WiFi Calling 0-Day in Androids

If you’re still using an Android (Samsung or Pixel), best to disable WiFi calling. Here’s an Ars Technica link, but it’s all over the internet if you search.


… disable WiFi calling and VoLTE … which in some countries will mean that no calls are possible at all.

And (at least on some iPhones under some combination of circumstances) it is no longer possible to disable VoLTE i.e. that control simply doesn’t exist on the user interface any more. (It may be that by jailbreaking it is still possible to disable VoLTE.)

I have Calyx on a Pixel 7 and don’t see the option to turn off VoLTE. This article says Google has fixed it for my device, but I’ve seen my model listed elsewhere and the last system update didn’t mention the vulnerability (Calyx is pretty good about describing what each update does). Hopefully I’m not low-hanging fruit.

Q: If the L5 modem were similarly vulnerable, would Purism’s current precautions offer an effective prophylaxis?

Both cards do not use PCI to avoid giving them easy access to the main CPU and memory. Generally, the blobs running in the WiFi and cell modems are already assumed to be hostile. Of course, there might be additional vulnerabilities that could be used to get the main CPU. One thing that was learned by trying to replace the cell modem’s firmware with a Linux kernel is that the RAM and storage on the cell modem are extremely limited, so if there were an infection, it would not support a large viral payload, and I would not be surprised if an infected modem starts behaving like it has bugs. What I would be interested in is how to reset the card back to its uninfected state. And maybe detecting that it changed.


Well I guess a total compromise of the modem card would mean that someone could intercept your voice calls and intercept any insecure data connections - which could lead to a wider compromise, even though the main CPU and memory remain safe.

Such data interception could still be useful to an attacker because you can’t assume that all attackers can directly intercept insecure data connections. (Sure, your government can, your ISP can, but a random hacker in “Russia” would find it harder to intercept along the route and it may therefore be beneficial to attack the endpoint directly.)


is a major hypothetical as far as the actual vulnerability goes.

Granted, just war-gaming.

Yes, my preferred solution is to not use any of the calling and texting functions on the cell modem and just use end-to-end encrypted services for those needs, except for emergency services. Then, an infected modem would not change much besides potentially less reliable service. I have been keeping an eye on what can do both calls and texting, especially with normal phone numbers. SRTP works for SIP and can be used with Purism’s Calls application and modern SIP providers, but for both calls and texting Dino and JMP may some day be a good combination.

Operate killswitch…
Remove modem…

Yeah, I think those check out.


Well yes but perhaps the assumption behind the question, particularly for a 0-day, is that you don’t know that e.g. a deliberately malformed packet has remotely compromised the modem.

For some people’s use of the Librem 5, it may involve routinely operating the modem kill switch - and that will certainly kill any modem compromise dead (and may even remove the compromise if the attacker has no way of persisting the compromise i.e. it has to be done to the running modem).

But the way I use my Librem 5 is as an actual phone and that means that the modem is very rarely killed (whereas I routinely kill the WiFi when going out). I want people to be able to call me 24x7.

(I understand that if you are going somewhere and you don’t want that trip to be surveilled by your mobile service provider and by the government then it might be completely legitimate to operate the modem kill switch - or you never want to be surveilled by your MVNO / government - but so far I haven’t had that need. It’s good to know it’s there for when I need it.)