Three Letter Agency & Modem Baseband


With Librem 5 kill switches gaining popularity amongst highly privacy focused users, I have became aware of existence of baseband firmware inside cell modems. In theory what level of access a three letter agency can have to a device via possible baseband modem backdoors, not Librem 5 specifically?

Can a backdoored modem baseband firmware enable remote access to:

  1. Mobile Phone Microphone
  2. Mobile OS RAM to access decrypted private keys
  3. View what is on screen

Thanks very much

1 Like

I think it is impossible to answer that without reference to a specific hardware implementation (not being the Librem 5). In addition, even if you nominated a specific hardware implementation, there may be insufficient public information about the internals to answer the question. In most mainstream spyphones, there is a high level of integration across the whole SoC and we would just be guessing as to the nature of the access that the baseband modem has to the rest of the system.

All that said, I would guess that memory contents would be most vulnerable - and that means potentially private keys and screen contents (and an awful lot of other stuff).

However since you asked about TLAs, they can also directly compromise the core operating system. Doing it via the baseband modem firmware may be unnecessarily complicated.

Doing it via the baseband modem firmware is kind of cute though if the modem supports update via Firmware Over-The-Air (FOTA).

1 Like

I guess one of the use cases that is most viable is locating the user.
Because modems have afaik own GPS capabilities so the modem alone could in theory locate you and then send your location without even bothering other components of the smartphone.

1 Like

True but that means that you don’t need to be a TLA since it is already built-in to the modem … :rofl:

1 Like

Meh, root.

BTW you’ll get 504 agencies, if you increase to Four Letter Agencies you get a couple thousand more (without calculating exactly.) Even more if your agency uses a Cyrillic alphabet.


For this to work you would need to open the Librem 5 phone and switch the position of the antenna cables on the modem.


However the OP did write “not Librem 5 specifically”. Who knows how or whether that vulnerability applies to a randomly chosen spyphone.

1 Like

Precisely. I was talking about the general case on any random smartphone.
Still interesting to hear that the antenna cabling in the Librem 5 plays a role.

1 Like

In the Librem 5 the GNSS antenna is connected to the dedicated GNSS chip and not to the mobile modem, with a view to frustrating any rogue, or otherwise, firmware in the mobile modem.


How imprecise is the GPS without an antenna connected?

I have very dated knowledge for multiple chip designers that this was an acceptable level of accurate in 2008 without anything connected, using a piece of a paperclip increased performance over 100x yet that cost was higher than the phone manufacturers these chip designers were dealing with so the phones were shipping with no antenna connected, much to the dismay of the chip designers.

I’m inclined to believe that this is not likely to have regressed meaningfully and as such I’m not inclined to trust that just not connecting an antenna would be sufficient.