Comment by DCKing

6 years ago

This blogpost propagates what I'd like to describe as an urban legend about baseband processors and main memory. The story originates from old times where even fancy phones allowed the baseband to write everywhere in main memory. The myth then becomes that you need the baseband physically separated from your main application processor.

But the world's moved on since those reports were made. It's FUD: https://www.reddit.com/r/CopperheadOS/comments/6wtul0/on_sen...

18 comments

DCKing

Reply
DyslexicAtheist  6 years ago

the claims on this link to the CopperheadOS reddit post dismisses the importance of baseband security which is pretty insane.

The baseband is permanently attached to a public network. Not having control over whether that connection actually is up is a huge security hole. The entire baseband software stack runs in supervisor mode. There are no non-executable pages, there's no stack protection.

EDIT-1: Qualcomm baseband chips have location tracking baked in. Even with a clean OS and no tracking apps, the baseband does it. The tracking data is commercially available: https://web.archive.org/web/20180514003056/https://www.qualc...

SeanMacConMara  6 years ago

It's not FUD. It's about different threat models.

General design failures/bugs from assumed acting-in-good-faith silicon/sw designers vs not-acting-in-good-faith silicon/sw designers.

Assuming the radio's are the primary threat to privacy then I'd prefer a design from a privacy activist company who explicityly designs the hw so that the less trustable parts are forced behind physcial and defined interface "firewalls".

  • DCKing  6 years ago

    No, it is FUD. Their threat model is explicit:

    > Complex parts like the cellular modem or the WiFi can access the very same RAM that is used at runtime to store your most private data, but at the same time they are controlled by binary-only firmware that no one except the manufacturer of that chip has access to.

    For the cellular modem, in your run-of-the-mill iPhone or Android phone nowadays, it is simply false that the cellular modem can access arbitrary data in RAM. Can't tell you about WiFi, but I expect a similar situation.

    There's a lot of room for improvement in secure smartphone architectures, but the "baseband can read your photos" trope is simply false.

    • jcims  6 years ago

      I don’t know much about the responsibilities of the baseband but it seems that there are other attack vectors. Can it read storage? What about unencrypted content going over the network?

      3 replies →

    • SeanMacConMara  6 years ago

      I think we are talking at cross purposes.

      If the chips are tightly integrated propriatary black boxes like on most hw then from my POV its _physcially_ possible for them to read anything regardless of what the designers/industry say because I do not trust them.

      You trust your sources that say "..simply false that the cellular modem can access arbitrary data in RAM". I don't. Even if you claim to have personally designed, fabbed and shipped that silicon I still have no practical reason to trust.

alex_duf  6 years ago

I know very little about the topic so bearing that in mind:

We're already in a world were we can't quite trust our CPUs, so why trusting baseband chips?

If it does make the design more complicated, it may also reduce the potential attack surface.

  • DCKing  6 years ago

    We can't fully trust the correctness of modern complicated CPU designs, leading to problems like <insert all speculative bypasses that have affected Intel CPUs the past 2 years>. But despite their complexity, CPUs and the CPU part of a smartphone SoC are usually extremely well understood (relatively speaking). The reason is that you actually need to run your software on these CPUs, so they need to be understood rather well. With better understanding comes better trust.

    On the other hand, the baseband processor is mostly unknown, black box hardware, running unknown black box software, that completely controls the transmission of cellular data. Of course it would be horrible if there was no separation between the CPU and baseband. You shouldn't trust that setup. But as it turns out, separation does exist!

    • ptx  6 years ago

      > But as it turns out, separation does exist!

      The article you linked to says: "There can be an IOMMU with very tight restrictions providing proper isolation or a setup where the IOMMU is effectively not doing anything and permits access to all of the memory. Determining that requires real research."

      So it sounds more like separation might or might not exist and you're not likely to find out if it does on your particular device.

  • DyslexicAtheist  6 years ago

    > If it does make the design more complicated, it may also reduce the potential attack surface.

    an increase in complexity would rule out reduction of attack surface. in fact attack surface would be guaranteed to increase

    • cyphar  6 years ago

      Well, that isn't generally true if the complexity is actually a security boundary. After all, all security designs are based on layers -- it's hard to add a layer of security without adding complexity.

      As a counter-example -- removing all of Linux's privilege checking would make the code a lot less complicated, but the attack surface would increase a million-fold. In this case, the Librem 5's separation of the baseband such that communication is done over USB (a protocol which doesn't have DMA) is a security improvement over giving the baseband DMA access.

      4 replies →

cartoonworld  6 years ago

Aren't the baseband components typically separated because they are a different regulatory domain?

My understanding is that integators buy the baseband module (with FCC and other licenses) and add it to their device so as to not incur the patent fees and oversight required by developing the radio device into every regional handset.