Google adds Rust to Pixel 10 modem for security

Summary
– Google’s Project Zero demonstrated remote code execution on Pixel phone modems, prompting a security reassessment.
– Cellular modems run legacy C/C++ code, leaving them vulnerable to memory-safety attacks such as buffer overflows.
– Modem firmware is difficult to update due to decades of technical debt and the need for real-time performance.
– Researchers have found numerous severe vulnerabilities in Exynos modems, with more likely existing due to code complexity.
– Google is implementing Rust in the Pixel 10 modem for memory safety, as garbage-collected languages are too slow for this real-time task.

In the ongoing battle for mobile security, the operating system often gets the most attention. Yet, a far more critical and vulnerable component lies beneath: the cellular modem. Recent research from Google’s own Project Zero team demonstrated that remote code execution on Pixel phone modems is a real threat, compelling the company to fundamentally rethink its approach. The result is a significant architectural shift for the upcoming Pixel 10, where a new Rust-based component is being integrated directly into the modem firmware to bolster its defenses.
The cellular modem operates as a distinct, isolated system, essentially a black box running its own specialized operating system. This baseband firmware is typically written in legacy languages like C and C++, in which memory safety is notoriously difficult to maintain. The resulting memory-unsafe firmware code creates a persistent attack surface, allowing flaws such as buffer overflows and memory leaks to potentially compromise the entire device from a low level.
Given these well-known risks, why does this outdated paradigm persist? The answer lies partly in the sheer inertia of embedded systems. Modem development has been built upon decades of 3GPP specifications, accruing immense technical debt. Furthermore, these components must process data in real time to maintain cellular connectivity, a task for which the raw speed of C and C++ has long been considered essential.
The vulnerabilities are not theoretical. Google’s demonstration of an Exynos modem exploit is just one example in a growing list. Project Zero has cataloged over two dozen such vulnerabilities in recent years, with 18 rated as severe. While patches are issued upon discovery, the inherent complexity and opacity of modem code virtually ensure that more severe vulnerabilities remain hidden, waiting to be discovered by malicious actors.
Addressing this core problem requires closing the memory safety loopholes at their source. Rust emerges as a compelling solution. It is not the only memory-safe language available, of course. Alternatives like Python and C# employ garbage collection to manage memory automatically. However, that process introduces unpredictable latency and performance overhead, making it unsuitable for the real-time demands of modem firmware. Rust’s unique advantage is its compile-time ownership model, which enforces memory safety without a garbage collector, preserving the performance necessary for this critical hardware.
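The property described above, shown as an added example that is not from the article and is not Google's modem code: a parser that reads untrusted bytes without a garbage collector, heap allocation or copying, yet cannot read past its buffer. The tag-length-value format and the names `parse_element` and `find_tag` are assumptions made for illustration.

```rust
// Added example: zero-copy parser for a constructed tag-length-value format.
// The format is hypothetical and is not a real 3GPP message layout.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated, // header or declared value length runs past the input
}

/// One element borrowed from the input: no heap allocation and no copy.
/// Lifetime 'a keeps the element from outliving the buffer it points into.
#[derive(Debug, PartialEq)]
pub struct Element<'a> {
    pub tag: u8,
    pub value: &'a [u8],
}

/// Parse one element; return it together with the unparsed remainder.
pub fn parse_element<'a>(input: &'a [u8]) -> Result<(Element<'a>, &'a [u8]), ParseError> {
    // split_first yields None on an empty slice instead of reading past it.
    let (&tag, rest) = input.split_first().ok_or(ParseError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(ParseError::Truncated)?;
    let len = usize::from(len);
    // The sender-controlled length is checked against the bytes really present.
    if len > rest.len() {
        return Err(ParseError::Truncated);
    }
    let (value, rest) = rest.split_at(len);
    Ok((Element { tag, value }, rest))
}

/// Walk every element and return the value of the first one carrying `tag`.
pub fn find_tag<'a>(mut input: &'a [u8], tag: u8) -> Result<Option<&'a [u8]>, ParseError> {
    while !input.is_empty() {
        let (elem, rest) = parse_element(input)?;
        if elem.tag == tag {
            return Ok(Some(elem.value));
        }
        input = rest;
    }
    Ok(None)
}

fn main() {
    // Constructed sample: tag 0x01 (2 bytes), then tag 0x02 (3 bytes).
    let good = [0x01, 0x02, 0xAA, 0xBB, 0x02, 0x03, 0x10, 0x20, 0x30];
    println!("{:?}", find_tag(&good, 0x02));
    // Constructed malformed input: length field claims 255 bytes, 2 present.
    let bad = [0x01, 0xFF, 0xAA, 0xBB];
    println!("{:?}", find_tag(&bad, 0x01));
}
```

If the explicit length check were removed, `split_at` would panic on the malformed input rather than read adjacent memory, so the failure becomes a controlled stop instead of an out-of-bounds read.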
(Source: Ars Technica)

