[Replicant] Samsung Galaxy S6 Edge baseband exploit

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Wed Nov 18 20:32:42 UTC 2015


On Fri, 13 Nov 2015 00:31:58 +0100
Moritz Bandemer <replicant at posteo.mx> wrote:
[...]
> > Anything Replicant can or does do to guard against this kind of
> > attack?
> > -john
[...]
> Source: http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1
As I understand it, only the baseband is concerned.

These kinds of attacks have nothing to do with Replicant:
We try to protect the CPU running Replicant against the baseband itself
by choosing phones that have an "isolated baseband".

Given that most[3] basebands run (only?) non-free software, we consider
the baseband as already compromised.

So we have the main SOC/CPU where Replicant runs, and a baseband.
If the baseband and the main SOC are connected in a way that doesn't
allow the baseband to take control of the main SOC, and no
peripherals are connected to the baseband, we call it isolated.

Non-isolated baseband:
----------------------
If the baseband and the CPU/SOC share the same RAM, then we consider it
bad.
Some mechanisms do exist to still secure the CPU/SOC against the
baseband in such a configuration, but it's way easier to choose good
isolation than to assess whether such mechanisms really work.
In Replicant we also tend to use modified vendor Linux kernels, so
making sure such mechanisms work would really be too much work.

An example of such a mechanism is the IOMMU. On Intel platforms there
were many attacks to bypass it.
I've no idea if it's fixed on recent Intel architectures.

Some basebands also have access to the microphone because they are also
the "sound card".

Many basebands have a built-in GPS. When that's not the case, we are
often unable to check if there is some hardware link between the
standalone GPS and the baseband. It could be useful for getting GPS
fixes faster or for RRLP.

Replicant goals, baseband, and other attacks:
---------------------------------------------
* Modem isolation is a hardware characteristic, so Replicant tries
  to focus work on phones that have it and tries to work on phones that
  can be the freest. At the beginning such phones were not available.
  Check the Replicant website to find out which phones are OK in that
  regard and which aren't.
* The code running on the baseband is non-free, so you can therefore
  not trust the baseband, regardless of whether it is affected by
  security issues or not. So why couldn't a baseband redirect calls? It
  runs code and we don't know what that code does.
* The baseband and the SIM card use a protocol to communicate; if you
  look at terminal-profile[1] you then learn what the SIM can ask the
  baseband to do, and that includes redirecting calls.
* The network can redirect calls too, and the core protocol supports
  it[2]. Some operators block some suspicious requests from other
  countries. The modem could also be able to detect some of the
  requests. That might be possible with osmocomBB or some of its
  forks/applications meant to detect exactly that (and other strange
  network behavior).

References:
-----------
[1] https://terminal-profile.osmocom.org/
[2] https://en.wikipedia.org/wiki/Signalling_System_No._7#Protocol_security_vulnerabilities
[3] See http://bb.osmocom.org/ for free software to run on basebands.
    The issue is that I stopped working on the Nuttx port due to the
    lack of time.
    This would have added the foundations necessary to have all GSM
    layers running on the baseband and not on a GNU/Linux computer.
    Practically speaking, for feature phones, that means that they would
    have become standalone.
    For the Openmoko smartphones, that would mean more than 3 or 4 hours
    of battery life (you could then put the main CPU in standby while
    having the baseband still running).

Denis.