One of the biggest security concerns I used to chat about with geeky network friends in quiet whispers behind closed doors was about the baseband radio software in cell phones.
This is the lowest level of software embedded in the phone. It is responsible for establishing and maintaining connections to the cell tower, for example. But it is basically only secured through its obscurity. Nobody really thinks about it, and nobody was ever gonna build their own cellphone tower to exploit such a weakness (cough, cough, Stingray, coughcoughcough), so it was always a hypothetical that we just kinda hoped never got exploited.
Because imagine every cellphone in a city, for example, suddenly trying to connect to a single business. (Via any connection, phone, internet, whatever.)
Nobody is going to be able to sustain an attack of that magnitude.
And 90% of the people with the cell phones won't even know their phone is doing it.
And there would be almost no way to stop it without simply taking down the entire cellular network for the city.
Think that through for a moment, and you can see why we only talked about this type of attack in hushed whispers behind closed doors.
Well... that vulnerability has been established. And published.
Whoops.
So the first thing is that to overflow the stack on the baseband radio, the baseband radio needs to receive radio signals telling it to overflow the stack. Which means yes: Stingray, DRTBox, etc. Which means a rogue cell tower, effectively, which do exist. But that means you're only going to exploit baseband radios within range of your rogue towers. There are probably about a quarter million cells in the US. Simply looking up "How many cell towers in Poughkeepsie?" gives you an impressive display. So your infection is going to be slow and isolated unless you have a big investment in hardware, or can take over Sprint, in which case what do you need the broadband exploit for? But let's say you grab 10,000 cell phones and convince them to all call 911 all at once. The useful thing is it's all data. Even a bum-ass end user like me, with my 25 channels into my 16-channel SIP gateway, can set a failover so that my local E911 calls go to the next dispatch and a filter so that any CallerID that hits me more than four times in four minutes gets filtered for 20 minutes (I'll bet there's something similar in place already against butt dials). And that's with my retail interface on my bottom-dollar SIP trunk, which I only learned about this week because $4/mo and $0.008/min for 16 lines kicks the shit out of $89.95/mo for two lines from Comcast. I'm the n00biest n00b there is with this stuff and I can tell you it hits packet abstraction quickly, at which point it's just another DDoS. But let's presume that you can hack the radio, have it patch the exploit behind itself, then pretend to be a cell tower to any other phone within range and spread the exploit. Now you're talking real numbers. But you're still only talking the cell radio. The Wi-Fi radio is its own thing, as is the Bluetooth, and both of them are vulnerable to the power button. You can't create a botnet by hacking the NIC. All you can really do is make the NIC act up.
If your hacked phone was attacking a number, you'd know - you'd be unable to make a call. And the cell provider could pretty easily disavow any cell phone that refused a query and quarantine them off the network. Inconvenient? Yes. Expensive? Yes. Bone-chillingly apocalyptic? Well, I think you can do more damage with less.
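The CallerID filter described in the reply above (more than four hits in four minutes earns a 20-minute block), written out as an added example that is not the poster's own gateway configuration. The class name, the thresholds as defaults, and the sample call log are assumptions for illustration.

```python
from collections import defaultdict, deque

HIT_LIMIT = 4        # more than this many hits ...
WINDOW_SEC = 4 * 60  # ... inside this sliding window ...
BLOCK_SEC = 20 * 60  # ... filters the CallerID for this long


class CallerIdFilter:
    """Sliding-window rate limiter keyed on CallerID (hypothetical helper)."""

    def __init__(self, hit_limit=HIT_LIMIT, window=WINDOW_SEC, block=BLOCK_SEC):
        self.hit_limit = hit_limit
        self.window = window
        self.block = block
        self._hits = defaultdict(deque)  # caller -> timestamps of recent hits
        self._blocked_until = {}         # caller -> time the block lifts

    def admit(self, caller_id, now):
        """Return True if the call passes, False if it is filtered."""
        until = self._blocked_until.get(caller_id)
        if until is not None:
            if now < until:
                return False               # still inside the 20-minute block
            del self._blocked_until[caller_id]
            self._hits[caller_id].clear()  # block expired: start counting fresh
        hits = self._hits[caller_id]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()                 # drop hits older than the window
        if len(hits) > self.hit_limit:
            self._blocked_until[caller_id] = now + self.block
            return False
        return True


def filter_calls(calls):
    """Run a (time_sec, caller_id) log through the filter; return admitted calls."""
    f = CallerIdFilter()
    return [(t, c) for t, c in sorted(calls) if f.admit(c, t)]


# Constructed sample log: one number redialing every 30 s, one normal caller
SAMPLE_CALLS = [(t, "+15550000001") for t in range(0, 300, 30)]
SAMPLE_CALLS += [(15, "+15550000002"), (250, "+15550000002"), (1320, "+15550000001")]

if __name__ == "__main__":
    for t, c in filter_calls(SAMPLE_CALLS):
        print(f"{t:5d}s  admitted {c}")
```

CallerID is asserted by the caller, so this is a nuisance filter against redial storms, not an authentication control.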