Linked by Thom Holwerda on Tue 12th Nov 2013 23:06 UTC
PDAs, Cellphones, Wireless

I've always known this, and I'm sure most of you do too, but we never really talk about it. Every smartphone or other device with mobile communications capability (e.g. 3G or LTE) actually runs not one, but two operating systems. Aside from the operating system that we as end-users see (Android, iOS, PalmOS), it also runs a small operating system that manages everything related to radio. Since this functionality is highly timing-dependent, a real-time operating system is required.

This operating system is stored in firmware, and runs on the baseband processor. As far as I know, this baseband RTOS is always entirely proprietary. For instance, the RTOS inside Qualcomm baseband processors (in this specific case, the MSM6280) is called AMSS, built upon their own proprietary REX kernel, and is made up of 69 concurrent tasks, handling everything from USB to GPS. It runs on an ARMv5 processor.

Well...
by andrewclunn on Tue 12th Nov 2013 23:19 UTC
andrewclunn
Member since:
2012-11-05

... at least now we know how SkyNet takes over :-P

Reply Score: 13

It gets worse...
by tidux on Tue 12th Nov 2013 23:49 UTC
tidux
Member since:
2011-08-13

In every phone I'm aware of except the OpenMoko Freerunner (which uses RS-232), the baseband speaks to the "main" SoC through DMA. That's what really makes most smartphones impossible to truly secure.

Reply Score: 11

RE: It gets worse...
by informatimago on Tue 12th Nov 2013 23:55 UTC in reply to "It gets worse..."
informatimago Member since:
2013-11-12

It's by design of course. Just wait for another Snowden.

Reply Score: 7

RE[2]: It gets worse...
by ddc_ on Wed 13th Nov 2013 01:12 UTC in reply to "RE: It gets worse..."
ddc_ Member since:
2006-12-05

I hope it is by design, but Hanlon's razor might be more adequate here: careful design would produce one small vulnerability to exploit, or several redundant vulnerabilities, but the vast number suggests carelessness and/or stupidity. Though one may easily fit on top of another...

Reply Score: 2

RE: It gets worse...
by shmerl on Wed 13th Nov 2013 00:52 UTC in reply to "It gets worse..."
shmerl Member since:
2010-06-08

So, basically that black box system has full access to the RAM of the device, while also being the main communication component? This is really nasty.

Reply Score: 6

Comment by shmerl
by shmerl on Wed 13th Nov 2013 01:23 UTC
shmerl
Member since:
2010-06-08

Aren't there 3 operating systems on many phones then? SIM card contains kind of an OS too.

Edited 2013-11-13 01:24 UTC

Reply Score: 3

RE: Comment by shmerl
by Lobotomik on Wed 13th Nov 2013 09:02 UTC in reply to "Comment by shmerl"
Lobotomik Member since:
2006-01-03

And Bluetooth, Wifi, GPS and touch chips have an internal processor too, running their internal software, which can be quite complex. They tend to use small ARM cores (M3, M0), and generally use an RTOS.

There are tons of RTOS for these applications, from tiny to titanic and from free to very expensive (and these axes are orthogonal): ThreadX, Nucleus, RTXC, pSOS, eCOS, RTEMS...

So yes, in your cellphone there are a lot more than three operating systems running at the same time.

Reply Score: 6

RE[2]: Comment by shmerl
by pashar on Wed 13th Nov 2013 09:21 UTC in reply to "RE: Comment by shmerl"
pashar Member since:
2006-07-12

Add to that storage, which runs its own firmware, usually with an RTOS. And, if the smartphone has an SD card slot, the SD card runs its own firmware, too.

Reply Score: 2

RE: Comment by shmerl
by Tractor on Wed 13th Nov 2013 11:14 UTC in reply to "Comment by shmerl"
Tractor Member since:
2006-08-18

Indeed, SIM cards have their own OS too.
But they are more secure by design.

SIM cards don't accept "anything that comes from the air". Data must be properly encrypted, using industry standard algorithms (3DES or AES). Just this simple protection makes it immensely more secure than the baseband OS.

