
Structure of a Smartphone
You may have the illusion of control.

David Allen Burgess

Jun 28 · 5 min read


A typical smartphone has at least three independent computer systems inside it, each
running its own operating system and each one of them programmed by a different
community of developers working in a different segment of the industry.

1. The “application processor”. This is the computer that runs Android or iOS. It is
the part you interact with. It is where your apps run. When you think of your
smartphone, you are probably thinking of the application processor.

2. The “baseband processor”. This is the computer that manages the cellular radio
part of the phone. And by cellular, we mean actual cellular technologies like LTE,
5G, etc., not WiFi. This computer connects and releases phone calls, connects and
releases cellular data sessions, handles SMS, and performs other functions in the
cellular network, including functions like “mobility management” that are normally
invisible to you.

3. The SIM. The SIM contains a full computer system (processor, memory, and
filesystem) running its own OS and its own set of applications. When you install a
SIM, it becomes an integral and active part of your phone.

As a smartphone user, you may have the illusion that you control your phone. In reality,
the functions of your phone are controlled by the software in these three computer
systems, only one of which is directly accessible to you.

How did it get like this? Historically, we started with “feature phones”, which had a
baseband processor and a SIM and a very simple microcontroller running a keypad and
screen. Then, in a separate line of evolution, we had PDAs. Remember PDAs? The
smartphone is a fusion of these two products, and there is still a very clear line between
the “phone” part (baseband + SIM) and the “PDA” part (application processor).

The Application Processor


Typically, this processor runs Google Android or Apple iOS. It is the only processor
where you can directly install software yourself, in the form of “apps”. The other
processors are completely locked down, even in a “rooted” or “jailbroken” phone. From
a security standpoint, the application processor is a large and rich attack surface, and
most discussions of mobile device security are limited to this part of the device.
However, this blog is about telecom, and very little telecom happens in the application
processor, so we will move on.

The Baseband Processor


This processor performs all of the telecommunications functions of the phone:
connecting and releasing telephone calls, connecting and releasing data sessions,
sending and receiving SMS, and the mobility management functions that allow the cellular
network to find the phone as it moves from cell to cell. The baseband processor is
a closed system, usually running a proprietary operating system with no publicly
available development tools. Security research on baseband processors requires more
specialised equipment (a basestation you control, a way to extract the firmware, a way
to debug the target) and deeper knowledge than research on application processors, so
there is much less publicly available information about their security shortcomings. This
does not mean that those shortcomings do not exist. In particular, there are known bugs in
some baseband processors that can be exploited, from a rogue basestation (an IMSI-catcher)
or through malicious IMS/VoLTE signalling, for remote code execution or denial of
service. (The public work of German researcher Ralf-Philipp Weinmann stands out in this
area, although every handset vendor does have a baseband security team.)

Between the application processor and the baseband processor sits the “AT” command
set, so called because nearly every command starts with the letters “AT” (for
“attention”). It is inherited from Hayes-style dial-up modems and was formally defined
for cellular use in GSM 07.07 (now 3GPP TS 27.007), with the SMS commands in GSM 07.05
(TS 27.005). In the AT protocol, the application processor is the master: it sends
commands and queries, and the baseband answers each one with zero or more information
lines followed by a final result code such as OK, ERROR or +CME ERROR. The baseband can
also emit unsolicited result codes (RING for an incoming call, +CMTI for a delivered SMS),
but it never issues commands. Typical commands are “scan for available networks”
(AT+COPS=?), “select this particular network” (AT+COPS=1,2,...), “send this SMS”
(AT+CMGS), “start a telephone call” (ATD...;), or “start a data session” (AT+CGDCONT,
AT+CGACT). The actual content of the data session is of no interest to the baseband
processor. It does not care what your apps are chatting about or what you are browsing.
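The exchange just described, as an added example that is not code from the original post: a constructed stand-in for the baseband answers the command lines a host would send for each of the operations listed, and the host side shows the work the application processor actually does, which is splitting information lines from the final result code, parsing the +COPS list, and refusing to build a command line from input that could splice in a second command. The network list, the error codes chosen and the FakeBaseband class are assumptions made for the example; a real modem's replies have the same shape with different values.

```python
"""Application processor <-> baseband exchange over the AT command set
(GSM 07.07 / 3GPP TS 27.007; SMS commands from GSM 07.05 / TS 27.005).
Added example, not from the original post: the baseband is a constructed
stand-in, so its network list and chosen error codes are illustrative."""
import re

# Constructed PLMN list: (status, long name, short name, MCC+MNC); status 2 = current.
NETWORKS = [(2, "Carrier A", "CarA", "26201"), (1, "Carrier B", "CarB", "26202")]
FINAL_RESULT = re.compile(r"^(OK|ERROR|\+CM[ES] ERROR: \d+|> )$")
COPS_ENTRY = re.compile(r'\((\d),"([^"]*)","([^"]*)","(\d+)"\)')

class FakeBaseband:
    """Modem side (constructed): interprets one command line, returns its response lines."""
    def __init__(self):
        self.text_mode = False      # AT+CMGF=1 selects text-mode SMS
        self.selected = "26201"     # PLMN currently registered on
        self.sent_sms = []          # (destination, text) pairs the baseband "sent"
        self.calls = []             # numbers dialled with ATD
        self._sms_to = None         # set between the "> " prompt and the Ctrl-Z terminator

    def handle(self, line):
        cmd = line.rstrip("\r")                            # command lines end in CR
        if self._sms_to is not None:                       # collecting an SMS body
            if not cmd.endswith("\x1a"):
                return []                                  # still waiting for Ctrl-Z
            self.sent_sms.append((self._sms_to, cmd[:-1]))
            self._sms_to = None
            return [f"+CMGS: {len(self.sent_sms)}", "OK"]  # message reference
        if cmd == "AT":
            return ["OK"]
        if cmd == "AT+COPS=?":                             # scan for available networks
            entries = ",".join(f'({s},"{l}","{sh}","{n}")' for s, l, sh, n in NETWORKS)
            return [f"+COPS: {entries}", "OK"]
        if m := re.fullmatch(r'AT\+COPS=1,2,"(\d{5,6})"', cmd):  # manual PLMN selection
            if any(n[3] == m.group(1) for n in NETWORKS):
                self.selected = m.group(1)
                return ["OK"]
            return ["+CME ERROR: 30"]                      # 30 = no network service
        if cmd == "AT+CMGF=1":
            self.text_mode = True
            return ["OK"]
        if m := re.fullmatch(r'AT\+CMGS="(\+?\d+)"', cmd):  # send SMS, text mode
            if not self.text_mode:
                return ["+CMS ERROR: 304"]                 # 304 = invalid PDU mode parameter
            self._sms_to = m.group(1)
            return ["> "]                                  # prompt for the body
        if m := re.fullmatch(r"ATD(\+?\d+);", cmd):         # voice call (';' = not data)
            self.calls.append(m.group(1))
            return ["OK"]
        return ["ERROR"]

def at(modem, cmd):
    """Host side: send one line and split the reply into (information lines, final code)."""
    lines = modem.handle(cmd + "\r")
    if not lines or not FINAL_RESULT.match(lines[-1]):
        raise RuntimeError(f"no final result code after {cmd!r}: {lines}")
    return lines[:-1], lines[-1]

def check_number(number):
    """Only digits and an optional '+': a quote or CR here would splice in a second command."""
    if not re.fullmatch(r"\+?\d{3,15}", number):
        raise ValueError(f"rejecting number {number!r}")

def scan_networks(modem):
    """AT+COPS=? parsed into (status, long name, short name, numeric) tuples."""
    info, final = at(modem, "AT+COPS=?")
    if final != "OK":
        raise RuntimeError(final)
    line = next(l for l in info if l.startswith("+COPS: "))
    return [(int(s), lg, sh, num) for s, lg, sh, num in COPS_ENTRY.findall(line)]

def select_network(modem, mccmnc):
    check_number(mccmnc)
    return at(modem, f'AT+COPS=1,2,"{mccmnc}"')[1]

def send_sms(modem, number, text):
    """Text-mode SMS: CMGF=1, CMGS=<number>, body, Ctrl-Z. Returns the message reference."""
    check_number(number)
    if any(c in text for c in "\x1a\x1b\r"):     # Ctrl-Z ends, ESC aborts, CR ends a line
        raise ValueError("control characters in SMS body")
    if at(modem, "AT+CMGF=1")[1] != "OK":
        raise RuntimeError("text mode not supported")
    if at(modem, f'AT+CMGS="{number}"')[1] != "> ":
        raise RuntimeError("modem did not prompt for the body")
    info, final = at(modem, text + "\x1a")
    if final != "OK":
        raise RuntimeError(final)
    return int(info[0].split(": ")[1])

def dial(modem, number):
    """ATD<number>; where the trailing ';' asks for a voice call rather than a data call."""
    check_number(number)
    return at(modem, f"ATD{number};")[1]
```

The two input checks are the practitioner's caveat: anything the application processor puts on this line is executed by the baseband as a command, so a phone number taken from a web page or a contact card must be validated before it is interpolated into a quoted string, and an SMS body must never carry the Ctrl-Z or ESC bytes that end or abort the body.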

The industry has some justification to keep the baseband processor closed and locked
down. The design of the cellular network places the basestation firmly in control of the
radio environment, and for this design to work, every baseband processor in every
handset must follow the rules strictly. A “rogue” handset that does not do as it is told can
disrupt service for an entire cell.

I used terms like “closed” and “locked down” several times, but this does not mean that
the cellular operator and baseband vendor cannot update the software and configuration of
the baseband processor remotely. The baseband firmware image itself normally arrives
bundled with the handset’s own firmware update, through the application processor, while
the so-called OTA (over-the-air) channel, delivered as specially formatted SMS, is used to
update the SIM and some operator settings. Both rely on cryptographic checks (signed
images in one case, keys shared between the card and the operator in the other) to
(supposedly) ensure that the update comes from a trusted source, and the protection is
only as good as the key management behind it.

Note that WiFi connections are usually not handled by the baseband processor, but by a
much simpler radio connected directly to the application processor. WiFi and cellular data
are different technologies, even though they may appear the same at the application layer
and sometimes get lumped together under the catch-all term “wireless”.

The SIM
The SIM is a standard ISO/IEC 7816 smart card with some software extensions. Most SIMs
are made by Gemalto, a Dutch company (part of Thales since 2019) that holds about 50% of
the market, or Oberthur, a French company (now IDEMIA) that holds about 25% of the
market. Like many modern smart cards, the typical SIM can be programmed with “applets”
written in Java Card, a restricted Java dialect for smart cards. These applets can usually
be installed and updated over-the-air with specially formatted SMS, authenticated and
encrypted with keys that the operator provisions in the card.
The baseband processor and the SIM communicate over a serial line using two layers of
protocol:

1. the generic smart card protocol defined in ISO/IEC 7816 (the T=0 transmission
protocol and the command/response APDU format), and

2. the SIM-specific commands and file structure, originally defined in GSM 11.11 and
carried forward in 3GPP TS 51.011 and, for the USIM, 3GPP TS 31.102.

On top of these sits the SIM Application Toolkit (STK), defined in GSM 11.14 and 3GPP
TS 31.111, which gives the SIM a way to issue commands of its own.

Here, the baseband processor is the master and initiates all communication. However, the
STK feature called “proactive SIM” lets the SIM send commands to the baseband processor
using a polling arrangement. The baseband processor sends a STATUS command to the SIM
periodically (every 30 seconds by default; the SIM can change this with the POLL
INTERVAL command), effectively asking, “Do you need me to do anything?” If a command is
waiting, the SIM answers with status word 91 XX, the baseband reads XX bytes of command
with FETCH, carries it out, and reports the outcome with TERMINAL RESPONSE. The power
that the proactive SIM can have over the baseband processor is impressive, actually
beyond that of the application processor. In particular, the SIM can send SMS, start USSD
sessions, set up calls, open data channels, ask for the phone’s current cell and location
(PROVIDE LOCAL INFORMATION), and control supplementary services, like call forwarding.
And nearly all of the SIMs in the market today are proactive.

There is no direct link between the application processor and the SIM. Some baseband
processors relay APDUs on request (the AT+CSIM and AT+CRSM commands in TS 27.007) and
forward the user-facing toolkit commands, such as menus and displayed text, to the
application processor, but the network-facing proactive commands are carried out by the
baseband alone, without any involvement of the application processor. This means that,
without special test equipment (a SIM trace tool inserted between the card and the phone,
for instance), the user may have no way to know what the SIM is doing.
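The polling round trip from the previous paragraph (STATUS, then FETCH, then TERMINAL RESPONSE) and the point of this one (the baseband carries out a SEND SHORT MESSAGE from the SIM with nothing reaching the application processor), as an added example; it is not code from the original post. The FakeSim and Baseband classes, the queued commands and the plain text standing in for the SMS TPDU are constructed for the example; the instruction bytes, status words and TLV tags follow GSM 11.11 / 11.14 (3GPP TS 51.011 / 31.111).

```python
"""Baseband <-> SIM exchange: ISO/IEC 7816 T=0 APDUs carrying a proactive SIM
command.  Added example, not the original post's code; the SIM is a constructed
stand-in.  INS bytes, status words and TLV tags follow GSM 11.11 / 11.14."""

CLA_GSM = 0xA0
INS_STATUS, INS_FETCH, INS_TERMINAL_RESPONSE = 0xF2, 0x12, 0x14
CMD_SET_UP_CALL, CMD_SEND_USSD, CMD_SEND_SMS = 0x10, 0x12, 0x13   # "type of command"
# Simple TLV tags with the "comprehension required" bit set, plus the outer envelope tag.
TAG_DETAILS, TAG_DEVICES, TAG_RESULT, TAG_ADDRESS, TAG_TPDU = 0x81, 0x82, 0x83, 0x86, 0x8B
TAG_PROACTIVE = 0xD0
DEV_SIM, DEV_TERMINAL = 0x81, 0x82                                # device identities

def apdu(cla, ins, p1, p2, data=b"", le=0):
    """T=0 command: CLA INS P1 P2 P3 [data]; P3 is Lc when data is present, else Le."""
    return bytes([cla, ins, p1, p2, len(data)]) + data if data else bytes([cla, ins, p1, p2, le])

def tlv(tag, value):
    """BER-TLV with a one-byte length, or the 0x81 long form for 128..255 bytes."""
    n = len(value)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + value

def parse_tlvs(buf):
    """Split a BER-TLV string into (raw tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length == 0x81:
            length, i = buf[i], i + 1
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def bcd_digits(number):
    """Reverse-nibble BCD for the Address TLV; an odd digit count is padded with 0xF."""
    d = number + "F" * (len(number) % 2)
    return bytes(int(d[i + 1], 16) << 4 | int(d[i], 16) for i in range(0, len(d), 2))

def proactive_send_sms(number, text):
    """Envelope the SIM hands over on FETCH.  A real card puts a 3GPP TS 23.040
    SMS-SUBMIT TPDU in the TPDU object; the plain text here is a constructed stand-in."""
    body = (tlv(TAG_DETAILS, bytes([1, CMD_SEND_SMS, 0x00]))       # number, type, qualifier
            + tlv(TAG_DEVICES, bytes([DEV_SIM, DEV_TERMINAL]))
            + tlv(TAG_ADDRESS, bytes([0x91]) + bcd_digits(number))  # 0x91 = international ISDN
            + tlv(TAG_TPDU, text.encode()))
    return tlv(TAG_PROACTIVE, body)

def decode_proactive(data):
    """Unwrap the D0 envelope; the comprehension bit is masked off the inner tags."""
    items = parse_tlvs(data)
    if len(items) != 1 or items[0][0] != TAG_PROACTIVE:
        raise ValueError("not a proactive command")
    objs = {t & 0x7F: v for t, v in parse_tlvs(items[0][1])}
    details = objs[TAG_DETAILS & 0x7F]
    return {"details": details, "type": details[1],
            "address": objs.get(TAG_ADDRESS & 0x7F, b""), "tpdu": objs.get(TAG_TPDU & 0x7F, b"")}

def terminal_response(details, general_result):
    """TERMINAL RESPONSE body: echoed command details, terminal -> SIM, result byte."""
    return (tlv(TAG_DETAILS, details) + tlv(TAG_DEVICES, bytes([DEV_TERMINAL, DEV_SIM]))
            + tlv(TAG_RESULT, bytes([general_result])))

class FakeSim:
    """Constructed card: answers with SW 91 XX while a proactive command is queued."""
    def __init__(self, commands):
        self.queue, self.responses = list(commands), []
    def _sw(self):
        return (0x91, len(self.queue[0])) if self.queue else (0x90, 0x00)
    def handle(self, c):
        """Return (response data, SW1, SW2) for one command APDU."""
        cla, ins, _p1, _p2, p3 = c[:5]
        if cla != CLA_GSM:
            return b"", 0x6E, 0x00                    # class not supported
        if ins == INS_STATUS:
            return (b"",) + self._sw()
        if ins == INS_FETCH:
            if not self.queue:
                return b"", 0x6F, 0x00                # nothing pending (constructed choice)
            if p3 != len(self.queue[0]):
                return b"", 0x67, len(self.queue[0])  # wrong P3; SW2 gives the right length
            return self.queue.pop(0), 0x90, 0x00
        if ins == INS_TERMINAL_RESPONSE:
            self.responses.append(parse_tlvs(c[5:5 + p3]))
            return (b"",) + self._sw()                # may already announce the next one
        return b"", 0x6D, 0x00                        # instruction not supported

class Baseband:
    """Terminal side.  Nothing in here is visible to the application processor."""
    def __init__(self, sim):
        self.sim, self.sent_sms, self.executed = sim, [], []
    def execute(self, cmd):
        """Baseband policy for one proactive command; returns the general result byte."""
        if cmd["type"] == CMD_SEND_SMS:
            self.sent_sms.append((cmd["address"], cmd["tpdu"]))
            return 0x00                               # command performed successfully
        return 0x30                                   # beyond terminal's capabilities
    def poll(self):
        """One STATUS poll (the ~30 s timer); drains every queued proactive command."""
        _, sw1, sw2 = self.sim.handle(apdu(CLA_GSM, INS_STATUS, 0, 0))
        while sw1 == 0x91:
            data, s1, s2 = self.sim.handle(apdu(CLA_GSM, INS_FETCH, 0, 0, le=sw2))
            if (s1, s2) != (0x90, 0x00):
                raise RuntimeError(f"FETCH failed: {s1:02X} {s2:02X}")
            cmd = decode_proactive(data)
            result = self.execute(cmd)
            self.executed.append((cmd["type"], result))
            tr = terminal_response(cmd["details"], result)
            _, sw1, sw2 = self.sim.handle(apdu(CLA_GSM, INS_TERMINAL_RESPONSE, 0, 0, data=tr))
        return list(self.executed)
```

Queue a SEND SHORT MESSAGE and a SET UP CALL in the FakeSim, call `Baseband(sim).poll()` once, and the SMS ends up in `sent_sms` while the call is refused with result 0x30: the whole transaction is four APDUs on the SIM interface, which is exactly the traffic a SIM trace tool would capture and the application processor never sees.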

Conclusion
The smartphone is a complex system, and may not be what you expect. What you see on
the screen is like the surface of a deep, murky pool. If smartphone behavior is an issue in
your work, it is best to find an expert with the experience and tools to examine and
analyze the evidence and help you correctly interpret the situation.
