266 comments

[ 3.3 ms ] story [ 262 ms ] thread
Waiting for the next Snowden.

In the meantime, you can use your smartphone inside a Faraday cage. Wrapping it in aluminium should help.

Not sure what you're implying with this comment. Is it that people concerned about security of their phones are wearing Tin-Foil Hats?
That if governments have privileged access to the hardware, it's not safe to use a phone until a whistleblower tells us what exactly they can do.
It's not necessarily safe to trust the whistleblowers either you know. They can lie, or be lied to, and even they can't know everything.

The only really safe assumption to work from is that all Turing-capable devices are evil.

> you can use your smartphone inside a Faraday cage.

Or, more accurately stated, "you can't".

You can't phone, but you can use the smart, the computer inside the smartphone :-)
The FBI has been tapping mobile phones as "roving bugs" for a decade: http://news.cnet.com/2100-1029-6140191.html
Heck, I'm sure it's been longer than a decade. Previous generations of mobile phones used FM unencrypted. You could eavesdrop on them with just a television that has a UHF dial on channels 70 to 83! (Audio carrier 811-889 MHz)
You can't use it inside any sort of Faraday cage, that's pointless. It's to prevent people from accessing it while it's inside one.

Pro tip: Refrigerator doesn't work, but cocktail shaker apparently does. (http://makezine.com/2013/06/26/edward-snowden-can-a-refriger...)

I thought that the refrigerator was more about soundproofing (that way it wouldn't matter if it was listening or not.)

Maybe if you are really in that sort of situation you should just do both, just in case.

I thought that the refrigerator was more about soundproofing (that way it wouldn't matter if it was listening or not.)

I think it depends on the model. I tested a couple of phones, including a blackberry, inside my fridge a few years before Snowden did his thing. We put them in and then tried to call them and none of them rang. But the fridge was one of those trendy stainless steel models. Perhaps a more ordinary fridge would have less effect on signal strength.

I've only seen fridges that are made with steel or aluminum. They would still leak RF around the door gaskets, but probably such a small amount that you'd have to be very close to a base station to be vulnerable, and it'd still be mostly soundproof.
> Waiting for the next Snowden.

The pinnacle of democracy: waiting for someone else to do it.

Naw, the pinnacle of democracy is the entitled whining after the longstanding obvious truth has been laid bare. Who needs objective forethought?
You can keep it in a Faraday cage whenever you don't need to use it or aren't expecting a call... since it should block all radio signals.
"Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave."

Can maybe somebody explain what this means exactly? Could the baseband processor/OS be used as an attack vector to exploit the main mobile OS? Could the OS protect itself from this?

The baseband processor may have unrestricted access to the entire address space of the device or to address space which the application processor (and the operating system it's running) implicitly trusts.
(comment deleted)
AFAIK, access to the baseband and vice versa is through a network inside the phone. Physically, these two computers are separated, and communicate only through a well-defined network interface. No poking in other computer's memory.
Most modern phones don't really have a physically separate baseband processor and application processor, they run a real-time microvisor (usually an L4 based system, and frequently OKL4 - see http://wiki.ok-labs.com/#OKL4Microvisor4.0). The microvisor runs multiple virtual 'cells' (which are ARM operating systems that think they are running as supervisor), and ensures that the hard realtime requirements of the radio driver are met even if the kernel in the application cell is stuck in a loop.

Because the application processor is actually running in a virtual cell and not on bare metal, it doesn't have full access to the hardware and can't interfere with the radio cell - but the radio cell might still have access to everything.

I am assuming that the RTOS has direct and full unrestricted access to the hardware such as the camera and microphone? If so then I would also assume that an over the air attack to silently suck data from the camera and microphone would be pretty easy for those with access to the RTOS (such as governments)?

I know there has been software to do just this in the past on some Nokia devices but I would assume (I am doing that a lot in this post!) it is just as possible in pretty much every mobile phone?

Anyone with knowledge of this care to comment on my assumptions?

Why would the baseband processor need access to anything but the RF and maybe the GPS hardware?
For one thing, putting the voice signal processing in the baseband means that it's not vulnerable to timing glitches from "noisy neighbor" apps running on the application processor. For another, as a practical matter, a lot of the baseband software started out as the entire software stack for the single processor in a dumb-phone/feature-phone, which necessarily included the voice processing. Simply leaving it there avoids the technical effort of doing a port.
Quite often the baseband has the only direct access to the handset mic and speaker, including things like the agc and speakerphone. That's why a room bug can be implemented this way.

The article hints at a way to democratize access to this capability by using the RIL commands to turn on auto-answer and turn off any indication it's happening.

RIL commands being extended AT commands? There is a community of phone unlockers who know everything about these for Qualcomm chipsets but their tools have the best DRM I've ever seen.
Way back when a wrote a couple chapters for Android Application Development I wrote about Android's RIL daemon and the underlying device-specific RIL libraries. It's gotten a lot more complicated, but the source code is open and includes what appears to be a reference implementation: https://github.com/android/platform_hardware_ril

I have not looked at this part of Android source code in depth in a while, but from a quick look it still looks very edifying about how this part of a smartphone works.