Now, beyond that protection, these OSes are software rubbish. They are safe mostly because they are extremely limited. Someone able to crack (or pass) the encryption layer protection would have no problem crashing the SIM card OS.
But stealing data from it? Nah, that's the hardest part. This is probably the only thing which has been properly designed in these OSes.

Reply Score: 2

RE[2]: Comment by shmerl
by fuckregistration on Wed 13th Nov 2013 23:26 UTC in reply to "RE: Comment by shmerl"
fuckregistration Member since:
2013-11-13

"Indeed, SIM cards have their own OS too.
But they are more secure by design."

Oh yes? You might want to watch the talk of Karsten Nohl at OHM2013.

Reply Score: 2

RE: Comment by shmerl
by Carewolf on Wed 13th Nov 2013 16:52 UTC in reply to "Comment by shmerl"
Carewolf Member since:
2005-09-08

Beyond all those that run on their own chips for specific components, there is also a low power operating system in most phones that runs when the phone is powered off. Its main job is to react to power button key events.

edit: typos

Edited 2013-11-13 16:53 UTC

Reply Score: 3

Great article
by Berend de Boer on Wed 13th Nov 2013 01:38 UTC
Berend de Boer
Member since:
2005-10-19

Very relevant warning. What kind of phone does RMS use?

Reply Score: 2

RE: Great article
by Morgan on Wed 13th Nov 2013 01:46 UTC in reply to "Great article"
Morgan Member since:
2005-06-29

I would think even a modern "dumbphone" would have this nastiness in it. A modem is a modem, and even the most basic cellphone has baseband software, if I'm not mistaken. So much for going off the grid by abstaining from smartphones.

And this potentially affects much more than just cellphones. My wife's iPad and Kindle are both 3G versions, which means they have AT&T-connected modems in them. The iPad modem is "turned off" via iOS, but that doesn't necessarily mean it's off altogether. The Kindle's 3G is used every few days when she doesn't have a WiFi connection.

Beyond those devices, how many cars these days come equipped with onboard cellular connectivity? Here in the US it would be most if not all GM vehicles via OnStar, as well as Teslas. I wonder if every one of those devices has the same potential vulnerabilities as your average cellphone.

Reply Score: 4

RE: Great article
by shmerl on Wed 13th Nov 2013 01:46 UTC in reply to "Great article"
shmerl Member since:
2010-06-08

Maybe no mobile phones at all?

Reply Score: 2

RE: Great article
by Delgarde on Wed 13th Nov 2013 01:55 UTC in reply to "Great article"
Delgarde Member since:
2008-08-19

Tin can and string?

Reply Score: 4

RE: Great article
by Poseidon on Wed 13th Nov 2013 03:13 UTC in reply to "Great article"
Poseidon Member since:
2009-10-31

He doesn't use one. He doesn't like being tracked.

Reply Score: 3

RE: Great article
by glarepate on Wed 13th Nov 2013 09:01 UTC in reply to "Great article"
glarepate Member since:
2006-01-04

"Very relevant warning. What kind of phone does RMS use?"

So I googled it.

"Cellular Phones

I see that cellular phones are very convenient. I would have got one, if not for certain reprehensible things about them.

Cell phones are tracking and surveillance devices. They all enable the phone system to record where the user goes, and many (perhaps all) can be remotely converted into listening devices.

In addition, most of them are computers with nonfree software installed. Even if they don't allow the user to replace the software, someone else can replace it remotely. Since the software can be changed, we cannot regard it as equivalent to a circuit. A machine that allows installation of software is a computer, and computers should run free software.

Nearly every cell phone has a universal back door that allows remote conversion into a listening device. (See Murder in Samarkand, by Craig Murray, for an example.) This is as nasty as a device can get.

From the book Alone Together, by Sherry Turkle, I learned that portable phones make many people's lives oppressive, because they feel compelled to spend all day receiving and responding to text messages which interrupt everything else. Perhaps my decision to reject this convenience for its deep injustice has turned out best in terms of convenience as well.

