Your smartphone's hidden, radio-controlling OS is totally insecure

Every mobile phone runs two operating systems; the one you interact with (like Android or Ios), and the one that controls the radio hardware. This second OS is ancient, creaking, and wildly insecure. Security researcher Ralf-Philipp Weinmann of the University of Luxembourg presented work on reverse-engineering the most popular "baseband" OSes from Qualcomm and Infineon and the horrifying security vulnerabilities he found. Anyone operating a cellular base-station (you can buy 'em on Ebay or build them from open source hardware specs) can send a 73-byte message that lets them run raw code on the processor; can silently activate auto-answer, crash the device, brick devices, install rootkits, send SMSes to premium numbers, and more.

You can do some crazy things with these exploits. For instance, you can turn on auto-answer, using the Hayes command set. This is a command language for modems designed in 1981, and it still works on modern baseband processors found in smartphones today (!). The auto-answer can be made silent and invisible, too.

While we can sort-of assume that the base stations in cell towers operated by large carriers are "safe", the fact of the matter is that base stations are becoming a lot cheaper, and are being sold on eBay - and there are even open source base station software packages. Such base stations can be used to target phones. Put a compromised base station in a crowded area - or even a financial district or some other sensitive area - and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.

* The second operating system hiding in every mobile phone [Thom Holwerda/OS News]

(Thanks, Kyle!)

Notable Replies

  1. So my years of experience typing "ATDT" and "ATH" commands into rubber suction-cup, 300 baud modems can go back on my resume now!

  2. I think that's pronounced "NSA". Seriously. This could be how they tapped Merkel's phone.

  3. The magic of the smartphone is that one CPU does everything from playing Angry Birds to cell data packet handling. The answer isn't to double the hardware, it's to make the software better.

    Unfortunately, the cell packet handling software is so highly evolved, and so close to the metal, that a rewrite would be a billion-dollar proposition.

  4. We can safely assume this has been completely exploited in the field for many years by criminals both inside and outside of government.

    And we can also safely assume that anyone motivated enough has been listening in on conversations and taking pictures clandestinely of the conversations of presidents, prime ministers, members of Parliament, senators, representatives and governors.

    Not long before some of that information gets leaked publicly or sold on the open market.

    As mentioned on Hacker News
    The FBI has been tapping mobile phones as "roving bugs" for a decade:

    An open and secure baseband SoC/OS is a reasonable project for a well funded startup. I betting there's about to be an eager market.

  5. CPUs are cheap; small CPUs near-disposably so. Doubling the hardware is one legitimate way to get security without doing the rewrites. Call it a firewall.

Continue the discussion

23 more replies