Have you documented the RPCs to the modem as well?
Yep. I had no idea this was the case until I read an article that came out shortly after the original iPhone. The dialer app in iOS during those first few months was pretty buggy and had an occasional tendency to crash or lock up while on calls, especially when pressing the "hang up" button. Every time it locked up on me, it'd never impact a call in progress though (much to my annoyance when trying to hang up).

It made perfect sense once I read that the speaker and mic were wired straight to the baseband, and the state of the dialer application had zilch to do with what was going on in the baseband.

I would also assume that an over the air attack to silently suck data from the camera and microphone would be pretty easy for those with access to the RTOS (such as governments)?

This is correct. The rule of thumb is this: If you need to avoid being tracked, do not under any circumstances carry a cell phone unless you have removed the battery. Even if it's powered off, it can still be activated to remotely track you as long as the battery is in it. This tactic was used in catching the recent serial killer Luka. http://en.wikipedia.org/wiki/Luka_Magnotta

From the article: "His cell phone signal was traced to a hotel in Bagnolet, but he had left by the time police arrived.[55]"

You can bet that, since he was on the run, his cell phone was off.

There are other examples besides Luka. Circumstantial evidence is very strong that law enforcement can track you if you've powered off your phone but haven't removed the battery.

(I feel so strange posting this comment, since those who would benefit from this advice are probably of dubious character.)

EDIT: I edited my comment before Guvante's reply. But it looks like some people aren't really convinced. So here's another comment, from tlb 113 days ago: https://news.ycombinator.com/item?id=6087399

"There is reason to believe phones have been remotely hacked by law enforcement using carrier credentials to leave the cellular radio running and registering with the cell network even after the off button has been pushed and the phone appears to be off. Starting point for further reading: http://www.brighthub.com/electronics/gps/articles/51103.aspx "

tlb = Trevor Blackwell, one of the best electronics hackers in the world. You may know him as the creator of the first robot that walks like a human. http://paulgraham.com/anybots.html

Now I've presented circumstantial evidence and an appeal to authority, so of course feel free to doubt me. But don't be surprised to discover you've been tracked when carrying a powered-off cellphone with a battery in it.

it is also an important piece of advice that could save someone's life for instance. there's nothing dubious about demanding privacy. now I just wish my nexus 4 had a removable battery..
This makes non-removable batteries creepy in addition to annoying!
Does removing the SIM prevent the common ways of tracing, or do they simply go off your IMEI?
The SIM isn't necessary to connect to a tower, meaning your GPS position will be reported unless you remove the battery.
Not necessarily your GPS, using it consumes more power ( ~ 30 - 100mA @3.3V ) than detecting your location passively using the cell-towers. It also takes longer to get a precise fix unless the phone is out in the open.
If you remove the SIM you are usually still able to make emergency calls (911, 999, 112), which means it can still connect to cell towers.
Not a direct answer, but: by law, any cell phone can still place calls to 911 with the SIM removed. We can probably extrapolate from there.
Right, I was just wondering about the tracking methods used. Do they select by your handset identifier, or an identifier in the SIM?

Would removing the SIM be at all helpful for avoiding tracking if you couldn't ditch a phone with an integrated battery?

No, it won't help to remove the SIM card. Unless you've removed the battery from your phone, then you can be tracked. And there's no such thing as "can't ditch my phone."
So, for instance, the FBI inputs selectors as the IMEI, not the phone number, when searching for people?

And there may be a legitimate reason why you may want to have a device. For instance, to run maps at a certain location. Or having data on the device you need once you arrive at a destination.

I worked telecoms a few years back. One of the things I worked on was an anti spam system for SMS. It had the ability to blacklist, throttle and log messages based on a number of identifiers including imei, phone number, Tower id, service center id and message content (typically binary patterns in non text payloads but there was nothing stopping it to be used to block messages containing certain text or keywords).

So if we were using these numbers to block messages then I'd absolutely expect government agencies to use them to monitor or track phones.

No, but you could clone or change your IMEI. Of course, doing so without care might also arouse suspicion, or otherwise betray your ID.
I see no reason for them being unable to do both: SIM identity and handset identity.
Instead of removing the battery, you could wrap the phone in foil.
Then, when you get stopped by the cops you have to explain why your phone is wrapped in foil. For which there can only be one possible reason. You might as well also carry a set of lock picks, crowbar and an acetylene torch, perhaps with a set of scales so that you can be processed that bit easier...
You can also create a Conspiracy theorist persona. Keep asking questions online with a semi anonymous account about the government excess, about the moon, the aliens, the freemasons etc.

Then if in court you can try to argue that for a tin foil hat like you, the actual tin foil cell phone protection isn't an indication of anything. And much less suspicious.

:-).

I like your thinking.

