Ask HN: How would French police locate suspects by tapping their devices?
Would they base it on exploits? Would they have to require manufacturers to add police APIs on the devices? Would a remotely activated camera / microphone / location get the active camera / microphone / location indicator?
55 minute edit: It seems like for simple stuff, like coarse location they can get it through the carrier; I assumed as much and it's relatively easy to get it done. For other stuff, rootkits and exploits are developed by some intelligence agencies which require manufacturing consent or physical interception. Then there's also groups that sell OS levels exploits such as the NSO group.
I'm guessing in the case of software exploits, the indicators would appear for camera / mic / gps. But maybe for hardware exploits they could bypass the circuitry? Seems like a lot of work for non-high-profile targets.
Later edit: Keyword "baseband" seems to be the most likely attack vector
[0] https://apnews.com/article/france-surveillance-digital-devic...
91 comments
[ 6.2 ms ] story [ 222 ms ] threadIt's rootkits/RATs, just malware developed by intelligence services and/or some technical branches of police, although they sometime hire external contractors for this.
They use exploits or physical access.
AFAIK there is no manufacturer giving backdoors to the french government(but the US and China definitely have some, I wouldn't be surprised if the US shared some access for major cases)
https://translate.google.com/?sl=auto&tl=en&text=ortungswanz...
The baseband is an embedded computer inside the phone that controls the device’s sensors and radios. It runs off of its own OS and is separate from the consumer-facing OS. The phone’s OS then talks to this embedded system.
All phones do this, even the iPhone whose baseband OS was some variant of L4 Linux, IIRC.
Various Intelligence Community people and documents have made statements that they can remotely activate the baseband to interact with a target device.
Also I could be thinking of something else entirely so, before repeating this, you'll probably want to google it.
why? because power.
what do do about it? get power. how to do that? dunno. If I told you then my own purported (and protracted) attempts would diminish. at least we don't get assasinated to death anymore..... ahahahaha (just our characters, andor career prospects, etc)
Basically rooting the phone but on a firmware level?
But is it still recording for later transmission? Perhaps!
This gives a trivial way to detect of the device is listening passively, at least on the workbench.
This microphones take 2.4 MHz clock and return PDM (pulse density modulation) signal. Does not seem very convinient for old-school analog electronic circuits, but it's pretty trivial to interface with any micro with pulse counter hardware.
And presumably the audio won't have any hum or interference from nearby radio transmitters, which is especially useful in cell phones.
[0] https://www.digikey.com/en/products/detail/cui-devices/CMM-4...
If this is true (and I generally believe this is is), and if basebands do indeed have backdoors for the government, why hasn't anyone found them? Why haven't we seen CVEs on this?
Can anyone point to a published baseband CVE that smells like a government plant, rather than a well-intentioned accident?
CVEs come out of Mitre, but lots of countries have equivalent systems or tracking codes. Further, large companies are pre-allocated blocks of CVEs to use.
But it’s irrelevant. The original position was that if govt are putting obvious remote access into devices, why has nobody ever seen and blogged or tweeted about it?
Now, can anyone definitively prove that they are back doors and not mistakes or exploits? No. But that's thanks to the age old "Never ascribe to malice that which is adequately explained by incompetence."
Is that talk recorded somewhere?
Title: "Over the Air, Under the Radar: Attacking and Securing the Pixel Modem" Summary/Slides: https://www.blackhat.com/us-23/briefings/schedule/#over-the-... YouTube (48 minute): https://www.youtube.com/watch?v=QrkB_enz2Pk
Talk at black hat =/= everyones devices are de facto vulnerable. For as tech savy as this forum is, its surprising how many people are not well read up on security.
The summary of vulnerability is this - if you use a cellular network, your baseband chip vulnerability is next to irrelevant. Your location can be triangulated from radio signals, and its likely that there are messaging contacts and calls that are logged that use the respective celluar services.
Now for pure data transmission from a secure messaging app. Most of the communication for privacy is done using end to end encryption apps like Telegram. While those can be compromised, those require a direct targeted attack on the device, you cant just remotely do this over the internet.
