Google has revealed the assorted safety guardrails which were integrated into its newest Pixel gadgets to counter the rising risk posed by baseband safety assaults.
The mobile baseband (i.e., modem) refers to a processor on the machine that is chargeable for dealing with all connectivity, corresponding to LTE, 4G, and 5G, with a cell phone cell tower or base station over a radio interface.
“This operate inherently includes processing exterior inputs, which can originate from untrusted sources,” Sherk Chung and Stephan Chen from the Pixel workforce, and Roger Piqueras Jover and Ivan Lozano from the corporate’s Android workforce mentioned in a weblog submit shared with The Hacker Information.
“For example, malicious actors can make use of false base stations to inject fabricated or manipulated community packets. In sure protocols like IMS (IP Multimedia Subsystem), this may be executed remotely from any international location utilizing an IMS consumer.”
What’s extra, the firmware powering the mobile baseband may be weak to bugs and errors that, if efficiently exploited, may undermine the safety of the machine, significantly in eventualities the place they result in distant code execution.
In a Black Hat USA presentation final August, a workforce of Google safety engineers described the modem as each a “basic” and “important” smartphone part with entry to delicate information and one which’s distant accessible with numerous radio applied sciences.
Threats to the baseband aren’t theoretical. In October 2023, analysis printed by Amnesty Worldwide discovered that the Intellexa alliance behind Predator had developed a instrument referred to as Triton to use vulnerabilities in Exynos baseband software program utilized in Samsung gadgets to ship the mercenary spyware and adware as a part of extremely focused assaults.
The assault includes conducting a covert downgrade assault that forces the focused machine to hook up with the legacy 2G community by way of a cell-site simulator, following which a 2G base station transceiver (BTS) is used to distribute the nefarious payload.
Google has since launched a brand new safety function in Android 14 that permits IT directors to show off help for 2G mobile networks of their managed gadgets. It has additionally highlighted the position performed by Clang sanitizers (IntSan and BoundSan) in hardening the safety of the mobile baseband in Android.
Then earlier this 12 months, the tech big revealed it is working with ecosystem companions so as to add new methods of alerting Android customers if their mobile community connection is unencrypted and if a bogus mobile base station or surveillance instrument is recording their location utilizing a tool identifier.
The corporate has additionally outlined the steps it is taking to fight risk actors’ use of cell-site simulators like Stingrays to inject SMS messages instantly into Android telephones, in any other case referred to as SMS Blaster fraud.
“This technique to inject messages solely bypasses the service community, thus bypassing all the subtle network-based anti-spam and anti-fraud filters,” Google famous in August. “SMS Blasters expose a faux LTE or 5G community which executes a single operate: downgrading the person’s connection to a legacy 2G protocol.”
Among the different defenses the corporate has added to its new Pixel 9 lineup embody stack canaries, control-flow integrity (CFI), and auto-initialization of stack variables to zero to keep away from leakage of delicate information or act as an avenue to achieve code execution.
“Stack canaries are like tripwires arrange to make sure code executes within the anticipated order,” it mentioned. “If a hacker tries to use a vulnerability within the stack to alter the move of execution with out being aware of the canary, the canary “journeys,” alerting the system to a possible assault.”
“Much like stack canaries, CFI makes certain code execution is constrained alongside a restricted variety of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart relatively than take the unallowed execution path.