When I need to call someone, I ask someone nearby to let me make a call. If I use someone else's cell phone, that doesn't give Big Brother any information about me."


He seems to know about this already. So he doesn't own one but he borrows them from others if he feels the need.

He doesn't seem to think that his voice can be matched by any listening system(s). GLWT Richard.

Reply Score: 5

RE[2]: Great article
by theosib on Wed 13th Nov 2013 19:15 UTC in reply to "RE: Great article"
theosib Member since:
2006-03-02

What’s ironic is that RMS really does have nothing to hide. He wants everything Free and out in the open, with the exception of personal things that SHOULD be private. He wants his personal privacy not because he’s doing anything illegal (well, maybe he smokes a little pot, but only fascists care about that), but because he believes in the inalienable right of personal privacy.

Basically, as the leader of the “Free” world, RMS is the ideal counter-argument to “if you have nothing to hide."

Reply Score: 4

But not in Symbian
by Antartica_ on Wed 13th Nov 2013 07:50 UTC
Antartica_
Member since:
2012-12-28

But note that not all smartphone operating systems have this architecture; not Symbian, at least.

One of the differentiating points of Symbian is that it doesn't need a separate baseband processor, as the GSM stack runs on Symbian; it runs on the application processor (it is mostly a cost-cutting measure, as it means the device doesn't need a separate processor for the baseband).

Reply Score: 4

RE: But not in Symbian
by JAlexoid on Wed 13th Nov 2013 15:33 UTC in reply to "But not in Symbian"
JAlexoid Member since:
2009-05-19

Not true. Symbian requires a baseband processor. However a lot of Nokia dumbphones would not have two systems, just one.

Reply Score: 3

RE[2]: But not in Symbian
by Antartica_ on Wed 13th Nov 2013 17:07 UTC in reply to "RE: But not in Symbian"
Antartica_ Member since:
2012-12-28

AFAIK, Symbian 9 is shown in the official documentation as to be paired with a baseband processor, as in

http://developer.nokia.com/Community/Wiki/Symbian_OS_Internals/02._...

But Symbian 8 was single-chip capable (i.e. with no separate baseband processor); not sure if that capability was maintained in Symbian 9. See

http://www.theregister.co.uk/2006/02/14/symbian_news/

Reply Score: 3

RE[3]: But not in Symbian
by fuckregistration on Wed 13th Nov 2013 23:36 UTC in reply to "RE[2]: But not in Symbian"
fuckregistration Member since:
2013-11-13

"AFAIK, Symbian 9 is shown in the official documentation as to be paired with a baseband processor, as in

http://developer.nokia.com/Community/Wiki/Symbian_OS_Internals/02._...

But Symbian 8 was single-chip capable (i.e. with no separate baseband processor); not sure if that capability was maintained in Symbian 9. See

http://www.theregister.co.uk/2006/02/14/symbian_news/"


It's of course the other way around.
Symbian phones lack a separate application processor, the UI runs on the baseband processor.
How can you do radio without a processor that runs it?
Think before you type.
But anyway, how does that matter? One processor or two, the baseband firmware is closed.

Reply Score: 0

RE[4]: But not in Symbian
by oiaohm on Thu 14th Nov 2013 00:16 UTC in reply to "RE[3]: But not in Symbian"
oiaohm Member since:
2009-05-30

"But anyway, how does that matter? One processor or two, the baseband firmware is closed."

How it matters is in fact the critical question. If everything is in the one processor and there is a breach in any part, the complete system could be breached.

Now some phones will be more safe than others.

Like baseband and GPS can be sharing the same processor/memory for their baseband operations. Great for emergency services and person tracking.

Symbian 8 loads the baseband firmware. So the baseband firmware is a driver under Symbian 8.

So the old Symbian 8 was an Application Processor with a Software-defined radio connected. Basically a PC does not cease to be a PC because you connect a Software defined radio or win-modem either.