> Modern smartphones have a CPU chip, and a baseband chip which handles radio network communications (GSM/UMTS/LTE/etc.) This chip is connected to the CPU via DMA. Thus, unless an IOMMU is used, the baseband has full access to main memory, and can compromise it arbitrarily.
> It can be safely assumed that this baseband is highly insecure. It is closed source and probably not audited at all.
The problem is less that there are identified issues, and more that the variety of hardware and vulnerability of the implementation is suspicious.
To my knowledge the situation has changed nowadays and IOMMUs on smartphone SoCs are now common. Having said that I still don't rate the security of any smartphone and you should assume it will get compromised. There's a million reasons for this:
- Baseband is still radioactive and probably trivially compromised by any nation-state adversary so it's all down to the IOMMU.
- IOMMUs are hard to configure correctly and frequently misconfigured by drivers which don't use them correctly.
- Any host driver bugs in talking to the baseband might be exploitable.
- It's hard to verify an IOMMU is actually working correctly, so it's not like any of this is commonly audited.
- We're talking about SoCs here with the baseband usually integrated on the same chip, so there's always the risk of some undocumented channel between the baseband and the rest of the chip the vendor omitted to notice or tell anyone about.
The situation is at least better than it was but it's still 100% my assumption that no phone can be trusted in the face of an adversary who can put up a fake cellular network. There's simply far too much proprietary firmware, mysterious black boxes, etc. to be able to really trust these things.
Also I'm assuming here there's a desire to get access to the host processor and stored data, but you don't need to do that if you just want to get at the microphone or GPS or leak someone's location or so on. There's a million bad things someone could do getting access just to the baseband even if the IOMMU works right.
It's like what intelligent skeptics keep saying in the ongoing discussion of UFOs / UAPs and claims of extraterrestrial visits: With everyone having a camera in their pocket (or, more likely, in their hand) these days, shouldn't there be more compelling photographic evidence of extraordinary things at this point, if extraordinary things are really happening?
Edited to add: I guess I said it pretty well further down in that thread, "It does seem like some researcher or journalist should have blown the case open by now if this thing were systematically providing telemetry from everyone's "powered off" (but still plugged in) machines to an intelligence agency."
Or you can play the public hero and end up best buddies with Snowden and exiled from every Western country. The governments don't particularly like whistle blowers.
And if you found a backdoor, you probably wouldn't want to use it on every device all at once and reveal its existence. Somebody somewhere will log it. But if you carefully pick and choose your targets, just a few in a million (or several billion), it might not be detected for a long time.
White hack groups like Project Zero routinely find these exploits. That doesn't necessarily mean they're planted, it just means that it's definitely possible to hide them from common view, and it takes a lot of skill and dedication to uncover that, then also a strong enough corporate shield to protect you from any possible fallout.
Unlike taking pictures of UFOs, it's not just being in the right place at the right time. It takes a very high level of skill that the general population doesn't have.
Also check Mexico incidents of deactivated devices, Samsung, Oppo, Motorola and others have rootkits, too.
Civil liberties matter to everyone at some point.
https://libreboot.org/faq.html#intel
https://libreboot.org/faq.html#amd
Most (all?) modern smartphones comingle the baseband and application processors to the extent that the baseband has direct access to the application processor's memory. You can logically envision your smartphone's GUI/application environment as the baseband's guest. You are not in charge, despite owning the device.
unless the com chips have a purely passive mode ..
It’s code in the kernel which allows the baseband to effectively execute code in said kernel.
Definitely not ideal, but (especially without seeing baseband code) not something you can call a backdoor.
That said, I’d never use a Samsung. But that’s a whole other story.
Other capabilities require access to the device, either through an exploit or spyware.
Only for high value targets of course, otherwise they'll just go with a simpler and cheaper route.
https://podcasts.apple.com/au/podcast/darknet-diaries/id1296...
https://www.extremetech.com/computing/170874-the-secret-seco...
https://www.androidauthority.com/smartphones-have-a-second-o...
events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf[PDF]
https://en.wikipedia.org/wiki/SIM_Application_Toolkit
It's under the control of the mobile operator which knows the secrets keys to send commands to the phone OTA.