Not sure how it could be fully applied if in the police interrogation room having been apprehended in a dark alleyway with two large bin bags full of steaming skunk weed, freshly purchased off a Vietnamese gentleman insistent on counting every note of that £20000 just handed to him. Maybe that is just an edge case though.

Perhaps a better idea (and market opportunity) could be a 'walkers rucksack' that has a pocket for your cellphone. This pocket could be lined specifically to act as a Faraday Cage, explicitly so that you can have easy access to your phone for maps etc., yet be fairly certain that your day strolling in the hills will not be interrupted by the office, the wife and other cold callers. Such a bag could be plausibly denied in a way that plain old tin foil could not be.

(comment deleted)
> You can bet that, since he was on the run, his cell phone was off.

You then follow this with

> But if he was on the run, why was he carrying a cell phone? Answer: because he was stupid.

Your postulation that this is sufficient proof to say that they can track you with your phone off is suspect.

The baseband can control everything, and the baseband itself can be controlled remotely. It is at least technically feasible. There's no real room for doubt on that.
>the baseband can control everything Why would that be the case? Baseband in this case refers to a frequency, eg taking data(audio, SMS, etc) and mod/demodulating it. It should take raw data at the bottom of the OSI model and prep it for the RF front end, and vice versa. I may absolutely be wrong, but it doesn't have any connection to the microphone other than receiving preprocessed digital audio from the application processor. Look at the interface for an e.g TI cc2500, that's the sort of device that's being discussed
"Baseband" in this case refers to a dedicated CPU and software that handles all of the high-level cellular radio protocol work. It's where the logic would be implemented to handle the data coming from a chip like the cc2500.
I was skeptical the last time this subject came up, too, but someone pointed out that for an attacker with root access, it would be easy enough to reprogram the phone's power button to act like it was turning the phone off without actually doing so.

Given the fact that US law enforcement and security agencies are (now) indisputably known to be in the zero-day hacking business, the burden of proof is on those of us who've always claimed these stories were exaggerated.

Personally, I no longer feel confident about calling bullshit on much of anything. With the US government's infinite budget and unaccountable influence over device manufacturers and telcos, no hack is impossible.

Sorry but can't avoid laughing at infinite budget etc etc after a masterpiece such as https://www.healthcare.gov/

If all the operations are carried on by the same kind of contractors, we can sleep tight for few years.

Or a full-on cynic/paranoiac would suggest the poorly-done websites are part of a gaslighting scheme.
'gaslighting' - we don't use that term often in the UK, looks like a good word though... Please can you explain what that word means in this context. Thanks!
It's purposely constructing a false reality to make a victim think they are going insane. I am taking some rhetorical liberties by not intending the second part of that and using it to refer to the false information only.

http://en.wikipedia.org/wiki/Gaslighting

A friend of mine has always said that if you want a big f-up in projects then get the government to run it. But if you want something carried out with precision then get the military to do it.

Funny thing is, it doesn't seem to matter where healthcare systems are carried out they always run over time and over budget and end up in a big mess!

http://www.bbc.co.uk/news/uk-politics-24130684

That's the irritating thing -- that so much money is being spent for such poor results. The NSA isn't very cost-effective at preventing terrorist attacks, and healthcare.gov isn't very cost-effective at providing health insurance.

When confronted with my government's incompetence, I never know whether to be pissed off or relieved.

NSAs job isn't just to prevent terrorist attacks, it's also to gather and analyse information for the US government and to keep US communications secure. I don't know whether or not they're "cost effective", but I don't think anyone would doubt that they've given the US a huge strategic advantage.
I don't know whether or not they're "cost effective", but I don't think anyone would doubt that they've given the US a huge strategic advantage.

It's tough to say. They say their mission is vital, but then their mission is literally to lie for a living.

No, their mission is to protect U.S. communications and break everyone else's. They don't have to "lie for a living" typically since typically no one knows to ask them questions :P
I see your point, but this sort of work would be coming more from the makers of stuxnet than the makers of health insurance websites...
That's a different thing.

Can a phone be tracked while off - or can you install malware that prevents your phone from turning off while misleading the user to believe that it worked?

The latter is a lot easier to believe and what you talk about. The discussion above/the post you answered is about the former.

The addition of a mechanical power switch would probably make a successful product nowadays. Shouldn't be too hard to implement on individual phones if you have nimble fingers (not sure though, it's been ~decade since I last dissected one).
Good thing I never remove the battery when flying on an airplane.
"I feel so strange posting this comment, since those who would benefit from this advice are probably of dubious character"

I don't think there's too much social harm done in pointing this out. It seems to be so well known that it's referenced (visually or even verbally) in movies and TV shows like Breaking Bad, where the criminals take the batteries out of their phones as an extra precaution against being tracked.

How does airplane mode fit in with this? Wasn't it until recently that FAA regulations required cellphones have an explicit means to halt ALL radio communication? If the phone's radio is still potentially active even when the device is "off", how could these baseband OS's get government certification?
There is no confirmation whether baseband processor can be reached while device is OFF/in Airplane mod.

