Your cellular device's "hidden OS" and why you should be very concerned

Inside of every cellular capable device, there is of course a radio. Controlling all of the functions of this radio is a baseband processor running a proprietary RTOS (Real Time Operation System) which is stored in firmware.

Outside of the companies that make the radio chips, little is known about these RTOSes and as the security researcher named in this article discovered when he set about reverse engineering one, there's every reason to believe that many of them are horrendously insecure and vulnerable to OTA attacks.

So, we have a complete operating system, running on an ARM processor, without any exploit mitigation (or only very little of it), which automatically trusts every instruction, piece of code, or data it receives from the base station you're connected to. What could possibly go wrong?

he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits - crashing the device, and even allowing the attacker to remotely execute code. Remember: all over the air. One of the exploits he found required nothing more but a 73 byte message to get remote code execution. Over the air.

Put a compromised base station in a crowded area - or even a financial district or some other sensitive area - and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.

OS news source

Base stations, depending on the cell standard and power are available on eBay for as a little as a few hundred dollars for a used mobile unit. The expertise and knowledge necessary to exploit these vulnerabilities isn't exactly commonplace but security through obscurity is really no security at all. I would be really surprised if intelligence agencies weren't already capable of exploiting the holes in RTOSes for several vendors.

Also have you noticed that nearly all the newest smartphones do not have removable batteries? When mine goes all glitchy I can't just remove the battery and hold the power button like I did on my last 4 phones....

It made me wonder if it turns off a little early and could use reserve battery to track me in a "national security" situation. Hmmmm

reply to post by theantediluvian


"Outside of the companies that make the radio chips, little is known about these RTOSes"

That part is untrue... Every single baseband update for apple/android/windows/blackberry have been jail broken and unlocked allowing you to not just jailbreak the OS (iOS/android/etc) but unlock the baseband allowing you to now use any carrier you wish.

For example I have a baseband hacked iPhone that I use with tracfone prepaid service.

Basebands are simple, dump the binary, decompile and go to work..just need to know assembly or convert the assembly up a level into whatever ya wish to deobfuscate

Sever forums for jail breaking also have sections for baseband dumps to look through code and edit/hack

You'd be surprised how much can be stored on your phone without your knowledge.

If you have a modern android device, all you have to do is go to settings-about phone/device-android version. Tap android version multiple times and you'll get an easter egg. Mine is an image of a zombie gingerbread man.

And if the programmers are capable of this, then who knows how many more secrets are buried deep within the coding.

8675309jenny
Also have you noticed that nearly all the newest smartphones do not have removable batteries? When mine goes all glitchy I can't just remove the battery and hold the power button like I did on my last 4 phones....

It made me wonder if it turns off a little early and could use reserve battery to track me in a "national security" situation. Hmmmm

You know the cell phones have more than one battery, right

Why is my computer still running and it's turned off....?

Unless you own a Mac you could have up to three back doors on your computer, I'm not sure about Mac.

reply to post by Thecakeisalie


Ok, I know nothing about these phones. But I did what you said and I got a jellybean with a face. Kind of creepy.

I figured, from being on here, that the government can track you through your phone, but I guess I'm not really grasping what else you guru's are talking about. *Sigh*
I need one of you living next door.

Cito
reply to post by theantediluvian

 

"Outside of the companies that make the radio chips, little is known about these RTOSes"

That part is untrue... Every single baseband update for apple/android/windows/blackberry have been jail broken and unlocked allowing you to not just jailbreak the OS (iOS/android/etc) but unlock the baseband allowing you to now use any carrier you wish.

For example I have a baseband hacked iPhone that I use with tracfone prepaid service.

I'm not sure if you (or me) missed the point. The point being, the "radio" part of your cellphone is hackable, and probably will be increasingly hacked in future. Jailbreaking your phone has very little to do with hacks in case, afaik.

Analogy would be something like an airfield; you are talking about take-offs when the issue in hand is landing.

Not 100% sure i'm correct, so warm up your spices

EDIT: What i do remember from the first and 2nd gen JB's, they were not that "smart solutions" people would easily think. ie. code cancelling other instructions with brute force. Then again, jailbreaking is offtopic kinda.

I got a zombie gingerbread man too...with a green robot...weird..tell us more..because when it comes to phones..im just not that into them. I don't even use any features..just pick it up when it rings..or dial out..that's it.

I have a phone that's so old it looks like it's a toy that dispenses candy. Am I safe?

reply to post by Thecakeisalie


All you are doing is allowing the developer options to be accessible. Nothing too scary there. Pretty sure it is common to all android 4.x devices.

Thecakeisalie
You'd be surprised how much can be stored on your phone without your knowledge.

If you have a modern android device, all you have to do is go to settings-about phone/device-android version. Tap android version multiple times and you'll get an easter egg. Mine is an image of a zombie gingerbread man.

And if the programmers are capable of this, then who knows how many more secrets are buried deep within the coding.

Edit: Oooh, keep on tapping build number....eventually it says you have developer mode...anyone come across this before?







Great trick!

If you tap build number multiple times...it tells you, you are 3 steps from becoming a developer


Sorry on topic: Nowadays if you own a mobile, you are fair game, it truely sucks, yet we all still do it.

All in the name of progress ???

Wonder is there are any android developers out there working on a work around?

Is it even possible?

and Now they made it illegal to alter the software of the Phone you own....

