Is there any work being done to modernize those protocols? I'm sure Apple can demand that by a given timeframe, a new standard has to be supported or else the new iPhone won't work on the carrier's network (and which carrier would not want iPhones to work on their network?). It's not like Apple is afraid of such things. I'm sure if Apple implemented them, Google/Samsung would follow within 1 or 2 years.
In the meantime, is there a refactor/rewrite of that '90s code base that is full of bugs and unused functions? And if so, do any phone manufacturers use that improved "firmware"?
As noted in the article, Apple/Google have nothing to do with this problem and little reason to care until widespread reports of spoofed towers hacking people's phones start making the front page.
This is on the RF manufacturers: Qualcomm, MediaTek, Spreadtrum, Samsung LSI & HiSilicon (Huawei).
It's very important to understand this risk, but also to keep it in perspective.
Both of the major phone vendors --- Google and Apple --- have teams of people who are acutely aware of the baseband threat, many of whom are as talented as RPW.
Further, though the article seems carefully written enough to avoid the misconception, the basebands on modern phones don't get direct access to AP memory, but are instead connected over a high-speed serial connection with a limited command set.
> Further, though the article seems carefully written enough to avoid the misconception, the basebands on modern phones don't get direct access to AP memory, but are instead connected over a high-speed serial connection with a limited command set.
That's good to know; for some reason I had an idea that it was all done via DMA.
Any idea about how exploitable that command set is?
Have a look around for one oldish implementation in the Linux kernel: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.... . If you're more interested in exploiting something on the baseband side, that source code is more difficult to come by and supposedly protects quite well against unexpected traffic from the AP side.
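The question above about how exploitable the AP/baseband command set is has a mirror image on the AP side: whatever comes back over that serial link is untrusted input from a processor the AP cannot inspect. The following is an added example, not code from the kernel driver linked above or from any vendor; it assumes the link carries 3GPP TS 27.007-style AT text lines (a `+CREG: <n>,<stat>` registration response is used here) and shows the checks a hardened AP-side line parser would make: a hard length cap, a printable-ASCII-only charset, no reliance on a NUL terminator, strict bounded integer parsing instead of `atoi`/`strtol`, and rejection of trailing data. The error codes, the `AT_MAX_LINE` cap and the ceiling of 11 on `<stat>` are assumptions chosen for the example.

```c
/* Hardened parser for one "+CREG: <n>,<stat>" line received from a modem
 * over an AT-style serial link.  Hypothetical example code: the AP side
 * treats the length, charset and field values of every line as untrusted. */
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AT_MAX_LINE 128           /* assumed cap: longer lines are dropped, never buffered */

struct creg { int n; int stat; };

enum {
    CREG_OK = 0,
    CREG_ERR_LEN = -1,            /* empty or over-long line */
    CREG_ERR_CHARSET = -2,        /* non-printable byte in the payload */
    CREG_ERR_PREFIX = -3,         /* not a +CREG: response */
    CREG_ERR_FIELD = -4,          /* field missing, signed, too large, or not digits */
    CREG_ERR_TRAILING = -5        /* extra data after the two fields */
};

/* Read 1-2 ASCII digits at *pos (bounded by len) and require value <= max.
 * atoi/strtol are avoided on purpose: they skip whitespace and accept '+'/'-'. */
static int parse_small_uint(const char *s, size_t len, size_t *pos, int max, int *out)
{
    size_t i = *pos;
    int v = 0, ndig = 0;
    while (i < len && ndig < 2 && isdigit((unsigned char)s[i])) {
        v = v * 10 + (s[i] - '0');
        i++;
        ndig++;
    }
    if (ndig == 0 || v > max) return 0;
    *pos = i;
    *out = v;
    return 1;
}

/* Parse exactly len bytes of line; returns CREG_OK or a negative error. */
int parse_creg_line(const char *line, size_t len, struct creg *out)
{
    static const char pfx[] = "+CREG: ";
    const size_t plen = sizeof(pfx) - 1;
    size_t i, pos;
    int n, stat;

    if (len == 0 || len > AT_MAX_LINE) return CREG_ERR_LEN;
    /* Strip the CR/LF terminator the modem appends. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) len--;
    if (len == 0) return CREG_ERR_LEN;
    /* Scan exactly len bytes; a NUL terminator is never assumed. */
    for (i = 0; i < len; i++)
        if (!isprint((unsigned char)line[i])) return CREG_ERR_CHARSET;
    if (len < plen || memcmp(line, pfx, plen) != 0) return CREG_ERR_PREFIX;

    pos = plen;
    /* <n> is 0..2 in TS 27.007. */
    if (!parse_small_uint(line, len, &pos, 2, &n)) return CREG_ERR_FIELD;
    if (pos >= len || line[pos] != ',') return CREG_ERR_FIELD;
    pos++;
    /* <stat> ceiling of 11 is an assumed bound for this example. */
    if (!parse_small_uint(line, len, &pos, 11, &stat)) return CREG_ERR_FIELD;
    /* Only the two-field form is accepted; the optional <lac>,<ci> fields
     * would need their own validated parsing rather than being skipped. */
    if (pos != len) return CREG_ERR_TRAILING;

    out->n = n;
    out->stat = stat;
    return CREG_OK;
}

/* Convenience wrappers over NUL-terminated sample strings. */
int creg_rc(const char *line)
{
    struct creg c;
    return parse_creg_line(line, strlen(line), &c);
}

int creg_stat(const char *line)
{
    struct creg c;
    return parse_creg_line(line, strlen(line), &c) == CREG_OK ? c.stat : -1;
}

/* A 200-byte line of digits after a valid prefix: rejected on length alone. */
int creg_rc_overlong(void)
{
    char buf[200];
    struct creg c;
    memset(buf, '1', sizeof buf);
    memcpy(buf, "+CREG: ", 7);
    return parse_creg_line(buf, sizeof buf, &c);
}

int main(void)
{
    /* Constructed sample lines in the shape a modem would emit them. */
    const char *samples[] = {
        "+CREG: 0,1\r\n",
        "+CREG: 0,1,\"1A2B\",\"00C3D4\"\r\n",
        "+CREG: -1,1\r\n",
        "+CREG: 0,1\x01\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rc=%d stat=%d\n", creg_rc(samples[i]), creg_stat(samples[i]));
    return 0;
}
```

The same pattern (cap, charset, bounded fields, no trailing data) applies to every other response the AP accepts from the modem; the point is that the "limited command set" only limits risk if the AP parses it as strictly as it would parse network input.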
Does anyone know if this protection was designed in from the initial conception of the major mobile OSes, or was it added on later when the relevant companies/engineers learned of how insecure the baseband processors are? I suppose you could explore the source of early versions of Android to see, unless it's all deep in a driver or something.
Note that plenty of the security holes are actually required by major carriers to be present. Just sayin'.
Also, for trust to be thrown out the window, a lot of changes would probably need to happen both in baseband software and in the networks themselves. Not seeing that happening anytime soon.
Isn't that how Samsung hides Absolute Computrace rootkit/spyware in the hidden partition ?
I read that it cannot be removed, not even by reinstalling the OS. But it looks like PC manufacturers like Lenovo found a way to hide the same rootkit in their BIOS.
I assume that when the hardware becomes available to run an open source GSM baseband, the software will follow shortly afterwards. (Or if qualcomm ever releases docs for their closed hardware).
The FCC will require signed builds on radio hardware shortly after that.
Best outcome is to have a vetted open source baseband project with reproducible builds so we can verify our signed binaries.
Funny that the author calls the code little understood with no peer review, yet when has the baseband processor on your phone crashed? Not nearly as often as the OS. Just because he does not grasp it does not mean it is poorly implemented. It goes through very extensive reliability and interoperability testing.
They aren't understood since standards such as LTE are very complex, tying in RF hardware, DSP in ASICs, and software.