And I join the crowd who think that is impossible. I bet someone would notice weird patterns if the baseband kept working despite of device off. (Speakers catching 2G, battery drain, interference with other devices, etc.)

The radio interface could listen/wait without even replying, ie wouldn't make the GSM RFI speaker noise. If governments, carriers and law enforcement could all manage to use this so incredibly rarely that it's never been observed.. then it could be real.

Given the types of people that would have to have access / knowledge of this though. For example people that suspect their partner of infidelity and is on the police liaison team of a carrier say...

I agree it's very unlikely, someone would have noticed it by now.

Oh, that is a fair point.

Though, not receiving any information back, draws the tracking practice significantly more difficult.

It need only reply if it is requested to do so, therefore for 99.9 recurring percent of the time there need be nothing observable.
Or reply in some side channel, piggy back the next (expected, ie when the user has switch back to normal mode) UMTS radio packet for example. I don't know the packet structure but I expect there are areas that could be re-purposed covertly. We did after all fit the entire SMS system into such a space.
"Airplane mode" is essentially and AT command sent to the baseband to disassociate and go to sleep, it doesn't disable the baseband CPU, DSP or anything else.

You could argue that "off" is the same thing, for instance, many Qualcomm devices boot with the BP first and and can do a lot before the AP is even taken out of halt, without initializing the LCD display, backlight, etc.

Theoretically, that wouldn't be hard:

* Push the airplane mode button.

* Have the FAA place the phone in a faraday cage for testing the phone.

* Don't remotely activate the phone at this point (which you wouldn't be able to anyway, the phone is in a faraday cage )

* "Forget" to tell the FAA about the cellular equivalent of "wake on lan" we built into this phone.

Don't feel bad about yourself. I had a history teacher on college who was a very important political criticize of Hugo Chavez government. Each time she was going to talk about politics, she took the battery of her cell phone.
TL;DR yes, the BB cpu has full access to everything, including the "main" cpu and all running processes. Why not, right? :)

It is important to note that all smartphone chips are optimized first for low cost and low power usage.

To actually isolate the baseband processor+GPS+Cell radio+Mic+Speaker would require a second high-speed bus.

Most cell phone processor designs put both the baseband and application processor in the same package both for cost and power saving reasons. Since both processors are typically ARM cores they will easily interface to the same bus for memory and peripherals. Only having one external bus means fewer external components, which is typically the strongest factor relative to the total power and cost.

There is also the legacy element. The article notes that most of the BB code is at least a decade old by now. Unless that code got a major rewrite, it would not run on a new, isolated architecture.

Specific processor block diagrams:

Samsung - https://memorylink.samsung.com/ecomobile/mem/ecomobile/appli...

Qualcomm (page 4) - https://developer.qualcomm.com/download/qusnapdragons4whitep...

That's not always the case. For instance, on Galaxy Nexus (CDMA), the radio is split from the AP, and are in fact manufactured by two completely different folks (the AP is TI OMAP, and the radio is VIA Telecom). I'd imagine the same thing with Mediatek, who is a large and growing player. You are right that Qualcomm does fuse their radio with their AP, though, and they do control quite a lot of the US market.
Well, good, if the radio and baseband do not live on-die with the AP. Market forces are pushing for a completely integrated design, but it's interesting from a security perspective.

The baseband is still considered the master CPU during boot - at least on the CDMA Nexus. So although there are some corner cases in terms of architecture, the security model is still completely broken. Send a payload to the baseband over the air, compromise it, and the entire phone is yours.

"I am assuming that the RTOS has direct and full unrestricted access to the hardware such as the camera and microphone?"

You're thinking small ... the baseband processor (typically) has DMA access to the processor itself. Never mind pedestrian stuff like peripherals...

Further, since carriers interface with the baseband processor for OTA updates, that means your carrier has (essentially) DMA access to your phones cpu. I wish people appreciated just how deeply (as deep as deep gets, basically) your carrier can control the device in your hand - even if you have "rooted" it.

Does it also have access to internal debug registers in the cpu? Because some techniques(TREZOR) encrypt memory and store the key in those registers, as an antu-malware technique.
No, not really. The actual answer is more complex.

Camera:

The high data rate required for imaging module means that it doesn't run on a shared bus. There's a number of standards, some proprietary and others loosely defined, but they all use direct connections to the image processor (which is in many cases part of the SoC).

Microphone:

Probably not going to access this one, because microphone wouldn't be on any sort of bus. They'll have a direct connection to a ADC, which would have a direct connection to an audio signal processor in the SoC.

Other sensors:

This depends on the implementation. If they use I2C, there's a good chance they'll be on a shared bus on which the baseband processor is also located. However, accessing that data requires details about the specific sensor. If a particular model of phone is being targeted, this isn't too hard. For example, I know the iPhone 4 uses the LIS331DLH Accelerometer. I can find the datasheet for that part, and then write a simple driver to access it's data. If they use SPI, which isn't a bus-based protocol, there's little chance of accessing the information directly. SPI devices can be daisy chained or separately selected to put more than one on a single port, but in such a configuration there's only ever one master (which would be the CPU).