Or do you own it??

reply to post by AbleEndangered


I didn't know it was illegal. I just heard that it would void your warranty and any insurance you may have bought for it, in case of damage.

reply to post by chiefsmom


Yeah its scary actually...

Unlocking Your Phone Can Get You 5 Years In Jail, But It's Never Been More Popular
www.businessinsider.com/phone-unlocking-never-been-more-popular-2013-8
www.businessinsider.com...

After the Copyright Office and Library of Congress removed the Digital Millennium Copyright Act exemption for unlocking cell phones in November, anyone unlocking a new cell phone or providing unlocking services after Jan. 26 could risk up to five years of jail time for each offense.

You Could Go To Jail For Hacking Your iPhone And Obama Wants To Change That
www.businessinsider.com/obama-pushes-to-change-unlocking-law-2013-9
www.businessinsider.com...

^ Sure he is.....

reply to post by Thecakeisalie


My says jelly bean.

Thecakeisalie
You'd be surprised how much can be stored on your phone without your knowledge.

If you have a modern android device, all you have to do is go to settings-about phone/device-android version. Tap android version multiple times and you'll get an easter egg. Mine is an image of a zombie gingerbread man.

And if the programmers are capable of this, then who knows how many more secrets are buried deep within the coding.

Wow time for you to update your OS on your phone gingerbread is like 3 yrs old update to jelly bean.This was sent out to all android devices through there carriers.Its faster and security is better as well.The latest is Kit kat and that only available on one device so far still in beta testing if you will.

People should note the "Real Time" aspect of RTOS'es. It means that anything you say can be used against you.

No longer can remove batteries, huh?

If I asked you if you wouldn't mind carrying a monitoring device that could be used to track your whereabouts and even be remotely turned on to listen to what you were saying, you wouldn't mind would you?

Yet most everyone these days willingly pay to carry these things on their person in the form of mobile phones.

They track wild animals too. Difference being they use radio collars around their necks.

chiefsmom
reply to post by Thecakeisalie

 

Ok, I know nothing about these phones. But I did what you said and I got a jellybean with a face. Kind of creepy.

I figured, from being on here, that the government can track you through your phone, but I guess I'm not really grasping what else you guru's are talking about. *Sigh*
I need one of you living next door.

Yes I hope your number does not come up on. Dial a Drone.
Not in US anyhow, just keep saying how much you love and respect you,r Father Land, Hile!
No! Really they have no choice, they have started something, that can not be stopped.
In the old days a guy would make a lock and say it was the best, some other guy would open said guy's lock and declare that his lock, was the best lock. How long did take to break, the thumb print code lock on new I-phone? What if you have the master keys to start with.
I guess this is still the information age, information gotten and having access to by any means possible.

Don't worry when the Singularity, finally get's here, they won't be able to control it, the way they control the people. Dave what are you doing, Dave?

I believe "they" can track you by your phone. I believe that "they" can listen, and even watch you through your phone. That's exactly why I only use Trac-Phones. Yes, it's ancient-looking, and yes, people might LOL at it, but I never really cared about what people thought anyways. I'm not one of those people who have a cell phone on at all times. In fact, I only carry one if I'm gonna be out in the wild or something. Occasionally, I will take it with me to the store, but I generally ask my wife if there's anything she needs, then she better tell me before I leave or it's just tough titty. I refuse to be one of those people walking around looking at their damn phone. I won't do it. If I need to go on the interwebz then it'll have to wait 'til I get home. I am very concerned at hidden code in phones, or being watched, or listened to through any device. I know TPTB are very paranoid because a lot of people are talking about them. Hell, My senator(Rockefeller) was talking about banning the internet. They're scared, and they have every right to be because people are on to them. They're trying to 'see it coming', but so rarely is anyone afforded that luxury.

Cito
reply to post by theantediluvian

 

"Outside of the companies that make the radio chips, little is known about these RTOSes"

That part is untrue... Every single baseband update for apple/android/windows/blackberry have been jail broken and unlocked allowing you to not just jailbreak the OS (iOS/android/etc) but unlock the baseband allowing you to now use any carrier you wish.

For example I have a baseband hacked iPhone that I use with tracfone prepaid service.

Basebands are simple, dump the binary, decompile and go to work..just need to know assembly or convert the assembly up a level into whatever ya wish to deobfuscate

Sever forums for jail breaking also have sections for baseband dumps to look through code and edit/hack

You make a valid point but while reverse engineering with the aid of tools like IDA has indeed born fruit, particular in terms of unlocking phones, the totality of what's known by people who are not employed by the chipset manufacturers and their customers' dev teams could fit into a pretty thin volume. You're really glossing over the complexities of reverse engineering and greatly overstating the efficacy of decompiling. Disassembling is only a first step (or second actually) and many tedious hours of debugging/analysis/mapping/etc are required to acquire even a basic understanding.

But I digress, the article is more about continuing efforts to make people aware of the fact that these RTOSes have been created with an apparent disregard of modern secure coding concepts and principles thereby resulting in a host of vulnerabilities as well as the inherent flaws in protocols that lead to blind trust of a base station. These vulnerabilities become even more concerning when you consider the increasing popularity of baseband hacking and the availability of software like OpenBTS.

In short, it's a warning to the public that chipset vendors and cellular device manufacturers need to step up their game.