Google today detailed how it has “significantly increase[d] Pixel 9’s resilience to baseband attacks” and cellular modem vulnerabilities.
A cellular baseband is the processor responsible for managing LTE, 4G, and 5G communications. Vulnerabilities with cellular baseband firmware “pose a significant concern due to the heightened exposure of this component within the device’s attack surface.”
This function inherently involves processing external inputs, which may originate from untrusted sources. For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets.
For example, Google in late 2022/early 2023 uncovered severe Exynos modem vulnerabilities that could be used to “remotely compromise a phone at the baseband level with no user interaction.” The recommendation was to disable VoLTE and Wi-Fi calling until the issue was patched.
Despite the high risk, “most basebands lack exploit mitigations commonly deployed elsewhere and considered best practices in software development,” though Google acknowledges the tight performance constraints of these processors that make “security hardening difficult.”
Mature software hardening techniques that are commonplace in the Android operating system, for example, are often absent from cellular firmwares of many popular smartphones.
Over the years, Google has incorporated protections that can restart the modem or alert the system of potential attacks. As of the Pixel 9, 9 Pro, 9 Pro XL, and 9 Pro Fold (Exynos 5400), the following measures are in place:
- Bounds Sanitizer: Buffer overflows occur when a bug in code allows attackers to cram too much data into a space, causing it to spill over and potentially corrupt other data or execute malicious code. Bounds Sanitizer automatically adds checks around a specific subset of memory accesses to ensure that code does not access memory outside of designated areas, preventing memory corruption.
- Integer Overflow Sanitizer: Numbers matter, and when they get too large an “overflow” can cause them to be incorrectly interpreted as smaller values. The reverse can happen as well, a number can overflow in the negative direction as well and be incorrectly interpreted as a larger value. These overflows can be exploited by attackers to cause unexpected behavior. Integer Overflow Sanitizer adds checks around these calculations to eliminate the risk of memory corruption from this class of vulnerabilities.
- Stack Canaries: Stack canaries are like tripwires set up to ensure code executes in the expected order. If a hacker tries to exploit a vulnerability in the stack to change the flow of execution without being mindful of the canary, the canary “trips,” alerting the system to a potential attack.
- Control Flow Integrity (CFI): Similar to stack canaries, CFI makes sure code execution is constrained along a limited number of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart rather than take the unallowed execution path.
- Auto-Initialize Stack Variables: When memory is designated for use, it’s not normally initialized in C/C+ as it is expected the developer will correctly set up the allocated region. When a developer fails to handle this correctly, the uninitialized values can leak sensitive data or be manipulated by attackers to gain code execution. Pixel phones automatically initialize stack variables to zero, preventing this class of vulnerabilities for stack data.
In all, Google says that these measures “significantly increase Pixel 9’s resilience to baseband attacks.”
FTC: We use income earning auto affiliate links. More.