Your smartphone runs a second operating system which controls all radio communication with the base station. By exploiting this second OS, an attacker can remotely control the smartphone’s functionality: activating the microphone and camera, committing SMS or phone fraud, installing rootkits, or permanently destroying the device.
In addition to the application operating system such as iOS, Android, Windows or Blackberry, all smartphones run a second operating system in firmware on a separate processor, to manage radio communication with the base station. The base station is generally a trusted cell phone tower; however, an attacker can easily employ a portable base station transceiver to automatically communicate with, and infiltrate, all smartphones in the vicinity.
Smartphones have a dual-CPU architecture – an application processor (APP) and a baseband processor (BB). The application processor runs the phone’s applications, while the baseband processor interfaces the phone with the cellular network. Most baseband processors are ARM processors. On an iPhone or a Samsung Android phone, for example, these two processors are on the same chip. Both CPUs generally have their own RAM; however, some Android smartphones share RAM between the two processors. On iPhones and Samsung Galaxy devices, the baseband processor is the master – the application processor runs on top of the baseband.
By directly accessing the baseband processor through a rogue baseband transceiver, an attacker can bypass the application processor and all security mechanisms contained in the application layer. A GSM base transceiver station to conduct this attack can be purchased for around $1,500. From the baseband processor, direct attacks can control the whole device. Attacks on the baseband processor are totally invisible to the application layer, so they cannot be detected by any protection mechanism running at the application level. There are also large RAM resources available to the baseband processor, which an attacker could use, for example, to store considerable amounts of recorded audio. When a data connection is next made, the audio can piggyback on it and be sent to the attacker’s server.
Firmware on the baseband processor is proprietary to companies such as Qualcomm, Infineon and Intel. Earlier iPhones used Infineon firmware; later models are equipped with Qualcomm. Samsung uses Qualcomm in the US, and Intel in Europe and Asia. HTC Android phones use Qualcomm. Blackberry and Windows phones have Qualcomm firmware. The firmware code base was created in the 1990s, when security issues were vastly different, resulting in lax security protections on the baseband processor – for example, all radio inputs from a base station are automatically trusted by the device. Even though the source code is not available, reverse engineering has been conducted to identify vulnerabilities in the baseband processor. Much of the work in this area has been done by Ralf-Philipp Weinmann of the University of Luxembourg.
Attacks on the baseband processor can be made via the cellular baseband stack, where a rogue transceiver is used to spoof a GSM network. Mobile devices will automatically connect to the rogue transceiver rather than the legitimate network if the signal strength from the rogue transceiver is greater, i.e. when it is closer to the phone. To assist connection, attackers can also use a jammer to suppress signals from the legitimate network. As GSM does not authenticate the network to the phone (there is no mutual authentication), there is no protection against connecting to the rogue transceiver.
This attack can also be conducted against USB data dongles used to connect a laptop to the internet.
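The article's two preconditions for this attack, a rogue cell that wins on signal strength and a GSM connection the phone cannot authenticate, are exactly the observable symptoms a defender can watch for from the application side. The following is an added illustration (not code from the article, nor from any handset vendor or detection app): a small heuristic "rogue cell" detector run over constructed cell-observation log lines. The log format, the baseline of known cells, the 20 dB jump threshold and the indicator list are all assumptions made for the example; the "no ciphering" (A5/0) indicator is a further GSM weakness beyond what the article states.

```python
# Heuristic rogue-base-station detector over constructed cell observations.
# Added illustration for this article; not the article's or any vendor's code.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CellKey = Tuple[str, str, int, int]  # (MCC, MNC, LAC, cell id)

# Indicator codes reported in alerts (names chosen for this example).
UNKNOWN_CELL = "unknown-cell"      # cell never seen in the baseline survey
SIGNAL_JUMP = "signal-jump"        # much stronger than the cell we just left
DOWNGRADE = "downgrade-to-gsm"     # dropped from LTE/UMTS to GSM
NO_CIPHER = "no-ciphering"         # GSM connection with A5/0 (no encryption)


@dataclass
class CellObservation:
    ts: int          # seconds since start of capture (constructed)
    mcc: str
    mnc: str
    lac: int
    cell_id: int
    rssi_dbm: int
    rat: str         # "LTE", "UMTS" or "GSM"
    cipher: str      # "A5/1", "A5/3", "A5/0" or "-" when not applicable

    @property
    def key(self) -> CellKey:
        return (self.mcc, self.mnc, self.lac, self.cell_id)


@dataclass
class Alert:
    ts: int
    cell: CellKey
    reasons: List[str] = field(default_factory=list)


# Assumed log format: one observation per line, space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) mcc=(?P<mcc>\d{3}) mnc=(?P<mnc>\d{2,3}) lac=(?P<lac>\d+) "
    r"cid=(?P<cid>\d+) rssi=(?P<rssi>-?\d+) rat=(?P<rat>\w+) cipher=(?P<cipher>\S+)$"
)


def parse_line(line: str) -> Optional[CellObservation]:
    """Parse one log line; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return CellObservation(
        ts=int(m["ts"]), mcc=m["mcc"], mnc=m["mnc"], lac=int(m["lac"]),
        cell_id=int(m["cid"]), rssi_dbm=int(m["rssi"]), rat=m["rat"], cipher=m["cipher"],
    )


def analyse(observations: List[CellObservation], baseline: Set[CellKey],
            jump_db: int = 20) -> List[Alert]:
    """Flag observations that match one or more rogue-cell indicators."""
    alerts: List[Alert] = []
    prev: Optional[CellObservation] = None
    for obs in observations:
        reasons: List[str] = []
        if obs.key not in baseline:
            reasons.append(UNKNOWN_CELL)
        if obs.rat == "GSM" and obs.cipher == "A5/0":
            reasons.append(NO_CIPHER)
        # Compare against the previous cell only when the phone actually moved cells.
        if prev is not None and prev.key != obs.key:
            if obs.rssi_dbm - prev.rssi_dbm >= jump_db:
                reasons.append(SIGNAL_JUMP)
            if prev.rat in ("LTE", "UMTS") and obs.rat == "GSM":
                reasons.append(DOWNGRADE)
        if reasons:
            alerts.append(Alert(obs.ts, obs.key, reasons))
        prev = obs
    return alerts


# Constructed sample: a phone camped on two known LTE cells, then a brand-new
# GSM cell appears with a much stronger signal and ciphering disabled.
SAMPLE_LOG = """\
0 mcc=262 mnc=01 lac=4711 cid=10001 rssi=-85 rat=LTE cipher=-
30 mcc=262 mnc=01 lac=4711 cid=10001 rssi=-83 rat=LTE cipher=-
60 mcc=262 mnc=01 lac=9999 cid=60001 rssi=-55 rat=GSM cipher=A5/0
90 mcc=262 mnc=01 lac=4711 cid=10002 rssi=-80 rat=LTE cipher=-
this line is garbage and is skipped
"""

# Constructed baseline of cells seen during a normal survey of the area.
BASELINE: Set[CellKey] = {("262", "01", 4711, 10001), ("262", "01", 4711, 10002)}


def run_sample() -> List[Alert]:
    obs = [o for o in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if o]
    return analyse(obs, BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"t={a.ts}s cell={a.cell}: {', '.join(a.reasons)}")
```

On the sample the only alert is the observation at 60 s, which trips all four indicators at once; a single indicator on its own (a new cell after a short drive, say) is weak evidence, so in practice alerts are scored by how many independent indicators coincide. The caveat the article itself implies: this logic consumes cell information that the baseband reports to the application processor, and since a baseband compromise is invisible to the application layer, a compromised baseband could report whatever it likes. It detects the rogue-cell precondition, not the baseband exploit.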
Most security attention is focussed on the application layer of smartphones, and the application layer is far more hardened than the baseband processor. However, baseband attacks are a serious threat. Although some baseband vulnerabilities have been fixed, this threat vector remains a major weakness because it receives far less attention.