On Wednesday I went to a mobile cyber security conference held at the National Museum of Scotland, organised by the Scottish Business Resilience Centre. One of the most interesting talks was given by Odd Helge Rosberg (@ohrosberg). Odd talked about the multiple operating systems (OSes) in smartphones, which at first surprised me, but actually makes a lot of sense. You have your “smart” operating system – iOS, Android, etc. – but the SIM card has a small embedded OS, and the phone’s modem has an OS too. This real-time modem OS is stored in firmware and controls everything radio related (texts, calls, etc.). Unfortunately, these proprietary, closed-source OSes are poorly understood. The standards around how the radio signals work were designed in the 1980s and 1990s, and were not designed to be secure.
Odd mentioned Hayes commands – a command language for modems designed in 1981 that still works on the modern baseband processors found in smartphones today (!!). Hayes commands can remotely turn on microphones and cameras, make calls and send texts, and even brick the phone. They are sent via AT command service texts that are not seen by the user. Here’s a pretty comprehensive AT command reference guide. You can buy fake cell towers pretty easily these days: imagine a small one placed on a drone flying above a sensitive area; it sends a special service text to all connected smartphones and can now remotely listen in to all the phones underneath. Further details and some code to do it here.
There is little you can do about this if a nation state is determined to access your phone. Using throw-away phones in foreign countries and turning phones off during airport and other border controls will help. Don’t allow anyone else physical access to your phone, and certainly don’t jailbreak or root it. The paranoid can buy a mini Faraday cage for phones when not in use. Scary stuff!