I’ve always known this, and I’m sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.
This operating system is stored in firmware, and runs on the baseband processor. As far as I know, this baseband RTOS is always entirely proprietary. For instance, the RTOS inside Qualcomm baseband processors (in this specific case, the MSM6280) is called AMSS, built upon their own proprietary REX kernel, and is made up of 69 concurrent tasks, handling everything from USB to GPS. It runs on an ARMv5 processor.
The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there’s no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device. You may think these baseband RTOSes are safe and secure, but that’s not exactly the case. You may have the most secure mobile operating system in the world, but you’re still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm’s, Infineon’s, and others’ blue eyes.
The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.
So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you’re connected to. What could possibly go wrong?
With this in mind, security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits – crashing the device, and even allowing the attacker to remotely execute code. Remember: all over the air. One of the exploits he found required nothing more than a 73-byte message to get remote code execution. Over the air.
You can do some crazy things with these exploits. For instance, you can turn on auto-answer, using the Hayes command set. This is a command language for modems designed in 1981, and it still works on modern baseband processors found in smartphones today (!). The auto-answer can be made silent and invisible, too.
While we can sort-of assume that the base stations in cell towers operated by large carriers are “safe”, the fact of the matter is that base stations are becoming a lot cheaper, and are being sold on eBay – and there are even open source base station software packages. Such base stations can be used to target phones. Put a compromised base station in a crowded area – or even a financial district or some other sensitive area – and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.
This is a pretty serious issue, but one that you rarely hear about. This is such low-level, complex software that I would guess very few people in the world actually understand everything that’s going on here.
That complexity is exactly one of the reasons why it’s not easy to write your own baseband implementation. The list of standards that describe just GSM is unimaginably long – and that’s only GSM. Now you need to add UMTS, HSDPA, and so on, and so forth. And, of course, everything is covered by a ridiculously complex set of patents. To top it all off, communication authorities require baseband software to be certified.
Add all this up, and it’s easy to see why every cellphone manufacturer just opts for an off-the-shelf baseband processor and associated software. This does mean that each and every feature phone and smartphone has a piece of software that always runs (when the device is on), but that is essentially a black box. Whenever someone does dive into baseband software, many bugs and issues are found, which raises the question of just how long this rather dubious situation can continue.
It’s kind of a sobering thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, pivots around software that is of dubious quality, poorly understood, entirely proprietary, and wholly insecure by design.
… at least now we know how SkyNet takes over 😛
In every phone I’m aware of except the OpenMoko Freerunner (which uses RS-232), the baseband speaks to the “main” SoC through DMA. That’s what really makes most smartphones impossible to truly secure.
It’s by design of course. Just wait for another Snowden.
I hope it is by design, but Hanlon’s razor might be more adequate here: careful design would produce one small vulnerability to exploit, or several redundant vulnerabilities, but the vast number suggests carelessness and/or stupidity. Though one may easily fit on top of another…
So, basically that black box system has full access to the RAM of the device, while also being the main communication component? This is really nasty.
Aren’t there 3 operating systems on many phones then? SIM card contains kind of an OS too.
Edited 2013-11-13 01:24 UTC
And Bluetooth, Wifi, GPS and touch chips have an internal processor too, running their internal software, which can be quite complex. They tend to use small ARM cores (M3, M0), and generally use an RTOS.
There are tons of RTOS for these applications, from tiny to titanic and from free to very expensive (and these axes are orthogonal): ThreadX, Nucleus, RTXC, pSOS, eCOS, RTMS…
So yes, in your cellphone there are a lot more than three operating systems running at the same time.
Add to that storage, which runs its own firmware, usually with an RTOS. And, if the smartphone has an SD card slot, the SD card runs its own firmware, too.
Indeed, SIM cards have their own OS too.
But they are more secure by design.
SIM cards don’t accept “anything that comes from the air”. Data must be properly encrypted, using industry standard algorithms (3DES or AES). Just this simple protection makes it immensely more secure than the baseband OS.
Now, beyond that protection, these OS are software rubbish. They are safe mostly because they are extremely limited. Someone able to crack (or pass) the encryption layer protection would have no problem crashing the SIM card OS.
But stealing data from it? Nah, that’s the hardest part. This is probably the only thing which has been properly designed in these OSes.
Oh yes? You might want to watch the talk of Karsten Nohl at OHM2013.
Beyond all those that run on their own chips for specific components, there is also a low power operating system in most phones that runs when the phone is powered off. Its main job is to react to power button key events.
edit: typos
Edited 2013-11-13 16:53 UTC
Very relevant warning. What kind of phone does RMS use?
I would think even a modern “dumbphone” would have this nastiness in it. A modem is a modem, and even the most basic cellphone has baseband software, if I’m not mistaken. So much for going off the grid by abstaining from smartphones.
