by sprayk 1953 days ago
Why couldn't a baseband attack facilitate this? It was shown at least as far back as 2017[0] that a program on a baseband could affect the memory of the application processor, and in 2018[1] that a specially crafted message can achieve an RCE on a baseband. Since then, cell modems have gotten even more integrated with APs.

[0] https://comsecuris.com/blog/posts/path_of_least_resistance/
[1] https://i.blackhat.com/us-18/Thu-August-9/us-18-Grassi-Explo...

2 comments

>Why couldn't a baseband attack facilitate this?

Because this is about the iPhone, where the baseband is just a USB peripheral. There simply is no DMA. iPads and Macs have DMA controls in place as well. There are other iPhone attacks for sure, but they have been fairly conscious about keeping the baseband isolated for a good long while. So it's less likely to be the vector. Apple didn't spend a ton of money on a custom security processor and OS stack just to let a 3rd party vendor firmware walk all over it. From page 41 of their old iOS Security Guide:

>"To protect the device from vulnerabilities in network processor firmware, network interfaces including Wi-Fi and baseband have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor can’t initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus limits the network processor’s DMA access to pages of memory containing its network packets or control structures."

You'll notice in those papers you link, that "iPhone" and "Apple" do not appear as subjects of the paper. Cellebrite and the like are probably doing other things.
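The quoted Security Guide paragraph describes a policy, not a mechanism. As an added illustration (not the commenter's code, not Apple's, and every name in it is hypothetical), here is a toy model of what "an IOMMU on each PCIe bus limits the network processor's DMA access to pages containing its packets or control structures" means in practice: the device addresses memory through a per-domain translation table, and any request for an unmapped page or a missing permission is a fault rather than a memory access.

```c
/* Added example (not from this thread): a toy model of the IOMMU policy the
 * iOS Security Guide quote describes. All names and addresses are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define MAX_MAPS   8

enum { DMA_READ = 1, DMA_WRITE = 2 };

/* One translation entry: device-visible (I/O virtual) page -> physical page. */
typedef struct {
    bool     valid;
    uint64_t iova_page;
    uint64_t phys_page;
    unsigned perms;
} iommu_entry_t;

/* One translation domain, i.e. one isolated PCIe bus with its own table. */
typedef struct {
    const char   *device;
    iommu_entry_t map[MAX_MAPS];
    unsigned      faults;   /* rejected DMA attempts */
} iommu_domain_t;

/* Grant the device one page. Returns 0, or -1 when the table is full. */
int iommu_map(iommu_domain_t *d, uint64_t iova, uint64_t phys, unsigned perms) {
    for (int i = 0; i < MAX_MAPS; i++) {
        if (!d->map[i].valid) {
            d->map[i] = (iommu_entry_t){ true, iova >> PAGE_SHIFT, phys >> PAGE_SHIFT, perms };
            return 0;
        }
    }
    return -1;
}

/* Translate one DMA request. Returns 0 and fills *phys when the page is mapped
 * with the requested permission; otherwise records a fault and returns -1,
 * which is where real hardware would drop the transaction. */
int iommu_dma(iommu_domain_t *d, uint64_t iova, unsigned access, uint64_t *phys) {
    uint64_t page = iova >> PAGE_SHIFT;
    for (int i = 0; i < MAX_MAPS; i++) {
        const iommu_entry_t *e = &d->map[i];
        if (e->valid && e->iova_page == page && (e->perms & access) == access) {
            *phys = (e->phys_page << PAGE_SHIFT) | (iova & (PAGE_SIZE - 1));
            return 0;
        }
    }
    d->faults++;
    return -1;
}

/* Constructed domain for a network processor: only its packet page and a
 * read-only control page are reachable; every other physical page is not. */
iommu_domain_t make_baseband_domain(void) {
    iommu_domain_t d = { .device = "baseband (hypothetical)" };
    iommu_map(&d, 0x1000, 0x80000000ULL, DMA_READ | DMA_WRITE); /* rx/tx packet buffers */
    iommu_map(&d, 0x2000, 0x80001000ULL, DMA_READ);             /* control structures */
    return d;
}

/* Helper: run one request against a fresh baseband domain, return 0 or -1. */
int baseband_dma_result(uint64_t iova, unsigned access) {
    iommu_domain_t d = make_baseband_domain();
    uint64_t phys;
    return iommu_dma(&d, iova, access, &phys);
}

/* Helper: translated physical address, or 0 if the request was rejected. */
uint64_t baseband_dma_phys(uint64_t iova, unsigned access) {
    iommu_domain_t d = make_baseband_domain();
    uint64_t phys = 0;
    return iommu_dma(&d, iova, access, &phys) == 0 ? phys : 0;
}

int main(void) {
    struct { const char *what; uint64_t iova; unsigned access; } reqs[] = {
        { "write into own packet page",         0x1010,        DMA_WRITE },
        { "write into read-only control page",  0x2000,        DMA_WRITE },
        { "read an arbitrary unmapped AP page", 0x7FFF0000ULL, DMA_READ  },
    };
    iommu_domain_t bb = make_baseband_domain();
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        uint64_t phys = 0;
        int rc = iommu_dma(&bb, reqs[i].iova, reqs[i].access, &phys);
        printf("%-38s -> %s", reqs[i].what, rc == 0 ? "allowed" : "FAULT");
        if (rc == 0) printf(" (phys 0x%llx)", (unsigned long long)phys);
        printf("\n");
    }
    printf("%s: %u DMA requests rejected\n", bb.device, bb.faults);
    return 0;
}
```

The point of the model is the last line of `iommu_dma`: the device never sees a fault as "page not present, try the next one"; the transaction is simply dropped, and the fault counter is the kind of signal a host could log. The USB case the commenter mentions is stricter still, since a USB peripheral cannot issue bus-master transactions at all, so there is no table to walk in the first place.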

Exploits are possible even without DMA. Windows had a slew of USB stack exploits, ranging from the serial and modem drivers to HID device and more. There have also been in the past (and probably still exist) exploits over serial lines, over I2C and SMBus, etc. Not having DMA makes it much, much harder, but not impossible.

So having the modem connected by USB does not make attacking through it impossible - how can you tell there are no bugs in the iOS USB stack?
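The comment's point is that without DMA the remaining attack surface is the host's parsing of what the peripheral sends. As an added example (not the commenter's code and not any real USB stack's), here is the shape of the check a host-side descriptor walker needs: every `bLength` and `wTotalLength` is a claim made by the untrusted device and is validated against the bytes actually received before it is used to advance. The sample blobs are constructed for the example.

```c
/* Added example (not from this thread): host-side parsing of a USB configuration
 * descriptor blob with every device-supplied length checked before use.
 * Constants and sample bytes are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

typedef struct { uint8_t type; uint8_t length; } desc_summary_t;

/* Smallest legal bLength for the descriptor types this walker understands. */
static uint8_t usb_min_length(uint8_t type) {
    switch (type) {
    case USB_DT_CONFIG:    return 9;
    case USB_DT_INTERFACE: return 9;
    case USB_DT_ENDPOINT:  return 7;
    default:               return 2;   /* unknown/class-specific: header only */
    }
}

/* Walk the blob the device returned. Returns the number of descriptors, or -1
 * the moment any header is inconsistent with the bytes actually received.
 * The peripheral is the untrusted party here; bLength and wTotalLength are its
 * claims, not facts. */
int usb_walk_descriptors(const uint8_t *buf, size_t len, desc_summary_t *out, size_t max_out) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                      /* not even a full header left */
        uint8_t bLength = buf[off];
        uint8_t bType   = buf[off + 1];
        if (bLength < usb_min_length(bType))
            return -1;                      /* too short; bLength 0 would also loop forever */
        if (bLength > len - off)
            return -1;                      /* claims more bytes than were received */
        if (bType == USB_DT_CONFIG) {
            uint16_t total = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
            if (total > len)
                return -1;                  /* wTotalLength promises bytes we never got */
        }
        if ((size_t)n < max_out)
            out[n] = (desc_summary_t){ bType, bLength };
        n++;
        off += bLength;
    }
    return n;
}

/* Constructed blob: config (9) + interface (9) + bulk-in endpoint (7) = 25 bytes. */
static const uint8_t good_blob[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
};

/* Same blob, but the endpoint claims bLength 0x40 while only 7 bytes remain. */
static const uint8_t overlong_blob[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x40, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
};

/* Same blob with a zero-length interface descriptor. */
static const uint8_t zero_len_blob[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x00, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
};

int walk_good(void)     { desc_summary_t d[8]; return usb_walk_descriptors(good_blob, sizeof good_blob, d, 8); }
int walk_overlong(void) { desc_summary_t d[8]; return usb_walk_descriptors(overlong_blob, sizeof overlong_blob, d, 8); }
int walk_zero_len(void) { desc_summary_t d[8]; return usb_walk_descriptors(zero_len_blob, sizeof zero_len_blob, d, 8); }

int main(void) {
    printf("well-formed blob: %d descriptors\n", walk_good());
    printf("overlong bLength: %d\n", walk_overlong());
    printf("zero bLength:     %d\n", walk_zero_len());
    return 0;
}
```

A walker that used `bLength` to advance without the two range checks would read past the received buffer on the overlong blob and never terminate on the zero-length one; those two failure modes, not DMA, are what a USB-attached modem can still reach, which is exactly why the commenter's question about the host USB stack is the right one.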

As far as I understand, the isolation between basebands and the main SoC has also been improved (using IOMMUs etc.).