
The Second Operating System Hiding In Every Mobile Phone

Jah-Wren Ryel writes "Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?"
  • Firmware (Score:5, Informative)

    by Anonymous Coward on Wednesday November 13, 2013 @09:18AM (#45411603)

    In the real world, this is called Firmware.

  • by dotancohen ( 1015143 ) on Wednesday November 13, 2013 @09:40AM (#45411747) Homepage

    Surely a well designed chip can use the power of the radiowaves already in the air, negating the need for a battery...

    That is exactly how RFID works. However, RFID fields are much stronger and the receiver is much closer.

    The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly. There is no way that there is enough energy to actually transmit a signal hundreds of meters.

  • by DrYak ( 748999 ) on Wednesday November 13, 2013 @09:43AM (#45411783) Homepage

    The situation isn't that much different from a desktop user connecting to the internet over a xDSL/Cable/whatever modem without first overwriting its firmware with a secure one (at least, with a modem, the user is the one uploading the firmware, and as most are Linux based, it's easy to have a more or less secure firmware. Unlike the GSM/GPRS/LTE chip which is handled by the service provider, though there exist ISP-remote-administered modems).

    And with TFA's phone example, there's the OS running inside all the various relays (different machines inside the cell tower, router, service provider's main router/server, tons of other routers along the optical fiber road [including a few NSA listening stations, the moment this road crosses the North American continent], a group of mail servers receiving, storing and retrieving mail, then again a long chain of servers and routers [and another NSA listening station and/or FSB's or MSS's or ONYX's or ...] up to the recipient's service provider, the user's home router [with the xDSL and the Wifi firmware as additional steps inside, not necessarily open source, although some chip makers are helping a lot], and finally the recipient's tablet [+/- an additional closed firmware on that chip too]).

    All these steps could corrupt (unintentionally) or tamper (on purpose) or listen [hello NSA] on anything that is sent in the clear.

    Sending things on the internet is as secure as sending a post card, especially back when much more of the processing was handled manually. Except that the current equivalents of my example's post-office employees are much less moral. And except that the post office happens to have a weird guy who's obsessive-compulsive about xeroxing every single post card he handles and stores it into a binder "just in case he needs to publicly embarrass someone in the future, and also to unmask communist conspiracies", whose name is either Ned S. Andale or Feodor Stefanov Bakunine. Also except that there are at least 3 such guys in 99 out of 100 post offices.

    Again, the only way to trust your data is to practice end-to-end encryption. Encrypt it on your phone before sending it away. Decrypt it only on the receiving tablet.

    An untrusted phone firmware is nothing new, and isn't much different from trusting the OS running on another server along the transmission chain.
    With one small difference: when you remove the battery of a phone, everything is shut off: your Android running on your big octa-core big.LITTLE ARM CPU, but also the proprietary real-time system running inside the small ARM core inside the radio chip (that in practice functions as if owned by the phone company whose SIM is inserted).
    Whereas you can't just walk out and pull the cable of the NSA/FSB/whatever listening station in the middle of somewhere in the USA.

  • Re:Firmware (Score:3, Informative)

    by dos1 ( 2950945 ) on Wednesday November 13, 2013 @09:48AM (#45411815)

    It's not "stored in firmware". The described OS *is* a firmware.

  • by DeathToBill ( 601486 ) on Wednesday November 13, 2013 @09:51AM (#45411835) Journal

    Or, you could buy something other than an iPhone.

  • by saider ( 177166 ) on Wednesday November 13, 2013 @10:10AM (#45411995)

    By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see. I am not talking about BIOS, which is another type of firmware, that is visible to the user.

    EVERYTHING these days has software. Shipping a software patch is cheaper than a recall. This goes back to the old joke - the mechanical engineer thinks it is an electrical problem, the electrical engineer thinks it is a mechanical problem, but they both agree that it should be fixed in software.

    This story reminds me of the Simpsons episode where Kent Brockman breaks a story about the government training people to kill on an industrial scale. "They call it the 'Army', but I have a better name - Killbot Factory".

  • by DrYak ( 748999 ) on Wednesday November 13, 2013 @11:19AM (#45412731) Homepage

    I do not fully trust the author because as far as I understand the baseband processor is supposed to control only the radio and nothing else. That means wifi, gsm and bluetooth.

    Usually, wifi is handled by another chip, with its own different firmware. This might have started changing now with more consolidation sought by system integrators.
    Frequently GPS is also handled by the radio sub-system.
    (That's why you have feature phones with GSM + Bluetooth but no Wifi, and that's also why Wifi-only tablets also lack GPS [early iPads, for example].)
    In some rare occurrences, this chip can also communicate with SD cards (it has a SPI interconnect).
    (That's very frequent in USB 3G/4G modems. It's basically a standard radio chip, with the Bluetooth and GPS functions turned off and packaged inside a USB stick, with a SD card reader as a bonus. But instead of talking to a main system ARM running Android, it talks over a USB chip to a whole computer/laptop running Linux or Windows. Note that a recent exploit mentioned on /. found a way around the firmware limitation, and forcefully turned the Bluetooth on, creating a possible extra entry point and thus extending the attack surface.)

    I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion.

    Yup. For all the designs I've seen (and some smart phones have 100% fully open designs, such as the various OpenMoko boards), the radio chip is just a blackbox device talking over some limited channel to the main SoC (in OpenMoko GTA02/03 it's something imitating a serial interface. There's not much difference between an old PC talking to an analog modem over serial and an OpenMoko talking to the radio chip).

    Then usually the main SoC talks to the other peripherals: RAM is directly soldered to the CPU in a Package-on-Package fashion, so it's completely inaccessible. Camera, sound chip, memory card, charger controller are also connected to the SoC on other channels (SPI, I2C, etc.)

    But then again I'm not knowledgeable enough to be certain about any of this.

    When thinking hard, there would be a few broken designs where this could happen.
    Note that such designs are to be considered broken. Having so little isolation toward the chip that is constantly talking to the outside and downloading updates is a serious security and stability issue.

    And stability *IS* an issue: I've had problems with an old phone (not supported anymore by the constructor) having bad updates on its modem and having problems.
    (Once I needed to call my service provider and then, after a long debugging session and several tentative upgrades [over the air], I ended up changing SIM).

    Possible such bad designs:

    - Fully integrated chips: where one single chip is responsible for everything on the phone.
    That's the situation with QualComm's Snapdragon. Okay, the phone maker will spare an extra chip and room on the PCB.
    But that's pure nightmare fuel regarding security and stability.
    (When a HP Pre 3's modem crashes, the whole phone freezes and crashes. There are entire forum threads about this).

    - Everything on the same bus: several common interconnects in smartphones (like SPI) can talk to several chips on the same bus.
    If the SoC (of course), the camera, audio codec AND the radio are all on the same bus, the radio chip could pull some shit and disturb the bus (to act as if it was a master and turn on the camera, then listen on the bus to eavesdrop on audio and video packets which were destined to the main SoC).
    That's an awful design, both from a security point of view (the modem should be considered untrusted) and quality (a crashed radio could crash other components, also they all have to share the very limited bandwidth on the bus: SPI has only 100Mbit/s, for instance).
    The modem should b

  • by Anonymous Coward on Wednesday November 13, 2013 @11:26AM (#45412779)

    I've seen this before, but I've never actually looked at any phones' schematic to prove it's true.

    Take a look at Replicant [replicant.us], a fork of Cyanogenmod for people who are religious about software freedom. Replicant aims to have absolutely no proprietary software, but so far, none of their supported phones achieve that. They all have a statement along the lines "Modem firmware is non-free and there is no free alternative" and another saying "The modem controls CPU memory (read/write)".

    The closest thing to a free phone is one of the OpenMoko phones. They still use a proprietary modem, but it communicates over SPI, and the main CPU is the master.

  • by YoopDaDum ( 1998474 ) on Wednesday November 13, 2013 @11:51AM (#45413091)
    No. The SIM is powered from the baseband, and when the baseband is off the SIM has no power supply and can't do anything. Plus the SIM can only communicate with cell towers through the baseband, never on its own. The SIM cannot wake up the baseband on its own; enabling the radio subsystem can only be done from the host processor. So what you described is not possible.

    What is possible however is that when your device's cellular radio is on and the baseband is enabled, the SIM can directly use the baseband to communicate with the network using what is called the SIM Toolkit (STK). This can be done with or without the user being informed. The STK also has many features like transforming the numbers you dialed (to seamlessly add a routing prefix, or redirect), filtering calls (block or accept), getting and reporting a location, etc. The specs are public, look for 3GPP TS 31.048 and ETSI 102.223 (using USAT and CAT instead of STK, but it's all the same under different names).
  • by YoopDaDum ( 1998474 ) on Wednesday November 13, 2013 @12:03PM (#45413239)
    Hi there. I'm not following 3G closely, but in LTE the encryption schemes are secure. You have two options, both 128 bits: SNOW 3G (inherited from 3G as you can guess ;) and an AES scheme. Both secure as of today. In R10 or R11 a Chinese scheme called ZUC has been added too, also 128 bits. The operator decides which scheme is used, and the device must support both SNOW 3G and AES today.

    The big thing is that the encryption is between the device and the cell (base station). The assumption is that the cell is secure, and behind it the operator network is secured by other means. So it's important to protect the cell (eNB in LTE) against compromises. A fake cell won't work as in LTE the authentication is mutual: the UE won't work with any cell, except for an emergency call.

    For more details have a look at the 3GPP 33.401 spec [3gpp.org], for example the latest R9 version [etsi.org].
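    The mutual-authentication property described in the post above (a cell that cannot prove it holds the subscriber's key never gets the device to attach, and the device in turn has to prove itself to the network) is illustrated here by an added, simplified Python model. It is not part of the original discussion and it is not the 3GPP algorithm: HMAC-SHA256 stands in for the standard's key-derivation functions, the key `K_SHARED`, the sequence-number handling, and the names `Network`, `Device`, `run_attach` and `replay_is_rejected` are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example key (128 bits): the long-term secret that the SIM and
# the operator's authentication centre both hold. It is a constant only so the
# script runs offline; real keys are never hard-coded.
K_SHARED = bytes.fromhex("00112233445566778899aabbccddeeff")


def _tag(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC used in both directions.

    Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the
    standard's authentication functions, which this toy does not implement.
    """
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


class Network:
    """Operator side: issues a challenge and checks the device's answer."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.sqn = 0  # per-subscriber sequence number (anti-replay)

    def challenge(self) -> tuple[bytes, int, bytes]:
        self.sqn += 1
        rand = secrets.token_bytes(16)
        sqn_bytes = self.sqn.to_bytes(6, "big")
        # The network proves it knows K by tagging RAND||SQN. A fake cell
        # without K cannot produce this tag.
        mac = _tag(self.key, b"net", rand, sqn_bytes)
        return rand, self.sqn, mac

    def verify_response(self, rand: bytes, res: bytes) -> bool:
        expected = _tag(self.key, b"dev", rand)
        return hmac.compare_digest(expected, res)


class Device:
    """UE/SIM side: verifies the network first, then answers the challenge."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest_sqn = 0

    def respond(self, rand: bytes, sqn: int, mac: bytes) -> bytes | None:
        sqn_bytes = sqn.to_bytes(6, "big")
        expected = _tag(self.key, b"net", rand, sqn_bytes)
        if not hmac.compare_digest(expected, mac):
            return None  # cell failed to prove it holds K: refuse to attach
        if sqn <= self.highest_sqn:
            return None  # replayed or stale challenge: refuse
        self.highest_sqn = sqn
        return _tag(self.key, b"dev", rand)


def run_attach(network: Network, device: Device) -> str:
    """One authentication round; returns which side, if any, refused."""
    rand, sqn, mac = network.challenge()
    res = device.respond(rand, sqn, mac)
    if res is None:
        return "device rejected network"
    if not network.verify_response(rand, res):
        return "network rejected device"
    return "attached"


def replay_is_rejected() -> bool:
    """A captured genuine challenge cannot be replayed to the device."""
    net, dev = Network(K_SHARED), Device(K_SHARED)
    rand, sqn, mac = net.challenge()
    first = dev.respond(rand, sqn, mac)
    second = dev.respond(rand, sqn, mac)
    return first is not None and second is None


if __name__ == "__main__":
    print("genuine cell:", run_attach(Network(K_SHARED), Device(K_SHARED)))
    # A fake cell holds some other key and so cannot tag the challenge.
    print("fake cell:   ", run_attach(Network(secrets.token_bytes(16)), Device(K_SHARED)))
    print("replay rejected:", replay_is_rejected())
```

    Note that when the keys mismatch the device is the side that refuses, since it checks the network's tag before answering; the network's own check of the device response only comes into play for a device that has accepted the cell.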
  • wtf-am-i-reading.jpg (Score:4, Informative)

    by FuzzNugget ( 2840687 ) on Wednesday November 13, 2013 @02:13PM (#45414909)

    This is called "firmware", dipshit.

    Non-story, move along.
