Slashdot Mirror


The Second Operating System Hiding In Every Mobile Phone

Jah-Wren Ryel writes "Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?"


  1. Firmware by Anonymous Coward · · Score: 5, Informative

    In the real world, this is called Firmware.

    1. Re:Firmware by emj · · Score: 4, Funny

      Yeah kind of makes all of those hand waving sci-fi hacking tools look plausible.

      A secure computer is a computer without power, network and Qualcomm baseband chips.

    2. Re:Firmware by dos1 · · Score: 3, Informative

      It's not "stored in firmware". The described OS *is* a firmware.

    3. Re:Firmware by kimvette · · Score: 3, Funny

      Soo many times I've wished computers ran on magic.

      I wish computers ran on magic because then, when someone whose expertise is way outside of what I do requests an explanation and struggles with the details but is insistent upon knowing them, I could say "because magic" and they would accept that and say "I see."

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    4. Re:Firmware by Anonymous Coward · · Score: 2

      So? Firmware vs. software is a distinction based on the storage medium. The point of the article is that there is a second OS in all mobile phones which has not gotten enough attention so far. That second OS runs on the "baseband processor", which is the processor that performs all the radio interface functions that are timing-critical. This OS is usually riddled with bugs, as researchers have found when they fuzzed the baseband processor from the network side. There's also an open source baseband implementation called Osmocom. Besides, there's a third OS and processor in every GSM phone: The SIM. The subscriber identity module is a smart card with embedded processor and OS, running independently of the other processors in the phone. Most phones trust everything the SIM tells them, and that's a completely opaque system controlled by the network operator. The SIM can send and receive SMS messages and upload programs into the phone and have the main processor execute them.

    5. Re:Firmware by girlintraining · · Score: 2

      In the real world, this is called Firmware.

      Firmware used to be low-level controllers that only handled a small number of instructions related to a specific task, like a hard drive. All it needed to do was process requests for data and a few other basic operations, and so it was relatively simple. Firmware today though doesn't really meet that definition -- due to the lower costs of FPGAs and similar, these controllers are now trivially reprogrammable and because the original designers didn't consider the hardware to be an attack vector, it has full access to everything, like say, the PCI bus; it can talk directly to the CPU and queue instructions, change the stacks, alter memory, and more.

      Modern OSes aren't designed with this in mind; they expect an attack from the 'higher' layers -- i.e., userspace. They don't expect an attack against the kernel to come from the hardware itself.

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. Conspiracy by BreakBad · · Score: 4, Funny

    Everyone thinks a virus will cause the Zombie Apocalypse, when in truth it will be a broadcast of "Never gonna let you down" on infinite loop. Rick is Chinese...didn't you know? The same people who make these 'Cell' phones. Cell.....terrorist cells! OMG it all makes sense now.

    1. Re:Conspiracy by SomeoneFromBelgium · · Score: 2

      Everyone thinks a virus will cause the Zombie Apocalypse, when in truth it will be a broadcast of "Never gonna let you down" on infinite loop.

      Which is actually worse.

    2. Re:Conspiracy by clickclickdrone · · Score: 3, Funny

      when in truth it will be a broadcast of "Never gonna let you down" on infinite loop. Rick is Chinese...didn't you know?

      His real name is Rick Shaw.

      --
      I want a list of atrocities done in your name - Recoil
  3. Old silent SIM firmware by pieterh · · Score: 3, Interesting

    The SIM firmware runs silently and in the background and by some reports, even when the phone is switched off, it continues to slowly ping cell towers, making your phone trackable unless you remove the battery.

    1. Re:Old silent SIM firmware by Anonymous Coward · · Score: 2, Interesting

      Surely a well designed chip can use the power of the radio waves already in the air, negating the need for a battery...

    2. Re:Old silent SIM firmware by dotancohen · · Score: 3, Informative

      Surely a well designed chip can use the power of the radio waves already in the air, negating the need for a battery...

      That is exactly how RFID works. However, RFID fields are much stronger and the receiver is much closer.

      The phone could probably use the power of the radio waves in the air to do very low power things like perhaps change an e-ink display slightly. There is no way that there is enough energy to actually transmit a signal hundreds of meters.

      --
      It is dangerous to be right when the government is wrong.
    3. Re:Old silent SIM firmware by fisted · · Score: 2

      Surely not, as there isn't much energy to harvest in the first place. You'd need way more to create a signal strong enough to be picked up by the tower, so either you have your tower very close, or your idea is moot.

    4. Re:Old silent SIM firmware by ebno-10db · · Score: 2

      Shake it to wake it!

      It would be especially interesting with women who keep their cell in their bras (a not uncommon practice).

    5. Re:Old silent SIM firmware by ruir · · Score: 2

      Low tech solution, leave phone at home?

    6. Re:Old silent SIM firmware by Fri13 · · Score: 2

      What is a *shielded* faraday cage? I thought faraday cage was *the shield* :-)

    7. Re:Old silent SIM firmware by Gavagai80 · · Score: 3, Insightful

      Please. Anyone paranoid enough to take the battery out of their phone to avoid being tracked would simply not bring the phone with them, which is both easy and effective.

      --
      This space intentionally left blank
    8. Re:Old silent SIM firmware by MMC+Monster · · Score: 2

      You do realize that unless the cell phone knows where you are it's impossible for you to receive a call.

      Or do you expect every cell tower to send out every call request to everyone in the world?

      If you don't want to be tracked by your cell carrier, don't carry a cell phone.

      --
      Help! I'm a slashdot refugee.
    9. Re:Old silent SIM firmware by YoopDaDum · · Score: 5, Informative

      No. The SIM is powered from the baseband, and when the baseband is off the SIM has no power supply and can't do anything. Plus the SIM can only communicate with cell towers through the baseband, never on its own. The SIM cannot wake up the baseband on its own; enabling the radio subsystem can only be done from the host processor. So what you described is not possible.

      What is possible however is that when your device's cellular radio is on and the baseband is enabled, the SIM can directly use the baseband to communicate with the network using what is called the SIM Toolkit (STK). This can be done with or without the user being informed. The STK also has many features like transforming the numbers you dialed (to seamlessly add a routing prefix, or redirect), filtering calls (block or accept), getting and reporting a location, etc. The specs are public, look for 3GPP TS 31.048 and ETSI 102.223 (using USAT and CAT instead of STK, but it's all the same under different names).
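
The SIM Toolkit traffic described in this comment and in the earlier Anonymous Coward reply under "Firmware" (the SIM sending SMS, setting up calls, reporting location, with or without telling the user) is carried as BER-TLV proactive commands that the handset fetches from the card, which makes it practical to triage them mechanically in a SIM tracer or a forensic dump. The Python below is an added example for this page, not code from the thread or from any 3GPP/ETSI reference implementation: it decodes the command header, the device identities and the dialled number, and flags a command aimed at the network that carries no alpha identifier (the text a handset would normally display for the action). The two byte strings are constructed for the demonstration; tag and type values follow ETSI TS 102 223 / 3GPP TS 31.111, and the table of command types decoded here is deliberately partial.

```python
"""Decode a (U)SIM Application Toolkit proactive command (ETSI TS 102 223).

Added example, not code from the thread or any reference implementation.
The sample commands below are constructed; tag and type values are from
TS 102 223 / 3GPP TS 31.111, and the command table is intentionally partial.
"""

PROACTIVE_TAG = 0xD0

COMMAND_TYPES = {            # "Type of command" byte of the Command details object
    0x10: "SET UP CALL",
    0x11: "SEND SS",
    0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE",
    0x15: "LAUNCH BROWSER",
    0x21: "DISPLAY TEXT",
    0x26: "PROVIDE LOCAL INFORMATION",
}
DEVICES = {0x81: "UICC", 0x82: "terminal", 0x83: "network"}

# Simple TLV tags with the comprehension-required bit (0x80) cleared.
TAG_COMMAND_DETAILS = 0x01
TAG_DEVICE_IDENTITIES = 0x02
TAG_ALPHA_IDENTIFIER = 0x05
TAG_ADDRESS = 0x06


def read_length(buf: bytes, i: int):
    """BER length: one byte below 0x80, or 0x81 followed by one length byte."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    if buf[i] == 0x81:
        return buf[i + 1], i + 2
    raise ValueError("unsupported length encoding")


def parse_tlvs(buf: bytes):
    """Yield (tag, value) pairs; the CR bit is masked so 0x81 matches 0x01."""
    i = 0
    while i < len(buf):
        tag = buf[i] & 0x7F
        length, i = read_length(buf, i + 1)
        yield tag, buf[i:i + length]
        i += length


def decode_address(value: bytes) -> str:
    """Address object: one TON/NPI byte, then swapped-nibble BCD digits."""
    digits = []
    for byte in value[1:]:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # filler nibble on an odd-length number
                continue
            digits.append("0123456789*#abc"[nibble])
    return "".join(digits)


def parse_proactive_command(raw: bytes) -> dict:
    """Return the security-relevant fields of one proactive command."""
    if not raw or raw[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive command (expected tag D0)")
    length, i = read_length(raw, 1)
    fields = dict(parse_tlvs(raw[i:i + length]))
    details = fields[TAG_COMMAND_DETAILS]          # number, type, qualifier
    devices = fields[TAG_DEVICE_IDENTITIES]        # source, destination
    info = {
        "command": COMMAND_TYPES.get(details[1], f"unknown 0x{details[1]:02x}"),
        "qualifier": details[2],
        "source": DEVICES.get(devices[0], f"0x{devices[0]:02x}"),
        "destination": DEVICES.get(devices[1], f"0x{devices[1]:02x}"),
        # The alpha identifier is the text the handset shows for this command;
        # without one the terminal may carry it out with nothing on screen.
        "user_informed": len(fields.get(TAG_ALPHA_IDENTIFIER, b"")) > 0,
    }
    if TAG_ADDRESS in fields:
        info["number"] = decode_address(fields[TAG_ADDRESS])
    return info


def is_silent_network_action(info: dict) -> bool:
    """Triage rule: a command towards the network with nothing shown to the user."""
    return info["destination"] == "network" and not info["user_informed"]


# Constructed samples (not captured from a real SIM).
# SET UP CALL to +15551234567 with no alpha identifier, destination network.
SILENT_SETUP_CALL = bytes.fromhex(
    "D0 12 81 03 01 10 00 82 02 81 83 86 07 91 51 55 21 43 65 F7"
)
# SEND SHORT MESSAGE with alpha identifier "Welcome"; the SMS TPDU object
# (tag 8B) is a placeholder and is not decoded by this example.
SMS_WITH_ALPHA = bytes.fromhex(
    "D0 18 81 03 01 13 00 82 02 81 83 85 07 57 65 6C 63 6F 6D 65 8B 04 01 00 00 00"
)

if __name__ == "__main__":
    for sample in (SILENT_SETUP_CALL, SMS_WITH_ALPHA):
        info = parse_proactive_command(sample)
        flag = "  <-- silent network action" if is_silent_network_action(info) else ""
        print(info, flag)
```

Running the file prints both decoded commands. The SET UP CALL with no alpha identifier and the network as destination is the case the comment means by "without the user being informed"; the same triage rule can be run over FETCH/TERMINAL RESPONSE traces captured between the SIM and the baseband.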

    10. Re:Old silent SIM firmware by sl4shd0rk · · Score: 2

      even when the phone is switched off, it continues to slowly ping cell towers

      Got a source for that? According to Samsung and Nokia, they have no idea how that would be possible*. I'm not saying they aren't "under oath to lie about it", but if you're going to pimp that legend, at least enlighten us as to the source of your infallible research on the topic.

      [*] http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-how-to-track-a-powered-down-phone/

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    11. Re:Old silent SIM firmware by biodata · · Score: 3, Insightful

      Reference from the wikipedia article on Mobile Phone Tracking (check the original source if you can be arsed and let us know if sounds true): Declan McCullagh; Anne Broache (December 1, 2006). "FBI taps cell phone mic as eavesdropping tool". Cnet. Retrieved June 24, 2010. "Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set."

      --
      Korma: Good
    12. Re:Old silent SIM firmware by quacking+duck · · Score: 2

      That is why it is getting increasingly tough to find a phone with a replaceable battery.

      Or, you could buy something other than an iPhone.

      Or a Nexus 4. Or a Nexus 5. Or an HTC One / One X+. Or a Sony Xperia Z1. Or an LG G2. Or a Nokia Lumia 1020.

      The AC is correct. A surprising number of high-end smartphones, including Google's own flagship units, have followed Apple by using non-replaceable batteries.

    13. Re:Old silent SIM firmware by Lumpy · · Score: 2

      This is 100% bullshit.

      I have an old E62 here that was charged 2 years ago and then put in the drawer off. I just turned it on and it's still charged, in fact 80% charged. If the radio was turning on for ANY reason it would not have that much battery left.

      Let's check another... Old unused iPhone 3S here; it also still has 80% charge after sitting for a year unused and off.

      and yes they BOTH have a sim card in them. AT&T loves sending out new sim cards every time you get a phone.

      But let's go further. With the radio OFF there is no power for the magical SIM to run its software. Yes I have done some GSM hacking and on every single phone I have tested there is 0.00V going to the power pads on a SIM card when the phone is switched off. I have made a thin flexible ribbon to slip in between a SIM and its phone contacts to sniff what is going on between the SIM and phone to create an unlocker for phones that had issues being unlocked. With all those wires brought out you can see there is no voltage there. And when you power up a SIM on its own it does not look for devices to talk to. They are passive devices that require the phone radio hardware to talk to it and get information. Some had a Java engine in them for encryption use, but those have not been common for nearly a decade.

      --
      Do not look at laser with remaining good eye.
    14. Re:Old silent SIM firmware by anagama · · Score: 2

      Yes, but with a replaceable battery, you can carry a spare.

      I don't know what the deal is with thin -- beyond a certain point it just doesn't matter and in fact, makes the phone harder to hold really. But I don't think people will be happy till phones are as thin as a razor -- who cares about the gashes and gushes of blood so long as the phone is thin thin thin!

      --
      What changed under Obama? Nothing Good
  4. MCUs run firmware by fisted · · Score: 2

    News at 11.

    1. Re:MCUs run firmware by rasmusbr · · Score: 3, Insightful

      Yeah, I'm surprised anyone thinks this is news. It's been like this since the days of the grayscale Nokia phones. A phone that is turned off can still be located by the cell towers and it can in some cases be remotely turned on and used as a listening device. Back then security experts advised to remove the battery before you discussed secrets in a corporate or government setting, in order to avoid falling victim to espionage.

      I guess it's just not very practical to follow that advice. Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.

    2. Re:MCUs run firmware by ebno-10db · · Score: 2

      Some government agencies and some corporations have probably installed jammers or shielding around certain meeting rooms in order to keep top meetings secure.

      In labs where classified government work is done (not necessarily very high level classification either) you're often required to put your cell in a box or something outside the lab before you enter. You don't have to turn it off, which makes it fun to figure out whose cell is ringing when you have a whole basket of them.

  5. Re:Risk Mitigation by Anonymous Coward · · Score: 2, Insightful

    What.

  6. Excessive Peer Review is Anti-Capitalist by atom1c · · Score: 2, Interesting

    From the original article, the author (Thom, whom I recognize for his efforts) introduces the topic of peer-reviewing every minutia of the devices we use; he laments about the absence of peer-review in proprietary and closed-source. As an open-source advocate, such a viewpoint is naturally expected and his flashing a light on the subject is always appreciated. [But how does he know? Wouldn't technology companies use security consultants to conduct security audits?]

    However, applying the same lines of argument to every closed-source scenario is really preaching anti-capitalism. That means they're arguing against trust of the technology creator, against their desire for trust-based compensation, against the notion of making a dollar in order to spend a dollar (due to constant disclosure of all things 'private'), and against the underlying notion of privacy. Actually, scratch that... they're simply hypocrites.

    Why? Because they advocate disclosure (anti-privacy) by others, thus not trusting others. However, they want personal privacy in the hopes of establishing a reputation for being trustworthy -- or are they advocating an ultra-liberal utopia where commerce is not based on property but instead based on a crafted perception of trust? Either way, that's hypocritical behavior! If everything becomes subject to peer-review, then the notion of trust vaporizes... and in the process, privacy is gradually lost... and both factors lead to an erosion of aspects of capitalism.

    TL;DR -- Peer-review everything means trusting nothing, disclosure of everything, and loss of privacy... yet it's hypocritical since the advocates seek to maintain anonymity when applying the same frustrations against capitalism as they do against trust-based commerce.

    1. Re:Excessive Peer Review is Anti-Capitalist by Punko · · Score: 2

      Sorry Sunshine, you're mixing apples and oranges. He's advocating peer-review for technologies to be widely used and trusted by people. He's advocating privacy and anonymity for people. You are trying to say that the tools we use to privately communicate should be trusted because the corporate bodies that make them deserve to be trusted. People have the right to private communication, with the exception of pre-authorized, court sponsored evidence gathering. People are allowed to be anonymous. We do not have to carry papers when we travel locally/internally. We are free to associate. I do not have to trust the software you have installed on a device that I own. I certainly do not have to give up my rights to grant rights where they do not belong.

      --
      If only we could fall into a woman's arms without falling into her hands
  7. All the other OS, too. by DrYak · · Score: 4, Informative

    The situation isn't that much different from a desktop user connecting to the internet over an xDSL/Cable/whatever modem without first overwriting its firmware with a secure one (at least, with a modem, the user is the one uploading the firmware, and as most are Linux based, it's easy to have a more or less secure firmware. Unlike the GSM/GPRS/LTE chip which is handled by the service provider, though there exist ISP-remote-administered modems).

    And with TFA's phone example, there's the OS running inside all the various relays (different machines inside the cell tower, router, service provider's main router/server, tons of other routers along the optical fiber road [including a few NSA listening stations, the moment this road crosses the North American continent], a group of mail servers receiving, storing and retrieving mail, then again a long chain of servers and routers [and another NSA listening station and/or FSB's or MSS's or ONYX's or ...] up to the recipient's service provider, then the user's home router [with the xDSL and the Wifi firmware as additional steps inside, not necessarily open source, although some chip makers are helping a lot], and finally the recipient's tablet [+/- an additional closed firmware on that chip too]).

    All these steps could corrupt (unintentionally) or tamper (on purpose) or listen [hello NSA] to anything that is sent in the clear.

    Sending things on the internet is as secure as sending a post card, especially back when much more of the processing was handled manually. Except that the current equivalent of my example's post-office employees are much less moral. And except that the post office happens to have a weird guy who's obsessive-compulsive about xeroxing every single post-card he handles and storing it in a binder "just in case he needs to publicly embarrass someone in the future, and also to unmask communist conspiracies", whose name is either Ned S. Andale or Feodor Stefanov Bakunine. Also except that there are at least 3 such guys in 99 out of 100 post offices.

    Again the only way to trust your data is to practice end-to-end encryption. Encrypt it on your phone before sending it away. Decrypt it only on the receiving tablet.

    An untrusted phone firmware is nothing new, and isn't much different from trusting the OS running on another server along the transmission chain.
    With one small difference: when you remove the battery of a phone, everything is shut off: your Android running on your big octa-core big.LITTLE ARM CPU, but also the proprietary real-time system running inside the small ARM core inside the radio chip (that in practice functions as if owned by the phone company whose SIM is inserted).
    Whereas you can't just walk out and pull the cable of the NSA/FSB/whatever listening station in the middle of somewhere in the USA.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:All the other OS, too. by faffod · · Score: 2

      Don't get nostalgic about the old manual days where an employee might have a chance to glance at your postcard. These days the post-office (and by extension every branch of government that wants to) memorizes each and every post card you receive. http://www.techdirt.com/articles/20130703/12551523709/old-school-metadata-still-being-harvested-usps-turned-over-to-law-enforcementsecurity-agencies-request.shtml

    2. Re:All the other OS, too. by georgeb · · Score: 5, Interesting

      I think you misread what the author is saying. The problem is not the fact that communications originating from your phone are potentially insecure (the situation you're trying to compare with the DSL modem and the myriad routers). The problem is that, the author alleges, the smartphones are primarily controlled by the baseband processor firmware; according to the author this piece of code is the governor of everything that happens on your phone. That means, with the appropriate base station changes, anyone can access your phone while sitting in your pocket, can activate the cam, the microphone, can access the contents of its memory card, etc.

      I do not fully trust the author because as far as I understand the baseband processor is supposed to control only the radio and nothing else. That means wifi, gsm and bluetooth. I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion. But then again I'm not knowledgeable enough to be certain about any of this.

      If the article is correct then this is one of the scariest things I've read in a long time.

    3. Re:All the other OS, too. by Anonymous Coward · · Score: 4, Funny

      That means, with the appropriate base station changes, anyone can access your phone while sitting in your pocket

      My pockets are not large enough for anybody to sit in there. Not much of a danger here.

      can activate the cam

      That's a good idea. That way he'll see where I'm carrying him in my pocket.

    4. Re:All the other OS, too. by Anonymous Coward · · Score: 2, Informative

      I've seen this before, but I've never actually looked at any phones' schematic to prove it's true.

      Take a look at Replicant, a fork of CyanogenMod for people who are religious about software freedom. Replicant aims to have absolutely no proprietary software, but so far, none of their supported phones achieve that. They all have a statement along the lines of "Modem firmware is non-free and there is no free alternative" and another saying "The modem controls CPU memory (read/write)".

      The closest thing to a free phone is one of the OpenMoko phones. They still use a proprietary modem, but it communicates over SPI, and the main CPU is the master.

    5. Re:All the other OS, too. by Arker · · Score: 2

      " I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion."

      Because it is simpler/faster/easier/cheaper to simply give the baseband DMA, and once that is done any notion that the ARM chip is truly a 'master processor' is gone with the wind.

      It's not, it's the games and graphics coprocessor. It does not have control of the system and could not be trusted even if every single line of code executing on it were mathematically proven.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    6. Re:All the other OS, too. by YoopDaDum · · Score: 5, Interesting

      I believe the article has some gross exaggerations, and I'm in the baseband business. Of course I can't speak for all implementations, so this is my opinion only.

      When the baseband is in a separate die, connected with some interface like SDIO for QCOM, HSI, USB HSIC, ... there is no way that the baseband will control any host resources (unless it can exploit a bug in the host software of course). When the baseband is in the same die as the application processor (AP) and its resources, it becomes at least possible in theory for the BB to access AP resources. But think about it: why do we have process memory isolation and MMUs in the first place? And a kernel sitting between hardware and user space? For security and fault isolation. Do you really want to be the poor engineer having to debug a complex system on chip (SoC) where a bug in the BB part can create weird bugs in completely unrelated parts of the system handled by different teams? That looks like a recipe for disaster. In the systems I work on you have hardware isolation between subsystems to prevent just this. And then a compromised BB can't do a lot of damage (same as for a separate die BB).

      I believe the article is a bit sensationalistic and misses the real danger: a compromised base station. That's what the source articles quoted talk about. If you can compromise a cell you can spy on traffic without any attack on the UE (encryption is only between device and cell). A fake cell is an issue with 2G but since then authentication is mutual: in LTE a device does authenticate the cell too, and won't work with a fake one. But that doesn't protect against a compromised cell. This is a risk with small and femto cells mostly, as macro cells are easier to protect. The only interest, as I see it, in compromising the BB is to use it as a vector to attack the host processor (which has been done), where you have access to much more interesting stuff. This requires a security exploit on the host side too. On its own the BB isn't really very interesting as an attack target.

      While I'm at it, there are other not very serious claims here. The fact that one can redirect calls to voice mail with an AT command has nothing to do with baseband security. A baseband supports a control interface, and usually even two: 1) a modern but proprietary interface and 2) the standard but old-fashioned AT interface. You can do a lot with these commands, no need to compromise the BB. But normally such access is limited to trusted applications, so if anyone can access this it's a host security issue, not a baseband issue.
      The baseband doesn't contain one RTOS but usually several instances. There's at least one RISC core (typically ARM), possibly more. At least one DSP, possibly more. With likely more than one OS: having an instance running Linux is common, with other(s) on RTOS or even bare-bones schedulers (depending on the complexity of the task at hand and timing constraints). That can vary a lot depending on each BB design, but as a rule of thumb for a modern LTE capable BB expect two RISC cores and two DSPs (YMMV).
      The mutual authentication I've talked about already. Here the practical issue is that when the next gen is out there's not much interest in doing big upgrades to previous generations. So the lack of network authentication in 2G will stay with us until 2G is phased out, which is still a few years away in most places (big Japanese networks have already killed 2G however).
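
The authentication point made in this comment (a fake cell is enough against 2G, LTE makes the device authenticate the network, but a compromised genuine cell still sees everything) is easiest to see as the actual exchange. The Python below is an added example for this page, not code from the thread or from any 3GPP specification: HMAC-SHA256 stands in for the Milenage f1/f2/f5 functions (an assumption made for readability), the key length is illustrative, and the flow is the part that matters. The network sends RAND and AUTN, the USIM checks the MAC and the sequence number carried in AUTN before it answers with RES, and in 2G there is no AUTN to check at all.

```python
"""RAND/AUTN/RES exchange: 2G one-way vs. 3G/LTE mutual authentication.

Added example, not from the original thread. HMAC-SHA256 stands in for the
Milenage f1/f2/f5 functions (an assumption); field sizes follow 3GPP TS 33.102
(MAC 8 bytes, SQN 6, AMF 2, AK 6). Key length is illustrative.
"""
import hashlib
import hmac
import os


def f(key, label, *parts):
    """Keyed derivation used for every f1/f2/f5/A3 stand-in below."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Holds the subscriber key K and issues authentication vectors."""
    def __init__(self, k):
        self.k = k
        self.sqn = 0

    def vector(self):
        self.sqn += 1
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        amf = b"\x80\x00"
        mac = f(self.k, b"f1", rand, sqn, amf)[:8]   # f1: proof the sender knows K
        ak = f(self.k, b"f5", rand)[:6]              # f5: anonymity key hiding SQN
        xres = f(self.k, b"f2", rand)[:8]            # f2: expected USIM response
        return rand, xor(sqn, ak) + amf + mac, xres


class FakeCell:
    """Attacker's base station: knows no K, so AUTN can only be improvised."""
    def vector(self):
        return os.urandom(16), os.urandom(16), None


class CompromisedCell:
    """Genuine cell under attacker control: relays real vectors from the HSS."""
    def __init__(self, hss):
        self.hss = hss

    def vector(self):
        return self.hss.vector()


class USIM:
    def __init__(self, k):
        self.k = k
        self.highest_sqn = 0

    def respond_2g(self, rand):
        """GSM A3: answer any RAND; nothing here authenticates the network."""
        return f(self.k, b"a3", rand)[:4]

    def respond_3g(self, rand, autn):
        """UMTS/LTE AKA: check the network's MAC and SQN before answering."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_xor_ak, f(self.k, b"f5", rand)[:6])
        xmac = f(self.k, b"f1", rand, sqn, amf)[:8]
        if not hmac.compare_digest(xmac, mac):
            raise ValueError("MAC failure: challenger does not know K")
        n = int.from_bytes(sqn, "big")
        if n <= self.highest_sqn:
            raise ValueError("synchronisation failure: replayed challenge")
        self.highest_sqn = n
        return f(self.k, b"f2", rand)[:8]


def accepted(usim, rand, autn):
    try:
        usim.respond_3g(rand, autn)
        return True
    except ValueError:
        return False


def run_demo():
    k = os.urandom(16)
    hss, usim, rogue = HomeNetwork(k), USIM(k), FakeCell()
    results = {}
    # 2G: the SIM hands a valid SRES to whoever sends a RAND.
    rand, _, _ = rogue.vector()
    results["2g_fake_cell_accepted"] = len(usim.respond_2g(rand)) == 4
    # 3G/LTE: a genuine vector verifies and RES matches XRES.
    rand, autn, xres = hss.vector()
    results["3g_genuine_accepted"] = usim.respond_3g(rand, autn) == xres
    # Replaying that vector fails the SQN freshness check.
    results["3g_replay_rejected"] = not accepted(usim, rand, autn)
    # A fake cell cannot produce a valid MAC without K.
    rand, autn, _ = rogue.vector()
    results["3g_fake_cell_rejected"] = not accepted(usim, rand, autn)
    # A compromised genuine cell relays real vectors and is accepted: AKA shows
    # the vector came from the home network, not that the cell is honest.
    rand, autn, _ = CompromisedCell(hss).vector()
    results["3g_compromised_cell_accepted"] = accepted(usim, rand, autn)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Run it and every check comes out as the comment says: the SIM answers the rogue cell in 2G, rejects both the rogue cell and a replayed vector under AKA, but accepts a cell that relays real vectors from the home network, which is exactly why the comment points at compromised small cells rather than at the baseband itself.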

    7. Re: All the other OS, too. by i+ate+my+neighbour · · Score: 2

      I don't know how functional, but there are 2 free firmwares being discussed and used (by a few people) in the OpenMoko community. Apparently it is illegal to use a non-approved baseband firmware on public networks.

  8. Re:Idiotic article by ebno-10db · · Score: 2

    It's not a separate operating system. ... It is not part of the main ARM processor

    "It is not part of the main ARM processor" means it's a separate processor, which is correct, and it does run a separate OS (RTOS really).

    It is the definitions for the SDR ASIC in the phone.

    If it's SDR, then it must be running on a processor. In practice, it's a mix of hardware and software implementation. For example, despreading CDMA signals is easy to do in hardware, and a complete waste of a processor's power in software. There are probably also one or more DSPs buried in there somewhere. Despite some extensions for light-duty stuff, ARM is not a good choice for DSP.

  9. Re:Why stop there? by Anon,+Not+Coward+D · · Score: 2

    but if someone devises an exploit for QM, the phone will be compromised and not... at the same time

    --
    Sometimes it's better not having signature
  10. Exploits for baseband processors by benjfowler · · Score: 5, Informative

    Baseband hacking article: "Baseband Hacking: A New Frontier for Smartphone Break-Ins"

    http://readwrite.com/2011/01/18/baseband_hacking_a_new_frontier_for_smartphone_break_ins#awesm=~on54yB5zHMVt93

    Apparently, the firmware in baseband processors doesn't get updated a lot because of certification requirements, vendor laziness, etc, and certain well-funded attackers have swags of exploits for phones that can crack phones over-the-air through the baseband processor itself.

  11. Everything has software by saider · · Score: 4, Informative

    By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see. I am not talking about BIOS, which is another type of firmware, that is visible to the user.

    EVERYTHING these days has software. Shipping a software patch is cheaper than a recall. This goes back to the old joke - the mechanical engineer thinks it is an electrical problem, the electrical engineer thinks it is a mechanical problem, but they both agree that it should be fixed in software.

    This story reminds me of the Simpsons episode where Kent Brockman breaks a story about the government training people to kill on an industrial scale. "They call it the 'Army', but I have a better name - Killbot Factory".

    --
    Remember, You are unique...just like everyone else.
    1. Re:Everything has software by ebno-10db · · Score: 2

      By this logic, even your computer has multiple operating systems. The chipset on your motherboard is not pure hardware - there are small cores in there running embedded software that you never see.

      But unlike a cell phone, not every embedded processor is directly connected to a public network.

  12. Re:probably the most secure part of the phone.... by ebno-10db · · Score: 2

    They're talking about a situation where the attack vector is over-the-air, not via the secondary processor (the correct name for the thing that runs games instead of a radio). I don't know whether this is realistic, but it is what's being discussed.

  13. Re:Risk Mitigation by Rob+the+Bold · · Score: 3, Insightful

    What.

    I'm pretty sure this is all hypothetical. Or at least the "guests" part.

    --
    I am not a crackpot.
  14. Doesn't match the architecture. by DrYak · · Score: 4, Informative

    I do not fully trust the author because as far as I understand the baseband processor is supposed to control only the radio and nothing else. That means wifi, gsm and bluetooth.

    Usually, wifi is handled by another chip, with its own different firmware. This might have started changing now with more consolidation sought by system integrators.
    Frequently GPS is also handled by the radio sub-system.
    (That's why you have feature phones with GSM + Bluetooth but no Wifi; that's also why Wifi-only tablets also lack GPS [early iPads, for example].)
    In some rare occurrences, this chip can also communicate with SD cards (it has an SPI interconnect).
    (That's very frequent in USB 3G/4G modems. It's basically a standard radio chip, with the Bluetooth and GPS functions turned off and packaged inside a USB stick, with an SD card reader as a bonus. But instead of talking to a main system ARM running Android, it talks over a USB chip to a whole computer/laptop running Linux or Windows. Note that a recent exploit mentioned on /. found a way around the firmware limitation, and forcefully turned the Bluetooth on, creating a possible extra entry point and thus extending the attack surface.)

    I don't understand why the baseband would have to deal with anything else, and why it would be the master processor and not just a blackbox "device" that the main OS sees and communicates with, in a properly isolated fashion.

    Yup. For all the designs I've seen (and some smart phones have 100% fully open designs, such as the various OpenMoko boards), the radio chip is just a blackbox device talking over some limited channel to the main SoC (in OpenMoko GTA02/03 it's something imitating a serial interface. There's not much difference between an old PC talking to an anolog modem over serial and a openmoko talking to the radio chip).

    Then usually the main SoC talks to the other peripherals: RAM is directly soldered to the CPU in a Package-on-Package fashion, so it's completely inaccessible. Camera, sound chip, memory card, charger controller are also connected to the SoC on other channels (SPI, I2C, etc.)

    But then again I'm not knowledgeable enough to be certain about any of this.

    When thinking hard, there would be a few broken designs where this could happen.
    Note that such designs are to be considered broken. Having so little isolation toward the chip that is constantly talking to the outside and downloading updates is a serious security and stability issue.

    And stability *IS* an issue: I've had problems with an old phone (not supported anymore by the manufacturer) that got bad updates on its modem and had problems.
    (Once I needed to call my service provider and then, after a long debugging session and several tentative upgrades [over the air], I ended up changing SIM.)

    Possible such bad designs:

    - Fully integrated chips: where one single chip is responsible for everything on the phone.
    That's the situation with Qualcomm's Snapdragon. Okay, the phone maker will save an extra chip and room on the PCB.
    But that's pure nightmare fuel regarding security and stability.
    (When an HP Pre 3's modem crashes, the whole phone freezes and crashes. There are entire forum threads about this.)

    - Everything on the same bus: several common interconnects in smartphones (like SPI) can talk to several chips on the same bus.
    If the SoC (of course), the camera, the audio codec AND the radio are all on the same bus, the radio chip could pull some shit and disturb the bus (act as if it were a master and turn on the camera, then listen on the bus to eavesdrop on audio and video packets which were destined for the main SoC).
    That's an awful design, both from a security point of view (the modem should be considered untrusted) and quality (a crashed radio could crash other components; also they all have to share the very limited bandwidth on the bus: SPI has only 100Mbit/s, for instance).
    The modem should b

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. Re:Over-the-air Security Protocols by YoopDaDum · · Score: 3, Informative

    Hi there. I'm not following 3G closely but in LTE the encryption schemes are secure. You have two options, both 128 bits: SNOW 3G (inherited from 3G as you can guess ;) and an AES scheme. Both secure as of today. In R10 or R11 a Chinese scheme called ZUC has been added too, also 128 bits. The operator decides on which scheme is used, and the device must support both SNOW 3G and AES today.

    The big thing is that the encryption is between the device and the cell (base station). The assumption is that the cell is secure, and that behind it the operator network is secured by other means. So it's important to protect the cell (eNB in LTE) against compromises. A fake cell won't work, as in LTE the authentication is mutual: the UE won't work with any cell, except for an emergency call.

    For more details have a look at the 3GPP 33.401 spec, for example the latest R9 version.

  16. wtf-am-i-reading.jpg by FuzzNugget · · Score: 3, Informative

    This is called "firmware", dipshit.

    Non-story, move along.

  17. Radio Modems - New Features by Eddy_D · · Score: 2
    It is true that some newer radio modems (e.g. Telit models and now some new models from Cinterion) have the ability to run scripted programs on the baseband processor. I played with a Telit modem that could run Python scripts. I really don't think that the commercial modems that normal smartphones use would have that capability though; it would be a dumb thing for the modem manufacturer to add in.

    Likely the smartphone modem will also have a GSM chipset (e.g. Qualcomm) as well; this is mainly separate from the baseband processor and has limited contact with it (e.g. maybe it needs some AT commands to control the GSM modes).

    In general, the firmware running on a baseband processor is very hard to change. Changes to that processor must be re-vetted through several approval processes (PTCRB and usually one or more carriers, e.g. AT&T) and consume time and money. It is for this reason that you cannot program your own code into this processor (I'm guessing scripts don't count as a program as they are sandboxed within an internal VM-like system).

    --
    - I stole your sig.