There's also the possibility of reprogramming a PINMUX to move access from the AP to the BP on the same SoC for something like SPI.

Essentially, most of the pins on the SoC are re-programmable to have different functions or connect to different logical blocks within the SoC.

Along these lines there's also bit-banging SPI or I2C, which should work fine for infrequent updates from an accel or compass (and now things like pedometers being added to devices.)

As for microphone, if it's being read by the audio DSP, it's certainly accessible from the baseband, at least on Qualcomm . If nothing else you can load a DSP module that allows access to the raw PCM (or vocoder) data.

Same is probably true for the camera, which is usually on an HSIF or similar bus connected to the DSP.

For an example of an open-source GSM implementation that would allow one to build a base station, see http://en.wikipedia.org/wiki/OpenBTS . There are lots of videos about it on youtube where you can see it in action.
There is also a second OS hiding in your computer right now! (There might even be a third, or forth, depending on your hardware configuration and manufacturer.)

Proprietary BIOS software has suffered the same issues for the last twenty+ years.

Good thing all these embedded computers in my computer don't have antennas attached with buggy baseband that blindly decodes and trusts messages coming thereon. :-)
Right, it's not like wifi adapters have independent processors of their own with closed-source, potentially buggy firmware that does DMA into main processor memory. :-)

It's also worth thinking about netboot (which comes in several flavors), in which the main processor's potentially buggy BIOS may be independently decoding and processing packets coming over physical wires.

And on USB, don't forget SMM code emulating PS/2 input devices by parsing USB HID packets. I think part of the reason why real mode exploits was never very common was that the address DOS allocated memory depended on for example what TSRs you were running.
Remember that story a few months ago about how some government agency had replaced all its keyboards and mice in response to a malware infestation? A lot of folks (including some here) took this as Yet Another Show of Government Cluelessness. I found myself wondering instead if there was a world in which folks advised by government security experts (i.e., you-know-who) would have a good reason to do something like this and not say why.

There is. It's a world in which their opponents had a zero-day against the Windows USB driver, and a way into the government's supply chain. And in which you-know-who wants to play the same game themselves against opponents elsewhere.

As it happens, the wifi adapters I'm using don't have any firmware at all - most Atheros ones are old-fashioned peripherals with no processor of their own, and some of the remaining ones have offical open source firmware. Good luck finding a baseband interface like that.
The largest firmware images shipped with Ubuntu in /lib/firmware are for network adapters:

    ls -Sl /lib/firmware | head
    -rw-r--r-- 1 root root 1845305 Apr 10  2013 phanfw.bin
    -rw-r--r-- 1 root root 1531932 Nov  8  2012 i6050-fw-usb-1.5.sbcf
    -rw-r--r-- 1 root root 1334532 Nov  8  2012 i2400m-fw-usb-1.5.sbcf
    -rw-r--r-- 1 root root 1251036 Nov  8  2012 i2400m-fw-usb-1.4.sbcf
    -rw-r--r-- 1 root root  707392 Nov  8  2012 iwlwifi-2030-6.ucode
    -rw-r--r-- 1 root root  701228 Nov  8  2012 iwlwifi-135-6.ucode
    -rw-r--r-- 1 root root  695876 Nov  8  2012 iwlwifi-2000-6.ucode
    -rw-r--r-- 1 root root  689680 Nov  8  2012 iwlwifi-105-6.ucode
    -rw-r--r-- 1 root root  679436 Nov  8  2012 iwlwifi-6000g2b-6.ucode
https://github.com/torvalds/linux/search?q=phanfw (QLogic qlcnic)

https://github.com/torvalds/linux/search?q=i6050 (Intel WiMAX)

https://github.com/torvalds/linux/search?q=i2400m (Intel WiMAX)

https://github.com/torvalds/linux/search?q=iwlwifi (Intel WiFi)

Even BIOS can be considered as a second OS hiding in your PC.
While we can sort-of assume that the base stations in cell towers operated by large carriers are "safe"

Um.

The link to the ETSI 3GPP specs is a bit silly: it shows not only all the related specs but also all the versions of those docs.
This is all a bit over the top. Yes, the baseband may be compromisable, that doesn't mean that the operating system is. Your photos, data etc should be safe as long as there aren't further exploits (which of course exist).

Furthermore, i have yet to hear of a slave high level operating system to the baseband. iOS or android being initialised and commanded by a secondary baseband OS would just be a bizarre setup. That of course does not mean that the baseband doesn't pass commands to the high level OS. Though if the interface is well shielded, exploiting it could be tough (correct me if I'm wrong, but I don't think baseband exploits exist for iPhone 5/5s).

Now, I'm sure the NSA however have some interesting possibilities that Angela Merkel would be all to keen to know about ;).

