How much protection does an add-on GSM modem give me vs. built into phone ?

John Case case at SDF.ORG
Wed Oct 3 21:09:17 UTC 2012



> First, stay away from Qualcomm-based phones. In them the baseband controls
> all physical memory, as documented in the Replicant project, and thus has
> control over the application processor (the "unix computer").


Ok.  So what I am shooting for is a firewall between the baseband 
processor and the application processor, and I was indeed correct that in 
a "real" mobile phone there is a lot of bleeding between the two.


> Second, even Infineon-based phones are not completely safe, however you can
> use Replicant on the Nexus S, and thus there is no proprietary binaries (on
> the Unix side) and less risk of meddling from a third party. However, this
> won't prevent a baseband exploit from doing evil stuff. In addition there
> are Android vulnerabilities constantly appearing, last one as you may have
> heard concerned the SGS3's NFC stack.


Well, that is why I said "unix computer" and not specifically android - if 
I am running a computer (like a samsung galaxy player) then I could do 
something besides android, and perhaps gain quite a bit of control.


> Finally, the scenario you suggest (connecting a 3G USB modem) to a computer
> seems very impractical although it adds a layer of safety since the
> microphone will be fully under the control of the system you trust. However
> battery life will probably be very, very short as compared to your current
> 2G phone.


Yes, ok.  Battery life is bad, as well as the physical logistics of 
connecting a full sized USB dongle to a micro-USB port, etc.


> By the way, as documented in presentations at CCC, Blackhat, etc. GSM
> networks are not safe, there are multiple vulnerabilities ranging from
> offline decryption of comms to active mitm attacks. 3G networks use
> stronger, mutual authentication and do not suffer from this. In several
> phones, such as the Nexus S, you can force the network mode to 3G only and
> therefore have a better level of security.


Yes, but the real trick I am interested is isolating (or at least 
controlling) the interaction between the baseband processor and the 
application processor.  Using a computer with a USB dongle gives me that 
control ... would I have that same level of control if we had free 
software running on the baseband processor, or is there still additional 
bleeding possible simpy by virtue of being built into the computer ?

Also, just for my own notes, what is the industry term for "making changes 
to application processor side of customers handset?"  I have heard of some 
regular examples of how carriers update things and enforce changes to 
phones in this way (or relock them ?) but what is the term for that 
behavior ?

Thanks.




More information about the baseband-devel mailing list