What defines whether it is a baseband processor or an application processor is what starts first. On Symbian 8 devices it is Symbian 8.

Yes, this did disappear in Symbian 9. Also, you would not get what was Symbian 8 style past the FCC any more. You might be able to get a single processor past using ARM trusted extensions, but the baseband would have to be starting first. Overall it is simple to get past regulators with a dedicated baseband processor with dedicated RAM. There have been issues with phones sharing baseband and application space.

Yes, there is an open source baseband firmware; the issue is legally using it. http://bb.osmocom.org

Yes, FCC and other regulator approvals are required to transmit to your standard telephone carriers.

Of course this is not an issue when you are your own carrier outside the normal phone network. Understanding baseband to make SIM cards is in fact critical to open source GSM stations like OpenBTS.

Reply Score: 4

RE[5]: But not in Symbian
by fuckregistration on Thu 14th Nov 2013 08:54 UTC in reply to "RE[4]: But not in Symbian"
fuckregistration Member since:
2013-11-13

"But anyway, how does that matter? One processor or two, the baseband firmware is closed.


How it matters is in fact the critical question. If everything is in the one processor and there is a breach in any part, the complete system could be breached.

Now some phones will be more safe than others.
"

The application part is completely irrelevant when it comes to the telephony functionality.
The microphone and speaker are connected to the BB processor.
A breached BB has the effect of somebody else listening to your calls, reading your SMS.
Nobody cares about the application side.
The stuff on the application processor is just a PDA, if you have a modem in the same case does not matter.

"Like baseband and GPS can be sharing the same processor/memory for their baseband operations. Great for emergency services and person tracking.

Symbian 8 loads the baseband firmware. So the baseband firmware is a driver under Symbian 8."

That's just your definition, nothing accepted by the general public.

"So the old Symbian 8 was an Application Processor with a Software-defined radio connected. Basically a PC does not cease to be a PC because you connect a Software defined radio or win-modem either."

Those phones do the demodulation in a DSP which is connected to the (BB-) processor.
The modulation is even done without the DSP involved.
Your definition of a SDR is different than the definition of the rest of the world.

"What defines whether it is a baseband processor or an application processor is what starts first. On Symbian 8 devices it is Symbian 8."

Again, just your gentleman definition.

Reply Score: 2

Comment by OsQar
by OsQar on Wed 13th Nov 2013 09:51 UTC
OsQar
Member since:
2013-11-13

I'm not a security expert at all, but I've been working on mobile radio access technologies for several years, so I feel quite confident to say that some of your claims are wrong. E.g.:

"The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security."
Well, GSM's baseband was developed from the late 80's to the early 90's, UMTS' from the late 90's to the early 00's, and LTE's can now be considered almost finished. I know that GSM is not secure at all now (it was when it was released, but now it has been cracked), but I'm not so sure about UMTS (CDMA is very hard to demodulate, so cracking is even worse) and LTE (OFDMA is quite a headache).

"What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted."
This is NOT TRUE. At all. Even from GSM times. Handheld devices run a bunchload of ID checks to know what basestation is sending data; and basestations also carefully allocate and check mobile IDs. This is especially true in UMTS (where you have to discriminate interfering users by using pseudorandom codes) and LTE (where you even need angle-of-arrival information to reach more users).

So, I'm not claiming that mobile basebands are inherently secure, but they're definitely not based on 80's security technology.
On the other hand, I agree with your viewpoint that the closed implementations and the huge standards are not the best way to allow the community to check for security bugs. But manufacturers are the main supporters of the actual standardization bodies, so it's quite complicated to fight against it.

Reply Score: 7

RE: Comment by OsQar
by fuckregistration on Wed 13th Nov 2013 23:25 UTC in reply to "Comment by OsQar"
fuckregistration Member since:
2013-11-13

"So, I'm not claiming that mobile basebands are inherently secure, but they're definitely not based on 80's security technology."

No? Where does that claim come from?
GSM is a set of standards written in the 80s. Go to the ETSI website and look it up.
UMTS and LTE are newer, but that's a different topic.

