advertisement
advertisement

Secrets From Your Smartphone’s “Other” OS

Radio and sub-cellular signals are interpreted by a hidden operating system within every brand of smartphone. And it’s full of security holes waiting to be exploited.

Secrets From Your Smartphone’s “Other” OS
[Image: Flickr user Lennart Tange]

With all the information access we give our smartphones, OS security exploits rightly get immediate attention (and nearly immediate patching). But there’s a secondary OS running behind iOS, Android and the rest, used exclusively to interpret radio signals to cell towers–whose 90s-era code has such minimal exploit mitigation that it’s a wonder it hasn’t been used for large-scale hacks or pranks.

advertisement

For starters, this OS operates in real-time–it’s called a real-time OS, or RTOS–and sits in firmware running on the baseband processor (which is the master to the application processor running the front-end OS). The software here is all proprietary, its source code locked, preventing peer review. As OSNews’ Thom Holwerda points out, this is by design, since the baseband processor/radio combo were designed in the 80s, coded in the 90s, and built to inherently trust incoming data from a base station like a cell tower. And since baseband controls radio, you can hack it over the air–no local connection to the device is required.

So what’s standing between you and widespread hacking? Nothing but ignorance. Coded 20 years ago and fully proprietary, the antiquity and lack of awareness of around RTOSes are their saving grace; in fact, the OS only exists on Wikipedia as a single note referencing Holwerda’s article. On the other hand, most phone providers buy off-the-shelf baseband implementation, meaning that if you crack one, you crack them all.

“Baseband hacking” became a real thing to fear as far back as 2008 when the jailbreak pioneering iPhone Dev Team spoke about iPhone baseboard hacking possibilities at 25C3 in Berlin. University of Luxembourg Security Researcher Ralf Philipp Weinmann discussed it at DeepSec2010 and it finally buzzed around the mediasphere in early-to-mid 2011 after Weinmann’s Black Hat presentation.

Despite Weinmann’s ability to hack one of these with an airborne 73-byte message to get a remote code execution, the execution of such a hack is still difficult for the average hacker–so much that a $100,000 prize was left on the table at last weekend’s Pwn2Own competition in Tokyo after hackers failed to hack any phone’s baseband processor.

Know anyone who can crack a RTOS? We’d love to hear about them. Tweet us @fastcolabs and let us know.

advertisement
advertisement