Gather 'round boys and girls, it's time for yet another tale to chiiill your boooones! Alright fine, it's yet another worrisome story about an aspect of the technology we've come to love over the past few years.


So you might be wondering, what exactly is a Baseband Processor? Well, in a nutshell, it is the main chipset of your device. It is responsible for all the telecommunications and directly interfaces with the hardware. It also includes stacks for telephony protocols. Because this processor is used to deal with time critical tasks, it requires a Real Time Operating System (RTOS) (Real Time, loosely speaking, means that every task takes a known amount of time to complete). This RTOS is usually propriety, provided by companies like Qualcomm, MediaTek, and Infineon, and is stored in firmware. Why is this so bad? It doesn't seem like it's any different from anything else in the technology industry; after all, companies sell software left, right, and center. Well, the scary part comes from a bunch of different places.

Because it is propriety, the processor and the software are poorly understood and poorly documented; there is no peer review. This means that we only have Qualcomm's, MediaTek's, Infineon's, and others' guarantee regarding the state of the software. This is concerning because modern smartphones actually have two operating systems: the application OS (Android, iOS, etc) that runs on an application processor, and the RTOS that runs on the baseband processor. What's more, the baseband processor is usually the master while the application processor is the slave. This means that you could have the most secure OS running on your phone, but it doesn't amount to a hill of beans because you're still running this second OS.

OK, so what? What does it matter if there's a second OS? It's just as secure as the application OS right? Well...not quite. The standards that govern how baseband processors and radios work were designed in the 1980s. Complicated codebases were written in the 1990s, along with the 1990s' attitude towards security. To add to that, the processor trusts whatever data it receives from a base station (cell tower) and does not check anything. To be concise: a poorly understood, poorly documented, real time operating system written without exploit mitigation runs on the master chipset that automatically trusts whatever data it receives and whatever code it executes. Super secure right?

Ralf-Philipp Weinmann, a researcher from the University of Luxembourg, took on the task of reverse engineering both Qualcomm's and Infineon's baseband processor software. He found tons of bugs everywhere; bugs that could lead to exploits, which in turn could be used to do anything from crashing the device to giving an attacker control of the device by allowing them to execute code. Ralf-Philipp found an exploit that required a measly 73 byte message to remotely execute code...a message that was sent over the air! To add to that you could further exploit the phone by using the Hayes Command Set, a command language designed for modems in 1981 that still works on modern baseband processors!

While it could be argued that because the only way to pull off such an attack is to use a cell tower, the insecurity of these processors isn't something to be concerned about. After all, cell towers are safe(er). However, portable base stations are becoming more and more economic; it is becoming easier for an attacker to take one of these portable base stations to a crowded area and attack a whole boatload of devices. They could then use these infected devices to send SMS messages, turn on cameras, turn on microphones, etc. All this by virtue of the baseband processor's inherent insecurity.

What's unfortunate is that it is extremely difficult to write your own baseband software. The standards that govern it are ridiculously long, and there are multiple such standards (GSM, UMTS, HSDPA, etc). Additionally, the baseband software needs to be certified. These obstacles make it so that phone and device manufacturers are more than happy to use existing baseband processors and software than go through the hassle of creating their own.


I'm afraid there is no "I know this looks bad, but I wouldn't worry about it" sentiment regarding this. This is a known issue that everyone seems to ignore. The insecure and antiquated baseband software is a giant barrier that no one wants to go through the trouble of knocking down. As the world is right now, almost every one of our devices is incredibly insecure at the most fundamental level. If you squint just right, you might argue that there is a silver lining in that in order to do any kind of real damage, you really have to know the environment in which you are running. However, this approach is effectively that of IBM's mainframe, namely 'security through obscurity'. It isn't a real solution, and it doesn't guarantee anything. At least in IBM's case, the mainframe is really hard to break into. Baseband processors and their associated RTOS? Less so.




Sources and Further Reading:
https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
http://readwrite.com/2011/01/19/baseband_hacking_a_new_frontier_for_smartphone_break_ins#awesm=~on0964sRjvixyz
https://www.youtube.com/watch?v=fQqv0v14KKY

Log in or register to write something here or to contact authors.