[Community] auditing baseband code

kardan kardan at riseup.net
Tue Nov 19 16:26:29 CET 2013


Greetings,

On Mon, 18 Nov 2013 14:14:38 -0500 "Ryan de Laplante (personal)"
<ryan at ryandelaplante.com> wrote:

> On 13-11-18 02:05 PM, Sebastian Krzyszkowiak wrote:
> > I don't understand why people keep quoting this article like it was 
> > something interesting. It's all perfectly known, those are the
> > basics of how GSM (and other) modems work. However, not every
> > device communicates with the modem via shared RAM - and
> > Openmoko/OpenPhoenux devices don't. Despite the modem being a closed
> > black box, you'll still be able to control what it does and what it
> > can do - see: http://neo900.org/faq#privacy But answering your
> > question: yes, you'll probably be able to order Neo900 without
> > modem on board, so you'll be able to solder your own by yourself or
> > just leave it unpopulated - it's up to you. 
> 
> It was news to me.  I knew they use closed firmware, but I didn't 
> realize that someone could send a 73 byte command to get remote code 
> execution.  I know that the modem chip is separate from the CPU in
> the Neo900 which is great. I'd like to go a step further since I
> don't need cellular access. I'm glad that this will be an option.

Some geeks somehow always knew for years, but we failed to propagate it
as the main (selling) reason for an open phone. It is the fault of "our"
campaign that this topic had no public focus (even if people on this
list may rightfully claim they always stressed that point).

Still, I miss some honest words in the current FAQ about vulnerabilities
which ARE actually there. I think it is our duty to be absolutely
honest and explain this topic as clearly as possible, also to non-techies,
so that we are heard and understood on this.

I cannot summarize the attack vectors as I am no GSM expert, and would
like to invite people on this list to assist my approach, maybe by adding
an example of a possible attack (without encouraging anyone to apply it). 8]

Current FAQ <http://neo900.org/faq#privacy> says:

Isn't a non-free baseband firmware a privacy issue?

We're going to address privacy concerns of non-free modem firmware by
ensuring that the modem has access to no other data than absolutely
necessary, so it won't be able to spy on anything that's not already
available on the carrier side. On the Neo900 one can be sure that the
modem is actually turned off when requested, not just pretending to be.

Unlike some other smartphones, the Neo900 won't share system RAM with
the modem, and the system CPU will always have full control over the
microphone signal sent to the modem. You can think of it as a USB
dongle connected to the PC, with you in full control over the drivers,
with a virtual LED to show any modem activity.

*New proposal*

Isn't a non-free baseband firmware a privacy issue?

Yes, it is. We are aware of privacy issues regarding GSM using
intentionally crippled [1] encryption to make the life of law enforcers
easier. [2]

Additionally, the protocol is heavily bugged and wide open to
exploits. On other phones, malicious bytecode can be used to
remotely install software updates or to control, for example, the
microphone. [3]

We're going to address privacy concerns of non-free modem firmware by
ensuring that the modem has access to no other data than absolutely
necessary, so it won't be able to spy on anything that's not already
available on the carrier side. On the Neo900 one can be sure that the
modem is actually turned off when requested, not just pretending to be.

Unlike some other smartphones, the Neo900 won't share system RAM with
the modem, and the system CPU will always have full control over the
microphone signal sent to the modem. You can think of it as a USB
dongle connected to the PC, with you in full control over the drivers,
with a virtual LED to show any modem activity.

That means that if somebody tries to attack your phone via GSM, the
non-free baseband processor cannot be used to manipulate the operating
system. Still, the modem itself cannot be trusted.

Quoting Bob Ham, "I'm concerned because I have no idea what *is*
happening in the modem.  I'm concerned because I know the only real
limit to the abuse that can be done using the modem is the hardware
capabilities. If I don't have control of the binaries running on my
phone's modem, through access to the source code, then the modem is
wide open for abuse."

Additionally, it is worth mentioning that in most countries the base
station your phone is communicating with is by law an eavesdropper, and
furthermore, as GSM by design has no session authentication, no one can
verify whether a third party is involved as well [4]. Therefore the use
of open source software for encrypted VoIP connections instead of GSM
calls is recommended [5].

"I believe that we don't need GSM at all. When we use GSM we use
carrier services. Can we be sure that the carrier does not track us,
doesn't record our calls, etc.? For instance, in my country the "secret service" has
direct access to the carrier's switches, and can follow calls of any
person in real time. They also can write a paper and request this or
that person's locations from the carrier.
We don't use gmail, because we know they are watching us, then why do
we use carriers?
The way to be secure is to use trusted service providers, and carriers
are too big to be trusted." (Norayr Chilingarian)

[1] https://en.wikipedia.org/wiki/A5/1#cite_note-Ross94-3 /
    https://en.wikipedia.org/wiki/Cellular_Message_Encryption_Algorithm
[2] gcomtech.com / spyzone.com
[3] http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/
[4] http://blog.marinetelecom.net/2010/08/01/ham-radio-operator-chris-paget-kj6gcg-spoofs-as-900mhz-gsm-tower-and-15-phones-in-defcon-hacker-convention-log-onto-his-network/
[5] link to a user friendly reference, maybe
    http://www.voipproviderslist.com/wiki/

Please also mention the closed baseband processor for the question
> What do you mean by "100% Free Software stack"?


On Sat, 20 Apr 2013 22:30:25 +0200 Sven <openmoko at maricon.de> wrote:

> I can confirm that the modem that GD built into the GTA04A4 up to now 
> didn't show any malfunctions, at least none that I could notice. But
> I'm cocksure that this is only because the modem that GD uses
> obviously never had been designed to be used within private phones.
> It seems to be a modem dedicated to be used within wind power plants
> and such things. Only for this reason no efforts had been made to
> implement malware into it already by the manufacturer.

>> But my opinion is that it is not necessary as long as there are two
>> separate processors using some well known - and open - interface.
>> This allows one to inspect for suspicious code and protect all the data
>> on the application processor against remote access. It is even
>> possible to disable the interface driver in your kernel or make it
>> do additional safety checks. So the firmware in the modem isn't more
>> harmful than things going on in the network. 
>
> Yes, indeed that helps in most cases affecting malware software. But
> up to now we haven't discussed any possibilities of malware hardware!


On Sat, 20 Apr 2013 11:00:05 +0200 "Dr. H. Nikolaus Schaller"
<hns at goldelico.com> wrote:

> I agree that it would be good and inspiring if we were able to take a
> look inside the code.
> 
> But my opinion is that it is not necessary as long as there are two
> separate processors using some well known - and open - interface.
> This allows one to inspect for suspicious code and protect all the data
> on the application processor against remote access. It is even
> possible to disable the interface driver in your kernel or make it do
> additional safety checks. So the firmware in the modem isn't more
> harmful than things going on in the network.

Is this actually done, or is it fantasy?

I assume that in case of an attack, at best the modem just crashes and
is automatically restarted without harming the applications above it /
the system. Are there still options to exploit the modem itself?

I was looking for kernel code and found a dead link to hw-validation on
http://projects.goldelico.com/p/gta04-kernel/ and
http://projects.goldelico.com/p/gta04-kernel/page/Sources/

Probably this is the current one:
https://gitorious.org/beagleboard-validation/linux/source/be152079b26269a25c792b8f31b3abb8fa7a6c69:firmware

To pick the right firmware one needs to know the vendor of the UMTS
chip, which is not mentioned.
https://shop.goldelico.com/wiki.php?page=GTA04&referer=

It seems to be a Qualcomm baseband processor, but there are very few docs:
http://projects.goldelico.com/p/gta04-main/page/FeatureList/
http://www.option.com/product/embedded-solutions/specifications
http://projects.goldelico.com/p/gta04-kernel/page/Mainline-Status/

Where can I find the actually used code?

> The final question about this article is if *we* (community/society)
> should really help suspects like those mentioned in the article to
> protect themselves against prosecution better than before. I think it
> is also in *our* interest that police can catch people doing e.g. tax
> fraud (and other bad crime). Otherwise we all have to pay *their*
> taxes...
As stated before, we mustn't fall for arguments by paranoid
oppressors about encryption being a bad thing "as it could be used by
terrorists". Honestly, terrorists are those who keep up legal options
for weapon trades and state-funded crimes against humanity. Nobody
should be imprisoned for not accepting the rules of their
enforced money games. Sorry if we can't agree on that.
 
> Just some thoughts and no solutions,
> Nikolaus
> 
> [1]: http://wireless.arcada.fi/MOBWI/material/CN_6_3.html
> [2]: http://de.slideshare.net/kirank29/gsm-and-umts-protocols-and-callflow
> [3]: http://www.3gpp.org/ftp/Specs/

Thanks!

-- 
Kardan <kardan at riseup.net>
Please encrypt emails to me. http://gnupg.org/documentation
Public GPG key 9D6108AE58C06558 at hkp://pool.sks-keyservers.net
fingerprint: F72F C4D9 6A52 16A1 E7C9  AE94 9D61 08AE 58C0 6558

Why?
* EU data retention since 2006 http://tinyurl.com/eu-data-retention
* NSA/GHCQ and others soak up all they can into their data centers
* orwell 2.0: http://knopfdoubleday.com/book/232010/the-circle/

EFF.org: Stop Watching Us! https://www.youtube.com/watch?v=aGmiw_rrNxk
> https://prism-break.org software for informational self protection

"everyone has the right to know who is knowing what about him at what
time." https://www.datenschutz.de/privo/recht/grundlagen
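As an added illustration of the isolation model the FAQ text describes (modem behind an open interface, the system CPU in control of the driver, a "virtual LED" for modem activity, the microphone path under CPU control) and of Nikolaus' point that the interface driver can do additional safety checks, here is a small Python sketch. It is an example written for this page, not Neo900 or GTA04 code; the AT-style result codes, the 128-byte line bound and the sample transcript are all assumptions.

```python
import re

# Constructed sample of what an AT-style modem channel might hand the
# application processor (AP); every line here is invented, not captured.
SAMPLE_MODEM_OUTPUT = [
    b"OK",
    b'+CREG: 1,"1234","5678"',
    b"RING",
    b'+CLIP: "+15550100",145',
    b"A" * 300,               # oversized line: the driver should refuse it
    b"+XYZZY: 1\x00\x01",      # unknown result code carrying binary junk
    b"NO CARRIER",
]

MAX_LINE = 128                # bound chosen for this example, not a spec value
ALLOWED_CODES = {"OK", "ERROR", "RING", "NO CARRIER", "+CREG", "+CLIP"}
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")


class ModemGuard:
    """Checks the AP-side driver applies to everything the modem sends it."""

    def __init__(self):
        self.activity_led = False   # the FAQ's 'virtual LED': any traffic lights it
        self.mic_enabled = False    # mic reaches the modem only while the AP allows
        self.rejected = []          # prefixes of lines the driver refused

    def handle_line(self, line: bytes):
        """Return the accepted line as text, or None if it was rejected."""
        self.activity_led = True
        if len(line) > MAX_LINE or not PRINTABLE.match(line):
            self.rejected.append(line[:16])
            return None
        text = line.decode("ascii")
        code = text.split(":", 1)[0]
        if code not in ALLOWED_CODES:
            self.rejected.append(line[:16])
            return None
        if code == "RING":
            self.mic_enabled = True     # stands in for the user accepting the call
        elif code == "NO CARRIER":
            self.mic_enabled = False    # mic path dropped the moment the call ends
        return text


def run_guard(lines):
    # Feed a modem transcript through the guard; return accepted lines and state.
    guard = ModemGuard()
    accepted = [t for t in (guard.handle_line(l) for l in lines) if t is not None]
    return accepted, guard
```

Run over the constructed transcript, the guard passes the five well-formed lines, refuses the oversized and the binary one, and leaves the microphone disabled once NO CARRIER arrives.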