Mobile Security

The Baseband Processor: The Other Operating System in Your Phone

July 11, 2026 8 min read Haven Team

Your phone runs two computers. One is the one you know: the application processor, running Android or iOS, patched monthly, studied by thousands of security researchers. The other has its own CPU, its own memory, and its own operating system, ships as closed firmware you cannot inspect, and spends all day parsing radio messages from whatever cell tower is loudest. In 2023, Google's Project Zero found bugs in one vendor's version that could be exploited knowing nothing about a victim except their phone number.


What the Baseband Actually Is

The baseband processor, also called the modem or cellular processor, is the subsystem that implements the cellular protocols: GSM, UMTS, LTE, 5G. It handles registering with towers, negotiating radio channels, encoding your voice calls, and moving your packets. It runs a dedicated real-time operating system on its own processor core, separate from the main OS, because radio protocol timing does not tolerate the scheduling jitter of a general-purpose kernel.

Three properties combine badly from a security standpoint. First, the firmware is closed: it is written by the modem vendor (Qualcomm, MediaTek, Samsung's Exynos group, Apple's recent in-house C1 line), signed, and shipped as a blob that neither you nor most researchers can read. Second, the codebase is enormous and old: cellular standards drag decades of accumulated protocol machinery behind them, including 2G-era state machines written long before memory-safety was a design priority, largely in C. Third, its input is the air. The baseband parses complex, attacker-controllable messages from any transmitter that speaks the protocol, before any authentication of the network has happened.

An input parser, in C, of enormous complexity, processing hostile input from radio range, inside a black box. That combination is why baseband exploitation has its own category at security conferences.

The Exynos Bugs: Zero-Click, By Phone Number

The concrete case worth knowing is Project Zero's March 2023 disclosure. Google's researchers reported eighteen vulnerabilities in Samsung Exynos modems, used at the time in various Samsung Galaxy models, some Pixels, and several wearables and cars. Four of the eighteen allowed internet-to-baseband remote code execution: an attacker needed only the victim's phone number to compromise the modem, with no click, no message the victim would see, no indication anything happened.

The severity was unusual enough that Project Zero withheld technical details for the four worst bugs, an exception to its own disclosure policy, and publicly recommended that users of affected devices disable Wi-Fi calling and VoLTE until patches arrived. Patches did arrive, through the ordinary monthly update channel, which is one of the few pieces of good news in the story: baseband firmware on a supported phone is updatable, and updates fix real, weaponizable bugs.

Why "zero-click" matters here

Most attacks need you to do something: open an attachment, tap a link, install an app. A baseband remote-code-execution bug needs you to have a phone that is turned on. There is no user behavior to train, which is why the only defenses are patching, attack-surface reduction, and isolation.

What a Compromised Baseband Can and Cannot Do

Everything that travels the cellular path transits the baseband: your calls, your SMS (including two-factor codes), your data traffic, and the signaling that reveals your location to the network. A compromised baseband can observe and manipulate all of it. It can also lie to the main OS about network state, and it can keep transmitting things the main OS believes are off.

What it can do beyond the radio path depends on the phone's architecture, and this is where the last decade genuinely improved. In older and cheaper designs, the baseband shared memory with the application processor, so owning the modem meant owning the phone. Modern flagship designs put the baseband behind an IOMMU, a hardware unit that restricts which memory the modem can touch, so a compromised modem cannot simply read the application processor's RAM. Compromise of the baseband then means compromise of your cellular traffic and location, which is bad, but your Signal messages, encrypted before they reach the modem, stay encrypted through it. End-to-end encryption was designed for untrusted networks, and the baseband is best modeled as the first hop of the untrusted network, sitting inside your pocket.

This framing also clarifies the relationship between basebands and IMSI catchers. A fake base station does not need to exploit anything to log identities or push phones onto weaker protocols; the protocols themselves permit that. A baseband bug is what an attacker reaches for when passive and downgrade tricks are not enough.

The 2G Problem

A large share of the baseband's attack surface is code for protocols you no longer need. 2G's cryptography is broken, its networks are shut down in many countries, and its authentication is one-directional: the phone proves itself to the network, the network proves nothing to the phone, which is precisely what fake base stations exploit. But every baseband still speaks it, and an attacker who can force a phone down to 2G gets to talk to the oldest, least maintained parsers in the firmware.

Android has shipped a user-facing "Allow 2G" toggle since Android 12 (on devices whose radio HAL supports it), and hardened builds like GrapheneOS go further, defaulting to LTE-and-newer configurations. Turning 2G off is the single cheapest baseband-attack-surface reduction available to an ordinary user. The cost is losing service in the shrinking set of places where 2G is the only coverage.

What You Can Actually Do

The Structural Point

The baseband is a reminder that "my phone" names a committee. The device in your pocket contains code written by the OS vendor, the phone manufacturer, the modem vendor, and the SIM issuer, with different update cadences and different amounts of public scrutiny. The application processor side of that committee gets most of the attention because it is where researchers can look. The modem side gets attention mainly when something like the Exynos disclosure forces it.

You cannot audit your baseband. You can decide how much to route around it: which protocols you let it speak, which secrets ever cross it in plaintext, and whether the phone carrying it still receives patches. Those three decisions cover most of what is actually in your control.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →