Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks

Oct 03, 2024 | Ravie Lakshmanan | Mobile Security / Technology

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.

The cellular baseband (i.e., modem) refers to a processor on the device that is responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface.

“This function inherently involves processing external inputs, which may originate from untrusted sources,” Sherk Chung and Stephan Chen from the Pixel team, and Roger Piqueras Jover and Ivan Lozano from the company’s Android team said in a blog post shared with The Hacker News.

“For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client.”


What’s more, the firmware powering the cellular baseband is also susceptible to bugs and errors that, if successfully exploited, could undermine the security of the device, particularly in scenarios where they lead to remote code execution.

In a Black Hat USA presentation last August, a team of Google security engineers described the modem as both a “fundamental” and “critical” smartphone component with access to sensitive data and one that’s remotely accessible over various radio technologies.

Threats to the baseband are not theoretical. In October 2023, research published by Amnesty International found that the Intellexa alliance behind Predator had developed a tool called Triton to exploit vulnerabilities in the Exynos baseband software used in Samsung devices to deliver the mercenary spyware as part of highly targeted attacks.

The attack involves conducting a covert downgrade attack that forces the targeted device to connect to the legacy 2G network via a cell-site simulator, following which a 2G base station transceiver (BTS) is used to distribute the nefarious payload.

Google has since introduced a new security feature in Android 14 that allows IT administrators to turn off support for 2G cellular networks on their managed devices. It has also highlighted the role played by Clang sanitizers (IntSan and BoundSan) in hardening the security of the cellular baseband in Android.

Then earlier this year, the tech giant revealed it is working with ecosystem partners to add new ways of alerting Android users if their cellular network connection is unencrypted and if a bogus cellular base station or surveillance tool is recording their location using a device identifier.

The company has also outlined the steps it is taking to combat threat actors’ use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, otherwise known as SMS Blaster fraud.

“This method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters,” Google noted in August. “SMS Blasters expose a fake LTE or 5G network which executes a single function: downgrading the user’s connection to a legacy 2G protocol.”


Some of the other defenses the company has added to its new Pixel 9 lineup include stack canaries, control-flow integrity (CFI), and auto-initialization of stack variables to zero, so that uninitialized memory can neither leak sensitive data nor serve as an avenue to achieve code execution.

“Stack canaries are like tripwires set up to ensure code executes in the expected order,” it said. “If a hacker tries to exploit a vulnerability in the stack to change the flow of execution without being mindful of the canary, the canary ‘trips,’ alerting the system to a potential attack.”

“Similar to stack canaries, CFI makes sure code execution is constrained along a limited number of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart rather than take the unallowed execution path.”
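To make the canary mechanism concrete, here is an added C model (not Google's or the Pixel modem's code; every name, length and byte value is constructed) of a message handler that places a canary after its receive buffer and checks it after copying a radio message, alongside the bounds-checked form of the same handler:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a stack canary. A real canary is placed by the compiler
 * between a function's local buffers and its saved return address; here
 * the "frame" is an explicit byte array so the behaviour is well defined.
 * All names, lengths and byte values are constructed for this example. */
#define BUF_LEN    16
#define CANARY_LEN 4
#define FRAME_LEN  (BUF_LEN + CANARY_LEN)

enum { MSG_OK = 0, MSG_REJECTED = 1, MSG_CANARY_TRIPPED = 2 };

/* Constructed canary; real ones are random per boot. The leading 0x00
 * keeps string-copy overruns from reproducing the value by accident. */
static const uint8_t CANARY[CANARY_LEN] = { 0x00, 0x0a, 0xc4, 0xb7 };

/* Constructed radio messages: one that fits, one that overruns the buffer. */
static const uint8_t MSG_SHORT[8] = { 0x03, 0x01, 'I', 'N', 'F', 'O', 0, 0 };
static const uint8_t MSG_LONG[FRAME_LEN] = {
    0x03, 0x01, 'A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A' };

/* bounds_check == 0 models the buggy handler that trusts the sender's
 * length field; bounds_check == 1 models the fix that rejects oversized
 * messages before copying. Returns one of the MSG_* codes above. */
int handle_message(const uint8_t *msg, size_t len, int bounds_check)
{
    uint8_t frame[FRAME_LEN];
    memset(frame, 0, BUF_LEN);                   /* zero-init, as auto-init does */
    memcpy(frame + BUF_LEN, CANARY, CANARY_LEN); /* canary sits right after buf */

    if (bounds_check && len > BUF_LEN)
        return MSG_REJECTED;
    if (len > FRAME_LEN)
        len = FRAME_LEN;                         /* keeps this model in bounds */
    memcpy(frame, msg, len);                     /* unchecked path may clobber canary */

    /* Epilogue check: a changed canary means the frame was corrupted, and a
     * real system would abort or restart the modem instead of returning. */
    return memcmp(frame + BUF_LEN, CANARY, CANARY_LEN) == 0 ? MSG_OK
                                                           : MSG_CANARY_TRIPPED;
}

int main(void)
{
    printf("short, unchecked: %d\n", handle_message(MSG_SHORT, sizeof MSG_SHORT, 0));
    printf("long, unchecked:  %d\n", handle_message(MSG_LONG, sizeof MSG_LONG, 0));
    printf("long, checked:    %d\n", handle_message(MSG_LONG, sizeof MSG_LONG, 1));
    return 0;
}
```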
