“stoweboyd: The baseband OS on mobile devices is a frightening mess: incompletely understood and very insecure: excerpt
Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.
This operating system is stored in firmware, and runs on the baseband processor. As far as I know, this baseband RTOS is always entirely proprietary. For instance, the RTOS inside Qualcomm baseband processors (in this specific case, the MSM6280) is called AMSS, built upon their own proprietary REX kernel, and is made up of 69 concurrent tasks, handling everything from USB to GPS. It runs on an ARMv5 processor.
The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there’s no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device. You may think these baseband RTOS’ are safe and secure, but that’s not exactly the case. You may have the most secure mobile operating system in the world, but you’re still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm’s, Infineon’s, and others’ blue eyes.
The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s - complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.
So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you’re connected to. What could possibly go wrong?
With this in mind, security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits - crashing the device, and even allowing the attacker to remotely execute code. Remember: all over the air. One of the exploits he found required nothing more but a 73 byte message to get remote code execution. Over the air. It sounds like the background for a Daniel Suarez-like scifi novel about an evil genius crashing the world’s economy by controlling the cell phones of politicians, bankers, and security personnel, and causing a stock market and financial market crash by making cell phones execute trades, steal money from bank accounts, and to fund his organization’s terrorism.”—Emergent Futures Tumblelog: The second operating system hiding in every mobile phone - Thom Holwerda
“Who are we, if not measured by our impact on others? That’s who we are! We’re not who we say we are, we’re not who we want to be — we are the sum of the influence and impact that we have, in our lives, on others.”—Neil deGrasse Tyson on Carl Sagan at yesterday’s Library of Congress event celebrating Sagan (via explore-blog)