Google’s latest Pixel devices incorporate a number of security measures to counter the growing threat of baseband attacks.
The cellular baseband, also known as the modem, is the processor that handles all cellular connectivity (LTE, 4G, and 5G) with a cell tower or base station over a radio interface.
“This inherent processing of external inputs, potentially originating from untrusted sources, is a fundamental aspect of our technology,” said Sherk Chung and Stephan Chen from Pixel, along with Roger Piqueras Jover and Ivan Lozano from the Android team, in a statement shared with The Hacker News.
Malicious actors can use false base stations to inject fabricated or manipulated network packets. Protocols such as IP Multimedia Subsystem (IMS) can be attacked remotely from anywhere in the world through an IMS client, with no radio proximity required.
What’s more, the firmware running on the cellular baseband can itself contain vulnerabilities that allow malicious exploitation and compromise of the system’s integrity, particularly where patches are slow to reach devices.
At Black Hat USA in August, a team of Google security engineers described the modem as a “fundamental” and “critical” component of smartphones, noting its direct access to sensitive data and the fact that it is reachable by a remote attacker over several radio technologies.
The notion that baseband threats are purely speculative is a myth. In October 2023, research by Amnesty International revealed that the Intellexa alliance behind the Predator spyware had built a tool that exploits vulnerabilities in the Exynos baseband software used in Samsung devices to deliver highly targeted attacks as part of a mercenary spyware operation.
The attack involves covertly forcing the target device onto a legacy 2G network using a cell-site simulator, after which a 2G base transceiver station (BTS) is used to deliver the malicious payload.
Google has since introduced a security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks on their managed devices. It has also highlighted the role of the Clang sanitizers IntSan (integer overflow sanitizer) and BoundSan (bounds sanitizer) in hardening the Android cellular baseband against memory-safety bugs.
Earlier this year, Google said it was working with ecosystem partners on new ways to warn Android users when their cellular connection is unencrypted, or when a fake cell tower or surveillance device attempts to collect the device’s unique identifiers, such as its IMEI.
Google has also detailed steps to counter threat actors’ use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, a technique known as SMS Blaster fraud.
As Google explained in August, this method of injecting messages entirely bypasses the carrier network, and with it every network-based anti-spam and anti-fraud filter. “Sophisticated SMS Blasters masquerade as legitimate LTE or 5G networks, but their sole purpose is to hijack users’ connections, degrading them to outdated 2G protocols.”
Other defenses in the Google Pixel 9 series include stack canaries, control-flow integrity (CFI), and automatic initialization of stack variables, which prevent sensitive data from leaking out of uninitialized memory and make memory-corruption bugs harder to turn into code execution.
Stack canaries act like tripwires: a secret value is placed on the stack between a function’s local buffers and its saved return address, and it is checked before the function returns. An attacker exploiting a stack-based overflow to redirect execution does not know the value, so the overwrite changes it; the canary “trips,” alerting the system to a potential attack before the corrupted return address is used.
CFI is similar in spirit to stack canaries, but it ensures that code execution is confined to a limited set of trusted paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart rather than take the unauthorized path.
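As an added illustration of the two mechanisms just described, here is a hand-written model of a stack canary and a forward-edge CFI check. This is not Google’s or any modem vendor’s code: in real firmware the compiler emits both automatically. The canary value, the handler names, the frame layout and all inputs are constructed for the example, and the “modem restart” is modelled by a counter. It also shows the caveat practitioners care about: a canary whose value has leaked no longer protects the return address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hand-written model of two baseband mitigations: a stack canary and a
 * forward-edge CFI check on an indirect call.  In real firmware the compiler
 * emits both; this is illustrative code, not Google's or any vendor's.  The
 * canary value, handler names and inputs are made up. */

#define DEMO_CANARY 0xDEADBE00u  /* low byte zero: a C-string overflow cannot rewrite it and keep copying */

/* Layout a compiler gives a protected frame: locals, then the canary, then
 * the saved return address that an overflow is really aiming for. */
typedef struct {
    uint8_t   buf[16];
    uint32_t  canary;
    uintptr_t saved_ret;
} frame_t;

enum { CANARY_TRIPPED = 0, CANARY_OK = 1 };

/* Copies untrusted input into buf with no length check (the bug), then does
 * the check a hardened epilogue performs.  Returns CANARY_OK if the canary is
 * unchanged, CANARY_TRIPPED if it was overwritten, in which case saved_ret
 * cannot be trusted and the firmware must abort instead of returning. */
int copy_with_canary(const uint8_t *in, size_t len, uint32_t canary)
{
    frame_t f;
    f.canary = canary;
    f.saved_ret = 0x1000;                /* stands in for the legitimate return target */
    if (len > sizeof f) len = sizeof f;  /* keeps the simulation inside the struct */
    memcpy((uint8_t *)&f, in, len);      /* buf sits at offset 0; bytes 16.. land on canary and saved_ret */
    return f.canary == canary ? CANARY_OK : CANARY_TRIPPED;
}

/* Constructed inputs. */
int canary_demo_benign(void)             /* 8 bytes: fits in buf, CANARY_OK */
{
    uint8_t in[8]; memset(in, 'h', sizeof in);
    return copy_with_canary(in, sizeof in, DEMO_CANARY);
}
int canary_demo_blind_overflow(void)     /* 24 bytes of 'A': canary becomes 0x41414141, trips */
{
    uint8_t in[24]; memset(in, 'A', sizeof in);
    return copy_with_canary(in, sizeof in, DEMO_CANARY);
}
/* Caveat: an attacker who has leaked the canary writes it back in place and
 * passes the check even though saved_ret is now 'AAAA...'.  The canary only
 * helps while its value stays secret and unpredictable. */
int canary_demo_known_value(void)
{
    uint8_t in[sizeof(frame_t)]; uint32_t c = DEMO_CANARY;
    memset(in, 'A', sizeof in);
    memcpy(in + offsetof(frame_t, canary), &c, sizeof c);
    return copy_with_canary(in, sizeof in, DEMO_CANARY);
}

/* ---- Forward-edge CFI ---------------------------------------------------- */

typedef int (*msg_handler)(const uint8_t *msg, size_t len);

static int handle_attach_request(const uint8_t *m, size_t n) { (void)m; return (int)n; }
static int handle_detach_request(const uint8_t *m, size_t n) { (void)m; return -(int)n; }

/* Targets this call site may legitimately reach.  Clang's scheme derives the
 * set from the function type rather than an explicit list, but the check has
 * the same shape: is the target a known valid function for this call? */
static const msg_handler allowed_targets[] = { handle_attach_request, handle_detach_request };

static int modem_restart_count = 0;
enum { CFI_VIOLATION = -1 };

/* Instead of jumping to whatever pointer is in memory, verify it first.  On a
 * mismatch the baseband restarts (modelled by a counter) rather than taking
 * the unauthorized path. */
int cfi_dispatch(msg_handler target, const uint8_t *msg, size_t len)
{
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++)
        if (allowed_targets[i] == target)
            return target(msg, len);
    modem_restart_count++;
    return CFI_VIOLATION;
}
int restart_count(void) { return modem_restart_count; }

int cfi_demo_legit(void)                 /* valid handler: returns the message length, 5 */
{
    uint8_t m[5] = {0};
    return cfi_dispatch(handle_attach_request, m, sizeof m);
}
int cfi_demo_corrupted_pointer(void)     /* pointer overwritten with 'AAAA': CFI_VIOLATION */
{
    uint8_t m[5] = {0};
    return cfi_dispatch((msg_handler)(uintptr_t)0x41414141u, m, sizeof m);
}

int main(void)
{
    printf("benign=%d blind=%d known=%d\n", canary_demo_benign(),
           canary_demo_blind_overflow(), canary_demo_known_value());
    printf("legit=%d corrupted=%d restarts=%d\n", cfi_demo_legit(),
           cfi_demo_corrupted_pointer(), restart_count());
    return 0;
}
```

The known-value case is the reason canaries are paired with other mitigations: once a separate information leak discloses the value, the overflow passes the check and the saved return address is attacker-controlled, which is exactly the point at which CFI becomes the remaining barrier. Note also that the allow-list here is stricter than Clang’s type-based CFI, which would accept any function of matching signature; the model shows the shape of the check, not the compiler’s precise policy.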