[IgorBog61650384]

I don't think this should surprise anyone. The FBI has multiple methods for accessing locked phones: using physical exploits like those provided by Cellbrite, or through baseband attacks - i.e. first attacking the cellular modem and from there using an exploit to get to the main ARM cpu, or through exploits or backdoors in any app the phone had that do background refresh through the web while the phone is locked. I think the current status of infosec means that anyone that is the target of a nation state intelligence agency or counter intelligence agency can be hacked. The question if that is actually done or not depends on how interesting they are and the lawfulness of the action and not on technical capabilities.

[lawnchair_larry]

Your understanding of baseband attacks is not correct. Having a baseband exploit would not facilitate this. Nor would exploits/backdoors in any particular app.

[sprayk]

Why couldn't a baseband attack facilitate this? It was shown at least as far back as 2017[0] that a program on a baseband could affect the memory of the application processor, and in 2018[1] that a specially crafted message can achieve an RCE on a baseband. Since then, cell modems have gotten even more integrated with APs.

[0] https://comsecuris.com/blog/posts/path_of_least_resistance/ [1] https://i.blackhat.com/us-18/Thu-August-9/us-18-Grassi-Explo...

[xoa]

>Why couldn't a baseband attack facilitate this?

Because this is about the iPhone, where the baseband is just a USB peripheral. There simply is no DMA. iPads and Macs have DMA controls in place as well. There are other iPhone attacks for sure, but they have been fairly conscious about keeping the baseband isolated for a good long while. So it's less likely to be the vector. Apple didn't spend a ton of money on a custom security processor and OS stack just to let a 3rd party vendor firmware walk all over it. From page 41 of their old iOS Security Guide:

>"To protect the device from vulnerabilities in network processor firmware, network interfaces including Wi-Fi and baseband have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor can’t initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus limits the network processor’s DMA access to pages of memory containing its network packets or control structures."

You'll notice in those papers you link, that "iPhone" and "Apple" do not appear as subjects of the paper. Cellebrite and the like are probably doing other things.

[IgorBog61650384]

Exploits are possible even without DMA. Windows had a slew of USB stack exploits, ranging from the serial and modem drivers to HID device and more. There have also been in the past (and probably still exist) exploits over serial lines, over I2C and SMBus, etc'. Not having DMA makes it much, much harder, but not impossible.

So having the modem connected by USB does not make attacking through it impossible - how can you tell there are no bugs in the iOS USB stack?

[lxgr]

As far as I understand, the isolation between basebands and the main SoC has also been improved (using IOMMUs etc.)