The second operating system that exists in every mobile phone device

Having discussed the issue of closed/open source code, and without illusions regarding technical solutions to the technological issues posed by the information age, we are publishing a translation of a relatively old (2013) and relatively technical text. It presents something that we all take for granted but which also slips our attention: that all these smart devices (in this case, those with mobile phone functionality, i.e. SIM card, antenna, etc.) provide access – the parallel question being to what and to whom. Presenting the possibility of access to something that we carry daily in our pocket might also constitute a first revelation of the materiality of what we call surveillance and repression.

I knew it all along and I’m sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communication capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Besides the operating system that we see as end users (e.g. Android, iOS, PalmOS), it also runs a small operating system that manages anything related to this mobile communication. And because this function is time-critical, it requires a real-time operating system (RTOS).

This operating system is stored as firmware (translator's note: a program permanently stored in special memory) and is executed by a separate processor (the baseband processor). As far as I know, this operating system is always completely proprietary (closed source). For example, the RTOS inside Qualcomm MSM6280 processors is called AMSS; it is built on top of the closed-source REX kernel and manages everything from USB to GPS.

The problem here is clear – these processors and the proprietary software they run are barely understood, as there is no proper evaluation (note: he means by independent researchers and the “community” in general). This is somewhat strange if we consider how important these small bits of software are, being responsible for the operation of modern communication devices. You might think that these RTOSes are safe and secure, but this is not the case.[1] You may have the most secure mobile operating system in the world, but you are still running a second operating system that is not well understood and not sufficiently documented, and all you can do is trust Qualcomm, Infineon, and the other RTOS and baseband processor manufacturers.

A SIM card. Whether you believe it or not, there is a small processor inside it, running a small operating system.

The insecurity of baseband software is not a mistake – it is part of the design. The standards that govern how these baseband processors and base stations operate were designed in the 80s, resulting in very complex code written in the 90s – with the security mindset of that decade. For example, there is no provision to mitigate the exploitation of security gaps, so exploits (note: programs that exploit security gaps) can be used without restriction. What makes it even worse is that every baseband processor inherently trusts any data it receives from a base station (e.g. a mobile phone antenna). Nothing is checked; everything is automatically trusted. Finally, the baseband processor is usually the main processor, while the application processor (e.g. the one running Android) is the secondary one.

We therefore have an operating system running on an ARM processor (translator's note: a type of processor architecture), with no precaution (or at best a minimal one) against the exploitation of security gaps, which automatically trusts every command, piece of code or data it receives from the base station it is connected to. What could possibly go wrong?

With this in mind, security researcher Ralf-Philipp Weinmann from the University of Luxembourg set out to examine the baseband processor software of Qualcomm and Infineon, and easily identified numerous bugs scattered throughout the code, each of which could lead to exploitation, rendering the device unusable or even enabling remote code execution. Remember: all of this over the air. One of the exploits he found required nothing more than a 73-byte message to gain remote access. Over the air.

You can do crazy things with these exploits. For example, you can enable auto-answer using the Hayes command set. This is a command language for modems designed in 1981, and it still works on the modern baseband processors found in today’s smartphones(!). Auto-answer can also be enabled silently and invisibly.

Although we can assume that the base stations in mobile phone towers managed by large providers/companies are secure, the fact is that base stations are becoming cheaper and cheaper and are sold on eBay – there is even open-source software for base stations. Such stations can be used to target mobile devices. Place such a station in a high-traffic area – a commercial or otherwise sensitive area – and you can remotely activate microphones and cameras, install rootkits (note: programs that leave a hole in the system so that access is available at any time), make calls or send SMS to specific numbers, etc. You can also completely destroy the devices.

This is a very serious issue, but also an issue that you will rarely hear about. The software in question is so complex that I assume few people in the world truly understand what is happening here (translator's note: from a technical perspective).

This complexity is exactly one of the reasons why it is not easy to write your own version of the baseband software. The list of standards that describe GSM alone is unimaginably long – and that is only GSM. Now add UMTS, HSDPA, etc. And of course, everything is covered by a ridiculously complex set of patents. On top of all this, the communications authorities require certification of the baseband software.

Add all this together and it’s easy to see why every mobile phone manufacturer chooses one of the ready-made baseband processors with its corresponding software. This means that every smartphone has a piece of software that is always running (when the device is powered on [note: some claim it runs even when powered off]) and which is essentially a black box. Whenever someone meddles with baseband software, many issues and security gaps are discovered, raising the question of how long this rather contentious situation can continue. It’s a shocking thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, revolve around software that is of questionable quality, barely understood, fully proprietary, and completely insecure by design.

Wintermute
cyborg #12 – 6/2018

[1] https://readwrite.com/2011/01/17/baseband_hacking_a_new_frontier_for_smartphone_break_ins/