There are so many vulnerabilities in the baseband that it's not even funny

Are you saying these are remotely exploitable, as in over-the-air?

It seems only the complexity of the protocols involved are what stops the majority of attackers, and perhaps the illegality of broadcasting on licensed spectrum (although illegality never really stopped anyone...)

I looked at the 3GPP specs before and the amount of complexity in them is overwhelming.




Are you saying these are remotely exploitable, as in over-the-air?

Yes. See my previous post: https://news.ycombinator.com/item?id=8769816

And having separate baseband and userspace processors doesn't protect you, because the baseband processor is usually the master, and the app processor is a slave. In fact, the paper in my previous post exploits an iPhone 4 and HTC dream -- both of which have separate baseband and app processors.

Here's a quote from the first link in my previous post:

The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted.


baseband processor is usually the master, and the app processor is a slave

For the Mediatek platforms I don't think this is true - the AP is the one that boots up first and loads firmware into the baseband, and at least for the MT6589/6582 the AP can enable protection so that the baseband processor(s) can't access anything outside of the configured ranges. You can look at https://github.com/varunchitre15/MT6589_kernel_source/blob/m... which is the code that initialises the baseband modems by loading their firmware (there are two CPUs in the baseband since this is a dual-SIM SoC), and see the enable_mem_access_protection function at line 863. The table there also shows that properly set up, MD0 and MD1 can only access their respective areas and the small amount of shared memory they use to communicate with the AP.

I haven't looked at them in detail but I'm guessing Qualcomm and Infineon's systems are very different from this?
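A small model of the memory-protection check the post describes, written as an added example (it is not code from the linked MT6589 kernel source, and the addresses and window sizes are constructed placeholders, not the SoC's real memory map). The AP, as master, fixes one private window per modem core plus one shared mailbox window; any modem access that falls outside, straddles a boundary, or wraps around is refused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed layout: hypothetical addresses, not the MT6589's real map.
 * Each modem core (MD0, MD1) gets a private window plus one shared window
 * used to talk to the AP; everything else is off limits to the modem. */
#define MD_COUNT 2

struct mem_range {
    uintptr_t start;   /* inclusive base address */
    size_t    len;     /* window length in bytes */
};

static const struct mem_range md_private[MD_COUNT] = {
    { 0x80000000u, 0x01000000u },  /* MD0: 16 MiB private window */
    { 0x81000000u, 0x01000000u },  /* MD1: 16 MiB private window */
};

/* 1 MiB AP<->MD mailbox region both modems may use (constructed). */
static const struct mem_range md_shared = { 0x82000000u, 0x00100000u };

/* True if [addr, addr+len) lies entirely inside r; rejects empty and
 * wrapped-around spans so an oversized length cannot slip past the end. */
static bool inside(const struct mem_range *r, uintptr_t addr, size_t len)
{
    if (len == 0 || addr + len < addr)
        return false;
    return addr >= r->start && addr + len <= r->start + r->len;
}

/* Model of the AP-configured protection: may modem `md` touch this span?
 * Only its own private window or the shared mailbox is permitted. */
bool md_access_allowed(int md, uintptr_t addr, size_t len)
{
    if (md < 0 || md >= MD_COUNT)
        return false;
    return inside(&md_private[md], addr, len) || inside(&md_shared, addr, len);
}
```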


You are very correct. I'm also running a MT6589 (Haipai Noble N7889) on my own modded android install.

I'm not worried.


My understanding (from when I worked at Qualcomm until 2011) is that the apps processor was master in new chipsets from that time forward.


I only know of many 'local' vulnerabilities, but those include remote exploits of Android that turn into local radio exploits.

Keep in mind that given my skills at the time, I was looking for the "easy" wins like boundary-checks and logic errors rather than what I would consider more advanced ones like double-free, use-after-free etc.

Given what I've seen of the QCOM assembly that faces userspace, I would say the likelihood that there are low-hanging fruit vulnerabilities in the protocol-facing side of the radio code is near 100%.

To answer your question, yes, "the complexity of the protocols" is what is stopping the majority of attackers IMO.
