
The Second Operating System Hiding In Every Mobile Phone

Posted by Soulskill
from the spoiler:-it's-windows-ME dept.
Jah-Wren Ryel writes "Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?"
  • Firmware (Score:5, Informative)

    by Anonymous Coward on Wednesday November 13, 2013 @09:18AM (#45411603)

    In the real world, this is called Firmware.

    • In the real world, this is called Firmware.

      Firmware used to be low-level controllers that only handled a small number of instructions related to a specific task, like a hard drive. All it needed to do was process requests for data and a few other basic operations, and so it was relatively simple. Firmware today though doesn't really meet that definition -- due to the lower costs of FPGAs and similar, these controllers are now trivially reprogrammable, and because the original designers didn't consider the hardware to be an attack vector, it has full

  • Conspiracy (Score:4, Funny)

    by BreakBad (2955249) on Wednesday November 13, 2013 @09:20AM (#45411621)

    Everyone thinks a virus will cause the Zombie Apocalypse, when in truth it will be a broadcast of "Never gonna let you down" on infinite loop. Rick is Chinese...didn't you know? The same people who make these 'Cell' phones. Cell.....terrorist cells! OMG it all makes sense now.

  • by pieterh (196118) on Wednesday November 13, 2013 @09:24AM (#45411643) Homepage

    The SIM firmware runs silently and in the background and by some reports, even when the phone is switched off, it continues to slowly ping cell towers, making your phone trackable unless you remove the battery.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Surely a well designed chip can use the power of the radiowaves already in the air, negating the need for a battery...

      • by dotancohen (1015143) on Wednesday November 13, 2013 @09:40AM (#45411747) Homepage

        Surely a well designed chip can use the power of the radiowaves already in the air, negating the need for a battery...

        That is exactly how RFID works. However, RFID fields are much stronger and the receiver is much closer.

        The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly. There is no way that there is enough energy to actually transmit a signal hundreds of meters.

        • The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly.

          Wouldn't it be better to power it from ambient light (which was enough to power my calculator 20 years ago, and if there is no light there's no need to change the e-ink display ;) ) or motion?

          Shake it to wake it!

          • Shake it to wake it!

            It would be especially interesting with women who keep their cell in their bras (a not uncommon practice).

          • by Shadowmist (57488)

            The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly.

            Wouldn't it be better to power it from ambient light (which was enough to power my calculator 20 years ago, and if there is no light there's no need to change the e-ink display ;) ) or motion?

            Shake it to wake it!

            How much ambient power did your cheap solar calculator generate when it was stuffed inside your pocket?

      • by fisted (2295862)

        Surely not, as there isn't much energy to harvest in the first place. You'd need way more to create a signal strong enough to be picked up by the tower, so either you have your tower very close, or your idea is moot.

        • by F.Ultra (1673484)

          But if it's power enough to record audio and video it would probably be good enough for surveillance; upload can be done later when the user turns the phone on.

        • by Sique (173459)

          There is enough energy to harvest. I remember when in the 1960s, the electronics magazines were full of radios "with local radio tower power". We still have FM radio, right?

      • by Gramie2 (411713)

        For over a hundred years, people have been using the power of radio waves to generate enough electricity to operate a radio [wikipedia.org] with earphones.

        • For over a hundred years, people have been using the power of radio waves to generate enough electricity to operate a radio [wikipedia.org] with earphones.

          Uhuh, a radio *receiver*. The energy required to send back to the basestation is going to be in the same region as the original signal at source, not once it's been spread out and dissipated, and the losses in electrical inductance are huge... and where are you going to get that from? You can't just get magic energy.

    • by ruir (2709173)

      Low-tech solution: leave the phone at home?

    • If you're really worried about that, wouldn't a good workaround be to carry a faraday cage with you? For example, an opaque anti-static bag would be helpful (at least according to some random blog post I just read).

    • You do realize that unless the cell phone knows where you are it's impossible for you to receive a call.

      Or do you expect every cell tower to send out every call request to everyone in the world?

      If you don't want to be tracked by your cell carrier, don't carry a cell phone.

    • by YoopDaDum (1998474) on Wednesday November 13, 2013 @11:51AM (#45413091)

      No. The SIM is powered from the baseband, and when the baseband is off the SIM has no power supply and can't do anything. Plus the SIM can only communicate with cell towers through the baseband, never on its own. The SIM cannot wake up the baseband on its own; enabling the radio subsystem can only be done from the host processor. So what you described is not possible.

      What is possible however is that when your device's cellular radio is on and the baseband is enabled, then the SIM can directly use the baseband to communicate with the network using what is called the SIM Toolkit (STK). This can be done with or without the user being informed. The STK also has many features, like transforming the numbers you dialed (to seamlessly add a routing prefix, or redirect), filtering calls (block or accept), getting and reporting a location, etc. The specs are public, look for 3GPP TS 31.048 and ETSI 102.223 (using USAT and CAT instead of STK, but it's all the same under different names).

    • by sl4shd0rk (755837)

      even when the phone is switched off, it continues to slowly ping cell towers

      Got a source for that? According to Samsung and Nokia, they have no idea how that would be possible*. I'm not saying they aren't "under oath to lie about it", but if you're going to pimp that legend, at least enlighten us as to the source of your infallible research on the topic.

      [*] http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-how-to-track-a-powered-down-phone/ [arstechnica.com]

    • by Lumpy (12016)

      This is 100% bullshit.

      I have an old E62 here that was charged 2 years ago and then put in the drawer off. I just turned it on and it's still charged, in fact 80% charged. If the radio was turning on for ANY reason it would not have that much battery left.

      Let's check another... An old unused iPhone 3S here. It also still has 80% charge after sitting for a year unused and off.

      And yes, they BOTH have a SIM card in them. AT&T loves sending out new SIM cards every time you get a phone.

      But let's go further

  • by fisted (2295862) on Wednesday November 13, 2013 @09:33AM (#45411687)

    News at 11.

    • by rasmusbr (2186518) on Wednesday November 13, 2013 @09:43AM (#45411775)

      Yeah, I'm surprised anyone thinks this is news. It's been like this since the days of the grayscale Nokia phones. A phone that is turned off can still be located by the cell towers and it can in some cases be remotely turned on and used as a listening device. Back then security experts advised to remove the battery before you discussed secrets in a corporate or government setting, in order to avoid falling victim to espionage.

      I guess it's just not very practical to follow that advice. Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.

      • by Dcnjoe60 (682885)

        Yeah, I'm surprised anyone thinks this is news. It's been like this since the days of the grayscale Nokia phones. A phone that is turned off can still be located by the cell towers and it can in some cases be remotely turned on and used as a listening device. Back then security experts advised to remove the battery before you discussed secrets in a corporate or government setting, in order to avoid falling victim to espionage.

        I guess it's just not very practical to follow that advice. Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.

        Probably because some very popular phones make it impossible to remove the batteries.

        • by drinkypoo (153816)

          Probably because some very popular phones make it impossible to remove the batteries.

          Luckily, they still fit in a mylar bag.

      • Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.

        In labs where classified government work is done (not necessarily very high level classification either) you're often required to put your cell in a box or something outside the lab before you enter. You don't have to turn it off, which makes it fun to figure out whose cell is ringing when you have a whole basket of them.

  • It doesn't matter if the RTOS and other firmware are secure if you don't have good security in the over-the-air protocols. That's the vector that would be used to get to this, assuming you have decent security on the host processor (or whatever you want to call the thing that runs stupid games). Some time ago I worked on 3G and LTE phy layer stuff, but don't recollect much about the higher layer protocols. Anyone know what sort of security they have?

    • by YoopDaDum (1998474) on Wednesday November 13, 2013 @12:03PM (#45413239)

      Hi there. I'm not following 3G closely but in LTE the encryption schemes are secure. You have two options, both 128 bits: SNOW 3G (inherited from 3G as you can guess ;) and an AES scheme. Both are secure as of today. In R10 or R11 a Chinese scheme called ZUC has been added too, also 128 bits. The operator decides on which scheme is used, and the device must support both SNOW 3G and AES today.

      The big thing is that the encryption is between the device and cell (base station). The assumption is that the cell is secure, and behind it the operator network is secured by other means. So it's important to protect the cell (eNB in LTE) against compromises. A fake cell won't work as in LTE the authentication is mutual: the UE won't work with any cell, except for an emergency call.

      For more details have a look at the 3GPP 33.401 spec [3gpp.org], for example the latest R9 version [etsi.org].

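A simplified model of the mutual challenge-response exchange YoopDaDum describes, added here as an illustration and not code from the post or from any 3GPP implementation: both sides share a subscriber key K, the network proves knowledge of K with an authentication token before the device answers, so a cell that lacks K is refused. HMAC-SHA256 stands in for the 3GPP key-derivation functions, and the RAND/AUTN/RES field names follow the 3GPP convention while the byte layouts are constructed for this example.

```python
import hmac
import hashlib
import secrets


def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed derivation; HMAC-SHA256 stands in for the 3GPP functions (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


class HomeNetwork:
    """Holds the subscriber key K on the operator side."""

    def __init__(self, k: bytes):
        self.k = k

    def challenge(self):
        rand = secrets.token_bytes(16)
        autn = kdf(self.k, b"AUTN", rand)  # proves the network knows K
        xres = kdf(self.k, b"RES", rand)   # expected answer from the UE
        return rand, autn, xres

    def verify(self, res: bytes, xres: bytes) -> bool:
        return hmac.compare_digest(res, xres)


class UE:
    """The device; its copy of K lives on the SIM."""

    def __init__(self, k: bytes):
        self.k = k

    def respond(self, rand: bytes, autn: bytes):
        # A cell that cannot produce a valid AUTN is rejected before the UE
        # answers, so a rogue base station never completes the attach.
        if not hmac.compare_digest(autn, kdf(self.k, b"AUTN", rand)):
            return None
        return kdf(self.k, b"RES", rand)


def attach(ue: UE, network: HomeNetwork, tamper_res=None) -> str:
    """Runs one exchange; tamper_res models corruption of RES in transit."""
    rand, autn, xres = network.challenge()
    res = ue.respond(rand, autn)
    if res is None:
        return "ue_rejected_network"
    if tamper_res:
        res = tamper_res(res)
    return "attached" if network.verify(res, xres) else "network_rejected_ue"


if __name__ == "__main__":
    k = secrets.token_bytes(16)  # constructed subscriber key
    print(attach(UE(k), HomeNetwork(k)))                        # attached
    print(attach(UE(k), HomeNetwork(secrets.token_bytes(16))))  # ue_rejected_network
```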
  • From the original article, the author (Thom, whom I recognize for his efforts) introduces the topic of peer-reviewing every minutiae of the devices we use; he laments about the absence of peer-review in proprietary and closed-source software. As an open-source advocate, such a viewpoint is naturally expected and his flashing a light on the subject is always appreciated. [But how does he know? Wouldn't technology companies use security consultants to conduct security audits?]

    However, applying the same lines of argu

    • TL;DR -- Peer-review everything means trusting nothing, disclosure of everything, and loss of privacy...

      Your TL;DR needs a TL;DR.

    • by Punko (784684)

      Sorry Sunshine, you're mixing apples and oranges. He's advocating peer-review for technologies to be widely used and trusted by people. He's advocating privacy and anonymity for people. You are trying to say that asking that the tools we use to privately communicate should be trusted, because the corporate bodies that make them deserve to be trusted. People have the right for private communication, with the exception of pre-authorized, court sponsored, evidence gathering. People are allowed to be anony

    • Your argument fails because you conflate the need to trust a tool with the need to trust a person. I need to be able to trust my tools because I'm using them, but I do not need to trust you because I'm not using you.

      Now, if you're talking about a slave, then I agree it's a problem if the slave has privacy. But despite it being quite perfectly capitalist, it's been well established that slavery is a bad idea.

  • Assuming the embedded developers are skilled and can craft excellent low level software in ASM and C then very little. If we assume they threw some co-ops on the job with some cocky young programmers and they used Object Oriented languages then a hell of a lot. However I feel pretty confident that the code is pretty low level because having done radio programming, you generally need to work at the architecture level and not abstracted by 10 levels. Of course the other option is that it's all VHDL / Veri

    • Assuming the embedded developers are skilled and can craft excellent low level software in ASM and C then very little.

      Hell of an assumption, and yes, I've written low-level embedded code for stuff like this. I don't know how realistic this attack vector is (I worked on MAC/Phy stuff, and don't know the security arrangements of the higher layers), but it's incorrect to assume that otherwise good quality code is secure. Even top-notch coders make mistakes in things that are designed to be highly secure (e.g. SSH), and the sort of stuff being discussed is often designed with little thought to security. Whether it's realistica

  • Why stop there? Every cell phone also runs on an operating system called QM (quantum mechanics). Hack that and you can make the phone do all sorts of really cool things.

  • by benjfowler (239527) on Wednesday November 13, 2013 @10:09AM (#45411993)

    Baseband hacking article: "Baseband Hacking: A New Frontier for Smartphone Break-Ins"

    http://readwrite.com/2011/01/18/baseband_hacking_a_new_frontier_for_smartphone_break_ins#awesm=~on54yB5zHMVt93 [readwrite.com]

    Apparently, the firmware in baseband processors doesn't get updated a lot because of certification requirements, vendor laziness, etc., and certain well-funded attackers have swags of exploits for phones that can crack phones from over-the-air through the baseband processor itself.

    • "Certification requirements" is the key thing here, and it's a lot of work for vendors (can't really be lazy and succeed in this space ;).

      Spectrum is a shared medium, and the worst jammer is a buggy device. Because of this there are strict certification requirements before being legally allowed to put a device over the air. And going through all the associated tests costs a lot of money: it's a lot of time with expensive testing hardware and in the field (after passing the "safe for network" part). It's ex

  • by saider (177166) on Wednesday November 13, 2013 @10:10AM (#45411995)

    By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see. I am not talking about BIOS, which is another type of firmware, that is visible to the user.

    EVERYTHING these days has software. Shipping a software patch is cheaper than a recall. This goes back to the old joke - the mechanical engineer thinks it is an electrical problem, the electrical engineer thinks it is a mechanical problem, but they both agree that it should be fixed in software.

    This story reminds me of the Simpsons episode where Kent Brockman breaks a story about the government training people to kill on an industrial scale. "They call it the 'Army', but I have a better name - Killbot Factory".

    • By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see.

      But unlike a cell phone, not every embedded processor is directly connected to a public network.

  • What could possibly go wrong?

    Oh that's easy.

    People who have no effin idea what the hell they are talking about, but feel compelled to spew their opinion and ask stupid questions. You can find them all over the internets and the workplace.

  • Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

    I don't know what that's supposed to mean. AFAIK, the wireless modem is just a device from the point of view of Android or iOS. In addition (depending on the phone), it may also have a direct path to the microphone and speaker in order to make "old fashioned" phone calls. Other than that, in what way is it supposed to interact with cameras, memory, or storag

  • wtf-am-i-reading.jpg (Score:4, Informative)

    by FuzzNugget (2840687) on Wednesday November 13, 2013 @02:13PM (#45414909)

    This is called "firmware", dipshit.

    Non-story, move along.