Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.
The cellular baseband (i.e., modem) refers to a processor on the device that’s responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface.
“This function inherently involves processing external inputs, which may originate from untrusted sources,” Sherk Chung and Stephan Chen from the Pixel team, and Roger Piqueras Jover and Ivan Lozano from the company’s Android team said in a blog post shared with The Hacker News.
“For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client.”
What’s more, the firmware powering the cellular baseband could also be vulnerable to bugs and errors that, if successfully exploited, could undermine the security of the device, particularly in scenarios where they lead to remote code execution.
In a Black Hat USA presentation last August, a team of Google security engineers described the modem as both a “fundamental” and “critical” smartphone component with access to sensitive data and one that’s remote accessible with various radio technologies.
Threats to the baseband are not theoretical. In October 2023, research published by Amnesty International found that the Intellexa alliance behind Predator had developed a tool called Triton to exploit vulnerabilities in Exynos baseband software used in Samsung devices to deliver the mercenary spyware as part of highly targeted attacks.
The attack involves conducting a covert downgrade attack that forces the targeted device to connect to the legacy 2G network by means of a cell-site simulator, following which a 2G base station transceiver (BTS) is used to distribute the nefarious payload.
Google has since introduced a new security feature in Android 14 that allows IT administrators to turn off support for 2G cellular networks in their managed devices. It has also highlighted the role played by Clang sanitizers (IntSan and BoundSan) in hardening the security of the cellular baseband in Android.
Then earlier this year, the tech giant revealed it’s working with ecosystem partners to add new ways of alerting Android users if their cellular network connection is unencrypted and if a bogus cellular base station or surveillance tool is recording their location using a device identifier.
The company has also outlined the steps it’s taking to combat threat actors’ use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, otherwise called SMS Blaster fraud.
“This method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters,” Google noted in August. “SMS Blasters expose a fake LTE or 5G network which executes a single function: downgrading the user’s connection to a legacy 2G protocol.”
Some of the other defenses the company has added to its new Pixel 9 lineup include stack canaries, control-flow integrity (CFI), and auto-initialization of stack variables to zero to avoid leakage of sensitive data or act as an avenue to gain code execution.
“Stack canaries are like tripwires set up to ensure code executes in the expected order,” it said. “If a hacker tries to exploit a vulnerability in the stack to change the flow of execution without being mindful of the canary, the canary “trips,” alerting the system to a potential attack.”
“Similar to stack canaries, CFI makes sure code execution is constrained along a limited number of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart rather than take the unallowed execution path.
