The second operating system hiding in every mobile phone

There is actually a 3rd inside the SIM as well <a href="http://en.wikipedia.org/wiki/Subscriber_identity_module#Design" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Subscriber_identity_module#Desi...</a><p>This is what Java Card was developed to run on.<p>If you are interested in getting lower level access to your radio, you could look at the defunct <a href="http://openmoko.com/freerunner.html" rel="nofollow">http:&#x2F;&#x2F;openmoko.com&#x2F;freerunner.html</a> project or the resurrection of the Freeruner, <a href="http://www.openphoenux.org/" rel="nofollow">http:&#x2F;&#x2F;www.openphoenux.org&#x2F;</a>

One of the side effects of software eating the world is that the world becomes more exploitable. I expect that over time we may see the emergence of general &#x27;software building codes&#x27; much like there are physical building codes, and more importantly liability associated with failing to provably meet such codes.<p>The current &#x27;random person implements firmware that controls the this chip&#x27; practice and the &#x27;no warranty etc etc&#x27; disclaimers will, I predict, be replaced by manufacturers who are willing to warrant their code.

... The voice came from an oblong metal plaque like a dulled mirror ... The instrument (the telescreen, it was called) could be dimmed, but there was no way of shutting it off completely. (1.1.3)<p>Oceanians live in a constant state of being monitored by the Party, through the use of advanced, invasive technology.<p>It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself – anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face (to look incredulous when a victory was announced, for example) was itself a punishable offense. There was even a word for it in Newspeak: facecrime, it was called. (1.5.65)<p>Is the the google input box a door to the world or a window into your mind?<p>How many fingers do you see?

Baseband hacking is how people made software-based carrier unlocks for iPhone 2G, 3G, 3GS, and 4 (GSM). Those exploits are somewhat documented here: <a href="http://theiphonewiki.com/wiki/Baseband_Device#Exploits" rel="nofollow">http:&#x2F;&#x2F;theiphonewiki.com&#x2F;wiki&#x2F;Baseband_Device#Exploits</a>

I am assuming that the RTOS has direct and full unrestricted access to the hardware such as the camera and microphone? If so then I would also assume that an over the air attack to silently suck data from the camera and microphone would be pretty easy for those with access to the RTOS (such as governments)?<p>I know there has been software to do just this in the past on some Nokia devices but I would assume (I am doing that a lot in this post!) it is just as possible in pretty much every mobile phone?<p>Anyone with knowledge of this care to comment on my assumptions?

Coming from a background of developing audio hardware drivers for the Blackberry (I worked on the last generation and current generation before getting bored and leaving a year ago), I can tell you that even if the baseband were able to turn on auto-answering, (I have no idea if that&#x27;s possible, by the way) it wouldn&#x27;t know how to configure the microphone and speakers to allow for recording or playback unless it convinced the application processor to help.<p>If you are concerned about your Blackberry spying on you, there&#x27;s a special &quot;security plug&quot; that you can insert into the headphone jack which will short all of the pins to ground, disabling the microphone. I assume other phones support this as well.

Nowadays processors are so tiny and cheap, they&#x27;re everywhere.<p># batteries<p>IIRC most battery charging circuits also have a dedicated real time ~OS running. <a href="http://www.youtube.com/watch?v=dlSBQ5b6Pdw‎" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=dlSBQ5b6Pdw‎</a><p># hard drives<p>Also recently someone did run linux in its hard drive controller (which is a set of arm cores, ~v9 and m3)<p>HaD intro : <a href="http://hackaday.com/2013/08/02/sprite_tm-ohm2013-talk-hacking-hard-drive-controller-chips/" rel="nofollow">http:&#x2F;&#x2F;hackaday.com&#x2F;2013&#x2F;08&#x2F;02&#x2F;sprite_tm-ohm2013-talk-hackin...</a><p>Direct link : <a href="http://spritesmods.com/?art=hddhack" rel="nofollow">http:&#x2F;&#x2F;spritesmods.com&#x2F;?art=hddhack</a>

There is also a second OS hiding in your computer right now! (There might even be a third, or forth, depending on your hardware configuration and manufacturer.)<p>Proprietary BIOS software has suffered the same issues for the last twenty+ years.

