But the world's moved on since those reports were made. It's FUD: https://www.reddit.com/r/CopperheadOS/comments/6wtul0/on_sen...
We're already in a world were we can't quite trust our CPUs, so why trusting baseband chips?
If it does make the design more complicated, it may also reduce the potential attack surface.
an increase in complexity would rule out reduction of attack surface. in fact attack surface would be guaranteed to increase
General design failures/bugs from assumed acting-in-good-faith silicon/sw designers vs not-acting-in-good-faith silicon/sw designers.
Assuming the radio's are the primary threat to privacy then I'd prefer a design from a privacy activist company who explicityly designs the hw so that the less trustable parts are forced behind physcial and defined interface "firewalls".
On the other hand, the baseband processor is mostly unknown, black box hardware, running unknown black box software, that completely controls the transmission of cellular data. Of course it would be horrible if there was no separation between the CPU and baseband. You shouldn't trust that setup. But as it turns out, separation does exist!
As a counter-example -- removing all of Linux's privilege checking would make the code a lot less complicated, but the attack surface would increase a million-fold. In this case, the Librem 5's separation of the baseband such that communication is done over USB (a protocol which doesn't have DMA) is a security improvement over giving the baseband DMA access.
> Complex parts like the cellular modem or the WiFi can access the very same RAM that is used at runtime to store your most private data, but at the same time they are controlled by binary-only firmware that no one except the manufacturer of that chip has access to.
For the cellular modem, in your run-of-the-mill iPhone or Android phone nowadays, it is simply false that the cellular modem can access arbitrary data in RAM. Can't tell you about WiFi, but I expect a similar situation.
There's a lot of room for improvement in secure smartphone architectures, but the "baseband can read your photos" trope is simply false.
The baseband is permanently attached to a public network. Not having control over whether that connection actually is up is a huge security hole. The entire baseband software stack runs in supervisor mode. There are no non-executable pages, there's no stack protection.
EDIT-1: Qualcomm baseband chips have location tracking baked in. Even with a clean OS and no tracking apps, the baseband does it. The tracking data is commercially available: https://web.archive.org/web/20180514003056/https://www.qualc...
if the security boundary is baked into the code or the design of the system, and also assuming it doesn't introduce more bugs, then I agree[1]. Security controls that get introduced on top do risk an increase in attack surface. An additional interface is by definition a an additional "surface", the question is if it can be attacked.
[1] you could still argue that more lines of code always means more bugs (but let's assume it's very close to bullet-proof)
I have no experience with PCIe so maybe it's harder with USB to abuse the host system, than with PCIe these days.
You can think of USB as being similar to using a TCP/IP protocol between multiple machines capable of executing code, and having to execute code to handle higher level protocols, like HTTP or whatnot. If there's a code execution bug anywhere, the USB capable device will be able to exploit it.
And by default, there's a code-execution bug on all normally configured Linux machines. If you'll not create a USB "firewall", modem can just create a virtual keyboard and kernel will happily accept all input from it, for example. So modem can just type whatever it wants to your shell. It will be obvious, but, it's still device->host RCE.
My understanding is that integators buy the baseband module (with FCC and other licenses) and add it to their device so as to not incur the patent fees and oversight required by developing the radio device into every regional handset.
The article you linked to says: "There can be an IOMMU with very tight restrictions providing proper isolation or a setup where the IOMMU is effectively not doing anything and permits access to all of the memory. Determining that requires real research."
So it sounds more like separation might or might not exist and you're not likely to find out if it does on your particular device.
Modern Android/Qualcomm phones have pretty sophisticated security architectures that do indeed isolate the baseband, partly because exploiting baseband bugs was such a common source of phone unlocks in the past. If an app is using SSL then the baseband can't read what's happening.
If the chips are tightly integrated propriatary black boxes like on most hw then from my POV its _physcially_ possible for them to read anything regardless of what the designers/industry say because I do not trust them.
You trust your sources that say "..simply false that the cellular modem can access arbitrary data in RAM". I don't. Even if you claim to have personally designed, fabbed and shipped that silicon I still have no practical reason to trust.