What is a zero-click baseband exploit?

A zero-click exploit targets the baseband processor through malformed over-the-air messages. The victim doesn't need to click anything, open an app, or interact with their phone — simply being connected to a cellular network within range of a IMSI catchers is enough for the attack to execute. The malformed message is processed by the baseband's protocol parser before any user-level software is involved.

Can airplane mode protect against baseband attacks?

Yes, airplane mode completely disables the cellular radio and therefore the baseband processor cannot receive OTA messages. However, on some devices, the baseband firmware remains loaded in memory even in airplane mode, and the radio can be re-enabled without a full processor restart. For maximum security in high-risk environments, physically disabling the radio (Faraday bag) is recommended.

Are iPhones vulnerable to baseband attacks?

Yes. iPhones use Qualcomm or Intel basebands (and Apple's own modem starting with iPhone 17). The baseband firmware is equally opaque and subject to the same class of OTA vulnerabilities. Apple does apply stronger sandboxing between the baseband and AP processors (via IOMMU and the Secure Enclave), which can limit the impact of a modem compromise but does not prevent the initial baseband exploitation.

What equipment do I need for baseband fuzzing?

At minimum: a USRP B210 SDR, a compute node running srsRAN, a Faraday cage for RF containment, and programmable SIM cards. For firmware analysis, you'll need Ghidra or IDA Pro and vendor-specific diagnostic tools (QXDM for Qualcomm, Shannon tools for Samsung). See our complete lab setup guide for the full hardware procurement list.

How do vendors patch baseband vulnerabilities?

Baseband patches are delivered through firmware updates, typically bundled with monthly Android security bulletins or iOS updates. The patch cycle averages 60-90 days from report to deployment. Unlike application patches, baseband updates require carrier certification in many regions, which can add additional delays. This extended exposure window makes zero-day baseband vulnerabilities exceptionally valuable to attackers.

What is the relationship between IMSI catchers and baseband exploitation?

IMSI catchers (rogue base stations) serve as the delivery mechanism for baseband exploits. The IMSI catcher forces the target UE to connect by broadcasting a stronger signal, then delivers malformed protocol messages during the pre-authentication phase. Without a rogue base station or compromised legitimate infrastructure, remote baseband exploitation over the air is significantly more difficult.

Baseband Exploitation Modern Smartphones

title: "Baseband Exploitation in Modern Smartphones" description: "TelcoSec research on smartphone baseband exploitation: attack surfaces, Shannon/MediaTek firmware analysis, OTA fuzzing methods, and zero-click vulnerabilities." date: "2024-03-04" lastModified: "2026-05-15" author: "Ruben F. Silva" authorName: "TelcoSec Research" category: "MOBILE_SECURITY" severity: "CRITICAL" image: "/images/articles/baseband-exploitation-hero.webp" imageAlt: "Baseband Exploitation - Smartphone Modem Security Analysis" readingTime: 22

The baseband processor — the modem chip that handles all cellular communication — is arguably the most security-critical component in any smartphone. It operates below the application processor (AP), runs its own Real-Time Operating System (RTOS) with full access to the radio hardware, and processes untrusted over-the-air (OTA) messages before any authentication occurs. A vulnerability in the baseband grants an attacker full control of the modem, enabling silent call interception, location tracking, and in many cases, escalation to the application processor and the Android/iOS operating system itself.

This makes baseband exploitation the holy grail of mobile offensive security: a single vulnerability can enable a zero-click, zero-interaction remote code execution attack against any device within radio range. No phishing link, no user action — just a crafted radio message.

CLASSIFIED

// CONTENT UPGRADE AVAILABLE

RESOURCES: Baseband Attack Surface Map

Download the complete baseband vulnerability taxonomy and fuzzing framework reference for Samsung Shannon, Qualcomm, and MediaTek chipsets (PDF).

GET ATTACK MAP [→]

Baseband vulnerabilities represent the most critical class of mobile security flaws. They are reachable over-the-air without user interaction, execute in a privileged context with direct hardware access, and often bypass all application-layer security measures. Unlike application vulnerabilities that require user interaction, baseband bugs are exploitable by anyone with a IMSI catchers within radio range.

KEY TAKEAWAYS:

Zero-click, over-the-air exploitation — no user interaction required
Pre-authentication attack surface: NAS, RRC, and paging messages processed before security mode
Samsung Shannon, Qualcomm, and MediaTek basebands are prime research targets
Private lab infrastructure is essential for safe OTA fuzzing
Baseband-to-AP escalation can compromise the entire device

I. Baseband Architecture: The Hidden Computer Inside Your Phone

Every smartphone contains two processors: the Application Processor (AP) running Android/iOS, and the Baseband Processor (BP) running a proprietary Real-Time Operating System (RTOS) that handles all cellular protocol processing. These two processors share a communication channel (typically shared memory or a PCIe bus) but run completely independent software stacks.

