The Second Operating System Hiding in Every Mobile Phone
November 12th, 2013Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to “find cellphones even when they were turned off. JSOC troops called this ‘The Find,’ and it gave them thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq, according to members of the unit.”
Many security researchers scratched their heads trying to figure out how this could be so.
—
Maybe it’s malware.
Maybe it’s a feature.
Via: OSNews:
I’ve always known this, and I’m sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.
This operating system is stored in firmware, and runs on the baseband processor. As far as I know, this baseband RTOS is always entirely proprietary. For instance, the RTOS inside Qualcomm baseband processors (in this specific case, the MSM6280) is called AMSS, built upon their own proprietary REX kernel, and is made up of 69 concurrent tasks, handling everything from USB to GPS. It runs on an ARMv5 processor.
The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there’s no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device. You may think these baseband RTOS’ are safe and secure, but that’s not exactly the case. You may have the most secure mobile operating system in the world, but you’re still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm’s Infineon’s, and others’ blue eyes.
The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.
So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you’re connected to. What could possibly go wrong?
Related: iPads Banned from Cabinet Meetings Over Surveillance Fears
I have been advised by a techie that this dual OS system is true for ALL WIFI devices. I have no way of verifying if that comment is true, but it makes sense. My advisor is the network manager for a major N. American city.
On “The Find” article, it depends on the phone. When most phones are off, they are dead to the world. The only thing that it’s listening for is the power button.
On some phones, when you press the power button, it’s only going to standby. The screen is dark, and it draws minimal power, but can still talk to the towers.
So is it in standby or is it off? I know a lot of people think standby is off. Sure, they’re easily tracked.
On the baseband hacking, he’s a couple years late on this breaking news.
http://readwrite.com/2011/01/18/baseband_hacking_a_new_frontier_for_smartphone_break_ins#awesm=~on7rRdRZv36Fcz
Some phones can have some things done to them. It wasn’t clear in either article, but does issuing a ATA or ATS0=1 just initiate a data session, or a voice session? I suspect it’s just connecting the phone to a tower, but doesn’t give any magic permissions to the device.
Now, setting up a femtocell would let you evesdrop on all the voice and unencrypted data goodness that your phone wants to send.
If you’re so inclined to have private voice calls, it would be simple enough (if you’re so inclined) to set up a private VoIP server with mandatory encryption, and use a VoIP app rather than the phone’s native dialer.
With such a setup, I could talk to someone on the other side of the world, and all that anyone can evesdrop on is seeing encrypted data streaming through to a common VoIP server.
I say a private VoIP server, because you only know how secure something is that you physically control. If there someone else physically controls it, they have the power to manipulate it as needed (or demanded by warrant and/or NSL).
I know some people love Skype. I questioned the trustworthiness of them when they started, and even more now that they are owned by Microsoft. Sure, it can be private, unless they want to eavesdrop at the server.