The Second Operating System Hiding In Every Mobile Phone

Jah-Wren Ryel writes "Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?"

Old silent SIM firmware

[pieterh]

The SIM firmware runs silently and in the background and by some reports, even when the phone is switched off, it continues to slowly ping cell towers, making your phone trackable unless you remove the battery.

Re:Old silent SIM firmware

That is why it is getting increasingly tough to find a phone with a replaceable battery.

Re:Old silent SIM firmware

Surely a well designed chip can use the power of the radiowaves already in the air, negating the need for a battery...

Idiotic article

I run an aftermarket radio on my Nexus 4 that enables LTE.

It's not a separate operating system. It is the definitions for the SDR ASIC in the phone. It is not part of the main ARM processor - it's memory is just mapped through it to facilitate programming.

What the hell is wrong with Slashdot these past few years? It seems that ever since the dice buyout the place has just gone in the shitter.

Excessive Peer Review is Anti-Capitalist

[atom1c]

From the original article, the author (Thom, whom I recognize for his efforts) introduces the topic of peer-reviewing every minutia of the devices we use; he laments about the absence of peer-review in proprietary and closed-source. As an open-source advocate, such a viewpoint is naturally expected and his flashing a light on the subject is always appreciated. [But how does he know? Wouldn't technology companies use security consultants to conduct security audits?]

However, applying the same lines of argument to every closed-source scenario is really preaching anti-capitalism. That means they're arguing against trust of the technology creator, against their desire for trust-based compensation, against the notion of making a dollar in order to spend a dollar (due to constant disclosure of all things 'private'), and against the underlying notion of privacy. Actually, scratch that... they're simply hypocrites.

Why? Because they advocate disclosure (anti-privacy) by others, thus not trusting others. However, they want personal privacy in the hopes of establishing a reputation for being trustworthy -- or are they advocating an ultra-liberal utopia where commerce is not based on property but instead based on a crafted perception of trust? Either way, that's hypocritical behavior! If everything becomes subject to peer-review, then the notion of trust vaporizes... and in the process, privacy is gradually lost... and both factors lead to an erosion of aspects of capitalism.

TL;DR -- Peer-review everything means trusting nothing, disclosure of everything, and loss of privacy... yet it's hypocritical since the advocates seek to maintain anonymity when applying the same frustrations against capitalism as they do against trust-based commerce.

Re:All the other OS, too.

[georgeb]

I think you misread what the author is saying. The problem is not the fact that communications originating from your phone are potentially insecure (the situation you're trying to compare with the DSL modem and the myriad routers). The problem is that, the author alleges, the smartphones are primarily controlled by the baseband processor firmware; according to the author this piece of code is the governor of everything that happens on your phone. That means, with the appropriate base station changes, anyone can access your phone while sitting in your pocket, can activate the cam, the microphone, can access the contents of it's memory card, etc.

I do not fully trust the author because as far as I understand the baseband processor is supposed to control only the radio and nothing else. That means wifi, gsm and bluetooth. I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion. But then again I'm not knowledgeable enough to be certain about any of this.

If the article is correct then this is one of the scariest things I've read in a long time.

Re:All the other OS, too.

[YoopDaDum]

I believe the article has some gross exaggerations, and I'm in the baseband business. Of course I can't speak for all implementations, so this is my opinion only.

When the baseband is in a separate die, connected with some interface like SDIO for QCOM, HSI, USB HSIC, ... there is no way that the baseband will control any host resources (unless it can exploit a bug in the host software of course). When the baseband is in the same die as the application processor (AP) and its resources, it becomes at least possible in theory for the BB to access AP resources. But think about it: why do we have process memory isolation and MMUs in the first place? And a kernel sitting between hardware and user space? For security and fault isolation. Do you really want to be the poor engineer having to debug a complex system on chip (SoC) where a bug in the BB part can create weird bugs in completely unrelated parts of the system handled by different teams? That looks like a recipe for disaster. In the systems I work on you have hardware isolation between subsystems to prevent just this. And then a compromised BB can't do a lot of damage (same as for a separate die BB).

I believe the article is a bit sensationalistic and miss the real danger: a compromised base station. That's what the source articles quoted talk about. If you can compromise a cell you can spy traffic without any attack on the UE (encryption is only between device and cell). A fake cell is an issue with 2G but since then authentication is mutual: in LTE a device do authenticate the cell too, and won't work with a fake one. But that doesn't protect against a compromised cell. This is a risk with small and femto cells mostly, as macro cells are easier to protect. The only interest as see in compromising the BB is to use it as a vector to attack the host processor (which has been done), where you have access to much more interesting stuff. This requires a security exploit on the host side too. On its own the BB isn't really very interesting as an attack target.

While I'm at it, there are others not very serious claims here. The fact that one can redirect calls to voice mail with an AT command has nothing to do with baseband security. An baseband support a control interface, and even usually two: 1) a modern but proprietary interface and 2) the standard but old fashioned AT interface. You can do a lot with these commands, no need to compromise the BB. But normally such access is limited to trusted applications, so if anyone can access this it's a host security issue, not a baseband issue.
The baseband doesn't contain one RTOS but usually several instances. There's at least one RISC core (typically ARM), possibly more. At least one DSP, possibly more. With likely more than one OS: having an instance running linux is common, with other(s) on RTOS or even bare bone schedulers (depending on the complexity of the task at hand and timing constraints). That can vary a lot depending on each BB design, but as a rule of thumb for a modern LTE capable BB expect two RISC cores and two DSPs (YMMV).
The mutual authentication I've talked about already. Here the practical issue is that when the next gen is out there's not much interest in doing big upgrades to previous generations. So the lack of network authentication in 2G will stay with us until 2G is phased out, which is still a few years away in most places (big Japan networks have already killed 2G however).