
Re: Tor on Android



Chris Palmer wrote:
> 
> What about the baseband (that is, it owns the Android OS' CPU)?
> 

It's basically a lost cause to try to secure any phone that uses the
(HTC style) dual CPU architecture.

The baseband OS is a giant nightmare from a security standpoint. It's
probably not worth diving too deep into this topic, but it's certainly
worth mentioning...

For a phone to be reasonably secure, the baseband radio/CPU/device
*must* be entirely independent from the so called application CPU. This
can possibly be accomplished if the baseband is only connected via a
serial link. The attack surface for the phone becomes much lower when
it's just a serial link. As I understand the hardware architecture for
the iPhone, this is how the iPhone is designed.

But wait, I can hear some people asking, "how does it currently work?"
Sadly, most (all?) Android handsets are designed in a way that has a
master/slave relationship between the baseband OS and the actual Android
OS. The phone holds the application CPU in reset until the baseband OS
is loaded and has set up various protections. This means that the
baseband OS can flip bits or read/write flash memory in the Android
portion of the device. A single bug in the baseband can lead to an
attacker having the capability to reflash a phone. Sadly, it doesn't go
both ways. The baseband CPU is the master of memory/CPU protection
faults. So even if you root your phone, you can't peek into memory on
the "baseband side" of the phone. You'll almost certainly *have* to find
a bug and exploit the baseband OS. To make matters worse, despite the
fanfare from Google (and everyone else), the actual "phone" part of
Android is this closed source blob known as the baseband radio image.
There aren't too many of the images, so one bug can really be used to
compromise a lot of phones. Additionally, without a gold card, you're
going to have a hard time re-flashing a modified baseband OS.

It's a very depressing state of affairs and there are only two ways
forward that I can see. The first is to wall off the baseband, using a
serial link, installing a hardware switch for the microphone, etc. The
second is to rewrite or reverse the baseband OS as Free Software and
hope you don't make a single mistake... I'm guessing anyone interested will
want to try both.

Best,
Jacob
