Have carrier attacks from the baseband been seen in the wild?
By comparison, application-based encryption of messages addresses a bunch of real threats. The NSA is not the only threat; malicious wifi operators, for example.
"Fake cell towers" are rampant across America and operate without warrants. That's why the police are trying so hard [0] to protect their existence. There is a new project today announced to track all the IMSI catchers around America: https://www.indiegogo.com/p/1016404
These tend to be used to track locations of people but they can also be used to intercept SMS and mobile internet traffic.
They're vectors for layer-2 attacks. The (valid) implication is that you don't have to assume Verizon is colluding with NSA to be concerned about attacks on the baseband.
Good point. But at the same time, a secure, bug free baseband won't save you from a fake cell tower that's intercepting and recording your text messages.
Yes, but a secure, bug free open baseband would, since the first use cases that would be addressed is verification of towers, not blindly camping to the strongest signal, and monitoring your cipher strength.
With an open baseband you could do much more useful and sophisticated firewalling and ACL of your interaction with the cellular network.
As it stands now, you just camp to the strongest signal and do whatever it tells you - including download and run arbitrary java apps to run on your sim card (probably without your knowledge).
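The policy sketched above (verify the tower, refuse to camp blindly on the strongest signal, watch the cipher the network asks for) as a small added example; this is illustrative code written for this thread, not part of any real baseband or of the original comments, and every cell identifier, PLMN and signal value in it is constructed sample data:

```python
"""Toy 'cell-selection firewall' (added example, not from the thread).

Instead of the default behaviour the comment describes (camp on the strongest
signal and obey it), an open baseband could apply a policy before attaching:
  * only PLMNs (MCC/MNC) the owner allows,
  * only ciphers at or above a chosen floor (A5/0 means no encryption),
  * an unknown cell that suddenly has the strongest signal raises an alert,
    which is the classic pattern of a portable fake base station.
All identifiers and RSSI values below are constructed for the example.
"""

from dataclasses import dataclass

# GSM cipher strengths, weakest to strongest.  A5/0 = no encryption at all.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


@dataclass(frozen=True)
class Cell:
    mcc: str        # mobile country code
    mnc: str        # mobile network code
    lac: int        # location area code
    cid: int        # cell id
    rssi_dbm: int   # received signal strength (higher = stronger)
    cipher: str     # cipher the network requested on this cell


@dataclass
class Policy:
    home_plmn: set            # allowed (mcc, mnc) pairs
    known_cells: set          # (lac, cid) pairs seen before in this area
    min_cipher: str = "A5/1"  # refuse anything weaker than this


def evaluate_cell(cell, policy):
    """Return (allowed, reasons); reasons lists every rule the cell violates."""
    reasons = []
    if (cell.mcc, cell.mnc) not in policy.home_plmn:
        reasons.append("plmn-not-allowed")
    if CIPHER_RANK.get(cell.cipher, -1) < CIPHER_RANK[policy.min_cipher]:
        reasons.append("cipher-too-weak:" + cell.cipher)
    if (cell.lac, cell.cid) not in policy.known_cells:
        reasons.append("unknown-cell")
    return (not reasons, reasons)


def naive_select(cells):
    """What the comment says happens today: strongest signal wins, no questions."""
    return max(cells, key=lambda c: c.rssi_dbm)


def select_cell(cells, policy):
    """Strongest cell that passes the policy, plus alerts for the strongest cell
    if it failed (an unknown strongest cell is the IMSI-catcher signature)."""
    alerts = []
    strongest = naive_select(cells)
    allowed, reasons = evaluate_cell(strongest, policy)
    if not allowed:
        alerts.append((strongest.lac, strongest.cid, reasons))
    candidates = [c for c in cells if evaluate_cell(c, policy)[0]]
    chosen = max(candidates, key=lambda c: c.rssi_dbm) if candidates else None
    return chosen, alerts


# Constructed sample data: two known home-network cells and one very strong
# unknown cell that asks for no encryption.
SAMPLE_POLICY = Policy(home_plmn={("310", "260")},
                       known_cells={(1001, 42), (1001, 43)})
SAMPLE_CELLS = [
    Cell("310", "260", 1001, 42, -85, "A5/1"),
    Cell("310", "260", 1001, 43, -92, "A5/3"),
    Cell("310", "260", 1001, 999, -60, "A5/0"),   # strongest, unknown, A5/0
]

if __name__ == "__main__":
    print("naive pick :", naive_select(SAMPLE_CELLS).cid)
    chosen, alerts = select_cell(SAMPLE_CELLS, SAMPLE_POLICY)
    print("policy pick:", chosen.cid if chosen else None)
    for lac, cid, reasons in alerts:
        print("ALERT cell", lac, cid, "rejected:", ", ".join(reasons))
```

Run as a script it shows the naive baseband attaching to cell 999 (the strongest, unknown, unencrypted one) while the policy attaches to cell 42 and logs why 999 was refused. A real implementation would seed `known_cells` from the phone's own history and would also track the other signals the comment mentions, such as a cipher downgrade on a cell that used to offer A5/3.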
German police and intel agencies sent 440,000 SMS type0/stealth attacks to trace phones last year, the FBI sent an OTA to a suspect's internet stick to broadcast his location, and something shady is going on at airports according to Cryptophone GSMK, whose radio 'firewall' goes off whenever you get near an airport. Besides that Samsung backdoor found by Replicant Mod that has access to /data and /sdcard, I haven't heard of other directed attacks yet.
Of course Google can install whatever they want on your device if given an NSL, including a modified WhatsApp that sends in plaintext straight to the police everything you type, but I haven't heard of that yet either.
Since Facebook makes money harvesting data, I wonder if WhatsApp grabs advertising keywords first and then sends via the TextSecure layer.
How would you see a baseband attack in the wild without access to the baseband? It is a circular problem. The main issue is "we just don't know," the baseband is unverifiable from a security standpoint.
Good luck detecting baseband attacks in the wild. I hope you've got a transceiver with you and a rainbow table for cracking the A5/1 etc. on your cell link.
@nsxwolf because surprisingly the baseband is actually the main processor in most modern designs, the application processor (your quad core snapdragon or whatever) is a slave to the baseband and receives events and data it
Partly because, historically (e.g. on feature phones), the GSM baseband serves as the primary processor (with real-time responsiveness requirements), with "applications" as a subordinate function. The concept of GSM being "just" a modem peripheral is a more recent development, coming more from the laptop arena; pushing that model down into phones (especially cheap phones) will take work.
Even on top of that, the concept of not trusting your peripherals is a recent one as well. Ideally, all hardware peripherals would have no more permissions than they need; for instance, no ability to DMA except to specific pre-arranged regions. In practice, most systems don't actually set up that level of security.
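The "no DMA except to specific pre-arranged regions" rule from the comment above, as an added example; this is a toy model written for this thread of what an IOMMU-style table enforces, not code from any real system, and the device names, addresses and sizes are constructed:

```python
"""Toy model of least-privilege DMA for peripherals (added example).

A peripheral such as a baseband is granted explicit windows of host memory,
each read-only or read-write.  Every DMA request must lie wholly inside one
granted window with the right permission; anything else (kernel memory,
straddling the end of a window, zero length, unknown device) is refused.
This is a simplification of page-granular IOMMU mappings.  All addresses and
device names are constructed for the example.
"""

from dataclasses import dataclass, field

ADDRESS_BITS = 48                  # assumed physical address width


@dataclass(frozen=True)
class Window:
    base: int
    size: int
    writable: bool

    @property
    def end(self):
        return self.base + self.size   # exclusive upper bound


@dataclass
class DmaTable:
    windows: dict = field(default_factory=dict)   # device -> [Window, ...]

    def grant(self, device, base, size, writable=False):
        """Host pre-arranges a region the device may touch (default read-only)."""
        if size <= 0 or base < 0 or base + size > (1 << ADDRESS_BITS):
            raise ValueError("invalid window")
        self.windows.setdefault(device, []).append(Window(base, size, writable))

    def check(self, device, addr, length, write):
        """True only if [addr, addr+length) is inside ONE granted window and the
        window permits the direction.  Default is deny."""
        if length <= 0 or addr < 0 or addr + length > (1 << ADDRESS_BITS):
            return False                        # overflow / nonsense request
        for w in self.windows.get(device, []):
            if w.base <= addr and addr + length <= w.end:
                return w.writable or not write  # reads always ok inside window
        return False

    def audit(self, device, requests):
        """Apply check() to a list of (addr, length, write) and return the
        rejected ones: the host's log of what the peripheral tried to do."""
        return [r for r in requests if not self.check(device, *r)]


# Constructed example: the baseband gets a read-only buffer for outbound
# packets and a small read-write buffer for inbound packets, nothing else.
def sample_table():
    t = DmaTable()
    t.grant("baseband", 0x1000_0000, 0x1_0000, writable=False)
    t.grant("baseband", 0x2000_0000, 0x1000, writable=True)
    return t


# Constructed requests: two legitimate, three that a least-privilege
# table must refuse (write into read-only region, kernel memory, straddle).
SAMPLE_REQUESTS = [
    (0x1000_0000, 0x200, False),   # read from outbound buffer: allowed
    (0x2000_0800, 0x100, True),    # write into inbound buffer: allowed
    (0x1000_0000, 0x10, True),     # write into read-only window: refused
    (0x8000_0000, 0x40, True),     # kernel memory, never granted: refused
    (0x2000_0FF0, 0x20, False),    # runs past end of window: refused
]

if __name__ == "__main__":
    for addr, length, write in sample_table().audit("baseband", SAMPLE_REQUESTS):
        print("DENIED %s 0x%x+0x%x" % ("write" if write else "read", addr, length))
```

The point the comment makes is that most systems do not set this up, so the peripheral's effective permission is the whole of memory; in the model that corresponds to a table with no `grant` calls, where `check` denies everything, versus no table at all, where nothing is checked.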
Is this true of say, the iPhone? It seems like a wifi iPad or iPod Touch is exactly the same as an iPhone, but without the baseband. If the baseband were a peripheral of the A8 SoC, this would seem like a trivial difference. But it seems if that's not the case, the iPad A8 would have considerable architectural differences compared to the iPhone one.
It's less true in some modern smartphones (disclaimer: not an expert on the iOS/iDevice architecture in particular), but a shocking amount of code still ends up on the baseband, and the baseband still has as much trust as the kernel. For example, the baseband processor often serves as an offloading engine for power-efficiency reasons, to avoid waking up the main processor; thus, the baseband processor might have direct access to the audio hardware, so that phone-call audio doesn't need to wake up the host CPU.