So my question, based on those assumptions, is: this application toolkit, as well as OS level calls would require an exploit by the intelligence agency to be able to give commands such as start the camera and stream it? I guess the barrier between the OS and the SIM holding hardware would have to be broken so that the camera could be made to stream to some random endpoint.
https://www.etsi.org/deliver/etsi_ts/131100_131199/131111/17...
Here's the DGSE (or not): https://www.google.com/maps/@48.8743323,2.4081584,16z/data=!...
In contrast, here's the US CIA: https://www.google.com/maps/@38.952807,-77.1456773,16z/data=...
Stumbled across that while traveling in Paris and thought "Who masks public satellite imagery in 2023?"
Yandex maps, of course, no such compulsion. Ridiculous stuff.
https://yandex.com/maps/10502/paris/house/ZlcCdgBpTkUbWFZ0a3...
OS level attacks seem more likely. The lazy option for a police agency would just be to purchase or develop a couple mobile browser exploits, and then serve warrants to French telcos requiring them to MitM targeted traffic. When the target tries to load something via http, redirect them to the exploit server, deliver the payload, and dump everything from their device and collect location, camera, and audio going forward.
Edit: Most people also seem to be overlooking the low-tech solution - get a warrant to break into the target's house or seize their phone during a "random" traffic stop, and use physical access to the device to do whatever.
This seems highly unlikely to not alert someone as the camera / video / GPS icons would show up as being in use.
> Most people also seem to be overlooking the low-tech solution - get a warrant to break into the target's house or seize their phone during a "random" traffic stop, and use physical access to the device to do whatever.
I think people are not really overlooking, but the question is related to the remote enabling of GPS / Video / Audio interception. This kinda excludes random traffic stops or breaking into someone's house.
As such, "do significant vulnerability research on closed source hardware/software to find vulnerabilities across common baseband processors" seems like a way to achieve this.
You would need a privesc to dump the data from other apps due to app sandboxing anyways. And once you have root, you can disable the GPS/video/camera indicators, since they are controlled by the OS.
> I think people are not really overlooking, but the question is related to the remote enabling of GPS / Video / Audio interception. This kinda excludes random traffic stops or breaking into someone's house.
Initial physical access is the poor man's way of enabling long-term remote access.
> As such, "do significant vulnerability research on closed source hardware/software to find vulnerabilities across common baseband processors" seems like a way to achieve this.
Go present a set of options to a government bureaucrat, and tell them:
A. you can build a vulnerability research program for 7-8 figures, pray that your best researchers don't get poached by Google after you train them, and maybe get something useful in five years.
B. you can buy a couple of existing browser exploits and privescs for 6-7 figures, enabling remote access.
C. you can use your legal powers to break into the suspect's home/office and load monitoring software on their phone with physical access.
They are going to pick B or C.
https://en.wikipedia.org/wiki/OMA_Device_Management
Send special SMS, which makes the phone contact download instructions on what to do from a given URL. All in the background.
Even Pinephone's modem has a few FOTA binaries that handle remote instructions from different operators. I guess the binaries of the OMA DM processing programs are provided by the mobile operators, or co-developed with the modem manufacturer. It can't turn on the camera or whatever, and is disabled by default, but that's just because the modem is not integrated into the main SoC.
https://megous.com/dl/tmp/f498105e651c5935.png
I was one of them and my phone (Android, Samsung, operator is Orange) suddenly was taken over. It started to root a sound I never heard (loudly), vibrate like crazy and the screen was locked to an emergency message that covered everything else. I had to click on the message to make it go.
This test shows that the administration already has some level of control, through the network provider's OS layer.
I don’t hink it shows that. This likely is cell broadcast (https://en.wikipedia.org/wiki/Cell_Broadcast)
Many phones allow you to disable it (according to that Apple page not always: “In some countries or regions, you may not be able to disable Government Alerts”). See https://support.apple.com/en-us/102516, https://www.quora.com/How-can-you-block-or-disable-cell-broa...)