What Secrets Lurk In Your Cellphone Baseband

It was only a few months ago that we heard of a DoS for Android devices that mishandled the reception of a bunch of class 0 SMS messages, and the astute readers of this blog will recall this was fixed in Android 4.4 (at least for the Nexus branded devices).

I have spent my spare time playing with cellular basebands from a variety of cellphones of all operating system persuasions and at the risk of sounding alarmist will state – perhaps prematurely – that there are certain “features” that you, the owner of the cellular device likely don’t know about that could potentially violate your privacy in ways that you potentially haven’t even considered. We’re not just talking about relatively well known issues like the misuse of malformed class zero SMS messages as a way to “ping” phones to generate network traffic and thus assist with geolocation. This goes beyond that.

Anyone with a cellular phone needs to know that even if you run an AOSP build that you self compiled (and carefully source audited) that those binary blob drivers – often from Qualcomm – and the cellular baseband in its entirety may betray your attempts at achieving the privacy that should be a basic human right.

I been somewhat surprised at E911 and the way some carriers have implemented this “feature” – which can be invoked without 911 or 112 being dialed, but the real juicy stuff is buried deep in your phone. The ability to listen to your microphone without your consent or knowledge has been documented as fact and known by the FBI, an organization that is proud of stepping on the constitutional rights of Americans, as a “roving bug”.

I would argue that there would be a void in the market for a cellular phone that is provably secure (of course software can have bugs, but at least lay everything on the table and have some of the brightest minds in our industry examine it – keeping the number of lines of code down will make this task easier) and furthermore incorporates integrated encryption – not just over UMTS or other mobile IP services – but over the standard and GSM compressed voice channel. Although quality may be average this has been a long sought after feature.

That said – nothing will ever stop your carrier from finding you using radiolocation. Unfortunately this is just something we cannot design out.

2 thoughts on “What Secrets Lurk In Your Cellphone Baseband

  1. Mike,

    With regards a “secure phone”, sorry it cannot be done…

    The reason is that to get approval for connection a GSM phone has to go through a fairly strict test requirment.

    Thanks to the UK gov through what is now BT the specification requires for “safety reasons” the “operator listen in feature” as do IIRC all ISDN phones, and certainly in the UK all CO switches and PABX lines.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s