Hacker News new | ask | show | jobs
by cartoonworld 122 days ago
fyi a Cell Site Simulator can masquerade as the legitimate telco operator and push type 0 messages to the handset.

What that means is they can push malicious settings and configurations (Definitely) and probably malicious firmware to the handset at will. They don't need to code this, they buy the software packages from the usual suspects. Adversary simply needs to put a drt box or a hailstorm or what-not close enough to the handset to do the work.

The baseband can do a lot, it has dma (if I recall correctly) and can almost certainly screen look, and extract information from some but not all base bands. This varies.

GrapheneOS cannot really influence this, but hardened_malloc could conceivably help. What would be great is a bench firmware re-flash, but I don't want to do this every single day.
2 comments
ylk 122 days ago
> The baseband can do a lot, it has dma

There's an IOMMU:

> Is the baseband isolated? > Yes, the baseband is isolated on all of the officially supported devices. Memory access is partitioned by the IOMMU and limited to internal memory and memory shared by the driver implementations. [...]

https://grapheneos.org/faq#baseband-isolation

> GrapheneOS cannot really influence this, but hardened_malloc could conceivably help.

They can and do, see above. But I don't see how hardened_malloc is related to the baseband doing DMA.

link
cartoonworld 122 days ago
Thanks, this is very good information!

To answer your question, I thought it might just be slightly harder to extract secrets or exploit a running process directly. Thats all I was saying.

link
evolve2k 122 days ago
I don’t have the source (I’ll have to try find it), but I read that the cell site simulators can work on 4G and earlier but don’t work on 5G. So one thing folks can do is set ur phone to use 5G networks only (unless ur stuck and then u can make it looser but be aware your less protected at that time).

I do this on iOS I’m sure it’s do-able on GrapheneOS and hopefully on Android too.

link
cartoonworld 122 days ago
5G CSS is harder yes, but keep in mind that most 5G is the 5G_NSA variety, and is really just riding on the same cell bands, no mmwave here. You probably notice that your phone often slips out of 5g, or you inhabit different modes here.

Essentially, 5G is sort of a lie. Phones spend a lot of time exchanging information via 4g/lte, and just like 2g/3g and 3g/4g, there are simply downgrades that can be performed in the field, without getting too far into the weeds.

5G matters not for this.

link