Is there a Phone Backdoor? (Pegasus, Simjacker, SS7)

Captions
In theory, phones are supposed to be more secure than computers. There are many more built-in protections in Android and iOS than the typical computer, supposedly. Remember when Jeff Bezos's iPhone was hacked? Now suddenly we have thousands of cases where the newly discovered Pegasus malware was used to hack the phones of important people like journalists, activists and world leaders, mostly iPhones. Many of these were categorized as no-click attacks, meaning no user interaction, which is really scary. Since there's nothing factual to grab onto, I will engage in conjecture to see if certain entities like state-sponsored organizations may be attacking us via secret backdoors known only to them. Are phone backdoors likely? Stay tuned.

I'm on the platform Odysee.com, and now I'm one of the top creators on there. Just for insurance, in case I get deplatformed, please follow me there using the link in the description. I have a VPN service, BytzVPN. My company also sells de-Googled phones and VPN routers. These products are made to make your identity disappear on the internet. If you're interested in them, they are on my app, brax.me; the link is in the description.

Some of you have asked me about the recently published Pegasus attack. Pegasus is an intrusion package for phone spying, and it's made by the Israeli company the NSO Group. You can read all the press reports about Pegasus, but the main drift is that someone got a hold of a list of 50,000 phone numbers that were being targeted by Pegasus, and it turns out that this target list was made up of activists, journalists and many world leaders. The customers of the NSO Group are agencies of nation states, and these nation states were provided with the Pegasus tool. Some of the phone attacks are categorized as no-click attacks. No click means no user interaction: they target your device and, bam, they're spying on your activities, phone calls, photos, files, text messages and so on. In this instance, most of the no-click attacks were claimed to be on iOS devices, though Pegasus was described as also able to target Android. It is not clear if this can be done with a no-click attack as well.

This attack is particularly disturbing because security researchers have been studying operating systems like Android and have concluded that it is very safe, and these same researchers have come to me saying that iOS is even safer. Yet with the Jeff Bezos hack and this new Pegasus hack, the target was an iOS device. According to what I read so far, the premise stated is that the attacks used zero-day flaws in apps on an iPhone, like the Photos app provided by Apple. However, I really have doubt if this is the complete story.

I understand the security model of iOS and Android. Android, for example, is well insulated from getting root access to the device. All apps run inside a virtual machine. Each app's permission is closely limited by security rules set by the SELinux security module. The stuff is not 100 percent, but it's very good; it covers many known ways of attacking an Android. Android is also open source; the security parts of it are well documented. In theory there are no secrets, so attack entry points are closed up very quickly. In contrast, iOS is closed source. Users base their trust of its security on Apple's reputation and promises. Apple encrypts the phone storage and also limits the ability of an app to go beyond its sandbox area. There's a special security chip on the phone to ensure that the generated encryption keys are hidden on that phone only. Generally speaking, regular hackers have a harder time hacking an iPhone, perhaps because of security by obscurity, and yet iOS got hacked.

Curiously, most hacks on the iPhones are from state-level players. State-level players, meaning those with access to government resources, are a different animal. Frankly, I have no idea how to hack a phone with a no-click attack. Usually a phone attack requires some sort of social engineering to get the user to click. But why is it that certain types of attacks appear to cluster in certain areas and solutions aren't published? For example, this Pegasus attack apparently originates from a no-click iMessage text.

Let's talk about another similar phone attack from a couple of years ago. This was called the Simjacker attack, and the way this attack worked, a state player sent hidden text messages to the phone, and then the phone responded like a remote-controlled robot and could then turn on the phone, dial out, send and receive SMS messages, all without the user knowing, and once again with no click. According to AdaptiveMobile Security, who discovered the Simjacker attack, their research showed that this attack was being performed at the behest of a state player, likely a three-letter agency.

Another similar attack from even further back, publicized several years ago, was the SS7 attack. In this approach there's an out-of-band command and control channel used by the carrier that's separate from the voice and data, called SS7, and when that is intercepted in some way over the carrier network, then phone texts can be captured, voice calls spied on and so on, similar to the Simjacker attack. The difference is that SS7 is controlled at the carrier side, not at the device level; the device just knows to follow instructions. Authorization for doing SS7 and getting access likely requires inside information or god-level security at the cell carrier, which of course a government can demand of a carrier. None of these attacks have any clear resolution. Just like Pegasus, it's like they're buried under the carpet and no one says anything further. But again, all of these attacks are at the state-player level, and all seem to be tied to the carrier, and they're all connected to SMS messaging in some way.

Here's another instance that truly bugs me, and no one mentions it, particularly politicians. The Harris Corporation has been making mobile phone spy devices that the government has been trying to hide for years. For a long time law enforcement was using these devices without a warrant. The first model was called Stingray, and it was able to intercept the 2G and 3G traffic from the phone. Many, many years later, Stingray has been unraveled by security researchers, and you can basically copy what Stingray does on 2G and 3G. The Stingray attack is based on the device emulating a cell tower. The original attack was over 2G and 3G: 2G was unencrypted, and on 3G the encryption could be turned off, thus allowing the intercept. Security researchers have figured out that the only way to attack LTE phones is by downgrading the service to 3G. However, Harris Corporation has released devices that can now break into LTE. 3G is not an option anymore in many networks in the USA; LTE is encrypted, so this is a particularly difficult challenge, yet they're able to do it. How?

Let me tell you another disturbing fact. Aside from the Harris Corporation, there are YouTube videos about law enforcement conventions where other companies are selling similar products that do attacks on phones, and these capabilities are often used to spy on dissidents in many countries, or perhaps opposition leaders and so on. How do these players get information to attack our phones?

The Pegasus attack, by the way, has been analyzed only from a behavior called signaling. This means that although people don't know for sure how the phone got infected with the malware, the phones themselves are confirmed to be infected with Pegasus because the malware calls home to command and control servers. In the case of Pegasus there was also the insider list of phone numbers, supposedly hacked from a server at the NSO Group. Amnesty International performed the research and contacted those phone numbers, and then tested the phones they were able to collect. They then discovered the consistent signaling being done between the phone and certain websites. If this phone number list was never leaked, in theory no one would have found out about Pegasus, and by extension of that logic it is quite likely that many more attacks are out in the wild and the phones being spied on would be unknown.

Now, if you analyze the common feature of all the attacks I mentioned here, they all seem to be tied to a phone number, and, something I explained in other videos, a phone number is tied to a unique IMSI, international mobile subscriber identity. In fact, the Stingray device is now generically called an IMSI catcher. Anyway, I will connect the similarity of these attacks in a moment.

Most of you think of your mobile phone as a single device, but really it must be understood as being multiple devices in one package. There's the computer side of it, which is what most of us interact with when we are using the apps, the internet and the user interface part of the phone. The second part of the phone is called the cell baseband modem. There are other parts of the phone that could raise suspicion; this is something you need to watch in my other video on hidden radios in IoT devices. This would relate to the Wi-Fi/Bluetooth module, which is also responsible for GPS and Wi-Fi triangulation. This integrated chip is typically made by Broadcom, but I will skip that for this video; I consider this a potential future threat. So my main target issue for now is the cell baseband modem.

First of all, the cell baseband modem has a lot of secrets. Its manufacture is extremely controlled by two major players in the cell baseband modem market, and that's Qualcomm and MediaTek. MediaTek is a Taiwan-based company. The reason they hold control of the baseband market is because of patents; basically these two companies own most of the patents. Generally speaking, from what I know, USA phones that deal with Verizon and Sprint required chips from Qualcomm, so basically the USA phone market uses Qualcomm chips. If someone brings in a GSM phone for international use, I would assume that that would be using MediaTek chips. The point is, there are two secretive companies making chips for all the baseband modems in the world.

The next interesting fact about these cell modem chips is that they are sold as SoCs, which means system on a chip. In case you've never heard of this lingo, it basically means it's a full computer on a chip. It runs its own operating system, probably some version of Linux. It controls its own hardware. It has a separate CPU. It's an independent computing device, and it sits next to the Apple A14 or A-whatever chip, or the ARM Snapdragon on Android. It is a side-by-side CPU. The iOS or Android OS really doesn't control what goes on in the Qualcomm chip. This is already proven by the hacking using the Simjacker attack. First, the cell baseband modem apparently can receive commands via SMS text, but the text can be hidden, meaning not seen by the operating system. Remember, all this is occurring via radio, and iOS and Android rely on the baseband modem to tell it what's going on on the radio side. If the radio chooses to not let the operating system know what it's sending or receiving, then the OS is in the dark.

The Simjacker attack also apparently gets instructions from the SIM card, so basically some part of the code for interpreting commands is in the SIM card itself, and clearly the baseband modem has some software that can interpret the commands in the SIM card. The SIM card receives data from the cell carrier via radio, and that has to be tied to a cell subscription, in the cell IMSI identifier. It makes sense then that this attack requires a phone number. I'm going to presume then, based on this information, that the radio does not listen to the cell network if there's no SIM card, so that's an important takeaway. In my opinion, the fact that the Simjacker attack, Pegasus and SS7 attacks all use a phone number and texting tells me that the target is the cell baseband modem.

Now, according to some researchers, the commands used in the Simjacker attack were based on some old programming instructions that are no longer used and left on the SIM card. Not sure if I can believe that. In case you didn't know, the largest SIM card manufacturer in the world is Gemalto, and they make billions of these, and they didn't know that there was some hidden code in there? Yeah, right. And that's not to say this hidden code is even necessary; it could just be a high-level interface. There could be a low-level interface still available in the baseband modem directly.

Now let me tell you something else interesting about the baseband modem. Apparently the baseband modem has direct bus access to the full memory of the phone. Now, security researchers have been told that the direct access to memory is limited between the baseband modem and the phone's main CPU by some sort of security locking intermediary. Again, do we know the whole story? If someone on the inside at Qualcomm, Gemalto, Broadcom and so on has knowledge of how to access memory through some backdoor, you now have a potential way for the baseband modem to directly attack the main CPU of the phone to pass malware. Remember, the memory is electrically wired together with the main CPU and the baseband modem SoC.

The company Purism claimed they understood this potential risk and installed the baseband modem separately from the main phone in the Librem 5 phone that they are making. The interaction between the main CPU and the baseband is then solely through a USB connection, so no direct access of memory. The PinePhone did the same thing by connecting the modem only via USB, and in theory you can make a Raspberry Pi phone also putting the baseband on USB. So the two new phones have the potential for limiting this baseband risk. Unfortunately, both phones, which are Linux phones, have not resolved all the software issues and are still floundering today. Too bad, because they might have been more immune to these types of attacks. I have the PinePhone, and that's closer to being useful. I have not yet received the Librem 5 phone from Purism; my order is closing in on two and a half years ago. I really hope they succeed, because these two Linux phones are the only products that can theoretically stop or limit a baseband modem attack.

If you've been following the story, let's go back to the list of players. Did you notice that there are few? It seems like a company like Harris Corporation didn't have to go very far if they wanted to get secret access to create some new version of Stingray for 5G, authorized by the government. The short list: Qualcomm, MediaTek, Gemalto, and maybe include Broadcom if you want to hit the Wi-Fi/Bluetooth chip. You can even skip MediaTek if you're focused only on the USA. Qualcomm and Broadcom are USA companies. Gemalto is based in the Netherlands; Gemalto likely makes most of the chips for most of our credit cards, so they are very reliant on the USA market. So basically these few companies control the security of every single human with a phone. Is it theoretically possible that state-sponsored players like Harris Corporation, NSO and others could have been given secret access to data which would have allowed them a backdoor to the baseband modem?

If I recall, even Cisco inserted a backdoor into Cisco routers; they called it the lawful intercept backdoor. And let's never forget the Intel IME, the backdoor to every Intel computer, supposedly for corporate use. It is not uncommon for programmers to put backdoors in their products. I have to admit that I have put backdoors in proprietary software I built in the past, so this is not a new concept to me. And for the older folks who have watched the movie WarGames from the 80s, you will remember the backdoor in the WOPR. At this moment there are just too many intersections of hacking issues with the cell baseband modem and state-sponsored players, so it's beginning to quack like a duck.

By the way, in the USA there's a law called CALEA, the Communications Assistance for Law Enforcement Act. Basically, carriers are required by law to allow call interception, or wiretapping, to be built into the network. Now, usually the wiretapping is done on equipment at the carrier side, but someone could interpret the law as being required on the user device side as well. Is someone invoking this law to force a backdoor?

Let me tell you some other interesting little quirks with baseband modems. Have you ever received a carrier update message on your iPhone? That is obviously some programming being sent to the phone. Is that data being recorded to the SIM card? The SIM card is carrier-specific, so it would suggest that the target of the carrier software update is the SIM card; I don't really know. By the way, Android phones perform carrier updates quietly; they don't alert the user. I've learned in the past to be extremely wary of carrier updates. Someone told me that his phone gets a carrier update message when he drives by certain locations in Fort Meade, Maryland. Obviously that's the location of a three-letter agency. I didn't experience it firsthand, but any carrier update specific to a certain location would be suspicious.

Another interesting detail: as it turns out, I found some cryptic documentation on the internet that the cell baseband modem can be updated over the air, or OTA; there were some specific instructions to that effect. Do you understand the implications of that? The idea of flash memory on SoCs is nothing new. Many devices now come with an FPGA, field programmable gate array. This is a specific standard on modifying code on a chip, so a chip can be reprogrammed after manufacture, in the field. Of course, only the insiders would know this to be a fact, but if an SoC contains programmable flash memory, then it could be theoretically possible to change the behavior of a modem, and I already discussed that talking to a cell baseband modem can be done out of band using the cell radio, independent of the OS.

Now, the late John McAfee himself discussed the issue just before he died: that it is virtually impossible to spot a backdoor inserted into hardware or software by a software engineer that is a foreign intelligence agent, or even a domestic intelligence agent. This is something I've implied in my recent antivirus video. The cocky cybersecurity professional will assume he's covered because he's using the latest edge security modules from Sophos or Check Point, and the reality is that you may not be able to protect against a backdoor built into software or hardware, even software we commonly use. I personally am not cocky about this. I'm imagining what I could do as a software engineer and what I could hide, and McAfee is right: it would be impossible to spot. So clearly it is highly probable that a backdoor exists in cell phones and is possibly available to state-level players, likely highly protected information and used primarily against enemies of the state. Whether done by some planted software engineer or deliberately provided by a company, we would never know.

John McAfee said he didn't use a cell phone, although I recall when I talked to him that I saw some sort of phone, so I'm figuring he may have had a phone with no SIM card. Librem 5s or PinePhones have hardware switches that can turn off the cell baseband modem, plus they isolate the interface to USB; they would have been the best choices for this threat if they were ready for prime time. Alternatively, maybe having a side phone with no SIM card and just using Wi-Fi with an app like Signal might be useful.

I want to make clear that the security threats that I'm exposing here are apparently state-level capabilities. It is not likely a threat for the common person. To me, the average person's threats are more along privacy lines, meaning big tech would be the adversary. However, it is still disturbing that someone at will can just turn on a switch and choose to spy on any target phone.

I hope you find my videos of value. If you do, please hit that subscribe button and the notification bell so you get more of this content. You can support the cause by joining us on Patreon or checking out our VPN, VPN routers and de-Googled phones in my store, brax.me. Thank you for watching.
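Editor's note (added example, not part of the video or the speaker's material). The "hidden text messages" described for Simjacker have a concrete protocol basis that the transcript does not spell out: an SMS-DELIVER header (3GPP TS 23.040) can tell the handset to hand the payload straight to the SIM (TP-PID 0x7F "(U)SIM Data Download", or a message-class 2 TP-DCS such as 0xF6; this SMS-PP download path is how over-the-air SIM Toolkit traffic, including the S@T Browser messages in the Simjacker reports, reaches the SIM), or to acknowledge and discard it without showing anything (Short Message Type 0, TP-PID 0x40, the so-called silent SMS used for presence checks). The following Python parses such TPDUs and classifies them by how the phone must treat them, going slightly beyond the transcript by also covering the Type 0 and class 0 (flash) cases. Everything in it is constructed for the example: the originating number is made up, the timestamp is arbitrary, and the payload of the SIM-bound message is filler bytes after a user-data header, not a real SIM Toolkit command packet.

```python
"""Classify SMS-DELIVER TPDUs (3GPP TS 23.040) by how the handset must treat them.

Added example; all sample PDUs are constructed, not captured from a real network.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TP-PID values, TS 23.040 section 9.2.3.9
PID_TYPE0 = 0x40          # Short Message Type 0: acknowledge, then discard ("silent SMS")
PID_SIM_DOWNLOAD = 0x7F   # (U)SIM Data Download: handed to the SIM, never displayed


@dataclass
class SmsDeliver:
    originator: str
    pid: int
    dcs: int
    user_data_header: bytes
    user_data: bytes

    def message_class(self) -> Optional[int]:
        """TP-DCS message class 0-3, or None if the DCS carries no class."""
        group = self.dcs >> 4
        if group == 0xF:                           # "data coding/message class" group
            return self.dcs & 0x03
        if group <= 0x3 and (self.dcs & 0x10):     # general coding with class bit set
            return self.dcs & 0x03
        return None


def _semi_octets(raw: bytes) -> str:
    """Decode a nibble-swapped BCD number; a trailing F nibble is padding."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw).rstrip("f")


def parse_sms_deliver(hex_tpdu: str) -> SmsDeliver:
    """Parse a bare TPDU (no SMSC prefix) laid out as in TS 23.040 9.2.2.1."""
    data = bytes.fromhex(hex_tpdu)
    first = data[0]
    if first & 0x03 != 0x00:                       # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)                      # TP-UDHI: user data header present
    digits = data[1]                               # TP-OA length, in digits
    toa = data[2]                                  # type of address
    n = (digits + 1) // 2                          # digits are packed two per octet
    number = _semi_octets(data[3:3 + n])
    if toa & 0x70 == 0x10:                         # international type of number
        number = "+" + number
    pos = 3 + n
    pid, dcs = data[pos], data[pos + 1]
    pos += 2 + 7                                   # skip TP-SCTS (7 octets)
    ud = data[pos + 1:]                            # TP-UDL sits at data[pos], payload after it
    udh = b""
    if udhi:
        udhl = ud[0]
        udh, ud = ud[1:1 + udhl], ud[1 + udhl:]
    return SmsDeliver(number, pid, dcs, udh, ud)


def classify(msg: SmsDeliver) -> str:
    """What the handset does with the message before the user sees anything."""
    if msg.pid == PID_SIM_DOWNLOAD or msg.message_class() == 2:
        return "sim-data-download"                 # routed to the SIM, not to the inbox
    if msg.pid == PID_TYPE0:
        return "type0-silent"                      # acked to the network, then dropped
    if msg.message_class() == 0:
        return "flash"                             # displayed immediately, not stored
    return "normal"


# Constructed samples: made-up originator +12345678901, timestamp 2021-08-14 11:01:00.
_OA = "0B912143658709F1"
_SCTS = "12804111100000"
PDU_TEXT = "04" + _OA + "00" + "00" + _SCTS + "05" + "C8329BFD06"   # GSM 7-bit "Hello"
PDU_FLASH = "04" + _OA + "00" + "10" + _SCTS + "05" + "C8329BFD06"  # DCS 0x10: class 0
PDU_TYPE0 = "04" + _OA + "40" + "00" + _SCTS + "00"                 # PID 0x40, empty body
# PID 0x7F, DCS 0xF6, UDH with IEI 0x70 ((U)SIM Toolkit Security Header), then 7 filler bytes
PDU_SIM = "40" + _OA + "7F" + "F6" + _SCTS + "0A" + "027000" + "01020304050607"


def scan(pdus: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch of TPDUs; returns [(originator, classification), ...]."""
    return [(m.originator, classify(m)) for m in map(parse_sms_deliver, pdus)]


if __name__ == "__main__":
    for originator, kind in scan([PDU_TEXT, PDU_FLASH, PDU_TYPE0, PDU_SIM]):
        print(f"{originator}: {kind}")
```

PDUs read from a modem with AT+CMGR or AT+CMGL in PDU mode carry an SMSC address in front of the TPDU (its first octet is the SMSC field length), which has to be stripped before calling parse_sms_deliver. The practical point for the transcript's argument: messages in the first two categories are consumed by the modem and SIM, so no messaging app ever lists them, and the only place to see them is below the application OS, on the modem's own logging interface or on the radio side.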
Info
Channel: Rob Braxman Tech
Views: 39,420
Keywords: internet privacy guy, internet privacy, tech privacy, privacy, backdoor, lawful intercept backdoor, cisco backdoor, intel management engine, ime, vpro, ime backdoor, intel backdoor, phone backdoor, cell baseband modem, librem 5, pinephone, purism, is there a phone backdoor, cybersecurity
Id: FSA__oMUeHo
Length: 21min 33sec (1293 seconds)
Published: Thu Jul 29 2021