Wednesday, May 28, 2014

No, you can't remotely turn on phones

In the NBC interview, Snowden confirms that the NSA can remotely turn on Brian Williams' phone. This isn't true. Just because the NSA can hack into a lot of phones doesn't mean it can hack a specific model of phone at all.

The NSA has a lot of power over phones, but it's not omnipotent. There are limitations.

The basic hack Snowden is describing is hacking the "baseband processor". A phone is actually two computers: a low-power computer that manages communications with the cell tower, and a high-power computer that manages the screen. Right now, when your phone is in your pocket, that high-power computer is off, but the low-power baseband processor is still running, talking to the tower.

The code in baseband processors is crap. It's relatively easy to find vulnerabilities that can be used to take control of the baseband processor, either by reviewing the code, or setting up a hostile cell tower (like using OpenBTS) and fuzzing. The code is so fragile it's hard not to find a bug in it.

With that said, there are many different baseband processors. There's a good chance that when a vendor ships a new phone, the NSA doesn't have an 0day exploit yet for the new processor that comes with the phone. Also, while they can exploit most phones, there are some phones for which they never find a robust exploit.

Also, once they get into the baseband processor, they then have to get into the main phone system (Android or Apple). That requires a whole new set of exploits, which sometimes won't work. That's why the recent news about a debug feature in Samsung phones was so important -- because it created a "backdoor" allowing the baseband processor to take control of the phone.

Snowden saw programs that were widely successful at getting intelligence from phones, but he doesn't understand the details. Yes, there may be a model of phone out there where the NSA was able to "remotely turn it on" (probably because a baseband processor was never truly off), but that doesn't mean that when you turn off your iPhone that the NSA can do anything with it. Your iPhone, or Brian Williams' phone, is safe from "remote turn on". On the other hand, if you have an iPhone, the NSA is doing its best to find 0day vulnerabilities, in the baseband, in the iOS operating system, in the browser, in apps, and so on. You are in danger -- but still, they aren't omnipotent over your phone.



Update: There has been some discussion about "implants" and how this changes the story. I'm not sure it does.

An "implant" is when the NSA intercepts your phone and installs hardware or software on it. Usually this is because they intercepted a shipment, snuck into your hotel room, or ran a remote exploit (via the Internet or via the baseband). Yes, an implant gives the NSA full control over your phone -- but it's difficult getting the implant on your phone in the first place.

Once the NSA installs an implant, then of course they can remotely "power on" your phone, because it's not really powered off -- even when you think it is.

But the question was Brian Williams holding a phone asking what the NSA could do to it -- in the future (power it on). He wasn't asking what they'd done to it in the past (install an implant).

My point is simply this: the NSA isn't omnipotent. They can't do everything. They can do a lot of things, and they've been very successful at doing a lot of things, but they aren't God, and they can't do Magic.



Update: The question whether the NSA can technically control a phone is often confused with whether they can legally control your phone.

In theory, the NSA can't operate in the United States -- so the department that'd be hacking your phone would be the FBI.

And what they can do legally is .... I just don't know anymore. I'd've said in the past that they'd need a warrant, but apparently police departments are hacking phones without warrants.


8 comments:

Steve Phillips said...

> Just because the NSA can hack into a lot of phones doesn't mean it can hack a specific model of phone at all.

Certainly. But for what percentage of phones does the NSA have a backdoor into the baseband? I hope we find out soon, and I'd bet it's more than you seem to think.


> Snowden saw programs that were widely successful at getting intelligence from phones, but he doesn't understand the details.

Why do you say he doesn't understand the details? He knows just about as many details as anyone on the planet, does he not?


> Yes, there may be a model of phone out there where the NSA was able to "remotely turn it on" ...

_A_ model?! You just made it clear that baseband software is swiss cheese from a security perspective. Again, I don't know why you're so confident that the NSA, with all their resources and the lengths we now know they're willing to go, haven't hacked, say, most basebands. They could even pressure OEMs to include backdoors from the beginning. Or maybe they hack into whatever firmware installing machines exist in Asia where the phones are flashed...

Al Wojs said...

"They could even pressure OEMs to include backdoors from the beginning. Or maybe they hack into whatever firmware installing machines exist in Asia where the phones are flashed..."
Exactly. I'm not a specialist, but the case with the routers shows that it could also happen with the phones and maybe keep them on in a super low power state or something

Vincent Blackshear said...

Since the signing of the 1996 telecommunications act by Bill Clinton, all cell phones had to be made to be remotely operated. Read the Bill, pass it along. If you can't remove the battery, then you can never turn off the phone.

Patrik Bubák said...

I would definitely trust Ed Snowden's judgement over some tech expert's, as he's worked for the NSA, he knows definitely a lot more than anybody else and it's never enough to stay cautious.

Unknown said...

Mat Solnik's giving a pretty good talk about this at BlackHat this year:

https://www.blackhat.com/us-14/briefings.html#cellular-exploitation-on-a-global-scale-the-rise-and-fall-of-the-control-protocol

theblamee1 said...

Why is the main critique of Edward Snowden's claim that the NSA can turn Brian Williams' phone on remotely that the NSA is not "omnipotent"?

Of course the NSA is not "all knowing". Who would make that type of claim?

The issue should be one of intentionality, or the degree of power that the NSA either claims for itself or wants you (the lowly sheeple) to believe it has claimed for itself.

There is a big difference between "omnipotence" and "being all knowing" and "being all powerful".

I for one trust Snowden. He's a patriot. Brian Williams cannot be trusted. Brian is either "Big Brother" or a government troll.

akronyiko said...

"There's a good chance that when a vendor ships a new phone, the NSA doesn't have an 0day exploit yet for the new processor that comes with the phone."

What makes you believe any vendor exists that isn't compromised internally?

Todd said...

The ability to turn cell phones on is inherent in the 3GPP technical specifications for GSM, specifically those for "Radio Resource Control." This ability to turn on a switched-off phone is actively employed for earthquake and tsunami warning broadcasts in Asia. GSM phones have a 1% battery usage standby mode called "paging channel" where all it does is listen for a polling call to wake it up. When you think you are turning your phone off, you are really putting it into this standby mode. The only way to ensure your phone is fully off is to remove the battery (good luck iPhone users).