Hidden magic: a look at the secret operating system inside the iPhone
If you’ve spent some time in the Apple world, you’ve probably encountered the term “baseband” at least once—typically as part of a discussion on why jailbreaking seems to be so hard.
Despite those frequent mentions, however, this important component of every iOS device doesn’t often receive attention outside of highly technical realms. Most often, it is dismissed as little more than a curious piece of firmware responsible for blocking those who run afoul of Apple’s locked-down operating system, but there’s much more to it than that.
The man behind the curtain
At its most basic, the baseband is a combination of hardware and software responsible for managing some of the most fundamental functionality of a mobile device. It drives the radios that communicate with cellular networks, translating radio signals to and from data that the device can actually use, and validates your phone to ensure that it can be used with a specific provider (for example, through a SIM lock).
This may seem like a mundane, even boring task—the modern equivalent of the noisy modems that the old folks among us used to connect to bulletin board systems and early Internet providers. In reality, it’s a job of mind-boggling complexity, because cellular technology is a hodgepodge of specifications that have evolved over two decades and encompass thousands of protocols and other standards. To put things in perspective, the 3GPP specification set, which is the basis for 3G GSM networks, is made up of more than 2,000 documents—and that doesn’t even count more modern protocols like LTE or Verizon’s EVDO.
Because of their highly specialized nature, basebands are manufactured by only a handful of companies throughout the world. For its own mobile products, Apple has, so far, relied on two different providers: early devices, up to and including the iPhone 3GS and iPad 2, used basebands made by Infineon, a German company that was spun off in 1999 from its corporate parent Siemens. More recent iPhones and iPads have used hardware produced by Qualcomm, based in San Diego.
The other iOS
Given that its primary job is to act as an interface between software and hardware, the baseband firmware is a bit like the driver that makes it possible for a computer to communicate with a printer: it abstracts away all the complexity of the underlying specifications and provides iOS with a predictable protocol that can be used to exchange data with the phone network.
In reality, however, things are a bit more complicated. Unlike a printer driver, any kind of software that communicates with a cellular network must also be tested and certified by the FCC before being released to the public. It’s a process that, given the standards at play, is both time-consuming and extremely complex.
Thus, if the baseband were a simple add-on to iOS itself, Apple would be forced to recertify every new version of its own operating system—which, in all likelihood, means that we’d still be waiting for that missing cut-and-paste functionality everyone was complaining about five years ago.
The baseband, then, must work independently of iOS, and is, in fact, a completely separate operating system that runs alongside it. This means that every iPhone and iPad (just like every other smartphone and tablet on the market) actually runs two operating systems at the same time, each with its own ARM-based processor and its own set of responsibilities.
Cat and mouse
Due to the critical nature of many of its tasks, baseband software is very different from a typical operating system like iOS. It is a special “real-time operating system” (abbreviated as RTOS), designed to complete each task within a predictable, bounded amount of time. This ensures, for example, that the data that makes up a phone call gets the amount of attention required to prevent the interruptions and delays that would make it difficult to speak with someone.
Because it’s a completely separate operating system, the baseband software is a prime target for hackers. Security flaws found in the baseband can be used to unlock a phone, tricking it into working on a network other than the one it was originally meant for. Thus, over the years, industrious security researchers have found a number of bugs in the various basebands in Apple products; those bugs could be used to cause a device to ignore its lock settings, leading to several software unlocking exploits.
Of course, Apple has been patching these bugs, making it harder and harder to unlock your phone without the permission of your cellular provider—to the point where the discovery of exploitable software flaws has slowed to a trickle on recent versions of the iPhone’s firmware. That’s just as well, because it turns out that, in addition to traditional methods that rely on a physical connection between a mobile device and a computer, the baseband can be exploited from outside your phone.
In a paper he wrote last year, researcher Ralf-Philipp Weinmann from the University of Luxembourg outlined a number of significant security issues in popular baseband software made by Intel and Qualcomm; those vulnerabilities could easily be exploited using a rogue cell tower to transmit a specially crafted data package to a vulnerable device.
This risk may sound like a farfetched problem, but creating a “fake” cell tower has become increasingly easy in recent times, thanks to the ready availability of cheap hardware and open-source software designed for just such a purpose. That makes over-the-air exploits a lot scarier, since all you would have to do to fall prey to them is find yourself within reach of a rogue radio station.
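The defensive lesson behind the over-the-air attacks described above is that every length and offset arriving from the radio side is attacker-controlled and must be checked against what was actually received and against the fixed-size buffers it will land in, before anything is copied. The following C is an added example written for this article, not code from Apple, Infineon, Qualcomm or Weinmann’s paper; the three-byte frame format, the message types and the sample byte stream are all constructed for illustration and correspond to no real cellular protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy frame format (hypothetical, not any real protocol):
 *   bytes 0..1  payload length, big-endian
 *   byte  2     message type
 *   bytes 3..   payload (exactly `length` bytes)
 */
#define HDR_LEN 3
#define MAX_PAYLOAD 64

enum parse_status { PARSE_OK = 0, PARSE_SHORT_HEADER, PARSE_TRUNCATED, PARSE_TOO_LONG };

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
} frame_t;

/* Parse one frame from buf. The peer-supplied length is validated against
 * both the destination capacity and the bytes really present before the
 * memcpy, so a header that lies about its size cannot cause an over-read
 * or an overflow of out->payload. */
enum parse_status parse_frame(const uint8_t *buf, size_t buflen,
                              frame_t *out, size_t *consumed)
{
    if (buflen < HDR_LEN)
        return PARSE_SHORT_HEADER;
    uint16_t len = (uint16_t)((buf[0] << 8) | buf[1]);
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LONG;            /* would not fit in out->payload */
    if ((size_t)len > buflen - HDR_LEN)
        return PARSE_TRUNCATED;           /* claims more than was received */
    out->type = buf[2];
    out->len = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    *consumed = HDR_LEN + len;
    return PARSE_OK;
}

/* Walk a buffer of concatenated frames, stopping at the first malformed
 * one. Returns the number accepted and reports why parsing stopped. */
size_t count_valid_frames(const uint8_t *buf, size_t buflen, enum parse_status *last)
{
    size_t n = 0, off = 0, used;
    frame_t f;
    *last = PARSE_OK;
    while (off < buflen) {
        enum parse_status s = parse_frame(buf + off, buflen - off, &f, &used);
        if (s != PARSE_OK) { *last = s; break; }
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample stream: two well-formed frames, then one whose header
 * claims 0x0100 = 256 payload bytes although only one byte follows. */
static const uint8_t sample_stream[] = {
    0x00, 0x02, 0x01, 0xAA, 0xBB,   /* type 1, two-byte payload  */
    0x00, 0x00, 0x02,               /* type 2, empty payload     */
    0x01, 0x00, 0x03, 0xCC          /* type 3, lies about length */
};

size_t demo(enum parse_status *last)
{
    return count_valid_frames(sample_stream, sizeof sample_stream, last);
}

int main(void)
{
    enum parse_status s;
    size_t n = demo(&s);
    /* expect 2 frames accepted, parsing stopped with PARSE_TOO_LONG */
    return (n == 2 && s == PARSE_TOO_LONG) ? 0 : 1;
}
```

The ordering of the two checks matters: comparing the declared length against `MAX_PAYLOAD` first guarantees the copy can never exceed the destination, and comparing it against the bytes actually received guarantees the copy never reads past the end of the input, regardless of what the peer claims.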
Of course, these flaws could be exploited simply to unlock a phone without the need for cables and specialized software. As appealing as this prospect sounds, however, the list of malicious attacks that can be crafted this way is also quite impressive, ranging from causing your phone to auto-answer a call without any user intervention to making unwanted phone calls.
This is not to say that we should toss our iPhones in the nearest incinerator and don our tin foil hats. The high-tech cat-and-mouse game that Apple and hackers keep playing shows that the company is as dedicated to security as it’s ever been, and it’s fair to say that basebands, while largely hidden from view, will continue to improve and play their crucial role in the proper functioning of our cellular phones and tablets.