The real issue here is proprietary baseband modems. These modems contain fully functional microprocessors along with low level access to the main processor. Even if you replace your ROM with an open source one, it is usually impossible to change the firmware on the modem.
It'd be nice if someone designed a phone that architecturally resembled a computer attached to a mobile hotspot.
You could have an SoC of your choice for a user-facing operating system and a separate SoC with separate memory for the baseband and whatever the hell the carrier wants to push to the device. The operating system running on the user SoC could have a driver that allows it to get internet access from the baseband SoC over some high-bandwidth-but-not-memory-sharing bus.
Until I can buy something like this, my gpg and ssh keys are staying far away from my phone, which kind of sucks.
I recall reading an article years ago describing iPhone being architectured like this. Even if the baseband system is compromised, it don't have access to the rest of the system. And traffic from the rest of the system passing thru the baseband is mostly encrypted.
I don't know if it's true, but it makes sense given the, allegedly, crappy code base in Broadcoms firmwares.
>> "To protect the device from vulnerabilities in network processor firmware, network interfaces including Wi-Fi and baseband have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor cannot initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus limits the network processor’s DMA access to pages of memory containing its network packets or control structures."
Although I guess it makes sense given that apple designs their own application processor SoCs and then has to use a separate (Qualcomm, Intel) modem rather than using a Snapdragon eight-something with everything talking to everything in the same package.
I'm not a huge Apple fan lately, and have never liked the iPhone, but this definitely seems like a pretty concrete bullet point for "iPhone is generally more secure than Android."
Well, the iPhone 6, released after the San Bernardino shooter incident involving an iPhone 5S, used PCI-e to talk to the NVMe.
For maximum speed (900MB/s), the NVMe in the 6 shipped data to/from the processor core using NVMe-side DMA bus mastering.
This begged the question: if you could hardware-MITM the communications between the NVMe and the main processor, and then reverse-engineer the way the DMA bus mastering was done... could you do arbitrary I/O on the main CPU?
Well, the NVMe has a package-embedded Cortex-M5 (actually a Cortex-R5) inside, which handles raw NAND interface, TRIM, sector reallocation, and related functionality. (It may operate at 200MHz.)
So... since the NVMe is PCI-e, it begs the question, could you possibly connect it to a PC? The answer is a solid YES, if you're motivated enough to commision the custom ZIF SOIC receptacle required. But it Just Works(TM)!
It turns out the firmware upgrades for this microcontroller were (at the time, at least) distributed in unencrypted iOS packages. This made it possible to understand the NVMe update process, fake the iPhone CPU side of the update sequence via the PC PCI-e connection, and exploit the firmware update code to write attacker-defined code into the host PC's memory - proving without a shadow of a doubt that the NVMe's PCI transciever fuses were configured for RDMA.
With this established, all you need to do is flip everything over and turn _the PC into a fake NVMe_ by creating a 2nd test rig (with a 2nd commission for the inverse of the SOIC socket) that hooks the PC PCE-e port to the iPhone CPU _via an FPGA_, figure out the various low-level steps involved in initialization before the RDMA bit is enabled...
...and discover that the iPhone 6 CPU doesn't IOMMU-protect the memory area where SecureROM is running from. (Since, at the point the NVMe is initialized, SecureROM is running and waiting for the NVMe to ping it so it can fetch and validate iBoot, the iOS stage2 bootloader).
Woops.
Maybe. Why didn't Apple IOMMU-protect the SecureROM area?!?
At least the guy who figured this out got $200k for his efforts.
Since I read the above I have 0% confidence in Apple device security.
To be fair, I highly doubt the 6's design phase started anytime after the incident, so maybe a "we don't need to push that far" carried through the life of the 6 project. I wonder if anyone tried to lobby to lock this down. Or maybe Apple doesn't care if people push that hard? Or maybe...
I mean, it seems kind of reasonable to assume that it's game over once an adversary gains physical access to the device, let alone MITMing busses inside the phone.
I was mostly concerned about what horrible things could be done via OTA updates from the carrier (or payloads designed to look like carrier OTA updates, since apparently they're rarely encryoted).
In the case of ultra-portable devices (that are all the more easily stolen) there should be a measure of physical security though. I also use the iPhone 6 example because the San Bernadino shooter's 5S was physically confiscated by police.
This being said, wireless vulnerabilities are indeed a high priority. You're probably already aware of the various vulnerabilities suffered by Broadcom Wi-Fi chipsets used in almost all phones.
Your concerns regarding cellular encryption are made all the more valid because of the extremely high political sensitivity of surfacing _anything_ that would even remotely suggest that encryption is not being used (classical security by obscurity). Someone asked for a cellular encryption indicator in Android 9 years ago, and I thought the response they received was very very insightful and gave a lot of food for thought. Slowly reading between the lines of every official reply is necessary. https://issuetracker.google.com/issues/36911336
The new Librem phones are supposed to have a hardware switch that cuts the power to the baseband modem when needed. That's about the best we can do at this point in time it seems.
Huh, this is an old trick but always a good one. Back in the days when iPhones were AT&T exclusive people managed to bypass the carrier lock by fuzzing all possible permutations of AT commands to the baseband. Once a crash was found it could potebtially be used as an exploit to modify its internal state.
It took Apple four years to harden their baseband firmware to resist all kinds of fuzzing efforts and bear in mind Apple only had 2-3 concurrent models to worry about. It must be harder for android vendors with their myriad different platforms.
That would be a later jailbreak, not a baseband unlock per se.