Reply Score: 1

RE[2]: Comment by OsQar
by benytocamela on Thu 14th Nov 2013 19:31 UTC in reply to "RE: Comment by OsQar"
benytocamela Member since:
2013-05-16

Uh? He gave a concise reason regarding some of the newer basebands.

Reply Score: 1

Heh
by twitterfire on Wed 13th Nov 2013 09:55 UTC
twitterfire
Member since:
2008-09-11

I'd recommend HackRF if you want to easily mess with baseband. http://www.kickstarter.com/projects/mossmann/hackrf-an-open-source-...

Reply Score: 3

RE: Heh
by fuckregistration on Wed 13th Nov 2013 23:31 UTC in reply to "Heh"
fuckregistration Member since:
2013-11-13

"I'd recommend HackRF if you want to easily mess with baseband. http://www.kickstarter.com/projects/mossmann/hackrf-an-open-source-..."

It's amazing how many people here in the comments claim to have a clue about GSM basebands.
Nobody, even the author of the original article mentioned osmocombb. You may want to look it up.
What you need is a 15$ phone, not a fucking expensive SDR. Just because you know some random piece of hardware does not put you in the position to recommend anything to anybody. If the people reading the comments here are as dumb as you they will waste hundreds of $.

Reply Score: 4

RE[2]: Heh
by twitterfire on Thu 14th Nov 2013 07:53 UTC in reply to "RE: Heh"
twitterfire Member since:
2008-09-11

"It's amazing how many people here in the comments claim to have a clue about GSM basebands.
Nobody, even the author of the original article mentioned osmocombb. You may want to look it up.
What you need is a 15$ phone, not a f--king expensive SDR. Just because you know some random piece of hardware does not put you in the position to recommend anything to anybody. If the people reading the comments here are as dumb as you they will waste hundreds of $."

That thing is only usable for GSM. With an SDR you can mess with CDMA, UMTS and LTE. Not only that, but you can do much, much more besides hacking phone networks.

Also, that piece of software is only usable as baseband software for your own stupid phone. You can't impersonate a base station with it with ease.

Better think before posting stupid comments and embarrassing yourself.

Edited 2013-11-14 07:54 UTC

Reply Score: 1

RE[3]: Heh
by fuckregistration on Thu 14th Nov 2013 08:35 UTC in reply to "RE[2]: Heh"
fuckregistration Member since:
2013-11-13

"That thing is only usable for GSM. With an SDR you can mess with CDMA, UMTS and LTE. Not only that, but you can do much, much more besides hacking phone networks."

There is no usable code released for anything other than GSM.
Implementing a stack for UMTS takes man years (given a programmer who is experienced in that field already).
This is unrealistic, only a purely theoretical possibility.

"Also, that piece of software is only usable as baseband software for your own stupid phone."

Not true. There are quite a lot of applications for osmocombb, not only 'mobile', which is the normal MS functionality.
Of course a general purpose SDR has more possibilities, but that's well out of scope of this discussion.

"You can't impersonate a base station with it with ease."

Yes you can.
http://bb.osmocom.org/trac/wiki/Software/Transceiver
That's not any more complicated than running 'mobile'.

Reply Score: 2

based on OKL4
by przpgntx on Wed 13th Nov 2013 10:49 UTC
przpgntx
Member since:
2013-11-13

"As far as I know, this baseband RTOS is always entirely proprietary."

Not "entirely" proprietary. Qualcomm's AMSS is based on OKL4, whose source code is available: http://wiki.ok-labs.com/

I remember being able to download the sourcecode from the same OKL4 version on which the AMSS of a phone of mine was based.

The OS is only a small portion of the code that runs in the baseband, though.

Reply Score: 2

RE: based on OKL4
by fatjoe on Wed 13th Nov 2013 13:56 UTC in reply to "based on OKL4"
fatjoe Member since:
2010-01-12

No, OKL4 is closed source. The old "academic" open source version on their site is nothing like the current "commercial" version running on phones.

