
> So they stand between you and the tower and sift through the transmission first. This means they can now intercept data on that transmission. I don’t know what they can do with it, and there is no real clear information on what data they can get. They do say metadata and access the cellphone's internal storage, so that is enough to want to block the Stingray.

Cellphone's internal storage? Seriously?




"Service update" SMS messages can write certain things to the SIM card and other aspects of the phone without user interaction.

(this machinery is rather hard to google for and I'm not sure if it has a better name in the official GSM documents)


That's interesting, it sounds like something that was being repeatedly sent to my Motorola flip phone in China in 2007. I had the ability to reject this SMS/MMS thankfully.


No, that was most likely spam. You can't even see service updates (OTA); just like silent SMS (type 0), they are invisible to the user.

https://github.com/CellularPrivacy/Android-IMSI-Catcher-Dete...
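The two invisible message kinds mentioned above can be told apart from a normal text by header fields alone, which is how a detector on the handset would flag them. The following is an added example, not code from this thread or from the Android-IMSI-Catcher-Detector project: a small parser for SMS-DELIVER TPDUs (GSM 03.40 / 3GPP TS 23.040) that classifies a message as ordinary text, a Type 0 "silent" SMS (TP-PID 0x40) or a (U)SIM data-download / OTA message (TP-PID 0x7F, or TP-DCS message class 2). It assumes the SMSC address has already been stripped, handles only numeric originating addresses, decodes only the ASCII-compatible subset of the GSM 7-bit alphabet, and the three sample PDUs are hand-constructed for the example rather than captured from a network.

```python
"""Classify SMS-DELIVER TPDUs as text, Type 0 (silent) or (U)SIM OTA.

Field layout follows 3GPP TS 23.040; the sample PDUs at the bottom are
constructed for this example, not captured traffic.
"""

# TP-PID values (3GPP TS 23.040, TP-Protocol-Identifier)
PID_TYPE0 = 0x40              # Short Message Type 0: ack, but never store/display
PID_SIM_DATA_DOWNLOAD = 0x7F  # (U)SIM Data download: handed to the SIM, not the user


def _swap_nibbles(hexstr):
    """'2143' -> '1234': TP-OA digits are stored BCD with nibbles swapped."""
    return ''.join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def _unpack_7bit(data, septets):
    """Unpack the GSM 7-bit default alphabet (LSB-first packing).

    Only the ASCII-compatible subset is mapped; anything else becomes '?'.
    """
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
    return ''.join(chr(c) if 32 <= c < 127 else '?' for c in out)


def parse_sms_deliver(pdu_hex):
    """Parse an SMS-DELIVER TPDU (SMSC address already stripped) and classify it."""
    raw = bytes.fromhex(pdu_hex)
    first = raw[0]
    if (first & 0x03) != 0x00:        # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)         # TP-UDHI: user-data header present

    # TP-OA: digit count, type-of-address octet, then F-padded BCD digits
    oa_digits = raw[1]
    toa = raw[2]
    pos = 3 + (oa_digits + 1) // 2
    oa = _swap_nibbles(raw[3:pos].hex().upper()).rstrip('F')
    if (toa & 0x70) == 0x10:          # international number
        oa = '+' + oa

    pid = raw[pos]
    dcs = raw[pos + 1]
    pos += 2 + 7                      # skip TP-SCTS (7 octets, timestamp)
    udl = raw[pos]
    ud = raw[pos + 1:]

    # TP-DCS general coding group: bits 3-2 = 01 means 8-bit data;
    # bit 4 set means bits 1-0 carry a message class (2 = SIM specific).
    eight_bit = (dcs & 0xC0) == 0x00 and (dcs & 0x0C) == 0x04
    msg_class = (dcs & 0x03) if (dcs & 0x10) else None

    if pid == PID_TYPE0:
        kind = 'silent-type0'
    elif pid == PID_SIM_DATA_DOWNLOAD or msg_class == 2:
        kind = 'sim-ota'
    else:
        kind = 'text'

    text = None
    if kind == 'text' and not eight_bit and not udhi:
        text = _unpack_7bit(ud, udl)

    return {'from': oa, 'pid': pid, 'dcs': dcs, 'class': msg_class,
            'udhi': udhi, 'kind': kind, 'text': text}


# Constructed sample TPDUs (same originating address +12345678901):
TEXT_PDU = "04" "0B912143658709F1" "00" "00" "12102100000000" "05" "E8329BFD06"
SILENT_PDU = "04" "0B912143658709F1" "40" "00" "12102100000000" "00"
OTA_PDU = "44" "0B912143658709F1" "7F" "16" "12102100000000" "05" "0270000102"

if __name__ == '__main__':
    for name, pdu in (('text', TEXT_PDU), ('silent', SILENT_PDU), ('ota', OTA_PDU)):
        print(name, parse_sms_deliver(pdu))
```

The OTA sample sets TP-UDHI and starts its user data with IEI 0x70 (the SIM Toolkit security header from 3GPP TS 23.048); the bytes after it are filler, not a real command packet. A detector would alert on `kind != 'text'`, since neither class of message ever reaches the phone's inbox.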


I do not know the specifics of the Stingray, but I can tell you more similar "lawful interception" devices exist. These devices "talk" with your baseband, the radio in your phone that runs its own OS. Many of these can do DMA to the memory of your "phone" / ordinary SoC. Theoretically, an exploited baseband could allow the lawful interception device to read and write to your internal storage and more. I have not read about this happening in the wild yet.


I can't speak for Google devices but per Apple's iOS security whitepaper (page 41) [1]:

"To protect the device from vulnerabilities in network processor firmware, network interfaces including Wi-Fi and baseband have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor can’t initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus limits the network processor’s DMA access to pages of memory containing its network packets or control structures."

[1]: https://www.apple.com/business/site/docs/iOS_Security_Guide....


PS4 PCI-E accesses were protected with an IO MMU too, but they managed to screw it up. So that doesn't necessarily mean that it's safe.


Indeed even Apple's MMU was bypassed by Google Project Zero [1], but it still significantly increases the cost of exploitation.

[1]: https://googleprojectzero.blogspot.com/2017/10/


Oh, totally. It's an important part of modern defense in depth. 'Just because they said they turned on the IOMMU doesn't make it bulletproof' is all I'm saying.


It does mean that SDIO or USB-only access is safe.

Of course, it's not 100% safe, but the lack of DMA moves the control over safety from the modem firmware to the application processor.


You'd be surprised how unsafe those are too, even though they aren't RDMA protocols. USB and SDIO stacks aren't really designed with malicious input in mind; it's like the 90s all over again if you think of those as the network protocols they are.


That's right, any kind of communication opens up some form of attack surface. Eliminating DMA is still worthwhile by reducing its total size, and shifting more of the implementation to the software stack gives the device owner (hopefully the user) more control over the attack surface.



