CellularPrivacy / Android-IMSI-Catcher-Detector

AIMSICD • Fight IMSI-Catcher, StingRay and silent SMS!
https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/
GNU General Public License v3.0

Baseband Firewall #124

Closed SecUpwN closed 9 years ago

SecUpwN commented 9 years ago

Since I have been receiving numerous requests if AIMSICD could add such protection, I will open up this Issue for it to launch official discussion and development. Important Note: Implementation of this does not have a higher priority than the Issues we're already working on since we're up to delivering the App and protection measures that we promised to deliver in the first place. Do not expect this to be added any time soon. But that does not prevent development of this sort of protection here. Let's get it started.

This is what CryptoPhone says about their "CryptoPhone Baseband Firewall™":

Baseband Firewall: Based upon three years of cutting-edge research in baseband processor security, the new patent-pending GSMK CryptoPhone Baseband Firewall™ offers unique protection against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures. A global first, the CryptoPhone 500’s Baseband Firewall provides a revolutionary line of defense against over-the-air attacks not available on any other product.

Just to mention it here: I already sent an E-Mail with a friendly Introduction of our Project out to them months ago and never received a reply. Not surprising since they sell this stuff and our open-source project would likely cut their revenue. The interesting thing I wonder about though, is that they claim that all GSMK CryptoPhone products come with their full source code published for review and to ensure provable security. To everyone using their products and wanting to help us making their open-source more open-source (what a terrible way of saying this), send us a copy of that source code, please. :smiley_cat:

E3V3A commented 9 years ago

"Baseband Firewall" = Doesn't exist!

This is a terrible marketing propaganda trick, of the worst kind, from that company, and if they'd actually done 3 years of "research" it would have been published somewhere, and known elsewhere. This is total BS, unless they have illegally gotten the baseband firmware from somewhere, and managed to compile it into their own, which is highly unlikely. However, it is possible to observe what BP is sending from debug interface on certain BPs, as for example with xgoldmon for the Samsung GT-I9100. But this is only the information that the baseband firmware is showing. It could in principle do anything else, without you ever knowing. In addition a "firewall" is something with the ability to block certain RF transmissions, which could only be done by the 0-layer firmware of the RFE. This is extremely unlikely. I'd really like those guys to step up and come out of their closet about what they're trying to sell there... Putting people in danger in the process and sake of false advertising. If you don't know what I'm talking about, please move on and forget you ever heard about this.

I'll leave this issue open just so that people can see it.

LMBscholarly commented 9 years ago

Here is a link to the source from Schneier on Security:

"Here's a link to Cryptophone source code for those who don't want to give the main site your contact information: http://www.cryptlab.com/cryptophone/support/downloads/downloads.html"

From this blog: https://www.schneier.com/blog/archives/2007/11/gsmk_cryptophon.html

He3556 commented 9 years ago

Patent US 20140004829 A1 - Mobile device and method to monitor a Baseband Processor in relation to the actions on an Application Processor. If they really modified the firmware they had to pay for a new certification - but it looks like they measure the chipset and check the behavior. Don't have the time right now to read it - have fun ;)

SecUpwN commented 9 years ago

@E3V3A, thanks for adding your opinion. It would actually be very interesting to see some sort of statement or even contributions to our Project of those developers here on GitHub - I will be bold today and invite them to our Project. @LMBscholarly, is that the "full source code" they've been talking about (including "Baseband Firewall")? @He3556, thanks for linking the patent. I will have a glance.

E3V3A commented 9 years ago

@LMBscholarly Thanks for the useful patent link. I will read the whole thing more carefully, but from the initial skim-through, it is clear that they're simply monitoring the SMD interface between AP and BP. But this can never be used as a real firewall of the BP, because they're assuming an attack is originating from AP to BP, and not directly from the network to BP. In addition they mention some of the same test criteria for detecting fake BTS as we do in our app here, by monitoring the same interface. So nothing new there. Unfortunately for them, today you cannot patent lists of test criteria, so I'm surprised that this patent has gone through at all. Perhaps the EPO case handlers were just clueless, or friends. Who knows...

Furthermore, regarding how they claim that their FW is available and "open source", that is a shame in itself. The only source they provide is for the encrypted VoIP codec for a 2003 model Windows Phone, at a size of 1.5 MB. I can't see how they expect to be taken seriously, when everyone can see that the CryptoPhone 500 seems to be a very common, but modified Samsung Android phone, whose total firmware size would be well over 300 MB. Don't they have to comply with EC consumer protection laws in Germany?

This is the kind of BS they write:

"Verifiable Source Code GSMK CryptoPhones are the only secure mobile phones on the market with full source code available for independent security assessments. They can be verified to be free of backdoors, free of key escrow, free of centralized or operator-owned key generation, and they require no key registration."

SecUpwN commented 9 years ago

As mentioned by @andr3jx, there is more marketing on another CryptoPhone website:

"Introducing a back door into a crypto system does not even require active cooperation of the manufacturer of the equipment. All it takes is one bribed programmer to compromise an entire product. We prevent this by allowing anyone to review our source code. And even if you do not understand the source code yourself you may find some comfort in the knowing there is a large academic community that likes a challenge, and will try to tackle our product. So any back door or programming error can (and will!) be found by eager students or security enthusiasts. Of course we tried our very best to write the code as well as we know how to. On top of this we have asked some of the world’s leading security consultants to look at critical parts of it. The conclusions of these ongoing evaluations are publicly accessible. So in theory you would not need to trust us at all, because you could verify everything yourself. This public review process is also the only reliable method for us to make sure that we are the only one paying our developers ;-)."

I begin to be a little sick of all these polished words and will step up to get in touch with those folks. @He3556, more marketing in German: "Weltweit einzigartiger Schutz durch die Baseband Firewall"

frankrieger commented 9 years ago

This is Frank Rieger, I am the CTO of GSMK and responsible for all the tech-related topics in the company.

Dear SecUpwN, I am a little bit astonished by your rather immature tone and demanding attitude. You sound like we owe you anything. What for? Because you started out on a catcher-catcher-project without even the most basic knowledge of the subject? Because you apparently did not even bother to read or understand the relevant academic papers on the subject? Because you haven't even bothered to read what GSMK's "published source"-policy relates to (hint: only verifiability of the cryptographic functions)? Because you spammed my developers with your half-digested and inconsistent e-mails?

Since I don't like to assume that you are stupid, I must assume that you are either very young or very inexperienced. So here are three pieces of advice:

First: nearly everything that we do in our baseband protection products is outlined in the patent application that He3556 linked. Sit down, take a day or three and try to understand the real meaning of it, just "taking a glance" will not bring you forward. Once the patent is confirmed, we will post a community license that makes its use free for all non-commercial open-source projects.

Second: look at what other researchers in the field have been doing, read their papers, read their code until you have really understood it. There are at least 6 different catcher-catcher-projects under way that I am aware of and probably a handful more that haven't been published yet. Not all the relevant techniques and tricks are public yet, but they certainly will be within a short timeframe.

Third: start out with xgoldmon (can be found here on github), which is a tool that one of GSMK's researchers implemented on company time for the community and that is open source and free for all.

I wish you luck with your endeavours, but please refrain from spamming me or my company further.

Thanks.

Frank

E3V3A commented 9 years ago

@frankrieger

Dear Frank,

Thank you very much for getting back to us. I'm taking the liberty of answering your post as addressed to @SecUpwN, primarily because my function in this project is the equivalent of yours, a CTO, whereas SecUpwN works as a contact person, project maintainer and developer headhunter etc.

So let me start off by saying that our attempts to contact you and your organization/company have been met with complete silence, until this moment. So whatever it is you think is spam, has been in the best of our interest and efforts in getting some clarity in the products you sell and advertise. And really, as our common interest in providing this kind of anti-tracking technology should be encouraging, this has not been the case when we try to analyze your product descriptions and advertisements, in your absence.

So instead of getting too personal and upset, why don't you provide some back-up, to at least some of the claims we pointed out above? (Yes, we read the patent paper, and it is what I already explained above. Unfortunately, the marketing material you provide also seems to be a deliberate attempt to exploit the ambiguity of the term "firewall", which has a specific meaning on a normal PC, but is overly extrapolated when used on the baseband processor, since there are two different access channels, one from the cellular network and one from the AP. So if you still want to call it a "firewall", it is really only half of it.)

But equally important, where is all that source code you claim to have available? And where exactly can we find the "publicly accessible" evaluations "of the world’s leading security consultants"?

And since there are at least 3 eager academics, and possibly >2 students in our team, we would very much like to assess the security of your source code. So all that we are asking is that you stand by your words, nothing more.

Finally, we still feel that if you can provide us with adequate references to available literature, code sources and back up your previous statements, we will be more than happy to promote your products to those people or organizations who want a more professional product than what we can offer for free here, with our non-existent budget.

E:V:A

frankrieger commented 9 years ago

Dear E3V3A,

I take the liberty of reacting to the tone of communications. And so far all you have been communicating is "we don't have a clue, let's see if we can cajole GSMK into helping us out". No, you can't. We have been working with the wider mobile phone reverse engineering and baseband research community for many years and this is always a mutual exchange, a fruitful give and take and cooperation on equal terms among people who know what they are doing and share their insights.

As part of that exchange, we publish source of tools that we develop, from time to time as we see fit, like XGoldMon, which is the base of most currently running catcher-catcher projects and quite a few other tools for mobile reverse-engineering like the IDA-Plugin for Hexagon, which you might find useful once you want to understand what basebands really do.

CryptoPhone products on the other hand are not "open source" in any GNU, BSD or Apache sense. We have our own license to give code to people under very restrictive terms for the sole purpose to enable them to check the cryptographic integrity of our voice and message communication products. It is our discretion to whom we give what code. The baseband stuff is not part of the auditable crypto-code anyway. Since we previously have had some serious issues with people using our source to produce knock-off products under their own brands and damage us in the marketplace, we now really like to know whom we are talking with and what their true intentions are.

Certainly posting stuff like "To everyone using their products and wanting to help us making their open-source more open-source (what a terrible way of saying this), send us a copy of that source code, please. :smiley_cat:" does not create a warm fuzzy feeling regarding your project's intentions and shows that you don't want to evaluate our cryptographic security but are just looking for a shortcut to get your currently rather non-impressive project up and running. You may understand that we have no interest to support that approach. To get a general impression on how CryptoPhone works, the older code you find on the website is just fine. The crypto has stayed the same.

Regarding the naming of the Baseband Firewall: technically it is a "Mobile Network and Baseband Processor Behaviour Anomaly Detector", but try to explain that term to a customer who barely has an idea what a baseband processor is. So yes, it is a marketing name created for sales brochures for a product that does a lot of different things to make over-the-air attacks against our mobiles harder. Still, if you want to know what it does technically, go understand the patent.

Btw: My initial willingness to help you out a bit with providing links to papers and contacts to relevant public catcher-catcher projects has just reached zero, so you unfortunately have to do your own work.

Good luck,

Frank

peterclemenko commented 9 years ago

With all due respect Frank, I think you're misreading the people involved. Fuck the code, at least provide some documentation that proves your work has been peer reviewed and actually works. You're marketing a phone to people who could very well get killed if your product doesn't work as advertised. The least you could do is prove that it's more than snake oil. Also, for the record, if you guys are serious about being taken seriously, maybe you should do what Blackphone is doing, and go to hacker conferences and offer a bug bounty to those who can exploit the phone. Your security can't be taken seriously when it's only marketing materials at this point.

As for code, if your code isn't open, people can't audit it for back doors and flaws. Taking you for your word is not an option when you are marketing a phone to people whose lives could very well be in danger because your phone didn't work as advertised. Frankly though, just providing proof that it's been peer reviewed and actually demonstrating that it does what it says on the tin would be a good start, regardless of code. Instead of attacking people who could very well help you make your product better, maybe you should be more willing to work together with people, rather than just acting like a person with a stick up his ass who gets offended every time people want to see proof of concept.

In other words: POC||GTFO

peterclemenko commented 9 years ago

Also, for everyone here, a good reminder, see 7 and 8: https://www.schneier.com/crypto-gram-9902.html

E3V3A commented 9 years ago

Dear Frank,

Thanks again for taking the time to register to GitHub to promote your product in our GitHub issue thread. We are doing our homework to the best of our varied abilities, while maintaining our families and real life jobs, so that we can better serve and protect humanity, or what's left of it. We do admit that trying to contact you and your company for advice, help or collaboration, may have been a great mistake, and that we hope to have learned an important lesson from it. We also made the mistake of thinking that your source code was published as open-source for public scrutiny, our bad. In the meantime, until you get your company PDF reference library online, feel free to link to ours: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/tree/master/PAPERS

Looking forward to seeing the future development of your products and services.

Best wishes,

  • The AIMSICD Team
@aoighost Please refrain from swearing and name-calling.

peterclemenko commented 9 years ago

Understood, I just get worked up a bit about certain things, and treating people badly because they ask to do peer review is one of them.

Linuzifer commented 9 years ago

Dear Team,

I am really disappointed in your communication style. First, you start an unprovoked rant against GSMK, bragging that your "open-source project would likely cut their revenue", then you accuse them of advertising their products in their response (an ingenious marketing strategy, that will bring them millions of revenue), then you seriously call not only "POC||GTFO", but even "You're marketing a phone to people who could very well get killed if your product doesn't work as advertised." A brief comparison of your code base with your promises leaves me unable to comment on that. I honestly do not believe that publicly displaying such behavior will get you any support from the mobile network security research community.

I have been advising Secupwn from time to time, explaining to him what a baseband is, encouraging the use of our publicly documented detection rules and open source code – and the use of xgoldmon, which currently is the ONLY open source tool out there that enables building an IMSI-catcher-catcher and, by coincidence, was developed and released by GSMK, the guys you are now attacking for whatever reason.

On a personal level, I must say that I am disappointed.

E3V3A commented 9 years ago

Hi @Linuzifer,

Thanks for joining the discussion and adding your thoughts. Let me respond.

First of all, @aoighost is not a member of our core team. So we cannot answer to comments on his behalf, nor are we responsible for his opinions or behavior, although we will moderate future name-calling etc.

Second, the link you refer to as "promises" is clearly labelled "Goals (please read carefully!)", and you also seem to have missed the fact that our app is in WIP-Alpha stage. I.e. basic functionality is extremely limited and unstable.

Third, we're not attacking anyone here. We only opened an issue in search of understanding what a "Baseband Firewall" is, since we have been contacted and have had requests to implement one, and did not receive any response to any of our previous inquiries from its authors. In doing so we find a huge amount of inconsistencies, one of which is a highly ambiguous claim from the company attempting to trademark the "Baseband Firewall". So please read this thread again from OP and then you can tell us who's being attacked here.

We can now summarize all our findings and experience in regard to the "Baseband Firewall™":

It is not a true "baseband" firewall, in the commonly understood sense, since it is not located in the Baseband FW, but in the AP ROM. It's an AP firewall that filters the in/out to/from the baseband processor (BP), blindly trusts its debug output and uses it to monitor that there is activity on the other (Um) interface, without knowing exactly what. Since data on this interface can neither be filtered, nor verified, it cannot be considered a firewall.

Thus it is at best half a firewall, with the perfect functional analogy of:

A PC with 2 Ethernet interfaces, both connected to internet with 2 different IPs. Where you have put a firewall on one interface, but only measuring that electricity is used on the other, to indicate that it is used for something.

BUT, regardless of the unfortunate discussion above, the research related to the patent linked above is very important. Because even if we're stuck with only half a firewall, at least we have that, which is a hell of a lot better than before, when we had nothing. The problem appears from a network security perspective, where this firewall probably could not detect, nor prevent, any carefully crafted network-originated malicious attacks on the BP itself. This is especially true for devices using other BPs than the Intel XMM based ones, which are the only ones supported by Xgoldmon and Baseband Firewall.

I hope this helps clarify the issues we have.
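The "half a firewall" E3V3A describes above is an AP-side monitor that correlates what the application processor asked for with what the baseband reports about its own radio activity. The toy correlator below is an added example, not AIMSICD's or GSMK's code; the log format, the event names, the RIL_REQUEST_* mapping and the time window are all constructed for illustration. Its one structural limit is the point of the comment: anything the baseband firmware never reports cannot appear in the BP log, so it can be neither flagged nor blocked.

```python
import re
from collections import defaultdict

# Mobile-originated BP events and the AP-side request that legitimately
# triggers them (assumed mapping; the RIL_REQUEST_* names are Android RIL
# requests, the BP event names are invented for this example).
MO_EXPLAINED_BY = {
    "SMS_SUBMIT": "RIL_REQUEST_SEND_SMS",
    "CALL_SETUP": "RIL_REQUEST_DIAL",
}
WINDOW_S = 10  # a BP event must follow its AP request within this many seconds


def mt_indicator(kind, attrs):
    """Mobile-terminated events the AP never requests: they can only be
    observed, never filtered, so check them against fake-BTS indicators."""
    if kind == "SMS_DELIVER" and attrs.get("type") == "0":
        return "type-0 (silent) SMS delivered"
    if kind == "CIPHER_MODE" and attrs.get("a5") == "0":
        return "network selected A5/0 (no encryption)"
    return None


LINE = re.compile(r"t=(\d+)\s+(ap|bp)\s+(\S+)(.*)")


def parse(lines):
    """Turn constructed log lines into (time, side, kind, attrs) tuples."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an event line
        t, side, kind, rest = m.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        events.append((int(t), side, kind, attrs))
    return sorted(events, key=lambda e: e[0])


def correlate(lines):
    """Return (time, kind, reason) for BP activity the AP log does not explain."""
    ap_times = defaultdict(list)
    alerts = []
    for t, side, kind, attrs in parse(lines):
        if side == "ap":
            ap_times[kind].append(t)
            continue
        needed = MO_EXPLAINED_BY.get(kind)
        if needed is not None:
            if not any(0 <= t - ta <= WINDOW_S for ta in ap_times[needed]):
                alerts.append((t, kind, f"no {needed} from the AP within {WINDOW_S}s"))
            continue
        reason = mt_indicator(kind, attrs)
        if reason:
            alerts.append((t, kind, reason))
    return alerts


# Constructed sample: AP-side RIL requests and BP-side events as a modem debug
# interface (xgoldmon-style) might report them. Anything the baseband firmware
# does NOT report never shows up here, which is why this is only half a firewall.
SAMPLE_LOG = [
    "t=100 ap RIL_REQUEST_SEND_SMS",
    "t=102 bp SMS_SUBMIT",            # explained by the request at t=100
    "t=130 ap RIL_REQUEST_DIAL",
    "t=133 bp CALL_SETUP",            # explained by the dial at t=130
    "t=160 bp SMS_SUBMIT",            # nothing on the AP side asked for this
    "t=200 bp SMS_DELIVER type=0",    # silent SMS from the network
    "t=210 bp SMS_DELIVER type=1",    # ordinary incoming SMS, nothing to flag
    "t=250 bp CIPHER_MODE a5=0",      # network switched ciphering off
]

if __name__ == "__main__":
    for t, kind, reason in correlate(SAMPLE_LOG):
        print(f"t={t} {kind}: {reason}")
```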

E3V3A commented 9 years ago

I'm locking this issue from further inflammable discussions, also since the issue itself has been resolved.

If anyone else from the baseband research community want to communicate with us in a civilized manner, please send us email and don't use our GitHub issues as a discussion forum. We have other channels for that, and are happy to invite you there.

SecUpwN commented 9 years ago

@E3V3A, one thing I have not told you yet: I sent an apology written in German to @frankrieger via his website several months ago because the choice of my (inappropriate) words in this Issue quickly led people to escalate on the matter. I felt this would be just an honest and fair thing to do. Although I never received another response from him (and I am not expecting one), the base question remains: Are we going to be able to craft some sort of true open source "Baseband Protection"?

I mean, of course this would ultimately be something we'd be working on once all detection algorithms and features have been implemented. If you see a way of crafting a "Baseband Protection", we can let this Issue stay open - otherwise we may consider closing it for good. What do you think, @He3556?

E3V3A commented 9 years ago

@SecUpwN That would be a different project for people who know how to build RTOS in baseband. So the answer is no. The closest we have gotten to BP isolation is what's provided by Replicant, but it only isolates AP from BP and not the network originated transmissions, and is obviously impossible for SoCs where AP and BP are combined, like on most recent MTK and Qualcomm devices. So I'm closing this.