This is all a bit over the top. Yes, the baseband may be compromisable, that doesn't mean that the operating system is.

Incorrect. In most cases the baseband processor has complete, unfettered access the application processor, which means it has complete, unfettered access to the OS.

.. and by unfettered, we mean it has DMA access to the application processor. It's not a hook or an API call or some functions it can call - it has low level bit for bit access to manipulate the CPU that your OS (like android) runs on.

Further, your carrier (verizon, att, whatever) can push OTA updates and commands straight to baseband via the radio, bypassing the CPU and OS (like android) and manipulating the phone on a low level bit by bit basis.

Even the most well secured, rooted, reloaded phone has every piece of it totally owned by the carrier, via the baseband processor.

Yes, that includes your photos.

DMA has security modes, implemented by pretty much every standard baseband chip in use today (Qualcomm, Infineon, you name it). In the oldern days baseband exploits were used to crack iPhones. As far as I'm aware of, this hasn't happened in the last two generations of iPhones. So no, you do not have unfettered access to all the data, only the "baseband" segment, unless you manage to hack your security setting for the baseband. For which you first have to hack the Primary OS. I hope you get the theme..
It's not unusual for the baseband to control the application processor's boot sequence. Quite a lot of phone unlocking/rooting/jailbreak exploits go via the baseband.

I don't think baseband exploits exist for iPhone 5/5s

True, but that just means that people haven't broken into the baseband yet, not that if the had done that it would be impossible to break into the application processor.

"That complexity is exactly one of the reasons why it's not easy to write your own baseband implementation. The list of standards that describe just GSM is unimaginably long - and that's only GSM. Now you need to add UMTS, HSDPA, and so on, and so forth. And, of course, everything is covered by a ridiculously complex set of patents. To top it all off, communication authorities require baseband software to be certified."

This is HN.

I don't think implementing a replacement is all that daunting given enough time and money. I wonder if there's a business model that will pay for it?

A 2G baseband implementation is probably not too hard. Making 3G and all the mobile data protocol variants and LTE inter-operate reliably is probably harder.

The irony is that LTE invites a look at a minimal "layer 2 only" baseband and doing everything else in the higher-level OS, but, instead, baseband code just gets hairier.

It's not a technological problem as much as a political one. Baseband processors implement umpteen standards (politics) and have to be certified by communication authorities (_big_ politics).

And what is the point of building a more secure implementation, if all these tools must (by law and by standard) have backdoors for local authorities anyway?

I got a chance to look inside Fabrice Bellard's LTE eNodeb code. http://www.bellard.org/lte/

It runs on an i7.

FFS, does that guy ever sleep?
I doubt it. I seriously cannot fathom his skill. I mean that, I truly cannot comprehend being that good.
Baseband hacking is how people made software-based carrier unlocks for iPhone 2G, 3G, 3GS, and 4 (GSM). Those exploits are somewhat documented here: http://theiphonewiki.com/wiki/Baseband_Device#Exploits
This is also how we did it for some of the unrEVOked roots for HTC devices back in the day as well (mainly the "forever" tool).
> By design

Of course -- all the telecoms have been in bed with the NSA for decades. That's how you play ball in the US.

... The voice came from an oblong metal plaque like a dulled mirror ... The instrument (the telescreen, it was called) could be dimmed, but there was no way of shutting it off completely. (1.1.3)

Oceanians live in a constant state of being monitored by the Party, through the use of advanced, invasive technology.

It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself – anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face (to look incredulous when a victory was announced, for example) was itself a punishable offense. There was even a word for it in Newspeak: facecrime, it was called. (1.5.65)

Is the the google input box a door to the world or a window into your mind?

How many fingers do you see?

But we've _always_ been at war with Eastasia…
Eurasia has been bombing us since we were little boys!
And then there is also the one on the SIM doing all the encryption and authentication stuff...
Cant wait Tegra 4i hacking allows unrestricted i500 SDR platform access :D
Would you please elaborate ?
Aren't all modern basebands SDR?
I think we'd all be better off and get to a user-centric mobile experience a lot sooner by isolating the network communication in a dedicated device.

I'm toying with the idea that next time I have to upgrade my mobile (hopefully not soon), a better way to go is something like mifi + netbook + smart watch (+ maybe some compact chorded keyboard).

Exactly.

If you want a mobile phone that you control, you need to buy something like a samsung galaxy player (contains no baseband processor, contains no mobile phone infrastructure) and then attach a USB modem to it (or carry a MIFI or whatever).

There's one problem, however, and that is all of the fancy noise cancellation and voice smoothing are actually done on the baseband proc, and userland implementations of this for VOIP apps are typically pretty crummy.

Me, I am sticking with my MOTO FONE / F3 for now.

