Phone Hacking Extended to Radio Firmware: Presentation
Most publicly released phone hacks, whether jailbreaking/rooting on the "white hat" side or wiretapping/monitoring on the "black hat" side, gain privileged access by exploiting bugs in programs running in the phone's user space (the apps bundled with the operating system and the apps you download and install from the marketplace). A new approach to be demonstrated at the Black Hat conference in Washington, D.C. will showcase a previously impractical method: attacking the phone's baseband processor.
The baseband processor is generally a separate CPU from the applications processor, which runs all of the apps you are familiar with. Baseband processing is kept on its own processor because timing is critical for everything it does: it runs a "real-time OS" that must interpret and respond to incoming cellular network traffic within strict deadlines, without waiting on user input or competing with other background programs.
Cellular communications carry a much higher level of trust than the application side (the phone assumes the cell tower it talks to is legitimate; in GSM the phone authenticates to the network, but the network never authenticates to the phone), so each transaction is subjected to far fewer security checks than the operating system applies to its own software. This was not much of a problem in the past, because a GSM base station was too expensive to be practical for an attack. With the advent of OpenBTS and similar software, combined with a hardware platform such as the USRP, it is now possible to run your own GSM cell tower at a relatively low cost (several thousand US dollars versus tens of thousands of US dollars).
This approach is, however, hampered by legal issues: in most countries the cellular frequencies are strictly licensed, and transmitting on them with such equipment for this purpose may be illegal, which is why researchers normally test inside a shielded enclosure rather than over the air.
Radio firmware hacking may eventually lead to things such as a SIM-free GSM phone, in which the modified radio firmware emulates a SIM card. Wiretapping at a level completely transparent to the phone's operating system is also possible: because the baseband sits below the OS, the user would see no outward sign of tampering.