And this potentially affects much more than just cellphones. My wife’s iPad and Kindle are both 3G versions, which means they have AT&T-connected modems in them. The iPad modem is “turned off” via iOS, but that doesn’t necessarily mean it’s off altogether. The Kindle’s 3G is used every few days when she doesn’t have a WiFi connection.
Beyond those devices, how many cars these days come equipped with onboard cellular connectivity? Here in the US it would be most if not all GM vehicles via OnStar, as well as Teslas. I wonder if every one of those devices have the same potential vulnerabilities as your average cellphone.
May be no mobile phones at all?
Tin can and string?
He doesn’t use one. He doesn’t like being tracked.
So I googled it.
He seems to know about this already. So he doesn’t own one but he borrows them from others if he feels the need.
He doesn’t seem to think that his voice can be matched by any listening system(s). GLWT Richard.
What’s ironic is that RMS really does have nothing to hide. He wants everything Free and out in the open, with the exception of personal things that SHOULD be private. He wants his personal privacy not because he’s doing anything illegal (well, maybe he smokes a little pot, but only fascists care about that), but because he believes in the inalienable right of personal privacy.
Basically, as the leader of the “Free” world, RMS is the ideal counter-argument to “if you have nothing to hide.”
But note that not all smartphone operating systems have this architecture; not Symbian, at least.
One of the differentiating points of Symbian is that it doesn’t need a separate baseband processor, as the GSM stack runs on Symbian; it runs on the application processor (it is mostly a cost-cutting measure, as it means the device doesn’t need a separate processor for the baseband).
Not true. Symbian requires a baseband processor. However a lot of Nokia dumbphones would not have two systems, just one.
AFAIK, Symbian 9 is shown in the official documentation as paired with a baseband processor, as in
http://developer.nokia.com/Community/Wiki/Symbian_OS_Internals/02._…
But Symbian 8 was single-chip capable (i.e. with no separate baseband processor); not sure if that capability was maintained in Symbian 9. See
http://www.theregister.co.uk/2006/02/14/symbian_news/
It’s of course the other way around.
Symbian phones lack a separate application processor; the UI runs on the baseband processor.
How can you do radio without a processor that runs it?
Think before you type.
But anyway, how does that matter? One processor or two, the baseband firmware is closed.
How it matters is in fact the critical question. If everything is in the one processor and there is a breach in any part, the complete system could be breached.
Now some phones will be more safe than others.
For example, baseband and GPS can be sharing the same processor/memory for their baseband operations. Great for emergency services and person tracking.
Symbian 8 loads the baseband firmware. So the baseband firmware is a driver under Symbian 8.
So the old Symbian 8 was an Application Processor with a Software-defined radio connected. Basically a PC does not cease to be a PC because you connect a Software defined radio or win-modem either.
What defines whether it is a baseband processor or an application processor is what starts first. On Symbian 8 devices it is Symbian 8.
Yes, this did disappear in Symbian 9. Also you would not get what was Symbian 8 style past the FCC any more. You might be able to get a single processor past using ARM trusted extensions, but the baseband would have to be starting first. Overall it is simple to get past regulators with a dedicated baseband processor with dedicated RAM. There have been issues with phones sharing baseband and application space.
Yes, there is an open source baseband firmware; the issue is legally using it. http://bb.osmocom.org
Yes FCC and other regulator approvals are required to transmit to your standard telephone carriers.
Of course this is not an issue when you are your own carrier outside the normal phone network. Understanding baseband to make SIM cards is in fact critical to open source GSM stations like OpenBTS.
The application part is completely irrelevant when it comes to the telephony functionality.
The microphone and speaker are connected to the BB processor.
A breached BB has the effect of somebody else listening to your calls, reading your SMS.
Nobody cares about the application side.
The stuff on the application processor is just a PDA, if you have a modem in the same case does not matter.
That’s just your definition, nothing accepted by the general public.
Those phones do the demodulation in a DSP which is connected to the (BB-) processor.
The modulation is even done without the DSP involved.
Your definition of a SDR is different than the definition of the rest of the world.
Again, just your gentleman definition.
I’m not a security expert at all, but I’ve been working on mobile radio access technologies for several years, so I feel quite confident to say that some of your claims are wrong. E.g:
“The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security.”
Well, GSM’s baseband was developed from the late 80’s to the early 90’s, UMTS’ from the late 90’s to the early 00’s, and LTE’s can now be considered almost finished. I know that GSM is not secure at all now (it was when it was released, but now it has been cracked), but I’m not so sure about UMTS (CDMA is very hard to demodulate, so cracking is even worse) and LTE (OFDMA is quite a headache).
“What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted.”
