Sha-ger
That is plain simply wrong. You are oversimplifying the threat model and significantly underestimating the feasibility of Wi-Fi-based attacks — especially when targeting Pixel devices in the real world. First, proximity-based attacks are not as difficult to carry out as you claim. Police are actively using the WiFi Pineapple against phones at the moment. People bring their phones everywhere: to cafés, airports, hotel lobbies, co-working spaces, conferences, etc.
Second, claiming that cellular attacks are easier because they can be done remotely via IMSI or IMEI tracking completely ignores the reality of cellular stack complexity. Exploiting the baseband is significantly harder and more expensive. You’d need to run a fake BTS (base station), which requires SDR hardware (like a LimeSDR or USRP), LTE stack software (e.g., srsRAN or Amarisoft), and have extremely rare knowledge of the protocol layers (RRC, NAS, L1, etc.). Add to that the fact that Google has enforced strict isolation of the modem using IOMMU and pKVM — making memory access to the Android system impossible or at least very hard from the modem — and it becomes clear that targeting the cellular layer is a task reserved for nation-state level attackers or APTs with millions in budget. You could use a telco also, but it is still the same expense.
The cellular modem is integrated as a separate block on the SoC; it communicates via shared memory and a custom interface. IOMMU is enabled and enforced between the modem and application processor. On Pixels, the Trusty TEE + hypervisor layer (pKVM) enforces isolation. Google emphasizes this to protect against baseband exploits leaking into Android. The modem is strictly isolated via IOMMU and not allowed direct memory access to Android OS space. The Wi-Fi module is not IOMMU isolated. The firmware is loaded at boot by Android while the baseband firmware is loaded by the baseband bootloader which is better.
Respectfully, your comparison overlooks the real-world practicality of proximity-based attacks. Unlike cellular baseband exploits, which require highly specialized gear and access to deeply protected code, Wi-Fi-based attacks (especially on Broadcom) have been repeatedly demonstrated with cheap hardware and remote code execution vectors via probe responses, beacon floods, or malformed frames.
Additionally, Pixel's Tensor SoC isolates the baseband via IOMMU and pKVM, but Wi-Fi firmware is still less isolated and less regulated. It’s significantly easier to sit in a coffee shop and sniff out targets with passive probes or evil twin setups than to craft a baseband-level attack. Even APTs often start by compromising Wi-Fi before trying cellular.
Wi-Fi firmware, especially Broadcom’s, has a long track record of critical vulnerabilities, including well-known exploits like Broadpwn (CVE-2017-9417), CVE-2019-9503, and CVE-2021-0430. These were real remote code execution vulnerabilities that could be exploited via malformed frames and did not require any user interaction. In contrast, baseband exploits are rare, highly valuable, and heavily guarded.
Wi-Fi firmware is also generally much less protected than modem firmware. It’s not governed by telecom standards like 3GPP, it often lacks modern mitigations (such as ASLR or proper sandboxing), and the Wi-Fi stack runs with broad privileges through kernel drivers. This makes it far easier to fuzz and attack from the outside.
So, in practice, even if Wi-Fi firmware exploits are harder to deliver at long range, the barrier to entry is drastically lower, and the attack feasibility is higher for most adversaries. You don’t need to track a device via IMEI or deploy cellular infrastructure — you just need to be in the same physical environment for a few minutes, which is trivial in most cases. Compared to cellular, Wi-Fi remains the softer target, both in historical precedent and practical terms.
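A way to check the isolation claim in the post above on your own hardware, as an added example that is not part of the thread: it walks a Linux sysfs tree and reports which devices carry an iommu_group link, the kernel's standard marker for a device sitting behind an IOMMU, so a DMA-capable radio that reports "none" stands out. The bus names, the SYSFS_ROOT variable and the sample device names in the comments are assumptions; on a rooted Android device you would run it, or point it at a copy of /sys pulled with adb, from an adb shell.

```shell
#!/bin/sh
# Added example (not from the thread): report IOMMU isolation per device from sysfs.
# Assumes the standard Linux convention that an isolated device directory holds an
# "iommu_group" symlink pointing at /sys/kernel/iommu_groups/<N>. SYSFS_ROOT is an
# assumed variable so a copy of /sys pulled off a phone can be inspected offline.

# Print the IOMMU group number for one device directory, or "none" if it has no group.
iommu_group_of() {
    d="$1"
    if [ -L "$d/iommu_group" ]; then
        # readlink -f canonicalises the link; basename yields the group number.
        basename "$(readlink -f "$d/iommu_group")"
    else
        echo none
    fi
}

# For each bus named on the command line (e.g. platform, pci), list one
# "<bus> <device> <group>" line per device under $root/bus/<bus>/devices.
list_iommu_isolation() {
    root="$1"; shift
    for bus in "$@"; do
        for dev in "$root/bus/$bus/devices"/*; do
            [ -d "$dev" ] || continue   # a missing bus leaves the literal glob; skip it
            printf '%s %s %s\n' "$bus" "$(basename "$dev")" "$(iommu_group_of "$dev")"
        done
    done
}

# Count devices on the listed buses that have no IOMMU group at all.
count_unisolated() {
    list_iommu_isolation "$@" | awk '$3 == "none" { n++ } END { print n+0 }'
}

# Stand-alone run: table for the platform and pci buses of the live (or pulled) sysfs.
list_iommu_isolation "${SYSFS_ROOT:-/sys}" platform pci
```

The test below builds a constructed sysfs tree with one isolated device (sample name modem0) and one without a group (sample name wlan0) instead of reading the live /sys.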