I'd be (pleasantly) surprised if devices like the Galaxy Player didn't still have binary blobs for the Wifi/BT and video hardware. Even NICs for otherwise fairly open PC/ATX machines all still have the proprietary blob firmware drivers.
The Mifi is the same thing as the baseband in your cell phone, and can even do SMS. Many of them are running Linux on the AP side now to support more advanced Wifi routing features.

If you were really paranoid, you might consider the possibility that it has a microphone or a speaker that can be treated like a microphone. (Though I don't know of any that actually have a beeping, vibrator or piezo output.)

Also, they may have some form of e911-compliant GPS receiver, though whether the RF is hooked up for it I wouldn't know.

Well even a completely trustable cell radio is tracked with tower triangulation. The only way I see to fix this is to completely rearchitect the mobile network by getting rid of subscriber IDs, using anonymous payments for tower access, and then a mix network for transit privacy. That is to say, location data is a wash for the foreseeable future..

Surreptitious microphones and other sensors are indeed still a problem, but they seem easy to audit/remove in the short term, and if this model catches on and they become a real threat, the physical audits just have to go deeper.

What you do gain is a processor that can be trusted by the user (in the same way we all trust Intel CPUs), with the Mifi only seeing encrypted communications. Also we've moved the demarc point solidly between two separate physical devices - upgrade your pocket computer without involving your cell provider, and replace your communications ability without affecting your user environment.

Well first you're assuming that those that created the system consider known identity to be a misfeature, even beyond that necessary for payments.

Trustable/trusted doesn't mean trustworthy in the sense of an individual citizen's expectation of privacy, it means that you have given the entity your private information, in trade for service and convenience.

The irony of old spy tradecraft is that we all possess hardware that could conceal in plain sight anything that previously had to be hidden completely, the existence of electronics or recording/transmitting ability (including film) would immediately indicate the role of the person as someone engaged in some kind of espionage. Now we can all carry sophisticated sensors and communication devices in most places, and all but cameras in many others.

What physical audit would tell you if the MEMS sensor in your device has been repurposed for audio pickup. (Assuming that the capability isn't already in the firmware, or that simple observation of the signal output (including power fluctuations) could reveal the same information to the microprocessor.

The only case I'm aware of where the courts have blocked this kind of surveillance involved an OnStar vehicle system using an analog cellphone which could only serve it's intended purpose or the government's, but not both simultaneously. This is not an issue with digital and IP-based systems, which can easily serve two masters.

Ah, you're use of "trust" again, Intel CPUs have features that actively work against you, such as with vPRO. I would agree that a non-cellular PDA and Mifi are superior to an integrated device from a privacy and personal autonomy perspective.

> you're assuming that those that created the system consider known identity to be a misfeature

No, I'm just speaking from the perspective of system design, for what it would take to actually hide your location data - to put boundaries on the problem we're talking about.

> trusted ... means that you have given the entity your private information

Yes, which is why I used "trustable", which I'll admit isn't necessarily the best word either as I'm currently trusting my phone with call/text data, even knowing how broken it is. On the other hand, I personally don't have my phone setup to access my general files, because I simply don't feel that the thing in my pocket is actually my agent.

> physical audit would tell you if the MEMS sensor in your device has been repurposed for audio pickup

Well the point is that a Mifi (with untrusted baseband) shouldn't have these sensors.

> Intel CPUs have features that actively work against you, such as with vPRO.

And probably other ones ones that don't show up in marketing materials. Which is why I made an explicit parallel to trusting Intel CPUs to generally run the code we tell them, even if this isn't necessarily true. We have to define a boundary so that we can solve the problem we're talking about with a platonic ideal of a trustable CPU, while separately solving the problem of not having trustable CPUs.

(comment deleted)
I don't think you understand what an operating system is.
While the reasons stated by the gp might not be the best ones to justify his assertion, browsers are an environment for running arbitrary untrusted code, and have a lot of similarities with operating systems (like job control, memory management, hardware access, etc).
There is actually a 3rd inside the SIM as well http://en.wikipedia.org/wiki/Subscriber_identity_module#Desi...

This is what Java Card was developed to run on.

If you are interested in getting lower level access to your radio, you could look at the defunct http://openmoko.com/freerunner.html project or the resurrection of the Freeruner, http://www.openphoenux.org/

Or the neo900

http://neo900.org/

AFAICT, the neo900 has a plain old closed baseband processor.

So you can "root" it and control the OS all you want, your carrier still owns you and your phone, what with (potentially) DMA level access to your CPU.

neo900 is interesting, but it is not any more open in this regard than any other handset.

There was a great Defcon talk about this called The Secret Life of SIM Cards that I can recommend watching (they release the video for these some time after the conference).

The talk itself was about a group that had an enormous camping trip (I hope that phrasing doesn't diminunise it) called Toorcamp of a few thousand people that thought it would be fun to also put together their own cell network for just them. They bought and programmed SIM cards and hid puzzles in the programs on them.

But the amount of programming that can be done on the SIM card alone without involving the main processor at all was really quite fascinating and there's a lot of detail in the talk if you can track it down. Here are the slides at least https://speakerdeck.com/codebutler/the-secret-life-of-sim-ca...

