Google has revealed the various security fences that have been built into its latest Pixel devices to counter the growing threat posed by baseband security attacks.
A cellular baseband (i.e., the modem) is the processor on a device that is responsible for handling all cellular connectivity, such as LTE, 4G, and 5G, to a mobile cell tower or base station over a radio interface.
“This feature inherently involves handling external input that may come from untrusted sources,” said Sherk Chang and Stefan Chen of the Pixel team, as well as Roger Piqueros Jover and Ivan Lozano of the company’s Android team, in a blog post shared with The Hacker News.
“For example, attackers can use fake base stations to inject forged or manipulated network packets. In some protocols, such as IMS (IP Multimedia Subsystem), this can be done remotely from any global location using an IMS client.”
Moreover, the firmware that powers the cellular baseband can itself contain bugs that, if successfully exploited, undermine the security of the whole device, especially when they lead to remote code execution on the modem.
In a Black Hat USA presentation last August, Google’s security engineering team described the modem as a “fundamental” and “critical” component of a smartphone that has access to sensitive data and is reachable remotely over various radio technologies.
Baseband threats are not theoretical. October 2023 research published by Amnesty International found that the Intellexa alliance behind Predator has developed a tool called Triton to exploit vulnerabilities in the Exynos baseband software used in Samsung devices to deliver mercenary spyware in highly targeted attacks.
The attack involves a stealthy downgrade attack that forces the target device to connect to a legacy 2G network using a cellular network simulator, after which a 2G base station transceiver (BTS) is used to deliver the malicious payload.
Google has since introduced a security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks on their managed devices. It also emphasized the role played by the Clang sanitizers (IntSan and BoundSan) in hardening the cellular baseband on Android.
Then earlier this year the tech giant revealed it’s working with ecosystem partners to add new ways to alert Android users when their cellular connection is unencrypted and when a rogue cellular base station or surveillance tool records their location via device ID.
The company also outlined the steps it is taking to combat threats using cell site simulators such as Stingrays to inject SMS messages directly into Android phones, otherwise known as the SMS Blaster scam.
“This message injection method completely bypasses the operator’s network, thus bypassing all sophisticated network filters to combat spam and fraud,” Google noted in August. “SMS Blasters expose a fake LTE or 5G network that does one function: downgrade a user’s connection to the legacy 2G protocol.”
Among the other protections that the company has added to its new Pixel 9 line are stack canaries and control flow integrity (CFI), as well as automatic zero-initialization of stack variables so that uninitialized memory cannot leak sensitive data or serve as a code execution opportunity.
“Stack canaries are like tripwires set up to ensure that code executes in the expected order,” it says. “If a hacker tries to use a vulnerability in the stack to change the flow of execution without being aware of the canary, the canary will ‘trip’, alerting the system to a potential attack.”
“Like stack canaries, CFI ensures that code execution is restricted to a limited number of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI forces the modem to restart instead of following the disallowed execution path.”
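The following is an added example, not code from Google’s post or from the Pixel modem firmware, that models in plain C the two mechanisms just described: a stack canary placed between a buffer and the saved return address, and a forward-edge CFI check on an indirect call. Real compilers emit both in generated code (GCC/Clang `-fstack-protector-strong`, Clang `-fsanitize=cfi`), with a random per-process canary; the fixed canary value, the `struct frame` layout, the handler functions and the `attacker_gadget` target here are all assumptions made to keep the mechanism visible and testable.

```c
/*
 * Added illustration (not from the article or from any vendor code) of a
 * stack canary and a forward-edge CFI check, hand-rolled so the checks
 * are visible. Production builds get these from the compiler instead.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
/* Assumed fixed value; a real canary is randomized per process so an
 * attacker cannot simply write the right value back over it. */
#define CANARY_VALUE 0xDEADBEEFCAFEF00DULL

/* Model of a stack frame: a fixed buffer, then the canary, then the
 * saved return address that an overflow is really trying to reach. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t canary;
    uintptr_t saved_return; /* stand-in for the saved return address */
};

/* Copy attacker-controlled input into the frame the way an unchecked
 * memcpy/strcpy would, then verify the canary before "returning".
 * Returns 0 if the canary is intact, 1 if the overflow was caught.
 * The copy goes through a byte pointer to the whole struct so the
 * overflow stays inside one object and the demo is well-defined C. */
int copy_and_check_canary(const unsigned char *input, size_t len) {
    struct frame f;
    f.canary = CANARY_VALUE;
    f.saved_return = 0x1000;            /* arbitrary stand-in */
    unsigned char *raw = (unsigned char *)&f;
    if (len > sizeof f)
        len = sizeof f;                 /* never leave the object */
    memcpy(raw, input, len);            /* the bug: no check against BUF_SIZE */
    if (f.canary != CANARY_VALUE)
        return 1;   /* canary tripped: abort rather than return via a
                       corrupted address (the modem would restart) */
    return 0;
}

/* Forward-edge CFI model: an indirect call may only land on a function
 * in the permitted target set. Anything else is treated as a hijacked
 * pointer and the call is refused (-1 stands for "restart the modem"). */
typedef int (*handler_fn)(int);

int handle_attach(int x)   { return x + 1; }     /* legitimate target */
int handle_detach(int x)   { return x - 1; }     /* legitimate target */
int attacker_gadget(int x) { return x * 1000; }  /* not in the allowed set */

static const handler_fn allowed_targets[] = { handle_attach, handle_detach };

int cfi_checked_call(handler_fn target, int arg) {
    size_t n = sizeof allowed_targets / sizeof allowed_targets[0];
    for (size_t i = 0; i < n; i++) {
        if (allowed_targets[i] == target)
            return target(arg);         /* on the allowed path */
    }
    return -1;                          /* CFI violation: disallowed path */
}

int main(void) {
    unsigned char benign[] = "hello";               /* fits in buf */
    unsigned char overflow[40];                     /* constructed overflow */
    memset(overflow, 'A', sizeof overflow);

    printf("benign copy, canary tripped: %d\n",
           copy_and_check_canary(benign, sizeof benign));
    printf("overflowing copy, canary tripped: %d\n",
           copy_and_check_canary(overflow, sizeof overflow));
    printf("cfi: allowed target -> %d, hijacked pointer -> %d\n",
           cfi_checked_call(handle_attach, 1),
           cfi_checked_call(attacker_gadget, 1));
    return 0;
}
```

The overflow case shows why the canary sits where it does: the 'A' bytes run straight through `buf` into `canary` before they can reach `saved_return`, so the check fails before the corrupted return address is ever used. The CFI check refuses the `attacker_gadget` pointer for the same reason the article gives: the target is not one of the paths the program was compiled to allow.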