If you were to ask everyone who knows me which one attribute stands out about me, they would say that, without a shadow of a doubt, I am the most paranoid person they know — and for good reason. For as long as I can remember using a computer, I was always figuring out new ways to break things from a security perspective. This tendency never ended, although now I work from a white hat perspective. My philosophy of “if it can be broken, it must” didn’t stop at a digital boundary. Physical security matters just as much to me, and the lines have blurred a great deal in the last decade, in large part thanks to our reliance on cellphones. As I will explain below, there is not a single cellphone on the market that can be trusted. And so, I set out to build my own, with a design that makes security the highest priority. For the time being, I plan on using and extending the Rust OS, Redox.

If It Can Be Broken, It Must

I’m not going to bore you with a CV of prior exploits. In fact, almost all of my security work has been performed through private disclosure to software vendors, or at my place of employment, neither of which leaves much of a public trail. Even so, it’s not news to anyone that the technological infrastructure of our modern world is incredibly fragile, a byproduct of two incredibly mistaken beliefs:

First, the belief that open source, merely by being open, means that all the eyes looking at it have the best intentions, and that those who do are intent on homing in on the potential vulnerabilities that lie within. OpenSSL has in recent history disproven this multiple times, enough to induce a major fork — LibreSSL.

Second, and conversely, that the iron-clad guarantees of commercial support better guarantee the security of enterprise proprietary solutions. This too has had its fair share of recent incidents, such as the Equation Group leak.

And this only covers the software side. What about hardware? With respect to the baseband processor (BP) alone, which is in every cellphone, there are innumerable reports about the concerning state of affairs. To save you a click or two, the problem in BPs boils down to this: the myriad technologies required to properly handle all the communication standards for cellphones, for even a single provider, are complex, patent-encumbered, and expensive. Every BP provider must have their hardware and software certified by the FCC, which in and of itself is prohibitively expensive for any open solution to emerge (at the very least, legally). No manufacturer wants to lose what little edge their incremental developments gain them, so both the software and hardware remain closed and, as sourced above, ripe for the picking by hackers, especially at the state level.

So here we are, in a situation where every BP is a fragile black box, where only those willing to break the law (or who, in some cases, are above the law) are able to truly avoid it, or take advantage of it. Worse still, we not only blindly trust these providers, we fully accept that they include these processors in a single-chip solution that merges the application processor (AP) with it, with varying and largely unauditable levels of separation. Assuming (which is probably safe, despite my own paranoia saying otherwise) that manufacturers are honest about how they separate BPs from APs in SoC offerings, most of them are using a form of USB which resides inside the chip: HSIC. For simplicity, assume it is the same thing. The problem with USB is that, while no version of USB prior to 3.1 supports DMA directly, a faulty design could still open that possibility: the USB controller resides at a level where DMA could be performed, and it could be hacked. This means that, even with the best intentions and industry-standard levels of separation, it is entirely possible for the best-engineered SoC AP/BP solutions to allow the BP access to memory it was never intended to see. That scares me, and it should scare you too.

With no visibility into a BP's actions or its actual communications with cell networks, and given its sheer willingness to connect to whatever will talk to it (otherwise, Stingrays would not be effective), a stark, disturbing reality emerges from a security-minded perspective where, if it can be broken, it must: no modern cellphone is safe, and you can (and should) assume that any interface, camera, microphone, GPS, storage, memory, etc. can be accessed remotely by the BP without your knowledge at any time.