Critical Security Boundary

The baseband processor handles all protocol parsing for untrusted over-the-air messages. It processes NAS (Non-Access Stratum), RRC (Radio Resource Control), and lower-layer radio messages — many of which arrive BEFORE mutual authentication is established. This means the baseband must parse attacker-controlled data in an unauthenticated context, creating a vast pre-authentication attack surface.

Major Baseband Platforms

Vendor	Chipset Family	RTOS	Devices	Research Accessibility
Samsung	Shannon (Exynos Modem)	Samsung Proprietary RTOS	Samsung Galaxy (Exynos variants), Google Pixel 6/7/8	High — most researched, ASAN support available
Qualcomm	Snapdragon Modem (X55/X65/X75)	QuRT (Qualcomm RTOS)	Most Android flagships (Snapdragon variants), iPhones 12-15	Medium — heavily obfuscated, some research published
MediaTek	Helio/Dimensity Modem	Nucleus RTOS	Budget-to-mid-range Android devices	Medium — growing research community
Intel	XMM (discontinued)	ThreadX RTOS	iPhones 7-11	High — well-documented post-discontinuation
HiSilicon	Balong	LiteOS	Huawei devices	Low — restricted access

Vendor Architecture Deep-Dive

> Qualcomm MSM

Powers the majority of Android devices globally. Firmware extracted via QFIL or EDL mode. The QuRT RTOS uses a microkernel architecture with hardware-enforced memory isolation between tasks. However, the cellular protocol handlers share a flat memory space, making intra-modem lateral movement trivial after initial exploitation.

> Samsung Shannon

Used in Samsung Exynos-based Galaxy devices and Google Pixels. Notable for multiple RCE vulnerabilities discovered by Google Project Zero in 2023-2024. Samsung has since added ASAN (AddressSanitizer) to Shannon firmware builds, making it the first baseband with runtime memory safety instrumentation.

> MediaTek

Dominant in budget and mid-range devices across emerging markets. The Nucleus RTOS runs a monolithic architecture where all tasks share the same address space. Less publicly researched but equally susceptible to firmware vulnerabilities — and deployed on billions of devices worldwide.

The Pre-Authentication Attack Surface

The critical insight for baseband exploitation is that a significant portion of the cellular protocol stack must be processed before mutual authentication is established. When a UE (smartphone) encounters a new cell, the following messages are processed without any cryptographic protection:

MIB (Master Information Block): Broadcast on the Physical Broadcast Channel (PBCH) — contains basic system parameters
SIB (System Information Blocks): Broadcast on the DL-SCH — contains cell configuration, PLMN identity, access control
Paging Messages: Addressed to specific UEs to notify them of incoming calls/data — processed in idle mode
RRC Setup/Reconfiguration: Initial RRC connection establishment — occurs before NAS security is activated
NAS Identity Request: Pre-authentication identity queries (IMSI request in 4G, SUCI in 5G)
NAS Authentication Request: The 5G-AKA challenge — malformed authentication vectors can trigger parsing bugs
NAS Security Mode Command: Activates encryption/integrity — but the message itself is received before protection is active
Tracking Area Update (TAU) Reject: Used to force devices off a network or into a different radio access technology

DIAGRAM::BASEBAND EXPLOIT CHAINAIR TO USER LAND

Pre-Authentication Message Flow

        UE (Baseband)                                    gNB/eNB
  |                                                |
  |<--- MIB (PBCH broadcast) ----------------------|  ← UNAUTHENTICATED
  |<--- SIB1-SIB9 (DL-SCH broadcast) -------------|  ← UNAUTHENTICATED
  |<--- Paging (if applicable) --------------------|  ← UNAUTHENTICATED
  |---- RRC Setup Request ---------------------->  |  ← UNAUTHENTICATED
  |<--- RRC Setup --------------------------------|  ← UNAUTHENTICATED
  |---- RRC Setup Complete (+ NAS Registration) ->|  ← UNAUTHENTICATED
  |<--- NAS Identity Request (optional) ----------|  ← UNAUTHENTICATED
  |---- NAS Identity Response ------------------->|  ← UNAUTHENTICATED
  |<--- NAS Authentication Request ---------------|  ← UNAUTHENTICATED
  |---- NAS Authentication Response ------------->|  ← UNAUTHENTICATED
  |<--- NAS Security Mode Command ---------------|  ← INTEGRITY PROTECTED
  |---- NAS Security Mode Complete -------------->|  ← ENCRYPTED + INTEGRITY
  |================================================|  ← ALL SUBSEQUENT = PROTECTED

RESOURCES: Baseband Attack Surface Map

Critical Security Boundary

WAS THIS ARTICLE HELPFUL?