OSNews On Cell Baseband Vulnerabilities

OSNews has an interesting article on the potential security-vulnerability goldmine that is the modern phone baseband. I have a lot more to add on this subject, including how the baseband could covertly aid surveillance of a phone user, but I will leave that for a more thoroughly researched article that I will no doubt post on this blog at some point in the near future (think E911 geolocation, and remote enabling of auto-answer to create a “walking bug”, as the FBI has been known to call them).

2 thoughts on “OSNews On Cell Baseband Vulnerabilities”

  1. Mobile phones are complex beasts, and the standards they rely on make several six-foot piles of A4 printout… but worse still, many of these standards are either reliant on or derived from many other standards dating back to the 1950s or earlier.

    When you look at a simple mobile phone it consists of two computing units. The most obvious is the “Baseband processor”, which controls the radio, audio, modem and other hardware such as the keypad and LCD. This is generally a bespoke system which may be based on a commercial Real Time Operating System (RTOS) and has been certified to meet –albeit barely– the certification requirements. However, by and large the way such systems are developed is that the “chip vendor” supplies example code along with example layouts that the phone manufacturer uses with little or no examination. The RTOS and baseband control software are reused from previous phone designs that may be ten or more years old…

    The second processing system in a simple mobile phone is the Subscriber Identity Module (SIM), and this is supplied by the service provider you wish to connect the mobile phone to, and in theory the interface between the Baseband Proc and the SIM is fully described (it’s not). Importantly the SIM, whilst not requiring an RTOS, has a standard interface to the “network” and acts as the “master” in many functions…

    Often the SIM has a Java interpreter within it along with some kind of crypto engine which is responsible for many of the security functions. Unfortunately about 1/6th of the SIMs only have single DES, which means that Over The Air (OTA) updates to the SIM are far from secure. Even when using a more secure algorithm the crypto keys are not really kept secure and are handed out to many entities that “sub contract” etc. The FBI are known via court records to use OTA of the SIM to make finding users and logging data sent/received via Pico/Nano Cells very simple. Also many other SIMs suffer from “buffer overflow” type problems which can be used to totally avoid any security on the SIM with a couple of malformed packets.

    The next issue is that the SIM can force the baseband unit to be OTA updated or “augmented”; this is known to be a secondary attack vector by the FBI to get raw access to data held on the baseband processor such as “phone books” and “call lists” etc.

    So any mobile phone, simple or smart, can be easily “owned” by those with access to the OTA interface. Thus the TLAs don’t need or really want to get access to the third processor on a smart phone unless it’s being used in a way to either obscure communications or provide further evidence (I’ll leave moot the question of planting evidence for a “Parallel Construction”).

    With regards to the “Silent answer”, this is not a “software bug” but a requirement going back to the 1950s by GCHQ/MI5 that the then General Post Office (GPO, now BT) ensured got into the early digital standards, and they have continued to ensure its continuance in all modern standards.

    • Clive: thanks for your lengthy response. I was having to get ready for travelling and knew that if I mentioned anything more than just a link to the other sites I would be wasting hours writing about the many issues I have with UMTS hardware and the current state of the modern “smartphone”. The USIM “javacard” spec is a disaster. The interesting thing is that most of the features of the modern USIM lie unused; hell, even the integrated phone book isn’t used by most smartphone users, who instead save their address book in phone memory (probably due to silly things like arbitrary length limits on names and the fact that multiple numbers can’t be defined for a single contact without kludges that don’t carry from one phone to the next, not to mention that non-text data that could be useful, like address fields, isn’t catered for). Naturally on modern phones your address book is sync’d to the cloud by default, and that’s just the way the intelligence agencies like it. Another route to compromise someone’s phone that is rarely spoken about is not just the OTA update feature but – in the case of Android – the Google market updater. This allows Google to side-load an app onto your device without your consent or even knowledge. Most who own an Android phone will have seen the “Google settings” menu appear overnight with no prompting about a year ago. This is the kind of power they have. Not to mention the fact that the Android Device Manager – which can interrogate your phone and return a GPS ping from their web interface (billed as a feature to locate or remotely wipe lost phones) – is turned on by default, and many non-technical users don’t have any idea the thing exists. And then we get into lower-level stuff: baseband E911 responses. In an enabled phone your cell can quietly (this occurs outside Android, obviously, so you won’t see the GPS icon) enable your GPS and send the coordinates back to your carrier (who will then kindly forward the info to law enforcement).
Even with phones that lack this feature (or some carriers, like Verizon for example, implement it in userland as an app that is trivial enough to remove – the way some implementations work is also trivial enough to spoof; for example, one carrier’s app intercepts a specially crafted class 0 SMS that never gets shown to the user like a normal flash SMS, and the software will automatically respond with lat/long every X minutes until cancelled. If you have an SMSC that will route class 0s, and many will, you could send such a request to a phone and get a ping response back, theoretically) it is not good news all ’round. Of course even if this didn’t exist they could use radiolocation (i.e. triangulation) without the handset’s cooperation, but I think the increased granularity of GPS along with the “active” nature makes it a much more dangerous invasion of privacy. Here’s the kicker: phones that are sold elsewhere in the world may have a US carrier’s E911 implementation. My Nexus 4, for example, has the cell broadcast parser for American amber and presidential alerts. Another issue is that carriers were allowed to design their own spec for location info, so there’s no standard and the specs are all closely guarded, and the only way you’d likely be able to discover it would be through a slightly black-hat technique: use an SDR to emulate a handset, make a 911 call and wait and see if they send any voodoo to the phone. Of course you’d be wise to use a fake IMEI ;-). At least you can do 112/911 without SIM auth.
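The class 0 (“flash”) SMS path mentioned in the reply above is the kind of thing worth being able to spot on the wire, so here is an added example that is not part of the original post or its comments: a minimal decoder for a GSM SMS-DELIVER PDU (field layout per 3GPP TS 23.040) that pulls out the TP-DCS byte and classifies it per 3GPP TS 23.038, answering the one question a practitioner cares about here: is this message class 0, i.e. something the handset shows at once and never stores, and which an intercepting app could consume without leaving anything in the inbox? The sample PDU is a constructed textbook message (“How are you?” from a fictitious sender), not captured traffic; the GSM 7-bit default alphabet is approximated by ASCII for the printable characters used; messages with a user-data header are not text-decoded; and the carrier-specific request payload the reply refers to is unknown and not guessed at.

```python
"""Decode a GSM SMS-DELIVER PDU far enough to tell whether it is a class 0
(flash) message.  Added example, not code from the original post.
Layout: 3GPP TS 23.040 (SMS-DELIVER); TP-DCS semantics: 3GPP TS 23.038."""

# Constructed sample (well-known tutorial PDU, fictitious numbers), split into
# fields: SMSC | first octet + originating address | PID | DCS | SCTS | UDL | UD
_HEAD = "07911326040000F0" + "040B911346610089F6" + "00"
_TAIL = "20806291731408" + "0C" + "C8F71D14969741F977FD07"
SAMPLE_NORMAL = _HEAD + "00" + _TAIL   # DCS 0x00: no class, stored in inbox
SAMPLE_FLASH = _HEAD + "10" + _TAIL    # DCS 0x10: class 0, shown and discarded


def _bcd_digits(raw: bytes) -> str:
    """Semi-octet BCD digits, low nibble first; 0xF is a filler nibble."""
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)


def _address(raw: bytes, ndigits: int) -> str:
    """raw[0] is the type-of-address octet; TON 001 = international ('+')."""
    toa = raw[0]
    digits = _bcd_digits(raw[1:1 + (ndigits + 1) // 2])
    return ("+" if toa & 0x70 == 0x10 else "") + digits


def _unpack_7bit(data: bytes, septets: int) -> str:
    """GSM 7-bit unpacking (LSB first).  ASCII approximates the default alphabet."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(acc & 0x7F))
            acc >>= 7
            nbits -= 7
    return "".join(out)


def message_class(dcs: int):
    """Return the message class 0..3 the TP-DCS assigns, or None if it assigns none."""
    group = dcs >> 4
    if group <= 0x3:                        # general data coding indication
        return dcs & 0x03 if dcs & 0x10 else None   # bit 4: class bits valid
    if group == 0xF:                        # data coding / message class group
        return dcs & 0x03
    return None                             # MWI groups and reserved values


def alphabet(dcs: int) -> str:
    group = dcs >> 4
    if group <= 0x3:
        return {0: "gsm7", 1: "8bit", 2: "ucs2"}.get((dcs >> 2) & 0x3, "reserved")
    if group == 0xF:
        return "8bit" if dcs & 0x04 else "gsm7"
    return "unknown"


def parse_deliver(pdu_hex: str) -> dict:
    """Parse an SMS-DELIVER PDU (with leading SMSC field) into its key fields."""
    pdu = bytes.fromhex(pdu_hex)
    i = 0
    smsc_len = pdu[i]; i += 1
    smsc = _address(pdu[i:i + smsc_len], (smsc_len - 1) * 2); i += smsc_len
    first = pdu[i]; i += 1
    if first & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    udhi = bool(first & 0x40)               # user-data header present
    oa_digits = pdu[i]; i += 1
    oa_len = 1 + (oa_digits + 1) // 2
    sender = _address(pdu[i:i + oa_len], oa_digits); i += oa_len
    pid, dcs = pdu[i], pdu[i + 1]; i += 2
    i += 7                                  # TP-SCTS timestamp, not needed here
    udl = pdu[i]; i += 1
    ud = pdu[i:]
    text = _unpack_7bit(ud, udl) if alphabet(dcs) == "gsm7" and not udhi else None
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "alphabet": alphabet(dcs), "message_class": message_class(dcs),
            "udhi": udhi, "text": text, "user_data": ud}


def is_flash(pdu_hex: str) -> bool:
    """True when the PDU carries a class 0 message (display-only, not stored)."""
    return message_class(parse_deliver(pdu_hex)["dcs"]) == 0


if __name__ == "__main__":
    for label, pdu in (("normal", SAMPLE_NORMAL), ("flash", SAMPLE_FLASH)):
        m = parse_deliver(pdu)
        print(f"{label}: from {m['sender']} dcs=0x{m['dcs']:02X} "
              f"class={m['message_class']} flash={is_flash(pdu)} text={m['text']!r}")
```

The two samples differ in exactly one byte, the TP-DCS, which is the whole point: nothing in the sender, timestamp or text distinguishes a message the phone will keep from one it will display (or hand to an app) and forget. If you are logging PDUs from a modem or an SDR-based monitor, keying an alert on `message_class(dcs) == 0` is the cheap first check; the TP-PID byte is the other one worth watching, since non-zero values select things like SIM data download rather than ordinary display.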
