What your phone won't tell you (37c3)

Published: Dec. 29, 2023, 10 p.m.

Your phone's internal communication contains precious data. It can be analyzed to detect fake base stations used in cellular attacks. For that, we reverse-engineered a proprietary communication channel between the phone's OS and modem.

Connecting to cellular networks around the world is a highly complex task. iPhones contain a baseband chip (also referred to as a modem) for that purpose. It communicates via a high-level interface with the smartphone's application processor running iOS. So far, Apple hasn't been able to build such basebands in-house. Instead, starting from the iPhone 12, they exclusively rely on Qualcomm basebands.

Qualcomm's basebands use a proprietary protocol for external communication, the Qualcomm MSM Interface (QMI). We reverse-engineered its iOS implementation and built a framework to extract the protocol's packet structures from iOS firmware. Our iOS Wireshark dissector uses these packet structures and enables us to monitor the flow of packets between the baseband and iOS. This allows us to gain new insights into the iPhone's wireless communication infrastructure, including its satellite connectivity. Our tooling also provides a novel way to directly interact with the baseband chip in jailbroken iPhones, bypassing iOS and unlocking hidden capabilities of the baseband.

Fake or rogue base stations can be set up by individuals using readily available software-defined radios. Adversaries can utilize them to capture IMSIs of nearby smartphones, track their location, or exploit vulnerable basebands. iPhone users usually don't notice such attacks, and there are (almost) no protection mechanisms implemented in iOS.

During our research, we discovered Apple's internal cell location database, which is intended for determining approximate positions. Our CellGuard iOS app combines this database with the QMI analysis framework to monitor various parameters of connected cells, verify their authenticity, and alert users in case there's suspicious activity. The app even works on non-jailbroken iPhones. We evaluated the app in a lab environment with SDRs and real-world tests since February 2023 and are steadily improving it for a release next year.

about this event: https://events.ccc.de/congress/2023/hub/event/what_your_phone_won_t_tell_you/
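The authenticity check sketched above, as an added Python example that is not CellGuard's code: an observed cell (identified by MCC, MNC, tracking area and cell ID, as a QMI dissector might expose them) is looked up in a cell location database and flagged if it is unknown or if its recorded position is implausibly far from the phone's own position. The database contents, field names, the use of the phone's GPS fix and the 35 km plausibility radius are all assumptions for this example.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a cell location database:
# (mcc, mnc, tac, cell_id) -> approximate (lat, lon) of the cell.
# The real database's schema is not shown in the abstract; these entries are made up.
KNOWN_CELLS = {
    (262, 1, 4711, 100001): (52.5200, 13.4050),  # constructed "Berlin" cell
    (262, 1, 4712, 100002): (53.5511, 9.9937),   # constructed "Hamburg" cell
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def verify_cell(observed, phone_lat, phone_lon, db=KNOWN_CELLS, max_km=35.0):
    """Return (verdict, reason) for one observed cell.

    `observed` is a dict with mcc/mnc/tac/cell_id (assumed field names).
    A cell absent from the database, or whose recorded position is further
    than max_km (an assumed plausibility radius) from the phone, is flagged.
    """
    key = (observed["mcc"], observed["mnc"], observed["tac"], observed["cell_id"])
    if key not in db:
        return "suspicious", "cell not present in location database"
    lat, lon = db[key]
    dist = haversine_km(phone_lat, phone_lon, lat, lon)
    if dist > max_km:
        return "suspicious", f"database places cell {dist:.0f} km away"
    return "ok", f"cell {dist:.1f} km away, consistent with database"


if __name__ == "__main__":
    phone = (52.5170, 13.3889)  # constructed: the phone is in Berlin
    for cell in (
        {"mcc": 262, "mnc": 1, "tac": 4711, "cell_id": 100001},  # known, nearby
        {"mcc": 262, "mnc": 1, "tac": 4712, "cell_id": 100002},  # known, far away
        {"mcc": 262, "mnc": 1, "tac": 9999, "cell_id": 424242},  # not in database
    ):
        print(cell["cell_id"], *verify_cell(cell, *phone))
```

A location mismatch alone is only one signal; a real monitor would combine it with other cell parameters seen in the QMI traffic before alerting.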