Have carrier attacks from the baseband been seen in the wild?
By comparison, application-based encryption of messages addresses a bunch of real threats. The NSA is not the only threat; malicious wifi operators, for example.
"Fake cell towers" are rampant across America and operate without warrants. That's why the police are trying so hard [0] to protect their existence. There is a new project announced today to track all the IMSI catchers around America: https://www.indiegogo.com/p/1016404
These tend to be used to track locations of people but they can also be used to intercept SMS and mobile internet traffic.
They're vectors for layer-2 attacks. The (valid) implication is that you don't have to assume Verizon is colluding with NSA to be concerned about attacks on the baseband.
Good point. But at the same time, a secure, bug free baseband won't save you from a fake cell tower that's intercepting and recording your text messages.
Yes, but a secure, bug-free open baseband would, since the first use cases that would be addressed are verification of towers, not blindly camping on the strongest signal, and monitoring your cipher strength.
With an open baseband you could do much more useful and sophisticated firewalling and ACL of your interaction with the cellular network.
As it stands now, you just camp on the strongest signal and do whatever it tells you, including downloading and running arbitrary Java apps on your SIM card (probably without your knowledge).
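As an added illustration of the selection policy described above (this is example code, not part of the original thread or any real baseband firmware), the following C program contrasts "camp on the strongest signal" with a policy that refuses a cell when it offers a cipher below a minimum, when its signal is implausibly strong for a macro cell, or when its identity has not been seen at this location before. The cell identities, signal levels and the allowlist of previously seen cells are constructed sample data; the thresholds and the allowlist approach are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* GSM cipher identifiers; the enum values are labels, not strengths. */
enum cipher { A5_0, A5_1, A5_2, A5_3 };

/* Rank ciphers by strength: A5/0 (none) < A5/2 (export-weakened) < A5/1 < A5/3. */
static int cipher_rank(enum cipher c)
{
    switch (c) {
    case A5_0: return 0;
    case A5_2: return 1;
    case A5_1: return 2;
    case A5_3: return 3;
    }
    return -1;
}

struct cell {
    unsigned mcc, mnc, lac, cell_id;  /* identity broadcast by the tower */
    int rssi_dbm;                     /* received signal strength */
    enum cipher offered;              /* cipher the network proposes */
};

struct policy {
    enum cipher min_cipher;     /* weakest cipher the handset will accept */
    int max_rssi_dbm;           /* anything stronger is implausible for a macro cell */
    const struct cell *known;   /* cells previously seen at this location (assumed allowlist) */
    size_t n_known;
};

static int same_identity(const struct cell *a, const struct cell *b)
{
    return a->mcc == b->mcc && a->mnc == b->mnc &&
           a->lac == b->lac && a->cell_id == b->cell_id;
}

/* Returns NULL if the cell is acceptable, otherwise a short reason for refusing it. */
const char *reject_reason(const struct cell *c, const struct policy *p)
{
    if (cipher_rank(c->offered) < cipher_rank(p->min_cipher))
        return "cipher below policy minimum";
    if (c->rssi_dbm > p->max_rssi_dbm)
        return "signal implausibly strong";
    for (size_t i = 0; i < p->n_known; i++)
        if (same_identity(c, &p->known[i]))
            return NULL;
    return "tower identity not previously seen";
}

/* Today's behaviour: camp on the strongest signal, no questions asked. */
int naive_choose(const struct cell *cands, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (best < 0 || cands[i].rssi_dbm > cands[best].rssi_dbm)
            best = (int)i;
    return best;
}

/* Policy-aware selection: strongest among the cells that pass every check; -1 if none. */
int choose_cell(const struct cell *cands, size_t n, const struct policy *p)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (reject_reason(&cands[i], p) != NULL)
            continue;
        if (best < 0 || cands[i].rssi_dbm > cands[best].rssi_dbm)
            best = (int)i;
    }
    return best;
}

/* Constructed sample data: two cells seen on earlier days (identity only). */
static const struct cell known_cells[] = {
    { 262, 1, 4711, 10021, 0, A5_0 },
    { 262, 1, 4711, 10022, 0, A5_0 },
};
const struct policy sample_policy = { A5_1, -50, known_cells, 2 };

/* Constructed candidates: the loudest one is unknown and offers no cipher at all. */
const struct cell sample_cands[] = {
    { 262, 1, 4711, 10021, -85, A5_3 },  /* known, well ciphered, weakest signal */
    { 262, 1, 4711, 90001, -40, A5_0 },  /* unknown, A5/0, suspiciously loud */
    { 262, 1, 4711, 10022, -70, A5_1 },  /* known, acceptable cipher */
};
const size_t n_sample_cands = 3;

int main(void)
{
    int naive = naive_choose(sample_cands, n_sample_cands);
    int chosen = choose_cell(sample_cands, n_sample_cands, &sample_policy);
    printf("naive picks cell %u, policy picks cell %u\n",
           sample_cands[naive].cell_id, sample_cands[chosen].cell_id);
    for (size_t i = 0; i < n_sample_cands; i++) {
        const char *why = reject_reason(&sample_cands[i], &sample_policy);
        printf("cell %u: %s\n", sample_cands[i].cell_id, why ? why : "acceptable");
    }
    return 0;
}
```

The naive policy camps on cell 90001 purely because it is loudest; the checked policy refuses it on the cipher test before even looking at signal strength or identity, and settles on cell 10022. Cipher ordering is deliberately not the enum order, since A5/2 is weaker than A5/1.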
German police and intel agencies sent 440,000 SMS type0/stealth attacks to trace phones last year, the FBI sent an OTA to a suspect's internet stick to broadcast his location, and something shady is going on at airports according to Cryptophone GSMK, whose radio 'firewall' goes off whenever you get near an airport. Besides that Samsung backdoor found by Replicant Mod that has access to /data and /sdcard, I haven't heard of other directed attacks yet.
Of course Google can install whatever they want on your device if given an NSL, including a modified WhatsApp that sends everything you type in plaintext straight to the police, but I haven't heard of that yet either.
Since Facebook makes money harvesting data, I wonder if WhatsApp grabs advertising keywords first and then sends via the TextSecure layer.
How would you see a baseband attack in the wild without access to the baseband? It is a circular problem. The main issue is "we just don't know," the baseband is unverifiable from a security standpoint.
Good luck detecting baseband attacks in the wild. I hope you've got a transceiver with you and a rainbow table for cracking the A5/1 etc. on your cell link.
@nsxwolf Because, surprisingly, the baseband is actually the main processor in most modern designs; the application processor (your quad-core Snapdragon or whatever) is a slave to the baseband and receives events and data it
Partly because, historically (e.g. on feature phones), the GSM baseband serves as the primary processor (with real-time responsiveness requirements), with "applications" as a subordinate function. The concept of GSM being "just" a modem peripheral is a more recent development, coming more from the laptop arena; pushing that model down into phones (especially cheap phones) will take work.
Even on top of that, the concept of not trusting your peripherals is a recent one as well. Ideally, all hardware peripherals would have no more permissions than they need; for instance, no ability to DMA except to specific pre-arranged regions. In practice, most systems don't actually set up that level of security.
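To make the "no DMA except to specific pre-arranged regions" idea concrete, here is an added C example (not code from the thread, and not modelled on any particular SoC's IOMMU) of the check such a gate performs: a peripheral's DMA request is allowed only if it lies entirely inside one pre-arranged window that grants the requested access, with zero-length and address-wrapping requests refused outright. The window layout, the addresses and the batch of requests are constructed sample data; a host-side monitor counting denials is an assumed detection hook, not a feature of any real platform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DMA_READ  1u
#define DMA_WRITE 2u

/* A pre-arranged region the peripheral may touch, and how. */
struct dma_window {
    uintptr_t base;
    size_t    len;
    unsigned  perms;    /* bitmask of DMA_READ / DMA_WRITE */
};

struct dma_policy {
    const struct dma_window *wins;
    size_t n;
};

/* True only if [addr, addr+len) lies entirely inside one window that grants
 * every bit in `perm`. Zero-length and address-wrapping requests are denied. */
bool dma_allowed(const struct dma_policy *p, uintptr_t addr, size_t len, unsigned perm)
{
    if (len == 0 || perm == 0)
        return false;
    if (addr > UINTPTR_MAX - (len - 1))      /* would wrap around the address space */
        return false;
    uintptr_t end = addr + (len - 1);        /* inclusive last byte */
    for (size_t i = 0; i < p->n; i++) {
        const struct dma_window *w = &p->wins[i];
        uintptr_t wend = w->base + (w->len - 1);
        if (addr >= w->base && end <= wend)
            return (w->perms & perm) == perm;
    }
    return false;
}

struct dma_request { uintptr_t addr; size_t len; unsigned perm; const char *what; };

/* Walk a batch of requests, print the verdicts, and return how many were denied
 * (a spike in denials is what an assumed host-side monitor would alert on). */
size_t audit_requests(const struct dma_policy *p, const struct dma_request *reqs, size_t n)
{
    size_t denied = 0;
    for (size_t i = 0; i < n; i++) {
        bool ok = dma_allowed(p, reqs[i].addr, reqs[i].len, reqs[i].perm);
        printf("%-32s %s\n", reqs[i].what, ok ? "allowed" : "DENIED");
        if (!ok)
            denied++;
    }
    return denied;
}

/* Constructed layout: the modem may write a 64 KiB inbound buffer and read a
 * 4 KiB command ring; everything else, kernel memory included, is off limits. */
static const struct dma_window bb_windows[] = {
    { 0x80000000u, 64 * 1024, DMA_WRITE },
    { 0x80010000u, 4 * 1024,  DMA_READ  },
};
const struct dma_policy bb_policy = { bb_windows, 2 };

/* Constructed requests: two legitimate ones, then four a misbehaving modem might issue. */
static const struct dma_request bb_requests[] = {
    { 0x80000000u, 4096,         DMA_WRITE, "write inbound packet" },
    { 0x80010000u, 256,          DMA_READ,  "read next command" },
    { 0x80010000u, 256,          DMA_WRITE, "overwrite command ring" },
    { 0x8000ff00u, 512,          DMA_WRITE, "write straddling window end" },
    { 0x40001000u, 4096,         DMA_WRITE, "write into kernel text" },
    { UINTPTR_MAX - 0xff, 0x200, DMA_WRITE, "wrap-around request" },
};
const size_t n_bb_requests = sizeof bb_requests / sizeof bb_requests[0];

int main(void)
{
    size_t denied = audit_requests(&bb_policy, bb_requests, n_bb_requests);
    printf("%zu of %zu requests denied\n", denied, n_bb_requests);
    return 0;
}
```

The straddling request is refused even though both bytes ranges it touches are covered by some window: a request must fit one window with one permission set, which is the simplest way to keep the check free of "adjacent windows happen to line up" surprises. The wrap-around case is checked before any arithmetic on the end address, since `addr + len` overflowing is the classic way a bounds check on such a gate goes wrong.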
Is this true of say, the iPhone? It seems like a wifi iPad or iPod Touch is exactly the same as an iPhone, but without the baseband. If the baseband were a peripheral of the A8 SoC, this would seem like a trivial difference. But it seems if that's not the case, the iPad A8 would have considerable architectural differences compared to the iPhone one.
It's less true in some modern smartphones (disclaimer: not an expert on the iOS/iDevice architecture in particular), but a shocking amount of code still ends up on the baseband, and the baseband still has as much trust as the kernel. For example, the baseband processor often serves as an offloading engine for power efficiency reasons, to avoid waking up the main processor; thus, the baseband processor might have direct access to the audio hardware, so that phone call audio doesn't need to wake up the host CPU.
Ok. I do go a bit overboard sometimes with the rants about closed baseband firmware.
But it needs to be stressed that these kinds of things are not the magic fix for mobile phone comms that people think they are.
A lot of use cases in our current world involve state owned telecom entities and Joe-Arab-Spring-Six-Pack should not be confused into thinking this solves that problem.
I pointed this out in a comment a few days ago, but the era in handset design when basebands were unilaterally trusted is over. I believe modern Qualcomm basebands are firewalled off from the rest of the device using MMUs, they do not have the ability to do DMA and their firmware is significantly hardened using techniques like ASLR, stack canaries and even using a proprietary VLIW instruction set that is barely documented.
Handset makers and carriers all have strong financial incentives to harden the basebands against hacks because they don't want people unlocking their phones, which was often being done by exploiting bugs in basebands. Also, they need the airwaves to have integrity, and mobile protocols are all based on the assumption of trusted endpoints that don't violate the rules. Now that DIY GSM base stations have become a reality, carriers face a nightmare scenario of someone running a buggy or malicious "tower" that infects the basebands of any phones that enter its range and starts them doing some kind of horrible attack against the carrier infrastructure. E.g. you can imagine an extortion attempt that works this way. It's in their best interests for their devices to behave predictably and be controlled only by themselves.
ARM TrustZone. It controls access to various hardware. Other software, including the kernel and baseband, isn't supposed to be able to even observe its state. There's a base set of functions which handset vendors can add to. Of course, it has vulnerabilities too.
I haven't heard of any process hardening going on though. Do you have a source for that? I want to learn more about it.
Sure, but getting an IOMMU right on a complicated platform that didn't historically lean on IOMMUs is different than "the IOMMU is backdoored".
Why this isn't just a nit is, if you believe (say) VT-d is backdoored, a lack of IVT research projects isn't evidence of the absence of backdoors. Presumably, if the NSA is serious enough to backdoor Intel chipsets, they'll do it in a manner that a couple of independent security researchers can't black-box.
While there is no doubt you are correct that a baseband attack is possible, it's a much, much harder task for a Telco to get control of your baseband, start poking around in it and reading your private messages via this channel. Has there been any released code that exploits this?
They easily have the technology now to read all your SMS and capture all the data you send. If you can crypt this, you're much better off from a privacy and security perspective than if you don't.
That's what's important about this announcement.
Your BIOS might be spying on you, or your hard disk, or your wifi card, your video card.
This offers good, strong protection for a lot of the attacks your data can be subject to. Not every attack, but the majority.
That is very true and often overlooked. You get Google and SELinux enabled and security domains and such and all is good, except for the fact that there is this little brick stuck on the motherboard running proprietary code, accessing any memory on the phone and talking to the outside world.
Maybe it makes sense for non-baseband enabled devices, tablets, phones with baseband chips disabled somehow (physically).
Or something like a Nexus 7 and then something like Portal. I (perhaps unwisely) mostly trust USB between two devices I control, and even wifi between two devices I control. If I can put the baseband shit on a USB stick plugged into Portal and then use wifi or USB to my tablet, I'm a lot happier.
Somewhat, but not entirely, ameliorated if one were to somehow ensure the baseband and other open components don't share RAM. This is how the Neo900 plans to attack this problem.[1]
Well, AOSP/Cyanogen on a tablet w/o GSM/4G should be pretty safe. About as safe as computing gets these days... now with Play Services, you obviously add a backdoor to an otherwise reasonably trustworthy system...
Without that, your carrier owns you at a bit by bit level in the memory of "your" computer.