[DaiPlusPlus]

Baseband chipsets.

* For example, see https://news.ycombinator.com/item?id=10905937

* Mobile-phone baseband chipsets are proprietary and secret a.f. and part of that is down to the carrier's insistence.

* Baseband chipsets run software that the carrier ships OTA to the phone.

* While baseband chipsets are ostensibly part of the wireless modem and meant to simply provide a service to the rest of the phone it looks like they generally have some form of access to the phone's main memory bus (just like any other PCIe device in a PC) and so could read the framebuffer (assuming it's backed in RAM at all) - or at least the back-buffers of the screens of running applications.

* Even 6-7 years ago, there existed definite causes for concern in (at least) the 32-bit version of iOS - but I can't find any hard evidence that the baseband chip in Apple Silicon-era phones wouldn't have at least some access. See https://github.com/userlandkernel/baseband-research

[pvg]

The comment you linked doesn't support your argument, it pretty much says the opposite.

walled-off from the rest of the phone (somehow) from what I can tell it looks like

A useful search term here is IOMMU, the major phone platforms have readily available documentation describing the architecture and its security goals.

[autoexec]

Having nothing at all to go by except for the platform's documentation and if we're lucky a pinky promise that they'd never backdoor their chips or devices if the state strong armed them into it seems to require a whole lot of faith. It'd be a lot nicer to have verifiable/auditable hardware and software so that we could be reasonably confident what it was capable of and could see exactly what it was doing instead of having to trust the black box.

[tptacek]

You've given up the argument at this point. If you don't trust your phone's manufacturer not to backdoor their own chips, the baseband doesn't matter. If you're concerned about the Qualcomm baseband chips in an iPhone, you're talking about what is probably (depending on your phone) just a USB peripheral.

The baseband parts here are not, as message board C.W. would have it, top secret unknowable wizard hardware. You can get the part numbers and look them up.

There's a lot of weird mythology about these modem parts. The thread you linked to included someone claiming that basebands were DMA'ing into host memory --- you couldn't even do DMA over the HSIC USB the parts were using. Like, it wasn't even physically possible.

(I have no idea what a 5G Snapdragon Xwhatever can do today, but I assure you that Apple's security team does).

[pvg]

Having nothing at all to go by except for the platform's documentation and if we're lucky a pinky promise

We have way, way, way more than that. Both the GP and you are arguing about the security deficiencies of modern phones as you've imagined them, rather than as they are but that gap is trivial to close with relatively little reading.

[DaiPlusPlus]

> you are arguing about the security deficiencies of modern phones as you've imagined them, rather than as they are

I appreciate the strength of your conviction - but I'm not an phone industry insider, and have no access to the kinds of reading-material I assume you're pointing to - for example, Qualcomm put their docs behind a verify-your-employer-wall (which is outrageous): https://www.qualcomm.com/products/technology/modems/snapdrag...

...if Qualcomm's attitude towards openness and transparency is representative of the mobile comms industry in general then they have little hope of correcting any misinformation or misconceptions other technology folk like ourselves might have, let alone the general public.

[pvg]

No, this doesn't require access to internal documentation of anything, just googling a little. Like the sibling comment points out, the whole baseband thing is a bit of a messageboard trope and has been for about decade. This is one of these things you can sort of guess from first principles! I.e. how likely is it that this well-known problem (the potential security implications of DMA/memory mapped peripherals) has remained completely unmitigated and unaddressed by smartphone designers for 10+ years?

[DaiPlusPlus]

Can we have an IM conversation about this? If so, is StackOverflow Chat okay and at what time?