[guardian-dev] signal without sim ?

Timur Mehrvarz timur.mehrvarz at riseup.net
Mon Jan 13 09:53:18 EST 2014


On 13.01.2014 10:02, coderman wrote:
> On Sun, Jan 12, 2014 at 2:21 PM, Georg Lukas <georg at op-co.de> wrote:
>> * Timur Mehrvarz <timur.mehrvarz at riseup.net> [2014-01-12 20:53]:
>>> I think Mr. Greenwald should be petitioned to query his document folder
>>> for the words "SIM" and "airplane mode". I really can't wait to learn
>>> the true nature of this.
>>
>> Take the time for http://www.youtube.com/watch?v=fQqv0v14KKY "All your
>> baseband are belong to us" and
>> https://www.usenix.org/conference/woot12/workshop-program/presentation/Weinmann
>> "Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular
>> Protocol Stacks". This shows that taking ownership of your smartphone
>> "over the air" is really easy for a determined attacker.
> 
> 
> this is a great presentation!
> 
> and to reiterate: airplane mode is intended to disable transmission of
> radio signals (it seems most chipsets do receive just fine, like wifi
> monitor mode, while adhering to stated airplane mode requirements.)
> 
> thus if you have an exploitable baseband open on a channel available
> to attackers your device can be then compromised, keys and data
> exfiltrated, etc.
> all while indicating an "all clear airplane mode no transmit" status
> on your device as far as OS, system, and user apps monitoring device
> status are concerned.

The presenter merely says that there is no way for him to know whether
cellular is really being switched off in airplane mode or not. Nobody
seems to know for sure. This is why some first-hand info would be so valuable.

> the only reliable way to detect this is monitoring power draw and RF
> transmission (SDR) via external systems.  this has been in the threat
> model for high value targets many years now...

Instead of turning all radios off, airplane mode *could* switch cellular
to some very low-power pure listening mode. Power draw would be so low
that you would get the impression that cellular has actually been turned
off. But the device would allow full cellular to be re-activated
remotely via some GSM command. The attacker could then do anything, such
as turning on the microphone. Until such a remote wake-up command comes
in, the device will itself not generate any RF activity. This mode of
operation would be hard to detect from the outside.

The device could even receive cell broadcasts and, say, store location
info in memory (for some period of time). It could then upload this
data, once back in full GSM mode.

- Is this why Snowden didn't ask the journalists to simply activate
airplane mode?
- How widespread is this implemented already?
- How long till all new phones "offer" such functionality?