Geohot's first iPhone hack, IIRC, used an unsecured JTAG pinout he managed to find on the PCB that allowed direct write access to the firmware. Later it was discovered that the system bootloader had enough exploits that the process could be done entirely in software.
Later iPhone models would gradually ramp up security to the point that nothing of this sort could be done very easily even with physical access.
The popular esp8266 wifi microcontroller was initially sold as a wifi interface to other microcontrollers, communicating over a serial interface, using AT commands. Indeed this was the first esp8266 I came across (ESP-01) - a cheap wifi interface for an arduino. Later folks discovered that the esp is more powerful itself than an arduino, but I think the stock firmware that comes on the chip is the serial-wifi interface using AT commands.
Many peripherals with serial interfaces still use AT commands - Bluetooth <-> Serial adapters, the original ESP2866 firmwares where it was a Wifi-to-Serial adapter, most Serial <-> CANBus/OBD adapters like ELM327, basebands all spring to mind.
Dialup was still a thing in this century, even if it feels like a long, long time ago. You could still reset people's connections by having them echo ATH0 back to you, if they were on a bad setup.
Only if you could get the other party to type +++ first to enter command mode, though. I'm not aware of any modem that would accept commands, including ATH0, outside of command mode. Then again, there were a lot of bad modems in the world…
Well, yeah, my "ATH0" was shorthand for "+++ATH0". All it would take was a hand crafted ping packet and a bad modem on the receiving end. The better modems implemented the Hayes safeguard of checking that no data was sent for an entire second after the third plus. Then, and only then, they would enter command mode.
As recently as 2001 the majority of americans used dialup to connect to the internet. AOL was the worlds biggest ISP, and carried more than 50% of all US web traffic.
They're used by a variety of communication devices. I recently worked with some Phoenix Contact industrial bluetooth devices that used Hayes commands for configuration.
That Startech device still isolates the data line, it just has the added bonus of adding fast charging support. It'd be effective as a "USB condom" alternative.
USB-C has separate lines for the "Configuration Channel", that is used to negotiate voltage and amperage. I'm unaware if the specification allows for cables without data lines, but I don't believe they would be required.
It would only work on USB-C host devices as well though, USB-A would still revert to either 500mA as long as the data lines are tied with a resistor
I have several cables like this. It's always briefly mystifying when I accidentally grab one to sync some data. No negotiation, my fancy devices just charge at 500mA using these cables.
This allows KDE/modemmanager to unlock the SIM card of my phone by just plugging it in though. I like it. I know my phone isn't top-notch on security but thankfully I know it isn't and take precautions outside.
Yep, when using an untrusted USB power source, you can use what is called a "USB condom": either an adapter or a USB cable with the data wires cut letting only power go through. You can search the web for tutorial on which wires to cut in your USB cable, or for already made USB condoms to buy for less than $10 a piece.
Not sure of any that do that, but I've seen quite a few that support most of the charging standards and negotiate the highest current available (still at 5V) so that the phone can usually charge reasonably fast.
Don't do that. Ever. Always use your own charger and cable, preferably the ones that came with the phone. If not make sure you're sourcing them from a reputable company and not an anonymous Chinese importer.
Has anyone done research yet on the ability to control low level modems using a GSM tower? It seems likely commands like these could be executed over the air.
Also I see they got access to /proc which I assume is also access to memory via /proc/pid/mem?
I've done a little, and from what I saw AT wasn't available over the air, but more scary stuff like "update your firmware to this unsigned binary" and stuff were. Testing was with SIM[8/9]00. Albeit those are simpler basebands than you would find in a smart phone. They have a "lol, what's a OS/mmu" view of the world.
Awesome, reminds me of my day's working in telco, doing automated testing of our DPI based billing by having a laptop on my desk connect > download file > disconnect > repeat and checking for discrepancies in the records. Was it ever hard to find the AT commands at the time to automate this from the spec sheets on the modems.
I'm surprised that the full command strings appear verbatim in the firmware --- and even more surprised that they appear with their "AT" prefix; this suggests they're being parsed by an algorithm that isn't particularly efficient, like a linear search. If something more optimised like a switch or trie were used, it wouldn't be possible to extract them this way, and some more intense reverse-engineering would be required.
Sequential search is near optimal for short lists. On embedded hardware you don't always have the luxury to create elaborate data structures for the "proper" solution.
That makes it all the more surprising that they would include the "AT" prefix, which all the commands start with --- if I were implementing a command processor like this in a memory- and CPU-constrained environment, I'd match "AT" separately from the rest (differing) parts of the command.
They probably support other commands without a common prefix. It's not worth special casing a subset of the command set. It only burns a few dozen bytes.
Am I conflating 2 different issues? Before, it was a theoretical risk. So with a basestation/stingrays you could do it remotely, and now over USB as well.
Really curious, why treat these automation capabilities as a vulnerability? Several security popups appeared, a cable was attached, an application executed on the computer... as a user I'd much rather have the possibility in the future of automating my phone's UI than to have vendors treat this as a vulnerability and patch.
Edit: Just realized that the commands bypassed the prompts. That is a different beast. But the question still remains.
I found it somewhat amusing that they mentioned model, manufacturer, IMEI and serial as being a "sensitive information leak" --- if you're in physical possession of the phone, those things can be found without even turning it on.
It doesn't require an attacker to have physical possession of the phone. They just need you to plug your phone into one of their USB ports. Something like a public charging station would be perfect for this.
An IMEI and serial are still unique identifiers that can be used for tracking.
They do internally, but as far as I know there's no way to send them from outside - you have to be root, and if you're root you don't really need AT commands to exfiltrate data.