&quot;That complexity is exactly one of the reasons why it&#x27;s not easy to write your own baseband implementation. The list of standards that describe just GSM is unimaginably long - and that&#x27;s only GSM. Now you need to add UMTS, HSDPA, and so on, and so forth. And, of course, everything is covered by a ridiculously complex set of patents. To top it all off, communication authorities require baseband software to be certified.&quot;<p>This <i>is</i> HN.<p>I don&#x27;t think implementing a replacement is all that daunting given enough time and money. I wonder if there&#x27;s a business model that will pay for it?

Quite possibly a third or fourth OS as well ... <a href="http://boston.conman.org/2013/01/22.2" rel="nofollow">http:&#x2F;&#x2F;boston.conman.org&#x2F;2013&#x2F;01&#x2F;22.2</a>

For an example of an open-source GSM implementation that would allow one to build a base station, see <a href="http://en.wikipedia.org/wiki/OpenBTS" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;OpenBTS</a> . There are lots of videos about it on youtube where you can see it in action.

For all the &quot;NSA&#x27;s probably in on this&quot;, remember this also leaves openings for China, Russia, and possibly others to get in on this.

Often the RTOS is not exactly free, but not entirely closed either. A while back, i used to work on Nucleus RTOS by Mentor Graphics with a pretty impressive global foot print <a href="http://en.wikipedia.org/wiki/Nucleus_RTOS" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Nucleus_RTOS</a>. It used to be sold as an api (with source code given to customers) who developed applications based upon it. I have written portions (IPsec&#x2F;IKE, SNMP, Ipv6) of its networking stack and at least all of its customers have access to source code. It is pretty well written with very decent coding conventions and can be compared to any good well known open source project (VLC, even Linux kernel). Then there are others such as Wind River&#x27;s VxWorks among the more popular ones. Though i am not very sure of its licensing model, but it is pretty well recognized and established in the embedded world. Just that these are not as well known in the over all software community but rather more restricted towards those in the embedded industry.

I would donate for somebody setting up a server that streams audio (and video, …) from all phones in reach. With bitcoin this could even be pulled off anonymously. I would hope for such a server streaming data from financial districts, one at a time would finally lead to something to change about this. Donations would help buy antennas and rent space in financial districts.

<i>While we can sort-of assume that the base stations in cell towers operated by large carriers are &quot;safe&quot;</i><p>Um.

&quot;Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.&quot;<p>Can maybe somebody explain what this means exactly? Could the baseband processor&#x2F;OS be used as an attack vector to exploit the main mobile OS? Could the OS protect itself from this?

I think we&#x27;d all be better off and get to a user-centric mobile experience a lot sooner by isolating the network communication in a dedicated device.<p>I&#x27;m toying with the idea that next time I have to upgrade my mobile (hopefully not soon), a better way to go is something like mifi + netbook + smart watch (+ maybe some compact chorded keyboard).

MSM6280 is 7 years old. The author has no clue how advanced these RTOS have become now and the kind of effort that goes into security at a system level e.g. xpu, smmu etc.

Even BIOS can be considered as a second OS hiding in your PC.

Though about GSM, if you want to learn more:<p>* <a href="http://osmocom.org" rel="nofollow">http:&#x2F;&#x2F;osmocom.org</a><p>* <a href="http://www.youtube.com/watch?v=xOp_wtsHAe8" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=xOp_wtsHAe8</a><p>* <a href="http://www.youtube.com/watch?v=_0LCgxe24Po" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=_0LCgxe24Po</a><p>* <a href="http://www.youtube.com/watch?v=9cBJV3yTaQo" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=9cBJV3yTaQo</a><p>* <a href="http://www.youtube.com/watch?v=9cBJV3yTaQo" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=9cBJV3yTaQo</a><p>Your phone has GSM, even if you&#x27;re only on 3G or 4G networks though (unless it&#x27;s a pure CDMA phone) - and the concepts are anyway quite similar in 3G&#x2F;4G networks an phones.

I talked to a friend of mine who is an engineer at Qualcomm, and he said the article is exaggerated and out-dated. Current basebands don&#x27;t use REX OS anymore, and they put mitigation mechanisms in place, so this piece seems like FUD.

as someone who closely works on qualcomm baseband processors, i can say that security is one of the top priorities of qualcomm. There are whole bunches of teams dedicated to sec&#x2F;vuln analysis. Not saying that the issues mentioned in the article did not occur...but I believe that those probably occured in older chips (a few generations older)<p><i></i><i>standard disclaimer</i><i></i> Views above are personal and do not reflect views of Qualcomm

No wonder not only NSA, but also FBI and probably other agencies exploit these like crazy by using fake towers or other methods.

