Attack surface of using a SIM vs. a RJ45 dongle

henry9018

When talking about the recent Pixel 8/9/10 series, can we consider that using a physical SIM vs. any RJ45 dongle be equally secure/isolated?

From what I have read, when using a SIM there needs to be again a serious bug in the modem firmware as well as a vulnerable kernel driver for being able to compromise GrapheneOS. For any USB dongle I would expect that it is far less tested and secure. So a potential attacker directly compromising it or over an attached router may have a higher chance to interact with the USB interface, although then there still needs to be another vulnerability to succeed.

What do you think about, may it even make a huge difference?

void0

You need to expand a bit more on your setup and who your adversaries are in this scenario (gov/big tech/other).

Are you comparing sim data against an isp internet plan with rj45?

henry9018

void0 You need to expand a bit more on your setup and who your adversaries are in this scenario (gov/big tech/other).

Since big tech will not start hacking into individual devices for any tracking purposes, the considerations are only about gov and related actors. At least in my case there should be no reason for any hacking, but you never know what others assume when noticing a hardened setup consisting of GrapheneOS with a VPN etc. The goal is to retain user data privacy by comparing if one solution has a security advantage over the other. Using a second Pixel as a gateway only may be a more secure solution, but it's an overkill for me and would burn additional money and resources.

Are you comparing sim data against an isp internet plan with rj45?

No, rather if using a physical SIM directly in the Pixel or instead connecting a RJ45 dongle, cable, OpenWRT router and there any common LTE dongle. For avoiding unnecessary correlations and a bit better initial security, all components would be newly bought and exclusively used in this setup. When also considering anonymity, for sure, regularly using even an anonymously bought data-only SIM on the same place(s) would allow to find out who the person is, but that is a common tradeoff which non-high risk people often need to accept and is not really the topic here.

Using the SIM in the Pixel is convenient, while using an OpenWRT installation (or a second Pixel) requires additional maintenance efforts regularly. With OpenWRT there is also at least the option for tinkering, although any dedicated router is always less portable than using a SIM directly.

So assuming a sophisticated attacker has privileged access to both the mobile network and RJ45 dongle, perhaps the Pixel 8/9/10 hardware with GrapheneOS remains considerably stronger in one of the cases?

Upstate1618

Routers are often poor at security because they lack security updates and verified boot. You also have to enable USBC which is also risky. A hotspot can also be used to track your location by anyone.

Upstate1618

Why not just using SIM? Your so called vulnerability doesn't exist

henry9018

Upstate1618 My question was not about whether there is an unfixed vulnerability present, but whether using either the baseband or the USB-C port is maybe more secure. If I read below FAQ and explanation from GrapheneOS correctly, they implemented protections but as usual there can still be unknown vulnerabilities.

https://grapheneos.org/faq#baseband-isolation

https://x.com/GrapheneOS/status/2004699245606220207#m

Modem obeys towers whether you trust Google or not

No, it doesn't obey the cellular network or carriers. It's Samsung that's being trusted, not the cellular network or carriers. It's an unprivileged, isolated radio similar to Wi-Fi, Bluetooth, NFC and UWB. It doesn't give control to the networks it joins just as those other radios don't do that. There can be firmware vulnerabilities so there's a lot of internal hardening and regular updates. We can harden it through attack surface reduction (disabling protocols and features) and we can harden the OS from being exploited from it since it's an isolated component like the other radios. An attacker exploiting the cellular radio does not get control over the device and needs an OS exploit for the drivers/services talking to the cellular radio to take control of the OS, which is certainly something we can and do protect against.

23Sha-ger

SIM vs. a RJ45? You are comparing apples to oranges.
Maybe SIM vs eSIM/Wifi?

Doesn't make sense to compare a radio technology, based on subscriber identity, to a wired zero knowledge.

henry9018

23Sha-ger My question is only about any possible hardware and GrapheneOS attack surface differences when using the built-in baseband vs. the USB-C port.

de0u

henry9018 My question was not about whether there is an unfixed vulnerability present, but whether using either the baseband or the USB-C port is maybe more secure.

I don't think it's possible to provide a strong answer here. The problem is that there isn't really anything about cellular baseband hardware or Ethernet hardware or USB-C hardware that is particularly safe or particularly dangerous. The risks are generally going to be in firmware or software. In both cases there's a lot of it (which adds risk) and it's complicated (which adds risk). The cellular baseband hardware certainly has a bunch of closed-source firmware (and then there will be driver code, plus of course an entire IP stack to exploit), but these days an Ethernet transceiver probably also contains firmware (and then there will be driver code, plus of course an entire IP stack to exploit). There is probably less firmware inside an Ethernet dongle, but it's probably much harder to replace that firmware.

I guess you could try adding up the lines of code or the sizes of the object code for each option, but honestly either way there will be a lot of it. These days USB-C includes the DisplayPort Alt Mode code, which I suspect is not small.

Some people seem to have a certainty that cellular baseband firmware is uniquely dangerous, but it's not clear what supports that. It's true that when a radio is involved it's possible to mount an attack from the other side of a wall or the other side of the street... but actually people compromise IP routers, especially home routers, from the other side of the world every day.

Meanwhile, if the question is whether a random malefactor is more likely to get into a Pixel via the cellular baseband or by sneaking through an Ethernet cable... I suspect the answer is: neither one. It's more likely they'll show up via a web page delivered over one or the other.

And if the question is whether somebody deliberately targeting a specific person will show up over the air or along a wire.... any well-resourced attacker will try to figure out which vulnerabilities that specific person is subject to (including inventing new ones).

Upstate1618

While there may be vulns in the baseband, carrying around or constantly connecting Pixel to a known insecure device all the time is clearly recommended against.

henry9018

Upstate1618 constantly connecting Pixel to a known insecure device all the time is clearly recommended against.

Yes, although in the end it may not differ much from using any of the radios, as public APs are for example likely also not very secure. So as described by de0u there seems to be no clear winner. Thank you!

henry9018

henry9018 I have found a statement from GrapheneOS. While already from April 11, 2024 it may still be true.

https://x.com/GrapheneOS/status/1778411459635990865#m

Those are less private and secure than simply using a privately obtained eSIM. We do not recommend using a USB or Wi-Fi based hotspot instead of the more isolated and more secure radio in the phone. USB is much worse for isolation than the IOMMU isolation used within the phone.