Also, OKL4 is just a tiny tiny part of the baseband software, the rest was/is/will be closed as always.

Reply Score: 4

RE: based on OKL4
by fuckregistration on Wed 13th Nov 2013 23:32 UTC in reply to "based on OKL4"
fuckregistration Member since:
2013-11-13

""As far as I know, this baseband RTOS is always entirely proprietary."

Not "entirely" proprietary. Qualcomm's AMSS is based on OKL4, whose source code is available: http://wiki.ok-labs.com/

I remember being able to download the sourcecode from the same OKL4 version on which the AMSS of a phone of mine was based.

The OS is only a small portion of the code that runs in the baseband, though."


Great. That's the same relationship as with Darwin and Apple iOS. That gets you absolutely nothing, it's just a microkernel.

Reply Score: 2

iPhone details
by gerwitz on Wed 13th Nov 2013 12:04 UTC
gerwitz
Member since:
2013-11-13

Anyone reading this comment thread might find what's known about the iDevices interesting:

http://theiphonewiki.com/wiki/Baseband_Device

Reply Score: 2

What about QNX
by dsmogor on Wed 13th Nov 2013 13:04 UTC
dsmogor
Member since:
2005-09-01

It's an RTOS and is perfectly capable of running baseband and radio on the same SoC.
BlackBerry could possibly design a cheapest smartphone ever if they exploited their gem fully.

Reply Score: 1

RE: What about QNX
by zima on Tue 19th Nov 2013 23:25 UTC in reply to "What about QNX"
zima Member since:
2005-07-06

Some Symbian devices already had that architecture, it didn't really result in major enough cost savings.

Reply Score: 2

Comment by vrypan
by vrypan on Wed 13th Nov 2013 15:37 UTC
vrypan
Member since:
2013-11-13

[...] "While we can sort-of assume that the base stations in cell towers operated by large carriers are "safe" [...]


Well... If things are as described, I wouldn't trust base stations, in every country I visit.

Reply Score: 2

Real-Time Linux
by robbrowsing on Thu 14th Nov 2013 03:04 UTC
robbrowsing
Member since:
2009-08-26

Perhaps this is tangential, but I just read this article on the decline of Real-Time Linux. https://lwn.net/Articles/572740/

It would be nice if you could have "one kernel to rule them all" - i.e. nearly all functions in a phone handled using the Linux kernel. But I don't think that will ever happen or would be desirable/feasible in any case?

I don't think RT Linux would ever be a good fit for Mobile Phones but it's still a great project for other uses, so its loss would be sad. Maybe somebody more knowledgeable would like to disagree with me?

Reply Score: 2

In Ericsson cell-phones ...
by DeepThought on Thu 14th Nov 2013 11:29 UTC
DeepThought
Member since:
2010-07-17

did run ENEA OSE (www.enea.com) besides the Ericsson OS.
But this was in the past.
But I am pretty sure, the iPhone 5s has at least 3 OSes:
iOS, the baseband-OS and the OS running inside the Cortex-M3 (motion controller).

Reply Score: 2

RE: In Ericsson cell-phones ...
by benytocamela on Thu 14th Nov 2013 19:34 UTC in reply to "In Ericsson cell-phones ..."
benytocamela Member since:
2013-05-16

I think the term OS may be a bit overextended when applied to systems which are basically rudimentary executives.

Reply Score: 2

DeepThought Member since:
2010-07-17

"I think the term OS may be a bit overextended when applied to systems which are basically rudimentary executives."

What makes an OS an OS? Can we call DOS an OS? Or does an OS need at least virtual memory? Or even a (G)UI?

Granted, the average woman/man on the street will use the term OS for Windows (and maybe Linux).
Nowadays even iOS or Android come to mind. But to me these are GP (general purpose) OSes.
For example, QNX. This OS even claims to be an RTOS. But the executive is Neutrino, the µkernel.

So to me, any SW which handles resource management, offers some kind of IPC and supports multiple tasks is an OS.

Reply Score: 2