

The Second Operating System Hiding In Every Mobile Phone
Jah-Wren Ryel writes "Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?"
Firmware (Score:5, Informative)
In the real world, this is called Firmware.
Re: (Score:3)
In the real world, this is called Firmware.
Firmware used to be low-level controllers that only handled a small number of instructions related to a specific task, like a hard drive. All it needed to do was process requests for data and a few other basic operations, and so it was relatively simple. Firmware today though doesn't really meet that definition -- due to the lower costs of FPGAs and similar, these controllers are now trivially reprogrammable and because the original designers didn't consider the hardware to be an attack vector, it has full
Re:Firmware (Score:5, Funny)
Yeah kind of makes all of those hand waving sci-fi hacking tools look plausible.
A secure computer is a computer without power, network and Qualcomm baseband chips.
Re:Firmware (Score:4, Funny)
Soo many times I've wished computers ran on magic.
I wish computers ran on magic because then when someone whose expertise is way outside of what I do requests an explanation and struggles with the details but is insistent upon knowing them, I could say ", because magic" and then they would accept that and say "I see."
Re: (Score:2)
"Any sufficient level of technology is indistinguishable from magic" - Arthur C. Clarke
It is magic, to most people.
Re: (Score:2)
But firmware gets copied to ram.
What? One of the last MCUs I worked with didn't have any RAM whatsoever, just saying. Of the numerous others which had RAM, none would 'copy code there' in x86-fashion.
Re: (Score:2)
You're talking about mighty slow processors, even by embedded standards (where you don't have $50 and 10W to run the GUI for some stupid game). Flash access is slow. I know execution direct from Flash is used for some basic 8-bit, and maybe low-end 16-bit parts, but I can't remember the last time I used something that didn't start by copying the Flash code to RAM. In fact, serial Flash is quite common for storing code.
Re: (Score:2)
Sure it gets if it's a single chip, single core ARM system... Of smartphones I dunno if there's been any of those since Symbian (on which you could do it, saved Nokia a bundle).
Not so sure where they got the "trusts everything from the network", I guess to make the article more jizzy.
Maybe next week an article about exploitable DACs (in theory).
Re: (Score:3, Informative)
It's not "stored in firmware". The described OS *is* a firmware.
Conspiracy (Score:4, Funny)
Everyone thinks a virus will cause the Zombie Apocalypse, when in truth it will be a broadcast of "Never gonna let you down" on infinite loop. Rick is Chinese... didn't you know? The same people who make these 'Cell' phones. Cell..... terrorist cells! OMG it all makes sense now.
Re: (Score:2)
Everyone thinks a virus will cause the Zombie Apocalypse, when in truth it will be a broadcast of "Never gonna let you down" on infinite loop.
Which is actually worse.
Re: (Score:2)
Everyone thinks a virus will cause the Zombie Apocalypse
You're out of date. We've moved on to the idea that it will be a fungus from the Cordyceps [wikipedia.org] genus.
Re:Conspiracy (Score:4, Funny)
His real name is Rick Shaw.
Old silent SIM firmware (Score:4, Interesting)
The SIM firmware runs silently and in the background and by some reports, even when the phone is switched off, it continues to slowly ping cell towers, making your phone trackable unless you remove the battery.
Re: (Score:2, Interesting)
Surely a well designed chip can use the power of the radiowaves already in the air, negating the need for a battery...
Re:Old silent SIM firmware (Score:4, Informative)
Surely a well designed chip can use the power of the radiowaves already in the air, negating the need for a battery...
That is exactly how RFID works. However, RFID fields are much stronger and the receiver is much closer.
The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly. There is no way that there is enough energy to actually transmit a signal hundreds of meters.
Re: (Score:2)
The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly.
Wouldn't it be better to power it from ambient light (which was enough to power my calculator 20 years ago, and if there is no light there's no need to change the e-ink display ;) ) or motion?
Shake it to wake it!
Re: (Score:3)
Shake it to wake it!
It would be especially interesting with women who keep their cell in their bras (a not uncommon practice).
Re: (Score:2)
The phone could probably use the power of the radiowaves in the air to do very low power things like perhaps change an e-ink display slightly.
Wouldn't it be better to power it from ambient light (which was enough to power my calculator 20 years ago, and if there is no light there's no need to change the e-ink display ;) ) or motion?
Shake it to wake it!
How much ambient power did your cheap solar calculator generate when it was stuffed inside your pocket?
For over a hundred years, people have been using the power of radio waves to generate enough electricity to operate a radio [wikipedia.org] with earphones.
Uhuh, a radio *receiver*. The energy required to send back to the base station is going to be in the same region as the original signal at source, not once it's been spread out and dissipated, and the losses in electrical inductance are huge... and where are you going to get that from? You can't just get magic energy.
If you're really worried about that, wouldn't a good workaround be to carry a faraday cage with you? For example, an opaque anti-static bag would be helpful (at least according to some random blog post I just read).
Re: (Score:3)
You do realize that unless the cell phone knows where you are it's impossible for you to receive a call.
Or do you expect every cell tower to send out every call request to everyone in the world?
If you don't want to be tracked by your cell carrier, don't carry a cell phone.
Re:Old silent SIM firmware (Score:5, Informative)
What is possible however is that when your device's cellular radio is on and the baseband is enabled, then the SIM can directly use the baseband to communicate with the network using what is called the SIM Toolkit (STK). This can be done with or without the user being informed. The STK also has many features like transforming the numbers you dialed (to seamlessly add a routing prefix, or redirect), filtering calls (block or accept), getting and reporting a location, etc. The specs are public, look for 3GPP TS 31.048 and ETSI 102.223 (using USAT and CAT instead of STK, but it's all the same under different names).
Re: (Score:3)
even when the phone is switched off, it continues to slowly ping cell towers
Got a source for that? According to Samsung and Nokia, they have no idea how that would be possible*. I'm not saying they aren't "under oath to lie about it", but if you're going to pimp that legend, at least enlighten us as to the source of your infallible research on the topic.
[*] http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-how-to-track-a-powered-down-phone/ [arstechnica.com]
Re: (Score:3)
This is 100% bullshit.
I have an old E62 here that was charged 2 years ago and then put in the drawer, off. I just turned it on and it's still charged, in fact 80% charged. If the radio was turning on for ANY reason it would not have that much battery left.
Let's check another... Old unused iPhone 3S here. It also still has 80% charge after sitting for a year unused and off.
and yes they BOTH have a sim card in them. AT&T loves sending out new sim cards every time you get a phone.
But let's go further
Re: (Score:2, Informative)
Or, you could buy something other than an iPhone.
What is a *shielded* faraday cage? I thought faraday cage was *the shield* :-)
Re: (Score:3)
That is why it is getting increasingly tough to find a phone with a replaceable battery.
Or, you could buy something other than an iPhone.
Or a Nexus 4. Or a Nexus 5. Or an HTC One / One X+. Or a Sony Xperia Z1. Or an LG G2. Or a Nokia Lumia 1020.
The AC is correct. A surprising number of high-end smartphones, including Google's own flagship units, have followed Apple by using non-replaceable batteries.
Re: (Score:2)
That is why it is getting increasingly tough to find a phone with a replaceable battery.
Or people just like the aesthetics of a phone without a battery cover.
But by all means, tinfoil on.
Re: (Score:3)
Yes, but with a replaceable battery, you can carry a spare.
I don't know what the deal is with thin -- beyond a certain point it just doesn't matter and in fact, makes the phone harder to hold really. But I don't think people will be happy till phones are as thin as a razor -- who cares about the gashes and gushes of blood so long as the phone is thin thin thin!
MCUs run firmware (Score:3)
Re:MCUs run firmware (Score:4, Insightful)
Yeah, I'm surprised anyone thinks this is news. It's been like this since the days of the grayscale Nokia phones. A phone that is turned off can still be located by the cell towers and it can in some cases be remotely turned on and used as a listening device. Back then security experts advised to remove the battery before you discussed secrets in a corporate or government setting, in order to avoid falling victim to espionage.
I guess it's just not very practical to follow that advice. Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.
Re: (Score:2)
Yeah, I'm surprised anyone thinks this is news. It's been like this since the days of the grayscale Nokia phones. A phone that is turned off can still be located by the cell towers and it can in some cases be remotely turned on and used as a listening device. Back then security experts advised to remove the battery before you discussed secrets in a corporate or government setting, in order to avoid falling victim to espionage.
I guess it's just not very practical to follow that advice. Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.
Probably because some very popular phones make it impossible to remove the batteries.
Re: (Score:2)
Probably because some very popular phones make it impossible to remove the batteries.
Luckily, they still fit in a mylar bag.
Re: (Score:3)
Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.
In labs where classified government work is done (not necessarily very high level classification either) you're often required to put your cell in a box or something outside the lab before you enter. You don't have to turn it off, which makes it fun to figure out whose cell is ringing when you have a whole basket of them.
Re: (Score:2)
Who is answering their phone when it is in a box outside the lab?
1. Someone who has stepped outside for a moment.
2. Someone who hears the phone while they're inside the labs and is expecting an important call. You can step outside.
3. Someone who has been asked to answer Bob's phone if it rings, because he's expecting an important call.
Ringtones.
Is it the practice in your organization to ensure that all ring tones are unique and that assignment is coordinated? Ring tones work for a small number of people who are carrying their phones.
Over-the-air Security Protocols (Score:2)
It doesn't matter if the RTOS and other firmware are secure if you don't have good security in the over-the-air protocols. That's the vector that would be used to get to this, assuming you have decent security on the host processor (or whatever you want to call the thing that runs stupid games). Some time ago I worked on 3G and LTE phy layer stuff, but don't recollect much about the higher layer protocols. Anyone know what sort of security they have?
Re:Over-the-air Security Protocols (Score:4, Informative)
The big thing is that the encryption is between the device and cell (base station). The assumption is that the cell is secure, and behind the operator network is secured by other means. So it's important to protect the cell (eNB in LTE) against compromises. A fake cell won't work as in LTE the authentication is mutual: the UE won't work with any cell, except for an emergency call.
For more details have a look at the 3GPP 33.401 spec [3gpp.org], for example the latest R9 version [etsi.org].
Excessive Peer Review is Anti-Capitalist (Score:2, Interesting)
From the original article, the author (Thom, whom I recognize for his efforts) introduces the topic of peer-reviewing every minutia of the devices we use; he laments about the absence of peer-review in proprietary and closed-source. As an open-source advocate, such a viewpoint is naturally expected and his flashing a light on the subject is always appreciated. [But how does he know? Wouldn't technology companies use security consultants to conduct security audits?]
However, applying the same lines of argu
Re: (Score:2)
TL;DR -- Peer-review everything means trusting nothing, disclosure of everything, and loss of privacy...
Your TL;DR needs a TL;DR.
Re: (Score:3)
Re: (Score:2)
Your argument fails because you conflate the need to trust a tool with the need to trust a person. I need to be able to trust my tools because I'm using them, but I do not need to trust you because I'm not using you.
Now, if you're talking about a slave, then I agree it's a problem if the slave has privacy. But despite it being quite perfectly capitalist, it's been well established that slavery is a bad idea.
What can go wrong? (Score:2)
Re: (Score:2)
Assuming the embedded developers are skilled and can craft excellent low level software in ASM and C then very little.
Hell of an assumption, and yes, I've written low-level embedded code for stuff like this. I don't know how realistic this attack vector is (I worked on MAC/Phy stuff, and don't know the security arrangements of the higher layers), but it's incorrect to assume that otherwise good quality code is secure. Even top-notch coders make mistakes in things that are designed to be highly secure (e.g. SSH), and the sort of stuff being discussed is often designed with little thought to security. Whether it's realistica
Why stop there? (Score:2, Funny)
Why stop there? Every cell phone also runs on an operating system called QM (quantum mechanics). Hack that and you can make the phone do all sorts of really cool things.
Re: (Score:2)
But if someone devises an exploit for QM, the phone will be compromised and not... at the same time.
Comment removed (Score:5, Informative)
Re: (Score:2)
Spectrum is a shared medium, and the worst jammer is a buggy device. Because of this there are strict certification requirements before being legally allowed to put a device over the air. And going through all the associated tests costs a lot of money: it's a lot of time with expensive testing hardware and in the field (after passing the "safe for network" part). It's ex
Everything has software (Score:5, Informative)
By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see. I am not talking about BIOS, which is another type of firmware, that is visible to the user.
EVERYTHING these days has software. Shipping a software patch is cheaper than a recall. This goes back to the old joke - the mechanical engineer thinks it is an electrical problem, the electrical engineer thinks it is a mechanical problem, but they both agree that it should be fixed in software.
This story reminds me of the Simpsons episode where Kent Brockman breaks a story about the government training people to kill on an industrial scale. "They call it the 'Army', but I have a better name - Killbot Factory".
Re: (Score:3)
By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see.
But unlike a cell phone, not every embedded processor is directly connected to a public network.
"What could possibly go wrong?" (Score:2)
What could possibly go wrong?
Oh that's easy.
People who have no effin idea what the hell they are talking about, but feel compelled to spew their opinion and ask stupid questions. You can find them all over the internets and the workplace.
makes little sense (Score:2)
I don't know what that's supposed to mean. AFAIK, the wireless modem is just a device from the point of view of Android or iOS. In addition (depending on the phone), it may also have a direct path to the microphone and speaker in order to make "old fashioned" phone calls. Other than that, in what way is it supposed to interact with cameras, memory, or storag
wtf-am-i-reading.jpg (Score:4, Informative)
This is called "firmware", dipshit.
Non-story, move along.
Re: (Score:2, Insightful)
What.
Re:Risk Mitigation (Score:4, Insightful)
What.
I'm pretty sure this is all hypothetical. Or at least the "guests" part.
Re: (Score:2)
I don't think they're talking about security from the government, because you're right. They can get into the base stations because the carriers are in bed with them. Private efforts might be another story. It does seem like a roundabout and unlikely vector to get to anything useful though, like the data on your cell phone. Possible (though not necessarily likely) reasons for private parties to monitor some of your over-the-air stuff? Put a spoof base station near Wall Street and listen in. That info would
Re: (Score:2)
Yes, I'm sure you can install a cell tower on any building in NYC and no one will notice. Not even the building management.
Re: (Score:2)
Put it in an office, and leave the antenna behind the curtains. Base stations aren't that big or power hungry these days. I'm not saying this is likely, but it is possible.
Re: (Score:2)
Plus it can cook your lunch before 10AM!
Re: (Score:2)
The problem is if the firmware can be hacked over-the-air to turn on the microphone and camera at will. Is this possible? I have always assumed not. However, if the firmware is plagued with security holes, it becomes rather more likely that it is possible.
Google, of course, makes this extremely difficult to do through Android. They do not control the underlying firmware, however.
Re: (Score:2)
I couldn't care less whether I can "trust" the cell tower. What I care about is ensuring that the code running on the radio's processor can't eavesdrop on the code that's running on the phone's main processor (or any of the other devices attached to it).
Re: (Score:2)
Physical security of your cell is important too, lest the Mossad put a bomb in it.
Re: (Score:2)
While true, I am rather less concerned about that.
Although, now that you mention it, I wonder if the firmware could be hacked so as to cause a fault in the battery and cause it to catch fire or explode?
Re: (Score:2)
Good point. Some lithium battery chemistries seem to eliminate the need for separate explosives.
Re: (Score:2)
Sorry, I know you were playing on my seeming paranoia, I apologize for spreading it... :/
Re: (Score:2)
I already do. For one, most strangers are honest, law-abiding people.
Re: (Score:2)
Considering the way the law is interpreted these days, honest is the far more important criterion.
And what makes you think (Score:2)
that any of those strangers are "random". :)
Re: (Score:2)
No, but I provide aluminum foil if anyone wants to make their own.
I'm thinking of framing this as an etiquette issue. We take our shoes off at the door to avoid tracking dirt and the occasional dogshit through the house. Similarly, we leave our cellphones at the door so as to more fully engage with each other in the tranquility of a peaceful home ... and leave the spy shit at the door.
Re: (Score:2)
It does apply to everything electronic, but not everything has camera AND microphone AND gps AND permanent attachment to the Internet. The only other electronics I would be concerned about would be tablets and possibly laptops (might end up with charging stations for those, too).
Can you think of anything else that should be isolated? WiFi-enabled LED lights and WiFi access points are potential contenders, but I am choosing not to worry about those until actual evidence of their exploitation pops up.
Re: (Score:2)
AND permanent attachment to the Internet
Not so much, there is always Airplane Mode
All the other OS, too. (Score:5, Informative)
The situation isn't that much different from a desktop user connecting to the internet over an xDSL/cable/whatever modem without first overwriting its firmware with a secure one (at least, with a modem, the user is the one uploading the firmware, and as most are Linux based, it's easy to have a more or less secure firmware. Unlike the GSM/GPRS/LTE chip which is handled by the service provider, though there exist ISP-remote-administered modems).
And with TFA's phone example, there's the OS running inside all the various relays (a different machine inside the cell tower, router, service provider's main router/server, tons of other routers along the optical fiber road [including a few NSA listening stations, the moment this road crosses the North American continent], a group of mail servers receiving, storing and retrieving mail, then again a long chain of servers and routers [and another NSA listening station and/or FSB's or MSS's or ONYX's or ...] up to the recipient's service provider, then the user's home router [with the xDSL and the Wifi firmware as additional steps inside, not necessarily open source, although some chip makers are helping a lot], and finally the recipient's tablet [+/- an additional closed firmware on that chip too]).
All these steps could corrupt (unintentionally) or tamper (on purpose) or listen [hello NSA] on anything that is sent in the clear.
Sending things on the internet is as secure as sending a post card, especially back when much more of the processing was handled manually. Except that the current equivalent of my example's post-office employees are much less moral. And except that the post office happens to have a weird guy who's obsessive-compulsive about xeroxing every single post card he handles and storing it in a binder "just in case he needs to publicly embarrass someone in the future, and also to unmask communist conspiracies", whose name is either Ned S. Andale or Feodor Stefanov Bakunine. Also except that there are at least 3 such guys in 99 out of 100 post offices.
Again the only way to trust your data is to practice end-to-end encryption. Encrypt it on your phone before sending it away. Decrypt it only on the receiving tablet.
An untrusted phone firmware is nothing new, and isn't much different from the trust in the OS running on another server along the transmission chain.
With one small difference: when you remove the battery of a phone, everything is shut off: your Android running on your big octa-core big.LITTLE ARM CPU, but also the proprietary real-time system running inside the small ARM core inside the radio chip (that in practice functions as if owned by the phone company whose SIM is inserted).
Whereas, you can't just walk out and pull the cable of the NSA/FSB/whatever listening station in the middle of somewhere in the USA.
Xerox (Score:2)
Yup, that's why I said my "post-card example with manual handling" doesn't do justice to current reality.
You need to add a bunch of lunatics with a strange fetish for Xerox machines to make it more similar to today's situation.
And according to your source, there *are* actual copy-machine fetishists in post offices.
Re:All the other OS, too. (Score:5, Interesting)
I think you misread what the author is saying. The problem is not the fact that communications originating from your phone are potentially insecure (the situation you're trying to compare with the DSL modem and the myriad routers). The problem is that, the author alleges, the smartphones are primarily controlled by the baseband processor firmware; according to the author this piece of code is the governor of everything that happens on your phone. That means, with the appropriate base station changes, anyone can access your phone while sitting in your pocket, can activate the cam, the microphone, can access the contents of its memory card, etc.
I do not fully trust the author because as far as I understand the baseband processor is supposed to control only the radio and nothing else. That means wifi, gsm and bluetooth. I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion. But then again I'm not knowledgeable enough to be certain about any of this.
If the article is correct then this is one of the scariest things I've read in a long time.
Re:All the other OS, too. (Score:4, Funny)
That means, with the appropriate base station changes, anyone can access your phone while sitting in your pocket
My pockets are not large enough for anybody to sit in there. Not much of a danger here.
can activate the cam
That's a good idea. That way he'll see where I'm carrying him in my pocket.
Doesn't match the architecture. (Score:5, Informative)
I do not fully trust the author because as far as I understand the baseband processor is supposed to control only the radio and nothing else. That means wifi, gsm and bluetooth.
Usually, Wifi is handled by another chip, with its own different firmware. This might have started changing now with more consolidation sought by system integrators.
Frequently GPS is also handled by the radio sub-system.
(That's why you have feature phones with GSM + Bluetooth but no Wifi; that's also why Wifi-only tablets also lack GPS [early iPads, for example].)
In some rare occurrences, this chip can also communicate with SD cards (it has an SPI interconnect).
(That's very frequent in USB 3G/4G modems. It's basically a standard radio chip, with the Bluetooth and GPS functions turned off and packaged inside a USB stick, with an SD card reader as a bonus. But instead of talking to a main system ARM running Android, it talks over a USB chip to a whole computer/laptop running Linux or Windows. Note that a recent exploit mentioned on /. found a way around the firmware limitation, and forcefully turned the Bluetooth on, creating a possible extra entry point and thus extending the attack surface.)
I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion.
Yup. For all the designs I've seen (and some smart phones have 100% fully open designs, such as the various OpenMoko boards), the radio chip is just a blackbox device talking over some limited channel to the main SoC (in OpenMoko GTA02/03 it's something imitating a serial interface. There's not much difference between an old PC talking to an analog modem over serial and an OpenMoko talking to the radio chip).
Then usually the main SoC talks to the other peripherals: RAM is directly soldered to the CPU in a Package-on-Package fashion, so it's completely inaccessible. Camera, sound chip, memory card, charger controller are also connected to the SoC on other channels (SPI, I2C, etc.)
But then again I'm not knowledgeable enough to be certain about any of this.
When thinking hard there would be a few broken designs where this could happen.
Note that such designs are to be considered broken. Having so little isolation toward the chip that is constantly talking to the outside and downloading updates is a serious security and stability issue.
And stability *IS* an issue: I've had problems with an old phone (not supported anymore by the manufacturer) having bad updates on its modem and having problems.
(Once I needed to call my service provider and then, after a long debugging session and several attempted upgrades [over the air], I ended up changing SIM).
Possible such bad designs:
- Fully integrated chips: where one single chip is responsible for everything on the phone.
That's the situation with Qualcomm's Snapdragon. Okay, the phone maker will spare an extra chip and room on the PCB.
But that's pure nightmare fuel regarding security and stability.
(When a HP Pre 3's modem crashes, the whole phone freezes and crashes. There are entire forum threads about this).
- Everything on the same bus: several common interconnect in smartphone (like SPI) can talk to several chips on the same bus.
If the SoC (of course), the camera, audio codec AND the radio are all on the same bus, the radio chip could pull some shit and disturb the bus (to act as if it was a master and turn on the camera, then listen on the bus to eavesdrop on audio and video packets which were destined to the main SoC).
That's an awful design, both from a security point of view (the modem should be considered untrusted) and quality (a crashed radio could crash other components, also they all have to share the very limited bandwidth on the bus: SPI has only 100Mbit/s, for instance).
The modem should b
Re: (Score:2, Informative)
I've seen this before, but I've never actually looked at any phones' schematic to prove it's true.
Take a look at Replicant [replicant.us], a fork of Cyanogenmod for people who are religious about software freedom. Replicant aims to have absolutely no proprietary software, but so far, none of their supported phones achieve that. They all have a statement along the lines "Modem firmware is non-free and there is no free alternative" and another saying "The modem controls CPU memory (read/write)".
The closest thing to a free p
Re: (Score:3)
" I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion."
Because it is simpler/faster/easier/cheaper to simply give the baseband DMA, and once that is done any notion that the ARM chip is truly a 'master processor' is gone with the wind.
It's not, it's the games and graphics coprocessor. It does not have control of the system and could not
Re:All the other OS, too. (Score:5, Interesting)
When the baseband is in a separate die, connected with some interface like SDIO for QCOM, HSI, USB HSIC,
I believe the article is a bit sensationalistic and misses the real danger: a compromised base station. That's what the source articles quoted talk about. If you can compromise a cell you can spy on traffic without any attack on the UE (encryption is only between device and cell). A fake cell is an issue with 2G but since then authentication is mutual: in LTE a device does authenticate the cell too, and won't work with a fake one. But that doesn't protect against a compromised cell. This is a risk with small and femto cells mostly, as macro cells are easier to protect. The only interest I see in compromising the BB is to use it as a vector to attack the host processor (which has been done), where you have access to much more interesting stuff. This requires a security exploit on the host side too. On its own the BB isn't really very interesting as an attack target.
While I'm at it, there are other not very serious claims here. The fact that one can redirect calls to voice mail with an AT command has nothing to do with baseband security. A baseband supports a control interface, and usually even two: 1) a modern but proprietary interface and 2) the standard but old fashioned AT interface. You can do a lot with these commands, no need to compromise the BB. But normally such access is limited to trusted applications, so if anyone can access this it's a host security issue, not a baseband issue.
The baseband doesn't contain one RTOS but usually several instances. There's at least one RISC core (typically ARM), possibly more. At least one DSP, possibly more. With likely more than one OS: having an instance running Linux is common, with other(s) on RTOS or even bare-bones schedulers (depending on the complexity of the task at hand and timing constraints). That can vary a lot depending on each BB design, but as a rule of thumb for a modern LTE capable BB expect two RISC cores and two DSPs (YMMV).
The mutual authentication I've talked about already. Here the practical issue is that when the next gen is out there's not much interest in doing big upgrades to previous generations. So the lack of network authentication in 2G will stay with us until 2G is phased out, which is still a few years away in most places (big Japan networks have already killed 2G however).
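The distinction the post above draws between a fake cell (stopped by mutual authentication) and a compromised cell (not stopped, because it holds the real keys) can be made concrete with a toy challenge-response model. This is an added illustration, not code from the original thread and not the real 3GPP AKA procedure: the key K, the HMAC-based AUTN/RES derivation and the class names are simplifying assumptions chosen to show the shape of one-way versus mutual authentication.

```python
"""Toy model: one-way (2G-style) vs mutual (3G/LTE-style) cell authentication.

Constructed example; HMAC-SHA256 stands in for the real AKA functions (f1..f5),
and a single shared key K stands in for the SIM/home-network secret.
"""
import hashlib
import hmac
import os

# Constructed demo key shared by the SIM and the (genuine) network; not a real value.
K = hashlib.sha256(b"constructed-demo-subscriber-key").digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenation of parts (assumption: stands in for f1/f2)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class UE:
    """The phone: knows K via its SIM."""

    def __init__(self, key: bytes):
        self.key = key

    def respond_one_way(self, rand: bytes) -> bytes:
        # 2G-style: answer any challenge; the network is never checked.
        return mac(self.key, b"RES", rand)

    def respond_mutual(self, rand: bytes, autn: bytes):
        # LTE-style: verify the network's proof (AUTN) before answering.
        expected = mac(self.key, b"AUTN", rand)
        if not hmac.compare_digest(expected, autn):
            return None  # reject: this cell could not prove knowledge of K
        return mac(self.key, b"RES", rand)


class GenuineNetwork:
    """A legitimate (or compromised-but-legitimate) cell: has the real key material."""

    def __init__(self, key: bytes):
        self.key = key

    def challenge(self):
        rand = os.urandom(16)
        return rand, mac(self.key, b"AUTN", rand)

    def verify(self, rand: bytes, res: bytes) -> bool:
        return hmac.compare_digest(mac(self.key, b"RES", rand), res)


class FakeCell:
    """A rogue base station without K: it only wants the phone to attach."""

    def challenge(self):
        rand = os.urandom(16)
        return rand, os.urandom(32)  # cannot compute a valid AUTN, so it guesses

    def verify(self, rand: bytes, res: bytes) -> bool:
        return True  # accepts anything


def attach_one_way(ue: UE, cell) -> bool:
    """2G-style attach: only the network checks the phone."""
    rand, _ = cell.challenge()
    return cell.verify(rand, ue.respond_one_way(rand))


def attach_mutual(ue: UE, cell) -> bool:
    """LTE-style attach: phone checks the cell, then the cell checks the phone."""
    rand, autn = cell.challenge()
    res = ue.respond_mutual(rand, autn)
    if res is None:
        return False
    return cell.verify(rand, res)


if __name__ == "__main__":
    phone = UE(K)
    print("2G, fake cell    :", attach_one_way(phone, FakeCell()))        # attaches
    print("LTE, fake cell   :", attach_mutual(phone, FakeCell()))         # rejected
    print("LTE, genuine cell:", attach_mutual(phone, GenuineNetwork(K)))  # attaches
```

Note what the model does and does not show: `FakeCell` fails under `attach_mutual` because it cannot produce a valid AUTN, but `GenuineNetwork(K)` represents any cell that holds the real authentication vectors, so a compromised femto or small cell passes exactly as a healthy one does. That is the point of the comment above: mutual authentication removes the fake-cell problem, not the compromised-cell problem.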
Re: (Score:3)
It's not a separate operating system. ... It is not part of the main ARM processor
"It is not part of the main ARM processor" means it's a separate processor, which is correct, and it does run a separate OS (RTOS really).
It is the definitions for the SDR ASIC in the phone.
If it's SDR, then it must be running on a processor. In practice, it's a mix of hardware and software implementation. For example, despreading CDMA signals is easy to do in hardware, and a complete waste of a processor's power in software. There are probably also one or more DSP's buried in there somewhere. Despite some extensions for light-duty stuff, ARM is not a good c
Re: (Score:2)
BZZT WRONG. I have seen the Nexus 4 hardware and I know for a fact that it does contain a separate CPU for the baseband.
Re: (Score:2)
I run an aftermarket radio on my Nexus 4 that enables LTE.
It's not a separate operating system. It is the definitions for the SDR ASIC in the phone. It is not part of the main ARM processor - its memory is just mapped through it to facilitate programming.
What the hell is wrong with Slashdot these past few years? It seems that ever since the dice buyout the place has just gone in the shitter.
The place was going downhill long before then. It's like anything that's open to the general public. There's always someone who thinks he can garner 15 seconds of Internet fame by posting to geek paranoia.
Re: (Score:2)
"It seems that ever since the dice buyout the place has just gone in the shitter."
There is too much money for it NOT to go in the shitter. Knifing that baby was worth millions of dollars. It was a good run, but as Slashdot inevitably descends further into suckage there is nothing the user base can do. It's not our site. It doesn't belong to us. Not our property.
Time to find an alternative to Slashdot and just use this place for lulz.
Re: (Score:2)
Because it's harder to exploit.
Did you know that inside EVERY SINGLE electronic circuit is an "OS" that is trusted for EVERYTHING? It's called "the laws of physics". If that circuit gets a signal to switch on, EVEN FROM A MALWARE AUTHOR, *it will switch*.
Worse, there's absolutely NO WAY to remove it!
QUICK! HIDE FROM THE PAEDO TAKING OVER YOUR COMPUTER!!!!
It doesn't even need a malware author. A stray electronic field is usually enough to flip the switch on or off or more likely completely burn it out.
Re: (Score:2)
I learnt recently that these baseband processors are controlled over a serial connection, and talk old-school Hayes AT commands.
So if this is true, then it should be reasonably easy for hobbyists to buy baseband processors off the shelf and interface them to microcontrollers or Arduino or whatever fairly easily, and get instant Wi-Fi/Bluetooth/cellular data support?
Yes, and pretty much every site that sells Arduinos and other microcontrollers sells them.
Have you never actually looked? Do a search on "GSM" on any of those sites, there's a zillion modules with various GSM chipsets. Trivial to make calls, handle data, send/receive SMS, etc ...
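The exchange above (and the earlier comment about the AT control interface) talks about the module speaking Hayes AT commands over a serial line. As an added example that is not part of the original thread, here is a small parser for that response format run over a constructed session transcript: it splits the stream into command / information lines / final result code, and decodes the standard +CSQ (signal quality) and +CREG (network registration) replies from 3GPP TS 27.007. The transcript bytes are made up for the demonstration, not captured from a real module, and no serial port is opened.

```python
"""Parse Hayes/3GPP AT command responses from a serial transcript (constructed input)."""
import re

# Constructed transcript of a session with a GSM module: each command is echoed
# followed by CR, then information lines and a final result code, CRLF-terminated.
TRANSCRIPT = (
    b"AT\r\r\nOK\r\n"
    b"AT+CSQ\r\r\n+CSQ: 20,0\r\n\r\nOK\r\n"
    b"AT+CREG?\r\r\n+CREG: 0,1\r\n\r\nOK\r\n"
    b"AT+BOGUS\r\r\nERROR\r\n"          # unsupported command -> ERROR
)

# Final result codes defined by the AT command set (V.250 / 27.007).
FINAL_CODES = {"OK", "ERROR", "NO CARRIER", "BUSY", "NO DIALTONE", "NO ANSWER"}

CREG_STATUS = {
    0: "not registered, not searching",
    1: "registered, home network",
    2: "not registered, searching",
    3: "registration denied",
    4: "unknown",
    5: "registered, roaming",
}


def is_final(line: str) -> bool:
    """True for OK/ERROR-style verdicts, including extended +CME/+CMS errors."""
    return line in FINAL_CODES or line.startswith(("+CME ERROR", "+CMS ERROR"))


def split_responses(raw: bytes):
    """Split a session into (echoed_command, info_lines, final_result) triples."""
    results = []
    cmd, info = None, []
    for line in raw.decode("ascii", errors="replace").split("\r\n"):
        line = line.strip()          # drops the stray CR left after an echoed command
        if not line:
            continue
        if line.upper().startswith("AT"):
            cmd, info = line, []     # start of a new command/response exchange
        elif is_final(line):
            results.append((cmd, info, line))
        else:
            info.append(line)        # information response or unsolicited result code
    return results


def signal_quality(info_lines):
    """Decode +CSQ: <rssi>,<ber>; returns (rssi, ber, dBm) or None if absent."""
    for line in info_lines:
        m = re.match(r"\+CSQ: (\d+),(\d+)$", line)
        if m:
            rssi, ber = int(m.group(1)), int(m.group(2))
            # 27.007 mapping: 0 = -113 dBm or less, 31 = -51 dBm or more, 99 = unknown
            dbm = None if rssi == 99 else -113 + 2 * rssi
            return rssi, ber, dbm
    return None


def registration(info_lines):
    """Decode +CREG: <n>,<stat> into a human-readable registration state."""
    for line in info_lines:
        m = re.match(r"\+CREG: (\d+),(\d+)", line)
        if m:
            return CREG_STATUS.get(int(m.group(2)), "reserved")
    return None


if __name__ == "__main__":
    for cmd, info, final in split_responses(TRANSCRIPT):
        print(f"{cmd:<12} -> {final:<6} {info}")
    exchanges = split_responses(TRANSCRIPT)
    print("signal:", signal_quality(exchanges[1][1]))   # (20, 0, -73)
    print("reg   :", registration(exchanges[2][1]))     # registered, home network
```

Feeding this the bytes read from a module's serial port (for example via pyserial's `Serial.read()`) is the obvious next step; the parser deliberately treats any non-final, non-echo line as an information line so that unsolicited result codes such as +CREG updates are kept rather than dropped.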
Re: (Score:2)
I know you can buy modules like that for embedded designs. I don't know where a hobbyist can get something with a power supply and an RS-232 port, but I find it hard to believe that nobody makes it. As long as all the wireless protocol stuff is in the module, it should be possible to get a cert.
Re: (Score:2)
Sparkfun has them for $50. https://www.sparkfun.com/products/10138 [sparkfun.com]
Re: (Score:3)
They're talking about a situation where the attack vector is over-the-air, not via the secondary processor (the correct name for the thing that runs games instead of a radio). I don't know whether this is realistic, but it is what's being discussed.