In March 2023, Google's Project Zero reported something alarming: 18 zero-day vulnerabilities in Samsung's Exynos cellular modems. Four of them were "internet-to-baseband" remote code execution bugs. An attacker who knew your phone number could take over your device. No links to click. No attachments to open. No user interaction at all. Just a phone call - or not even that. [1]

The vulnerabilities affected Samsung's flagship Galaxy phones, Google's own Pixel 6 and 7, and dozens of other Android devices. Google withheld disclosure on the four worst bugs because they were so dangerous - reliable, remotely exploitable, and trivial to weaponize.

This wasn't the first time. It won't be the last. The baseband processor - the cellular modem in your phone - is one of the most vulnerable attack surfaces in modern computing. And you have no way to secure it.

What Is a Baseband Processor?

Every smartphone contains two separate computers. The application processor (AP) runs your operating system - iOS or Android - and all your apps. The baseband processor (BP) handles everything cellular: voice calls, SMS, mobile data. [2]

These are physically separate chips with their own:

  • CPU: Usually ARM-based, running at hundreds of MHz to over a GHz
  • RAM: Isolated memory the application processor can't directly access
  • Operating system: Real-time OS like ThreadX, proprietary kernels from Qualcomm (AMSS) or Samsung (Shannon)
  • Radio: Direct control of cellular antennas and RF circuits

The baseband implements the entire cellular protocol stack - 2G/GSM, 3G/UMTS, 4G/LTE, 5G/NR. This includes physical layer modulation, MAC scheduling, RLC retransmission, PDCP encryption, and RRC signaling. It's a complete networking stack running independently of your phone's main OS. [3]

Why Basebands Are Dangerous

The architecture that makes cellular radios work is the same architecture that makes them dangerous.

Always Listening

Your baseband is powered on whenever your phone has cellular service. It continuously receives and processes radio signals from cell towers. Unlike apps that you launch, the baseband never stops running. It's processing potentially malicious data 24/7.

Remote Attack Surface

Anyone who can transmit on cellular frequencies - which includes governments, well-funded attackers, and researchers with SDR equipment - can send data to your baseband. A rogue cell tower (IMSI catcher) can force your phone to connect and start processing attacker-controlled signals. [4]

Proprietary Code

Baseband firmware is entirely proprietary. Qualcomm, Samsung, MediaTek, Intel (formerly) - none publish source code. Independent security audits require reverse engineering, which is difficult, time-consuming, and may violate licensing agreements. Most baseband code has never been examined by anyone outside the manufacturer.

Direct Memory Access

On many devices, the baseband has DMA - direct memory access to the application processor's RAM. A compromised baseband can read your messages, steal your keys, and modify running code. The isolation between "your" phone and the cellular modem ranges from weak to nonexistent. [5]

Some devices connect the baseband over an internal USB link instead of a shared memory bus, which prevents DMA. The Neo900 project specifically chose this architecture for security. But most mainstream phones don't make this choice.

Missing Security Basics

When security researchers examine baseband firmware, they consistently find missing protections that have been standard in application software for decades. One 5G modem audit found no stack cookies - a basic buffer overflow mitigation. No ASLR. No CFI. It's like the 1990s never ended. [6]

Major Baseband Vulnerabilities

Samsung Exynos (2023)

Google Project Zero's 18 vulnerabilities affected Samsung Exynos modems used in Galaxy S22, Pixel 6/7, Galaxy A series, and wearables. The four worst bugs allowed remote code execution via internet-to-baseband attack vectors. [1]

Attack requirements: Know the victim's phone number. That's it. No user interaction. The attacker sends specially crafted data over the cellular network, exploits a memory corruption bug, and gains code execution on the baseband processor.

Google's advisory: "We believe that skilled attackers would be able to quickly create an operational exploit." They delayed public disclosure to give Samsung time to patch - an unusual step indicating exceptional severity.

CVE-2023-41111 and CVE-2023-41112

Taszk Labs researchers examining Samsung's Shannon baseband found vulnerabilities in Layer 2 radio protocols - an area previously considered too low-level to attack remotely. CVE-2023-41112 is a heap overflow during packet reassembly. CVE-2023-41111 enables reaching the vulnerable code path. [7]

These bugs demonstrated that even the lowest layers of cellular protocols - previously assumed safe because of their complexity and obscurity - are vulnerable to remote exploitation.
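As an added illustration of the bug class behind the missing-mitigations and packet-reassembly findings above (constructed for this article; not Samsung's code and not the actual CVE-2023-41112 defect), here is the bounds check a Layer 2 reassembly routine needs so that sender-chosen offset and length fields cannot write past the reassembly buffer. SDU_MAX, sdu_buf and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the bug class, not vendor code: a reassembly
 * buffer for one upper-layer SDU that arrives as several RLC segments. */
#define SDU_MAX 1500u

struct sdu_buf {
    uint8_t  data[SDU_MAX];
    uint32_t declared_len;   /* total SDU length announced over the air */
};

/* Start reassembly. declared_len comes from the peer and is untrusted. */
bool sdu_init(struct sdu_buf *b, uint32_t declared_len)
{
    if (declared_len > SDU_MAX)      /* would not fit the fixed buffer */
        return false;
    memset(b->data, 0, sizeof b->data);
    b->declared_len = declared_len;
    return true;
}

/* Copy one segment into place. offset and seg_len are header fields the
 * sender chose; an unchecked memcpy(b->data + offset, seg, seg_len) here
 * is the overflow pattern the text describes. */
bool sdu_add_segment(struct sdu_buf *b, uint32_t offset,
                     const uint8_t *seg, uint32_t seg_len)
{
    /* Compare by subtraction: offset + seg_len could wrap a 32-bit sum. */
    if (seg_len > b->declared_len || offset > b->declared_len - seg_len)
        return false;
    memcpy(b->data + offset, seg, seg_len);
    return true;
}

/* Helper for a stand-alone check: is a segment with these header values
 * accepted into a fresh SDU of declared_len bytes? (1 = yes, 0 = no) */
int segment_accepted(uint32_t declared_len, uint32_t offset, uint32_t seg_len)
{
    static uint8_t seg[SDU_MAX];     /* constructed payload, contents irrelevant */
    struct sdu_buf b;
    if (!sdu_init(&b, declared_len))
        return 0;
    return sdu_add_segment(&b, offset, seg, seg_len) ? 1 : 0;
}
```

Without stack cookies, ASLR or CFI in the firmware, the single missing comparison in sdu_add_segment is the whole distance between a malformed packet and code execution.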

CVE-2025-26782

In 2025, researchers found a denial-of-service vulnerability in Samsung's Exynos RLC (Radio Link Control) implementation. It affects the Exynos 2400 and 5400, Samsung's latest flagship chipsets. A malformed radio packet can crash the modem, forcing a disconnect from the cellular network. [8]

Qualcomm Vulnerabilities

Qualcomm's baseband (used in most Android phones) has its own history:

  • CVE-2024-43047: Use-after-free in FastRPC driver, CVSS 7.8, confirmed under active exploitation. Google's Threat Analysis Group and Amnesty International's Security Lab flagged it. [9]
  • CVE-2024-23385: Part of the LLFuzz research, affects 90+ Qualcomm chipsets
  • CVE-2025-21477: Discovered by KAIST researchers, patched in 2025
  • CVE-2025-47372: Compromises secure boot process via use-after-free during memory operations

Check Point Research found vulnerabilities in Qualcomm MSM allowing attackers to unlock the modem, access call history, SMS, and audio. [10]

UNISOC Vulnerabilities

UNISOC makes budget chipsets powering two-thirds of phones in Africa and Asia. Check Point Research found vulnerabilities allowing remote access via the modem. Budget phones, minimal security investment, massive deployment - bad combination. [11]

Apple Baseband

iPhones aren't immune. CVE-2024-27870, discovered by KAIST's LLFuzz research, affects Apple's baseband implementation - the same vulnerability class as Qualcomm's CVE-2024-23385. Apple patches baseband bugs through iOS updates, but the firmware remains proprietary. [12]

How Baseband Attacks Work

Cellular protocols are complex. The attack surface is vast.

Layer 1 (Physical)

The raw radio signal. Modulation, frequency handling, timing. Attacks here require specialized RF equipment (SDR) and target signal processing code. Bugs in demodulation can crash or compromise the baseband before any "data" is even extracted.

Layer 2 (Data Link)

MAC (Medium Access Control), RLC (Radio Link Control), PDCP (Packet Data Convergence Protocol). These handle scheduling, retransmission, and basic packet handling. [7]

Key insight from KAIST's research: "The lower layers of smartphone communication modems are not subject to encryption or authentication, creating a structural risk where devices can accept arbitrary signals from external sources." [12]

Translation: At Layers 1 and 2, your phone trusts whatever the cell tower sends. There's no cryptographic verification that the tower is legitimate. A rogue base station can inject malicious data directly into your baseband's parsing code.

Layer 3 (Network)

RRC (Radio Resource Control), NAS (Non-Access Stratum). Call setup, mobility management, authentication. This is where most previous baseband research focused, but it turns out the lower layers are equally vulnerable.

Attack Progression

Typical baseband exploit chain:

  1. Force connection: Rogue cell tower broadcasts stronger signal than legitimate towers; phone connects
  2. Trigger vulnerability: Send malformed packet targeting known bug in protocol parsing
  3. Gain code execution: Overflow buffer, corrupt memory, redirect execution to attacker payload
  4. Persist: Install rootkit in baseband firmware or pivot to application processor
  5. Exfiltrate: Capture calls, SMS, data; track location; activate microphone

Real-World Exploitation

These aren't theoretical attacks. They're in active use.

Pegasus

NSO Group's spyware has used baseband exploits. Once Pegasus compromises the baseband, it can persist through factory resets, intercept all communications, and remain invisible to mobile security software. Targets have included journalists, activists, and politicians worldwide. [13]

IMSI Catchers / Stingrays

Government agencies worldwide use fake cell towers to intercept communications. These devices exploit the fact that phones will connect to the strongest nearby signal without authentication. Once connected, the IMSI catcher can inject malicious data targeting baseband vulnerabilities. [4]

State-Level Actors

National intelligence agencies almost certainly have zero-day baseband exploits. The attack surface is too valuable, the code too unaudited, and the access too complete. If you're a target of state-level surveillance, assume your baseband is compromised.

Research Efforts

LLFuzz (KAIST)

In July 2025, KAIST researchers published LLFuzz - an over-the-air fuzzing framework for cellular baseband lower layers. They tested 15 commercial smartphones from Apple, Samsung, Google, and Xiaomi and found 11 memory corruption vulnerabilities: 3 in PDCP, 2 in RLC, 5 in MAC, 1 in RRC. Seven received CVE assignments. [12]

LLFuzz represents a shift in baseband security research - systematically targeting Layer 2 protocols that were previously considered too obscure to attack but turn out to be full of bugs.

BaseSAFE (Comsecuris)

Comsecuris demonstrated baseband-to-application-processor escalation on MediaTek devices. They found custom AT commands that could capture keystrokes, screenshots, and camera output - triggered remotely by carriers. [5]

Project Zero

Google's security team continues to audit basebands. Their Samsung Exynos research revealed that even flagship chipsets from major vendors have internet-exploitable bugs.

Protection Strategies

You can't fully protect against baseband attacks. The firmware is proprietary, the radio is always on, and patching depends entirely on manufacturers. But you can reduce exposure:

Update Everything

Baseband patches come through system updates. For Android, that's monthly security bulletins. For iPhone, iOS updates. Don't skip them. Known vulnerabilities are more dangerous than theoretical ones.

Airplane Mode

Airplane mode disables the cellular radio, stopping over-the-air attacks. The baseband processor still exists and runs briefly during mode changes, but it's not processing external signals.

Limitation: You lose cellular connectivity. Not practical for daily use.

Hardware Kill Switches

Phones like the Librem 5 and PinePhone have physical kill switches that cut power to the cellular modem. When the switch is off, the baseband is electrically disconnected - no firmware exploit can survive because there's no power.

Faraday Bags

A Faraday bag blocks all radio signals. Your phone can't connect to cell towers, so attackers can't reach the baseband. Useful for high-security situations when you need the phone but not connectivity.

Assume Compromise

Design your security model knowing the baseband could be compromised:

  • Use end-to-end encrypted messaging (Signal) for sensitive communications
  • Don't store secrets that only need to exist temporarily
  • Compartmentalize - dedicated devices for sensitive activities
  • Consider that call metadata (who you called, when, for how long) is always visible to the carrier and potentially to baseband attackers

The Structural Problem

Baseband insecurity isn't accidental. It's structural.

Cellular protocols were designed decades ago when "security through obscurity" seemed reasonable. The specifications assume trusted base stations. The code assumes well-formed input. Adding security would require redesigning protocols that billions of devices rely on.

Manufacturers have no incentive to open-source baseband firmware. They'd face competitive exposure, regulatory complications (FCC requires certified software stacks), and liability concerns. Keeping it closed is easier.

There's no feasible open-source baseband. OsmocomBB exists but only supports ancient 2G hardware. Modern LTE and 5G basebands require massive engineering effort and access to specifications that vendors guard carefully.

The result: every smartphone ships with a separate computer running code you can't audit, accepting signals you can't control, with access to everything on your device. This is the foundation of modern mobile communication. It's also the foundation of mobile insecurity.

References

  1. Google Project Zero. "Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems." March 2023. security.googleblog.com
  2. Wikipedia. "Baseband processor." wikipedia.org
  3. FuzzingLabs. "Breaking Down The Baseband - Shannon In A Nutshell." fuzzinglabs.com
  4. EFF. "Cell-Site Simulators / IMSI Catchers." eff.org
  5. Comsecuris. "Path of Least Resistance: Cellular Baseband to Application Processor Escalation." comsecuris.com
  6. Black Hat USA 2021. "Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones." blackhat.com
  7. Taszk Labs. "Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2." July 2024. taszk.io
  8. ZeroPath. "Samsung Exynos RLC AM Denial of Service (CVE-2025-26782)." zeropath.com
  9. CyberScoop. "Android warns of Qualcomm exploit in latest security bulletin." November 2024. cyberscoop.com
  10. Check Point Research. "Security probe of Qualcomm MSM data services." 2021. checkpoint.com
  11. Check Point Research. "Check Point Research unveils vulnerability within UNISOC baseband chipset." checkpoint.com
  12. KAIST. "LLFuzz: An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers." USENIX Security 2025. github.com
  13. Amnesty International. "Forensic Methodology Report: How to catch NSO Group's Pegasus." amnesty.org