That's a really cool link. Easily one of the more interesting things I've read in a while, thanks!
I did some JavaCard development on a project probably ten years ago - and the highlight was meeting the "Head of SIM" at a major network, being told how many times a day everyone's SIM card 'crashes'.
I wrote my Master's thesis on software platforms for smartcard applications in 1999. An interesting platform running javacard apart from SIMs is/was the Java iButton from Maxim (then Dallas Semiconductor).

Also, all ATM cards which are smartcards (i.e. almost all of them in countries such as France, Norway) can also hold several applications. The banks just doesn't allow it. In theory you could, even with today's technology, buy a blank card (say, with a David Bowie picture if that's your thing) and have the bank, visa, mastercard, grocery loyalty programme, library card, frequent flyer applications etc on it. Just carry one card! But no, everyone wants to own the card have their logo in it. Sigh.

I'm in London and they are rolling out contactless applications for certain things now. Subway sandwiches all take them. London buses you can pay by swipign your debit card and there is one bank that has a debit card/oyster card(oyster card is use on all London transport).
We used to have them in Poland for a few years now, virtually every single place has contactless terminals. In the UK I managed to use mine at Greggs,and the lady working there had absolutely no idea what I've just done, they were very confused after I told them that they have contactless terminals. Other than that, Subway and McDonalds have them.
There also might be a 4th running on the application CPU: a TEE OS.
Don't forget the OS running on the NFC chip.
The second operating system hiding in every mobile phone? Really?

There's a ridiculous number of operating systems hiding in every mobile phone. What do you think runs on the GPU? What about bluetooth, wifi and GPS? What about all those sensors? The camera interface? The video acceleration? The SIM card? The NAND flash?

Try harder.

The GPU, bluetooth, wifi, and GPS chips are not running their own operating system kernels. They have firmware microcode that gets loaded when their drivers are loaded, but they aren't running a completely separate dedicated realtime OS.
The SIM card, however, is indeed running it's own little OS.
What do you think is in that "microcode"? Most of what I mentioned is usually running on an ARM of some sort. I count that code as an OS, because it's a pretty narrow definition otherwise.
Default register initialization values and functions to encode/decode and transmit/receive packets of data do not equal an operating system in my book. Maybe you draw the line at a different level of the stack than I do.

I'm totally willing to be admit that I might be wrong about this, but I wasn't under the impression that Broadcom and Atheros and Intel were using ARM CPUs in their wifi/bluetooth/GPS chipsets.

The missing piece here is that WiFi/Bluetooth/GPS chipsets ARE usually using ARM CPUs internally. GPUs generally run a funky DSP-like core but there's still some kind of OS scheduling tasks and running code to interact with the main CPUs.

The cost of laying down a fully-fledged CPU has reduced to the point where it's simpler and less risky to use an off-the-shelf ARM core (or similar), instead of a big bunch of hard logic combined with coefficient. And most of those CPUs have some sort of runtime, which is an OS, depending on where you draw the line on that.

Or MIPS or other isas, but still fairly powerful CPUs.
> What do you think is in that "microcode"?

Can someone say what this is used for:

$ grep GOOGLE /usr/src/linux/.config

# CONFIG_GOOGLE_FIRMWARE is not set

?

This is not like net interface blob, this is like google firmware and we all know what that means >:-)

Some of the common Bluetooth and WiFi chips out there are definitely running their own realtime OS; the Bluetooth chips at least are apparently quite complicated (WiFi hardware designers seems to be less keen on doing everything in firmware).
These are drivers in the kernel. RTOS is another thing.
Wonder if instead of downvoting this, perhaps someone could explain what I made wrong?
Those are fair questions. Just want to point out that not all of them might be hiding (closed source).
It shouldn't come as a surprise that you're not "offline" unless you take the battery out of your phone and wait a good minute or so. And there's no wireless power source "force feeding" your phone...

This is well known to anyone who's done DSP optimization work for any of the wireless carriers.

Wait, are you saying it is possible to force feed a phone in theory, or in practice right now?
> This is such low-level, complex software that I would guess very few people in the world actually understand everything that's going on here.

I would not be surprised if the NSA would employ quite a few of them.

After reading all the comments, I'm beginning to think the Butlerian Jihad may not be such a bad thing after all...
I had to Google this. Here's a Wiki P link:

https://en.wikipedia.org/wiki/Butlerian_Jihad

It's from Frank Herbert's Dune :( Sad because I read this series (all six, I kid you not!! 1,2,6 are good 3,4,5 not so good) 25 years ago nearly and I had forgotten this specific detail. Time is indeed a cruel mistress and thanks for making me feel old :)

Perhaps I remember thisparticular detail because I've read the six books six times... And, hum, I feel old right along with you...
MSM6280 is 7 years old. The author has no clue how advanced these RTOS have become now and the kind of effort that goes into security at a system level e.g. xpu, smmu etc.