Comment by marcan_42
4 years ago
> with DMA access to your phone.
This is false FUD that keeps being repeated. It's not true. No iPhone has ever had a baseband with DMA access to my knowledge, and modern Qualcomm devices have advanced IOMMU systems to firewall away the baseband from the rest of system memory. I'm sure some phones somewhere existed where the baseband was privileged, but it's not the norm.
Companies like Purism keep repeating this lie (their marketing is outright false) to sell you less secure "free" phones that actually have a larger attack surface for the giant proprietary baseband blob. On the Librem 5, the baseband is connected via USB, and they don't have USB device filtering enabled, so the baseband is exposed to the entire Linux kernel USB device driver attack surface. We know that's full of exploitable vulnerabilities, just ask any USB device developer how many times they've run into a kernel panic by accident. That's much worse than an embedded baseband with a single purpose shared memory interface and proper DMA restrictions.
Please research this stuff before continuing to propagate this myth. It doesn't help users' freedom nor security to have it being parroted over and over again.
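As an added example (not code from this thread, from Purism, or from marcan), here is a small POSIX shell script showing the kind of USB device filtering the comment above says the Librem 5 does not enable, using the Linux kernel's USB authorization interface: `authorized_default` on each root hub under /sys/bus/usb/devices and the per-device `authorized` attribute. The allowlisted vendor:product IDs and the SYSFS_ROOT override are assumptions for illustration, not real modem identifiers.

```shell
#!/bin/sh
# Added example: deny-by-default USB device authorization on Linux.
# A device with authorized=0 is enumerated but never configured, so no
# interface driver (serial, net, storage, ...) binds to it.
#
# SYSFS_ROOT normally points at the kernel's USB device tree; it is
# overridable so the script can be exercised against a constructed
# directory tree without real hardware (assumption for illustration).
SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/usb/devices}"

# Devices allowed to bind a driver, as lowercase hex "vendor:product".
# These two entries are placeholders, not IDs of any real baseband.
ALLOWLIST="1234:5678 abcd:ef01"

# Returns 0 if the given "vendor:product" string is in ALLOWLIST.
usb_is_allowed() {
    for entry in $ALLOWLIST; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# Set authorized_default=0 on every root hub so that devices plugged in
# from now on start deauthorized. Prints the number of hubs configured.
usb_deny_by_default() {
    count=0
    for hub in "$SYSFS_ROOT"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        echo 0 > "$hub/authorized_default"
        count=$((count + 1))
    done
    echo "$count"
}

# Walk the devices already present and authorize only allowlisted ones.
# Root hubs (usbN) are skipped: deauthorizing them would take down the
# whole bus. Interface entries (e.g. 1-2:1.0) have no idVendor and are
# skipped by the file test. Prints "authorized <n> denied <m>".
usb_apply_allowlist() {
    authorized=0
    denied=0
    for dev in "$SYSFS_ROOT"/*; do
        case "$dev" in */usb[0-9]*) continue ;; esac
        [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        if usb_is_allowed "$id"; then
            echo 1 > "$dev/authorized"
            authorized=$((authorized + 1))
        else
            echo 0 > "$dev/authorized"
            denied=$((denied + 1))
        fi
    done
    echo "authorized $authorized denied $denied"
}

# Run as "sh usb-allowlist.sh apply" (as root) to enforce the policy.
if [ "${1:-}" = "apply" ]; then
    usb_deny_by_default >/dev/null
    usb_apply_allowlist
fi
```

On a real system the apply step would be triggered from a udev rule on `ACTION=="add", SUBSYSTEM=="usb"` so hot-plugged devices are handled too. Note the caveat: deauthorization stops driver binding, but the host controller and USB core still enumerate the device and read its descriptors, so the core enumeration path remains exposed; the filter shrinks the attack surface rather than removing it.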
That may be true of modern systems, but it was certainly true in the past. I've barely even heard of Librem 5 though. And we have no idea how actually true that is on an iPhone, thanks to Apple being Apple. (There have been limited attempts with limited success at proving this due to its more closed nature, but I'm not willing to just take Apple's word on it.) I also don't agree on the nature of the USB attack surface but that's a different digression.
Either way, what's relevant to the thread is that the firmware is a closed-source binary blob that we scarcely have access to, so unless someone does the thing to unlock it, we're ~nowhere on a cheap LTE debugger. GNURadio might have something to say about that but maybe the hackers out in Shenzhen (where LTE is 'less' patent encumbered) have different/better tools/options that we never hear about.
I believe you, but can you provide a source for the Qualcomm firewall?
https://www.reddit.com/r/CopperheadOS/comments/6wtul0/on_sen...
It's completely standard practice for SoCs to have IOMMUs these days. E.g. the Apple M1 has over a dozen coprocessors doing various things and sharing memory, but only the GPU coprocessor has access to OS memory (because it manages GPU page tables; we're working on figuring out exactly what the risks are with that one). Everything else is firewalled off.
Well, most of them anyway. The one in the Librem 5 does not AIUI.