It shouldn&#x27;t come as a surprise that you&#x27;re not &quot;offline&quot; unless you take the battery out of your phone and wait a good minute or so. And there&#x27;s no wireless power source &quot;force feeding&quot; your phone...<p>This is well known to anyone who&#x27;s done DSP optimization work for any of the wireless carriers.

Waiting for the next Snowden.<p>In the meantime, you can use your smartphone inside a Faraday cage. Wrapping it in aluminium should help.

The <i>second</i> operating system hiding in every mobile phone? Really?<p>There&#x27;s a ridiculous number of operating systems hiding in every mobile phone. What do you think runs on the GPU? What about bluetooth, wifi and GPS? What about all those sensors? The camera interface? The video acceleration? The SIM card? The NAND flash?<p>Try harder.

&gt; This is such low-level, complex software that I would guess very few people in the world actually understand everything that&#x27;s going on here.<p>I would not be surprised if the NSA would employ quite a few of them.

Maybe the future is in making calls over the Internet, not a private cellular network?<p>Or maybe the future is in open source software defined radio?<p>I never tried it, but I heard OpenMoko could run BSD.<p>In any event, I hope the future is one where I can read, modify and compile the source for my handheld&#x27;s bootloader and operating system, as I currently can do with my laptop&#x27;s bootloader and operating system.

I wonder if there is any relation between this set of vulnerabilities and the Datong system used by the UK authorities to mimic&#x2F;replace mobile phone base stations. <a href="http://www.wired.com/threatlevel/2011/10/datong-surveillance/" rel="nofollow">http:&#x2F;&#x2F;www.wired.com&#x2F;threatlevel&#x2F;2011&#x2F;10&#x2F;datong-surveillance...</a>

And then there&#x27;s also TrustZone[0] so don&#x27;t be surprised if there&#x27;s an additional hypervisor or RTOS running on the main application processor.<p>[0] <a href="http://www.arm.com/products/processors/technologies/trustzone/index.php" rel="nofollow">http:&#x2F;&#x2F;www.arm.com&#x2F;products&#x2F;processors&#x2F;technologies&#x2F;trustzon...</a>

After reading all the comments, I&#x27;m beginning to think the Butlerian Jihad may not be such a bad thing after all...

So maybe a relevant question as we move away from desktop computing is whether your mobile device can be identified through online activity, such as commenting, searching, email etc. This would be useful for locating dissidents.

This is all a bit over the top. Yes, the baseband may be compromisable, that doesn&#x27;t mean that the operating system is. Your photos, data etc should be safe as long as there aren&#x27;t further exploits (which of course exist).<p>Furthermore, i have yet to hear of a slave high level operating system to the baseband. iOS or android being initialised and commanded by a secondary baseband OS would just be a bizarre setup. That of course does not mean that the baseband doesn&#x27;t pass commands to the high level OS. Though if the interface is well shielded, exploiting it could be tough (correct me if I&#x27;m wrong, but I don&#x27;t think baseband exploits exist for iPhone 5&#x2F;5s).<p>Now, I&#x27;m sure the NSA however have some interesting possibilities that Angela Merkel would be all to keen to know about ;).

Cant wait Tegra 4i hacking allows unrestricted i500 SDR platform access :D

Who makes the baseband software? Those who make it I guess are more inclined to fix the bugs (because there are paying customers), at least in areas that they can fix...

The link to the ETSI 3GPP specs is a bit silly: it shows not only all the related specs but also all the versions of those docs.

Ohh every phone of mine crashes in a 20 min subway travel since 10 years no matter Android, Symbian.. It must be this RTOS.

What about TRON? <a href="http://www.t-engine.org/" rel="nofollow">http:&#x2F;&#x2F;www.t-engine.org&#x2F;</a>

&gt; By design<p>Of course -- all the telecoms have been in bed with the NSA for decades. That&#x27;s how you play ball in the US.

St microelectronics is a firm who provides radio chipsets for apparently 80% of all phones out there

It&#x27;s one of those rare cases (like BIOS too) where obscurity actually means more security...

And then there is also the one on the SIM doing all the encryption and authentication stuff...

Does anyone know if the Firefox OS replaces these proprietary RTOSes?

The NSA has probably already figured this out.

I was expecting this OS to be the browser. The browser really is another OS these days especially with all the new HTML5 specs (firefox OS being the proponent of such things).<p>The way HTML5 is progressing it might even beat the API of the OS it seems! For example, the OS itself might have no contacts API but the browser has HTML5 API to access them!