Baseband Attack
What is Baseband Attack?
An exploit against the cellular modem (baseband processor) of a phone, abusing protocol parsing bugs in 2G, 3G, 4G, or 5G stacks to gain code execution before the application OS sees the traffic.
The baseband is a separate processor running closed-source firmware from vendors such as Qualcomm, MediaTek, Samsung (Exynos modem), and Intel/Apple. Because it parses raw radio signalling itself, a malformed message from a rogue base station (or, in the Exynos case, delivered over the network to the victim's phone number) can trigger memory corruption and lead to remote code execution with no user interaction; the application OS never sees the hostile packet. Google's Project Zero has published over-the-air exploits against Exynos modems, Black Hat researchers such as Ralf-Philipp Weinmann have done the same against Qualcomm basebands, and Apple has shipped baseband firmware updates for similar issues. Defences are limited: apply vendor patches, rely on hardware that isolates the baseband from the application processor behind an IOMMU so a compromised modem cannot DMA into OS memory, and turn off legacy 2G (GSM does not authenticate the network to the phone, so rogue base stations are trivial to stand up) when targeted attacks are likely; Android exposes an "Allow 2G" toggle and iOS Lockdown Mode disables 2G.
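The bug class behind most published baseband exploits is a length field taken from the radio message and used unchecked for a copy into a fixed-size buffer. The following is an added example, not code from any vendor's modem or from the researchers named above: a simplified TLV information-element parser of the kind cellular signalling stacks contain, in a vulnerable form that trusts the length byte sent by the base station and a hardened form that checks it. The tag value 0x43, the [tag][len][value] layout, the `struct modem_state` fields and the sample messages are constructed for illustration and are not a real 3GPP encoding.

```c
/* Added example (not vendor code): a simplified cellular information-element
 * parser, vulnerable and hardened. Message layout [tag:1][len:1][value:len]
 * and tag 0x43 are assumptions, not a real 3GPP encoding. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_NETWORK_NAME 0x43   /* hypothetical tag for a "network name" IE */
#define NAME_CAP        16     /* fixed buffer in modem state */

struct modem_state {
    char     network_name[NAME_CAP]; /* overflow target */
    uint32_t attach_flags;           /* adjacent data an overflow clobbers */
};

/* Vulnerable: the length byte comes from the (possibly rogue) base station.
 * It can be up to 255, but the destination holds 16 bytes. Never call this
 * on untrusted input; it is shown only to make the bug visible. */
void parse_ies_unsafe(struct modem_state *st, const uint8_t *msg, size_t msg_len)
{
    size_t off = 0;
    while (off + 2 <= msg_len) {
        uint8_t tag = msg[off];
        uint8_t len = msg[off + 1];
        if (tag == IE_NETWORK_NAME)
            memcpy(st->network_name, msg + off + 2, len); /* no bounds check */
        off += 2 + len;
    }
}

/* Hardened: every length is checked against both the remaining message and
 * the destination capacity before any copy. On a malformed message it
 * returns false and leaves *st untouched (all-or-nothing update). */
bool parse_ies_safe(struct modem_state *st, const uint8_t *msg, size_t msg_len)
{
    struct modem_state tmp = *st;
    size_t off = 0;
    while (off < msg_len) {
        if (msg_len - off < 2)
            return false;                 /* truncated IE header */
        uint8_t tag = msg[off];
        size_t  len = msg[off + 1];
        if (len > msg_len - off - 2)
            return false;                 /* length runs past the message */
        if (tag == IE_NETWORK_NAME) {
            if (len >= NAME_CAP)
                return false;             /* would overflow; keep room for NUL */
            memcpy(tmp.network_name, msg + off + 2, len);
            tmp.network_name[len] = '\0';
        }
        off += 2 + len;
    }
    *st = tmp;
    return true;
}

/* Reports how many bytes the vulnerable parser would write for the first
 * network-name IE in msg (0 if none), so the overflow can be shown without
 * executing it. */
size_t unsafe_copy_len(const uint8_t *msg, size_t msg_len)
{
    size_t off = 0;
    while (off + 2 <= msg_len) {
        if (msg[off] == IE_NETWORK_NAME)
            return msg[off + 1];
        off += 2 + msg[off + 1];
    }
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t benign_msg[] = { IE_NETWORK_NAME, 5, 'C', 'a', 'r', 'r', '1' };
/* A rogue base station claiming a 40-byte name: 24 bytes past the buffer. */
static const uint8_t rogue_msg[] = "\x43" "\x28"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
#define ROGUE_LEN (sizeof(rogue_msg) - 1)   /* drop the literal's NUL */
/* Header says 9 bytes follow but only one does. */
static const uint8_t truncated_msg[] = { IE_NETWORK_NAME, 9, 'a' };

int main(void)
{
    struct modem_state st = { "", 0x1234 };
    printf("benign  : %s name=%s\n",
           parse_ies_safe(&st, benign_msg, sizeof benign_msg) ? "ok" : "rejected",
           st.network_name);
    printf("rogue   : %s (unsafe parser would copy %zu bytes into %d)\n",
           parse_ies_safe(&st, rogue_msg, ROGUE_LEN) ? "ok" : "rejected",
           unsafe_copy_len(rogue_msg, ROGUE_LEN), NAME_CAP);
    printf("truncated: %s\n",
           parse_ies_safe(&st, truncated_msg, sizeof truncated_msg) ? "ok" : "rejected");
    return 0;
}
```

The hardened parser validates into a scratch copy and commits only on success, so a message that fails midway cannot leave half-applied state behind; the same idea (parse, validate, then commit) is what a reviewer should look for in any baseband-facing decoder.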
● Examples
- 01
Project Zero disclosed Samsung Exynos baseband CVE-2023-24033 and related issues allowing remote code execution in the modem with no user interaction, needing only the victim's phone number, on affected Pixel and Galaxy phones; until patches shipped it advised disabling Wi-Fi calling and VoLTE.
- 02
Apple's baseband security updates address remote LTE/5G parsing bugs in iPhone modems.
● Frequently asked questions
What is Baseband Attack?
An exploit against the cellular modem (baseband processor) of a phone, abusing protocol parsing bugs in 2G, 3G, 4G, or 5G stacks to gain code execution before the application OS sees the traffic. It belongs to the Mobile Security category of cybersecurity.
What does Baseband Attack mean?
The same thing: the term covers any exploit whose target is the phone's cellular modem firmware rather than the application OS. "Modem exploit" and "cellular baseband exploit" are synonyms.
How does Baseband Attack work?
A rogue base station (or, for bugs reachable over the network, a message addressed to the victim's phone number) sends malformed signalling to the phone. The baseband parses it in closed-source firmware; a parsing bug corrupts modem memory and gives the attacker code execution inside the modem, with no user interaction and before the application OS sees anything. From there the attacker controls the radio and can attempt to reach the application processor over the modem's interfaces, which is why IOMMU isolation between the two matters.
How do you defend against Baseband Attack?
Apply vendor baseband firmware updates promptly; prefer hardware that isolates the baseband from the application processor behind an IOMMU; disable legacy 2G (Android's "Allow 2G" toggle, iOS Lockdown Mode) when targeted attacks are likely; and, while a disclosed modem bug is unpatched, disable the features it is reachable through, as Project Zero advised for Wi-Fi calling and VoLTE in the Exynos case.
What are other names for Baseband Attack?
Common alternative names include: Modem exploit, Cellular baseband exploit.
● Related terms
- vulnerabilities№ 1263
Zero-Day Exploit
Working exploit code for a vulnerability that the vendor does not yet know about, or for which no patch is available — extremely valuable to attackers.
- mobile-security№ 520
IMSI (International Mobile Subscriber Identity)
A 15-digit identifier stored on the SIM or eSIM profile that uniquely identifies a subscriber on a cellular network, made of MCC, MNC, and MSIN fields.
- mobile-security№ 517
IMEI (International Mobile Equipment Identity)
A 15-digit number that uniquely identifies a mobile device on a cellular network, allocated by the GSMA and used by carriers to block stolen handsets.
- mobile-security№ 550
iOS Malware
Malicious software targeting Apple iPhones and iPads, including supply-chain attacks on app developers, mercenary spyware, and threats specific to jailbroken devices.
- mobile-security№ 047
Android Malware
Malicious software that targets the Android operating system, typically distributed through sideloaded APKs, dropper apps on Google Play, or compromised third-party stores.