situation can continue.

It's kind of a sobering thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, pivots around software that is of dubious quality, poorly understood, entirely proprietary, and wholly insecure by design.


TOPICS: Computers/Internet


1 posted on 11/13/2013 7:00:33 PM PST by markomalley
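The article's central claim is that the baseband takes whatever the base station sends at face value: nothing is checked before it is acted on. The following is an added illustration of what "checking" means at the parser level. It is not code from the OS News piece, from Weinmann's research, or from any vendor's baseband firmware. The message layout (a one-byte type, a one-byte length, then the payload), the type values and the 32-byte staging buffer are all assumptions made up for the example; a real GSM or UMTS frame looks nothing like this. The point is the three comparisons a '90s-style "trust the tower" handler skips: does the header fit, is the type one we know, and does the claimed length fit both the frame and the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed message layout (an assumption for this example, not a real
 * radio-protocol frame): [type:1][len:1][payload:len]. Several messages may
 * be concatenated in one received frame. */
enum {
    MSG_IDENTITY_REQUEST = 0x01,   /* hypothetical type value */
    MSG_CONFIG_UPDATE    = 0x02,   /* hypothetical type value */
    MSG_TYPE_MAX         = 0x02
};

#define PAYLOAD_MAX 32   /* fixed-size staging buffer, as a trusting design would have */

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} msg_t;

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* header or payload runs past the end of the frame */
    PARSE_TOO_LONG,    /* claimed length would overrun payload[] */
    PARSE_BAD_TYPE     /* unknown type: never dispatched to a handler */
} parse_status_t;

/* Parse one message starting at frame[off]. A handler that trusts the base
 * station would do memcpy(m->payload, frame + off + 2, len) with no check of
 * len against either the buffer or the remaining frame bytes. This version
 * rejects the message before a single payload byte is copied. */
parse_status_t parse_message(const uint8_t *frame, size_t frame_len, size_t off,
                             msg_t *m, size_t *consumed)
{
    if (off + 2 > frame_len) return PARSE_TRUNCATED;           /* header does not fit */
    uint8_t type = frame[off];
    uint8_t len  = frame[off + 1];
    if (type == 0 || type > MSG_TYPE_MAX) return PARSE_BAD_TYPE;
    if (len > PAYLOAD_MAX) return PARSE_TOO_LONG;              /* would overrun payload[] */
    if (off + 2 + (size_t)len > frame_len) return PARSE_TRUNCATED; /* would read past frame */
    m->type = type;
    m->len = len;
    memcpy(m->payload, frame + off + 2, len);
    *consumed = 2 + (size_t)len;
    return PARSE_OK;
}

/* Walk a whole frame, stopping at the first malformed message. Returns the
 * number of messages accepted and reports the final status through *last. */
size_t parse_frame(const uint8_t *frame, size_t frame_len, parse_status_t *last)
{
    size_t off = 0, count = 0, used = 0;
    msg_t m;
    *last = PARSE_OK;
    while (off < frame_len) {
        *last = parse_message(frame, frame_len, off, &m, &used);
        if (*last != PARSE_OK) break;
        off += used;
        count++;
    }
    return count;
}

/* Small wrappers so each result is available as a single return value. */
size_t frame_count(const uint8_t *frame, size_t frame_len)
{
    parse_status_t st;
    return parse_frame(frame, frame_len, &st);
}

parse_status_t frame_status(const uint8_t *frame, size_t frame_len)
{
    parse_status_t st;
    (void)parse_frame(frame, frame_len, &st);
    return st;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[]      = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
/* len claims 200 bytes: rejected before any copy; an unchecked memcpy would
 * have overrun the 32-byte staging buffer. */
static const uint8_t oversized_frame[] = { 0x02, 0xC8, 'x' };
/* len claims 5 bytes but only 2 follow: rejected as truncated instead of
 * reading past the end of the frame. */
static const uint8_t truncated_frame[] = { 0x01, 0x05, 'y', 'z' };

int main(void)
{
    printf("good frame:      %zu messages, status %d\n",
           frame_count(good_frame, sizeof good_frame),
           frame_status(good_frame, sizeof good_frame));
    printf("oversized frame: %zu messages, status %d\n",
           frame_count(oversized_frame, sizeof oversized_frame),
           frame_status(oversized_frame, sizeof oversized_frame));
    printf("truncated frame: %zu messages, status %d\n",
           frame_count(truncated_frame, sizeof truncated_frame),
           frame_status(truncated_frame, sizeof truncated_frame));
    return 0;
}
```

The good frame parses as two messages; the other two are dropped at the length check, which is exactly the step the article says the real basebands omit. Exploit mitigations (stack cookies, non-executable memory) only limit what a parser bug can do afterwards; the check itself is what stops the bad message from being acted on at all.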

To: markomalley

What phone?


2 posted on 11/13/2013 7:04:28 PM PST by Paladin2

To: markomalley

Can someone translate this all to Stupid?


3 posted on 11/13/2013 7:07:03 PM PST by GeronL

To: markomalley

Cell phones don’t work here. I have had a couple of people break down near my house and have to use my land line phone because their cells would not work.

I have also gone to neighbors to report my phone out and they told me their phones did not work in this area.

I suppose there are satellite phones and guess they would work but don’t really know anything about them.


4 posted on 11/13/2013 7:10:43 PM PST by yarddog (Romans 8: verses 38 and 39. "For I am persuaded".)

To: GeronL
They asked for a latte, they got a de-caf.

/johnny

5 posted on 11/13/2013 7:12:39 PM PST by JRandomFreeper (Gone Galt)

To: GeronL

That would be ... challenging, and probably require a lot of typing. Suffice to say that smart phones are pretty pictures on top of some really old, really crappy code that way too many people have had their fingers in, and it’s frankly a miracle that it still works. Every phone is like this.

This old code is as secure as running Windows 3.1 with no virus protection, we’re just lucky no one has decided to cause problems because they could break a lot of phones with relatively little effort.

I’m surprised no one has done it yet.


6 posted on 11/13/2013 7:15:30 PM PST by TheZMan (Buy more ammo.)

To: GeronL

Each smartphone has two operating systems. The first is the modern, pretty one you see. The second is the old one that operates the radio system that communicates with the tower. It was written in the 80’s.

The radio system is not secure. These guys have figured out they can do things like have the phone silently turn on and transmit. Think what sounds you could pick up with that.

The radio operating system sucks and it needs to be updated.


7 posted on 11/13/2013 7:18:33 PM PST by Vermont Lt ( 1-800-318-2596, Mr President.)

To: markomalley

I used to work at Motorola, where we built modems. I used to know most all of the Hayes command set by heart. Tested tens of thousands of modems.

ATDT15552368


8 posted on 11/13/2013 7:31:07 PM PST by Bryan24 (When in doubt, move to the right..........)

To: 2nd amendment mama

Ping!


9 posted on 11/13/2013 7:35:30 PM PST by basil (2ASisters.org)

To: GeronL

Well, they’re talking about the “phone side” of things, where the phone talks to the tower. Remember Captain Crunch? So named because he used a cereal box prize whistle to break into the “in band signaling” of the pre-80’s phone network. More primitive than that even was “switch hook dialing”. You could emulate dial pulses simply by “flashing” the switch hook. Very easy to do on a wall phone. I had a friend whose mother put a lock on the dial. Hah!

There’s always something!


10 posted on 11/13/2013 7:36:33 PM PST by dr_lew

To: markomalley; COUNTrecount; Nowhere Man; FightThePower!; C. Edmund Wright; jacob allen; ...

Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...

11 posted on 11/13/2013 7:38:03 PM PST by null and void (I'm betting on an Obama Trifecta: A Nobel Peace Prize, an Impeachment, AND a War Crimes Trial...)

To: dr_lew

I guess internet would be tough on a party-line phone.


12 posted on 11/13/2013 7:38:22 PM PST by GeronL (Extra Large Cheesy Over-Stuffed Hobbit)

To: TheZMan
This old code is as secure as running Windows 3.1 with no virus protection, we’re just lucky no one has decided to cause problems because they could break a lot of phones with relatively little effort.

I’m surprised no one has done it yet.

I am wondering now if that is what happened to me about 5 years ago. Kept getting calls from some collection agency on my flip phone asking for a "Bob Jones" who apparently owed money to someone. I kept telling them I wasn't this Bob Jones guy but the calls continued almost every day for about six months. One day they called and said if I didn't pay up right now my phone would be shut down. I laughed as I hung up on them. The next day my phone quit working. Verizon couldn't figure it out so they gave me a new phone with a different number and no problems since.

13 posted on 11/13/2013 7:43:32 PM PST by Inyo-Mono (NRA)

To: GeronL
Every phone line is a party line with NSA!

/johnny

14 posted on 11/13/2013 7:44:12 PM PST by JRandomFreeper (Gone Galt)

To: GeronL

I had almost forgotten about party lines.

Where we lived out in the country a party line was all that was available. Everyone had their own ring. Ours was two short and one long, I think.

Every call rang on every phone so if you wanted to listen in you were alerted, and you even knew who was being called.

I also remember one neighbor who had two teenage daughters and they would sometimes tie up the phone for hours.


15 posted on 11/13/2013 7:44:37 PM PST by yarddog (Romans 8: verses 38 and 39. "For I am persuaded".)

To: GeronL
I feel a song coming on.
16 posted on 11/13/2013 7:45:44 PM PST by dr_lew

To: Bryan24

867-5309


17 posted on 11/13/2013 7:50:44 PM PST by Kickass Conservative (Good news, Federal Funding for my Tagline has been restored. Crisis averted.)

To: JRandomFreeper

lol


18 posted on 11/13/2013 7:51:23 PM PST by GeronL (Extra Large Cheesy Over-Stuffed Hobbit)

To: GeronL
You don't even have to sign up! Your credit card is billed automatically! Don't ask what it's worth! Call NOW! Or don't, we've got you covered!

Yeah... government is pretty much like that these days. Infomercial hype with a bite in the ass.

/johnny

19 posted on 11/13/2013 7:55:44 PM PST by JRandomFreeper (Gone Galt)

To: JRandomFreeper

yes it is


20 posted on 11/13/2013 7:58:48 PM PST by GeronL (Extra Large Cheesy Over-Stuffed Hobbit)

