1: Simply bringing it down. If tensions escalate and someone has the ability to cripple their adversary's communications, obviously it's a string they can only pull once, but knowing they can pull it when the time is right, is a big deal.
2: E2EE doesn't insulate you from baseband vulnerabilities. You can think of a modern phone as having two processors, though in practice it's many more, think of the Application Processor (AP) and the Baseband (BB). The AP is basically the CPU that user code runs on. The baseband (so called because it deals with the radio signals once they've been downconverted from their broadband modulations) is sort of like a NIC, it provides connectivity to the main CPU.
Now, if you're familiar with server NICs, imagine a server BMC that has god-level access to the hardware on which the application runs. That's roughly how the baseband is situated in the phone.
Obviously you'd only connect such a BMC to an internal management network that's only accessible to trusted parties, right? Not to one that your adversary controls?
YEahhhhh. If the adversary controls the cellular network and talks directly to the BB/BMC, it doesn't matter how secure the AP/CPU is, it's game over.
>2: E2EE doesn't insulate you from baseband vulnerabilities. You can think of a modern phone as having two processors, though in practice it's many more, think of the Application Processor (AP) and the Baseband (BB). The AP is basically the CPU that user code runs on. The baseband (so called because it deals with the radio signals once they've been downconverted from their broadband modulations) is sort of like a NIC, it provides connectivity to the main CPU.
The situation is somewhat better now. iPhone's modems are separated from the main CPU and communicate with it using some sort of serial link, and AFAIK Tensor-based Pixels have modems isolated using IOMMU.
To be fair, the discussion here is not about baseband processors afaik but the infra that the baseband talks to. Of course you could use that as a hop point to infect all attached basebands because they suffer from a software monoculture and you could get a lot of them. Other less obvious attacks would be selectively downgrading the protocol phones can see the tower using to remove the encryption capabilities. This is similar to what Stingray base stations do.
Exactly. Control of the management/cellular network is not _precisely equivalent to_ control of every machine/phone attached to it, you still have to attack the BMCs/BBs.
But I think it's safe to assume there's always a BMC/BB vuln, especially if the firmware development for it takes place in that same adversary's country. Not having the adversary on your management network in the first place is probably sane.
Firstly, E2E doesn't protect the metadata. So a compromised backbone would still give you insight into who's talking to whom, which is what the NSA doubled down on instead of trying to sift through raw data (they still do, but social network monitoring is easier and can give more insights).
Secondly, if you made the infrastructure, you're more likely to have attack capabilities that can take it down more easily. It probably helped the US and Israel that Iran was using tech from Siemens, which was easy for them to acquire and work on since it's from an ally country. In the fog of war, being able to sow chaos into the home front is useful for disrupting the war operation. The actual message content is probably less valuable.
But the truth is we don’t actually know. There hasn’t been a war between major powers in the telecom age. From that perspective, it’s wiser to keep infrastructure decoupled to avoid surprises and mitigate risk because it looks like conflict may come sooner rather than later given how both sides have been building up and conflicts have been escalating globally.