So the first thing is that to overflow the stack on the baseband radio, the baseband radio needs to receive radio signals telling it to overflow the stack. Which means yes: stingray, dirtbox, etc. Which means a rogue cell tower, effectively, which do exist. But that means you're only going to exploit baseband radios within range of your rogue towers. There are probably about a quarter million cells in the US. Simply looking up "How many cell towers in Poughkeepsie?" gives you an impressive display. So your infection is going to be slow and isolated unless you have a big investment in hardware, or can take over Sprint, in which case what do you need the broadband exploit for. But let's say you grab 10,000 cell phones and convince them to all call 911 all at once. The useful thing is it's all data. Even a bum-ass end user like me, with my 25 channels into my 16-channel SIP gateway can set a failover so that my local e911 calls go to the next dispatch and a filter so that any CallerID that hits me more than four times in four minutes gets filtered for 20 minutes (I'll bet there's something similar in place already against butt dials). And that's with my retail interface on my bottom-dollar SIP trunk, which I only learned about this week because $4/mo and $0.008/min for 16 lines kicks the shit out of $89.95/mo for two lines from Comcast. I'm the n00biest n00b there is with this stuff and I can tell you it hits packet abstraction quickly at which point it's just another DDOS. But let's presume that you can hack the radio, have it patch the exploit behind itself, then pretend to be a cell tower to any other phone within range and spread the exploit. Now you're talking real numbers. But you're still only talking the cell radio. The Wifi radio is its own thing, as is the Bluetooth, and both of them are vulnerable to the power button. You can't create a botnet by hacking the NIC. All you can really do is make the NIC act up. If your hacked phone was attacking a number, you'd know - you'd be unable to make a call. And the cell provider could pretty easily disavow any cell phone that refused a query and quarantine them off the network. Inconvenient? Yes. Expensive? Yes. Bone-chillingly apocalyptic? Well, I think you can do more damage with less.