>“Every phone has two operating systems,” explains Gary S. Miliefsky, CEO of SnoopWall, “One that connects to cellular networks, and one that interfaces with the consumer. Airplane mode may only disable features in the consumer facing operating system, such as Android or iOS, but not in the OS used between the phone and the carrier network. A phone may be giving out a ‘ping’ and you’d never know it.”
Surely that defeats the whole idea behind airplane mode. i.e. stop the phone from sending crap that (supposedly) messes with airplanes?
As an RF engineer who has tested frequency spectra and radiated powers of various consumer electronics including cell phones, I've never seen a cell phone (specifically an iPhone 5, a Nexus, a Samsung Galaxy S4, and a Razr flip phone) transmit with airplane mode turned off.
It's not just airplanes that could be susceptible to cell phone emissions, but back in GSM days, the number of handoffs while in flight would effectively jam the cellular network in a 200mi radius. Nowadays cell phones are much smarter and don't do that, and the EMC risk in aircraft is extremely low.
>>I've never seen a cell phone (specifically an iPhone 5, a Nexus, a Samsung Galaxy S4, and a Razr flip phone) transmit with airplane mode turned off.
I think you meant "on"? If airplane mode was on, RF emissions were a strict test case executed in the lab Faraday cages where we ran new terminals through their paces prior to launch rollouts.
Correct, typo. We were specifically testing the radiated and conducted (through its charging cable) emissions from the cellphone's processors, display, etc, and needed the radios off in a reverberation chamber.
No way to tell if it's listening though. It could be silent and still be processing everything it can detect.
Who knows if there are secret commands that can be sent to it to override airplane mode settings, or instructions to do other nefarious things and broadcast once out of airplane mode.
Every radio has a signature that it's turned on by listening to its Local Oscillator. [0]
We weren't testing the presence of the LO, but instead characterizing the phone's radiated and conducted emissions from its non-phone radio functions like its processors, displays, BMS, etc. There were discrete frequencies which were certainly from oscillators, but we didn't determine whether or not that was the receiver(s') LO(s) when airplane mode was on. There's probably a dozen other oscillators within phones for memory, CPU, displays, etc. So, you might be right, but this can be tested in the right lab.
However, that might be complicated with software defined receivers that don't have a typical receiver architecture, very low level signals, and very tiny PCB traces.
He means listening to the radio. A phone might have special baseband firmware that, e.g., turns on for a minute every hour and listens for a particular coded sequence (such as the date, and a mask of serial numbers, encrypted to a key in firmware etc), which would then cause the phone to do a number of things, such as turn on the radio for rx, or tx the RSSI of nearby towers, etc. All without telling the main CPU.
Colour me dubious. If the phone is in airplane mode then the carrier doesn't know where it is. Are you suggesting they broadcast this information on all their cell towers? Or that they have a secret system to predict/guess where a dark handset might be so they can target it? Either sounds extremely unlikely.
As to the practicalities, it wouldn't need to use the carrier network, just put it in a plane. Like the plane they have circling D.C. right now, or a drone. And your location is often known approximately.
Android does this routinely with wifi listening, if not GPS. It's a feature, and you can't turn it off. Haven't tested if GPS spoofing (a debug interface) overrides that.
iPhones now do this too, privacy violation by relay to nearby iPhones, over Bluetooth and possibly with the new mm wave RADAR too.
A while back, I experienced a technical problem with my carrier. As a result, my subscription stopped working. That meant that for every day I used the internet connection, I was to be charged 4 euros.
The solution was obvious: airplane mode! You know what? It didn't help. They kept charging me 4 euros a day. Then I replaced the APN in the network settings with a fake one and suddenly the daily charges were gone.
Airplane mode didn't help, some byte was still passing through.
The phone was an android phone. The carrier refunded me right after fixing the problem (which took them a month and a half).
How? I don't think there's any way a phone could know if someone has a spectrum analyzer looking at its antennas, so it wouldn't be able to distinguish between a user enabling airplane mode because they want to vs. someone testing it.
Why? Airplane mode is a software feature right, you just don't enable whatever power transistors you use to amplify your transmission. However a receiver won't give measurable EMF, you could still listen and detect any abnormally low noise floor. You could probably even employ a heuristic like "only call home if the noise floor has been very high for at least one hour".
That would still be catastrophic for people trying to avoid tracking in demonstrations for example.
Your phone's (rootkit?) would have to passively measure the room before any remote action, that's true and reduces the utility. Still it would require accessing the sensors in the faraday cage which might make some noise.
Plenty of VM evasion stuff has been caught in the wild so it would up the game regardless, which is all you can really hope for against hackers and malicious parties. They almost always go for the easy targets who don't think of this stuff anyway.
From a friend that is an amateur radio enthusiast: "It's because your phone connects to so many towers (50-100 at a time) at once that it's an issue versus bringing the plane down".
It isn't plausible that the baseband is routinely incorporating backdoors. However it is very plausible that nation states do lots of testing of baseband firmware, with an eye towards exploiting it. If baseband protocols were as easy to test as wifi we would probably see more vuln reports about them.
It is unlikely that they would be able to remotely update the baseband firmware though, especially on an iPhone. Also, an increasing number of baseband systems use highly verified kernels, such as seL4.
As to phones in flight mode routinely pinging, this is incorrect. It would easily be detected by standard tools and counter-surveillance equipment.
It isn't plausible that a modern phone would interfere with a modern jet IMO, but I still turn it to flight mode. Doesn't mean a passenger couldn't cause problems if they wanted to though -- turn on a GPS jammer and ADS-B/mode-S spoofer while onboard and watch everything go kooky.
A more realistic security problem is that of phones listening to wifi when turned off for geolocation purposes. Just the listening is exposing the stack to some degree.
> It isn't plausible that the baseband is routinely incorporating backdoors.
Intel and AMD effectively incorporate a back door into every processor, one that they refuse to document or give the keys for (but which likely some government agencies have, whether provided willingly or not). Why is it implausible that basebands incorporate something similar?
Features like Intel ME were actually requested by major IHVs, like Dell/HP etc. VISA is a debug system you need ring 0 access to use.
In contrast, Qualcomm/Intel clients like Apple are very concerned to not have magic backdoors (Apple bought Intel's baseband IP and team recently, supposedly to make their own 5G chip). In any case, there are plenty of garden variety vulnerabilities in baseband chips, no need for NSA voodoo.
Intel ME could have been used as a backdoor in a circumstance where they knew it wouldn't be analyzed, but that is a small percentage of jobs. Really only when you know a JDAM is coming through the roof soon after, or it's a no fail type of mission, i.e. taking over NK ground control during a missile launch. It isn't going to be wasted trying to hack the Kremlin, where everything gets logged.
For baseband chips, I haven't heard of Qualcomm having these types of interfaces at all. Fleet management happens via MDM at the iOS/Android level. I don't think NSA would be able to coerce Qualcomm to introduce a huge feature like ME in secret, and besides that isn't their MO, there would be a standards process etc. I really don't think something like that could be kept completely under wraps, and then as soon as you used it once it would be burnt.
Chinese chipsets not so sure. So far Huawei has so many bugs in everything they have implausible deniability. Like dozens of level 10, full RCE exploits. That's a good reason to ban them.
JFYI, at least on iOS 13, airplane mode disables only the mobile connection, while WiFi and Bluetooth remain on. This is not hidden in any way, the buttons remain active in Control Center.
I assume that only mobile signal has enough power to be considered dangerous. Maybe someone can explain what's the reasoning behind this choice.
I feel like this aligns with what "airplane" mode should be. I find it annoying when I turn on airplane mode and it disables my bluetooth and I have to re-enable it (Android X/Api 29 and below)
The reasoning is that airlines used to ban all wireless communication during flight. Now they permit Bluetooth and WiFi but still forbid cellular. The iOS behavior is calibrated to the air travel rules.
I believe iPadOS/iOS 13 by default will leave Bluetooth on while in airplane mode (likely for watches and headphones). If you turn bluetooth off while in airplane mode, it remembers that as a preference.
It's been like that for a while: if you have your wifi/Bluetooth on when airplane mode is on, it will do it the same way next time you turn on airplane mode. I used that frequently on my 5S, spare 6, and iPhone X.
The reasoning was so that WF on flight, and BT/WF peripherals like AirPods, Apple Watch, and (for the iPad) the pencil, connected keyboards, and so on, can continue to work.
Phones affecting airplanes is already not that much of a risk (even if indeed existing), and besides, as the article claims, the phone might still just send a periodic ping, which is going to be practically unnoticeable for any equipment.
Smart devices mimic what they hear around them so they can blend in. For example, for wifi using the same MAC address and IP info as something transmitting frequently. You'd have to check the sequence numbers or use multi-directional gear to detect it reliably.
Conceivably it would use a different waveform with lower energy when transmitting clandestinely, but that would be insanely expensive to achieve, probably need to add a separate chip, and it wouldn't work for people who change phones regularly.
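The sequence-number check mentioned above, as an added example that is not part of the original thread: 802.11 data frames carry a 12-bit sequence number that a real station increments by one per frame, so two devices sharing one source MAC show up as two interleaved counters. The script below groups a constructed capture (the frame records and MAC addresses are made up for the demo) into sequence streams per source address and flags any address that sustains more than one stream; the `max_gap` and `min_frames` thresholds are assumptions to absorb lost frames and retransmissions.

```python
from collections import defaultdict
from dataclasses import dataclass

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide and wrap at 4096


@dataclass
class Frame:
    ts: float   # capture timestamp (seconds), kept for reporting only
    src: str    # source MAC address as seen on the air
    seq: int    # 12-bit sequence number from the frame control header


def seq_delta(prev: int, cur: int) -> int:
    """Forward distance from prev to cur, honouring the 4096 wraparound."""
    return (cur - prev) % SEQ_MOD


def assign_streams(frames, max_gap: int = 8):
    """Group each source MAC's frames into sequence-number streams.

    A frame joins the first stream whose last sequence number is a small
    forward gap (1..max_gap) behind it; a frame repeating the last number is
    treated as a retransmission; anything else starts a new stream.
    Returns {mac: [[last_seq, frame_count], ...]}.
    """
    streams = defaultdict(list)
    for f in frames:
        for s in streams[f.src]:
            d = seq_delta(s[0], f.seq)
            if d == 0:              # retransmission of the same frame
                break
            if 1 <= d <= max_gap:   # plausible continuation of this stream
                s[0] = f.seq
                s[1] += 1
                break
        else:
            streams[f.src].append([f.seq, 1])
    return streams


def suspected_clones(frames, max_gap: int = 8, min_frames: int = 3):
    """Return MACs that sustain two or more independent sequence streams,
    i.e. addresses that more than one transmitter appears to be using."""
    flagged = []
    for mac, ss in assign_streams(frames, max_gap).items():
        if sum(1 for s in ss if s[1] >= min_frames) >= 2:
            flagged.append(mac)
    return sorted(flagged)


# Constructed capture: a genuine laptop at aa:...:01 counting 100..106, a
# second device borrowing the same MAC with its own counter at 3000..3003,
# an untouched station bb:...:02, and cc:...:03 crossing the 4095 -> 0 wrap.
SAMPLE_FRAMES = [
    Frame(0.00, "aa:bb:cc:dd:ee:01", 100),
    Frame(0.01, "bb:bb:cc:dd:ee:02", 10),
    Frame(0.02, "aa:bb:cc:dd:ee:01", 101),
    Frame(0.03, "aa:bb:cc:dd:ee:01", 3000),
    Frame(0.04, "aa:bb:cc:dd:ee:01", 102),
    Frame(0.05, "bb:bb:cc:dd:ee:02", 11),
    Frame(0.06, "aa:bb:cc:dd:ee:01", 3001),
    Frame(0.07, "aa:bb:cc:dd:ee:01", 103),
    Frame(0.08, "aa:bb:cc:dd:ee:01", 103),   # retransmission, not a new stream
    Frame(0.09, "cc:bb:cc:dd:ee:03", 4094),
    Frame(0.10, "aa:bb:cc:dd:ee:01", 3002),
    Frame(0.11, "cc:bb:cc:dd:ee:03", 4095),
    Frame(0.12, "aa:bb:cc:dd:ee:01", 104),
    Frame(0.13, "cc:bb:cc:dd:ee:03", 0),
    Frame(0.14, "aa:bb:cc:dd:ee:01", 3003),
    Frame(0.15, "cc:bb:cc:dd:ee:03", 1),
    Frame(0.16, "bb:bb:cc:dd:ee:02", 12),
    Frame(0.17, "aa:bb:cc:dd:ee:01", 105),
    Frame(0.18, "aa:bb:cc:dd:ee:01", 106),
]

if __name__ == "__main__":
    for mac in suspected_clones(SAMPLE_FRAMES):
        print(f"{mac}: more than one transmitter appears to use this address")
```

On real traffic the `Frame` records would come from a monitor-mode capture; the streams approach is robust to ordinary packet loss (small forward gaps) and to the 4096 wrap, but a transmitter that deliberately tracks and mirrors the victim's counter would defeat it, which is why the post also mentions directional equipment.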
I'm reminded that a while back the Shin Bet modified a phone to have a chunk of plastic explosive, used to kill a Hamas bomb maker. It was detonated remotely with a non-phone protocol (as the phone channel was in use by the target).
Meta data from regular operation, combined with data from apps, and OS telemetry is probably such a treasure trove that backdooring the baseband processor is probably overkill in most cases, and while I suspect there are phones backdoored in this manner the real threat will not likely be government agencies for most people; it's the risk that non-government actors discover it and abuse it for criminal purposes.
I suspect various alphabet agencies are perfectly aware of this, and that they're actively avoiding such measures unless they're considered strictly necessary. After all, imagine the media shit-storm if some North-Korean hacker group managed to start mining bitcoin with 2 billion Android devices and it turns out that NSA put in the back door that allowed it.
Notably, appeals to not having your phone on in an airplane and airplane mode are more due to the extensive reach of an airborne cellphone and the effect this has on cells and hand-over protocols, as the phone connects to a plethora of cell towers in rapid succession, by this seriously harming available capacity. So this is intended more to protect the earthbound infrastructure than the cockpit electronics. I'd guess, subverting any countermeasures by means of the baseband system would be contrary to the interest of those involved and profiting from this.
"stopping the phone from sending crap that (supposedly) messes with airplanes" was never the goal of airplane mode. If phones could bring down an airplane they would have never been allowed on board.
The technical problem was always that planes cross cells at speeds for which the GSM handover protocol was not designed. The business problem was phones would eat into the juicy onboard services turnover.