This is NOT TRUE. At all. Even from GSM times. Handheld devices run a bunchload of ID checks to know what base station is sending data; and base stations also carefully allocate and check mobile IDs. This is especially true in UMTS (where you have to discriminate interfering users by using pseudorandom codes) and LTE (where you even need angle-of-arrival information to reach more users).
So, I’m not claiming that mobile basebands are inherently secure, but they’re definitely not based on 80’s security technology.
On the other hand, I agree with your viewpoint that the closed implementations and the huge standards are not the best way to allow the community to check for security bugs. But manufacturers are the main supporters of actual standardization bodies, so it’s quite complicated to fight against it.
No? Where does that claim come from?
GSM is a set of standards written in the 80s. Go to the ETSI website and look it up.
UMTS and LTE are newer, but that’s a different topic.
Uh? He gave a concise reason regarding some of the newer basebands.
I’d recommend HackRF if you want to easily mess with baseband. http://www.kickstarter.com/projects/mossmann/hackrf-an-open-source-…
It’s amazing how many people here in the comments claim to have a clue about GSM basebands.
Nobody, even the author of the original article mentioned osmocombb. You may want to look it up.
What you need is a 15$ phone, not a fucking expensive SDR. Just because you know some random piece of hardware does not put you in the position to recommend anything to anybody. If the people reading the comments here are as dumb as you they will waste hundreds of $.
That thing is only usable for GSM. With an SDR you can mess with CDMA, UMTS and LTE. Not only that, but you can do much, much more beside hacking phone networks.
Also, that piece of software is only usable as baseband software for your own stupid phone. You can’t impersonate a base station with it with ease.
Better think before posting stupid comments and embarrass yourself.
Edited 2013-11-14 07:54 UTC
There is no usable code released for anything other than GSM.
Implementing a stack for UMTS takes man years (given a programmer who is experienced in that field already).
This is unrealistic, only a purely theoretical possibility.
Not true. There are quite a lot of applications for osmocombb, not only ‘mobile’, which is the normal MS functionality.
Of course a general purpose SDR has more possibilities, but that’s well out of scope of this discussion.
Yes you can.
http://bb.osmocom.org/trac/wiki/Software/Transceiver
That’s not any more complicated than running ‘mobile’.
“As far as I know, this baseband RTOS is always entirely proprietary.”
Not “entirely” proprietary. Qualcomm’s AMSS is based on OKL4, whose source code is available: http://wiki.ok-labs.com/
I remember being able to download the sourcecode from the same OKL4 version on which the AMSS of a phone of mine was based.
The OS is only a small portion of the code that runs in the baseband, though.
No, OKL4 is closed source. The old “academic” open source version on their site is nothing like the current “commercial” version running on phones.
Also, OKL4 is just a tiny tiny part of the baseband software, the rest was/is/will be closed as always.
Great. That’s the same relationship as with Darwin and Apple iOS. That gets you absolutely nothing, it’s just a microkernel.
Anyone reading this comment thread might find what’s known about the iDevices interesting:
http://theiphonewiki.com/wiki/Baseband_Device
It’s an RTOS and is perfectly capable of running baseband and radio on the same SoC.
BlackBerry could possibly design the cheapest smartphone ever if they exploited their gem fully.
Some Symbian devices already had that architecture, it didn’t really result in major enough cost savings.
[…] “While we can sort-of assume that the base stations in cell towers operated by large carriers are “safe” […]
Well… If things are as described, I wouldn’t trust base stations, in every country I visit.
Perhaps this is tangential, but I just read this article on the decline of Real-Time Linux. https://lwn.net/Articles/572740/
It would be nice if you could have “one kernel to rule them all” – i.e. nearly all functions in a phone handled using the Linux kernel. But I don’t think that will ever happen or would be desirable/feasible in any case?
I don’t think RT Linux would ever be a good fit for Mobile Phones but it’s still a great project for other uses, so its loss would be sad. Maybe somebody more knowledgeable would like to disagree with me?
did run ENEA OSE (www.enea.com) besides the Ericsson OS.
But this was in the past.
But I am pretty sure, the iPhone 5s has at least 3 OSes:
iOS, the baseband-OS and the OS running inside the Cortex-M3 (motion controller).
I think the term OS may be a bit overextended when applied to systems which are basically rudimentary executives.
What makes an OS an OS? Can we call DOS an OS? Or does an OS need at least virtual memory? Or even a (G)UI?
Granted, the average woman/man on the street will use the term OS for Windows (and maybe Linux).
Nowadays even iOS or Android come to mind. But to me these are GP (general purpose) OSes.
For example, QNX. This OS even claims to be an RTOS. But the executive is Neutrino, the µkernel.
So to me, any SW which handles resource management, offers some kind of IPC and supports multiple tasks is an OS.