➡ In Taiwan and the US, iPhones and high-end Android phones use Qualcomm, while most Android phones worldwide use Mediatek. These companies hold patents for cell tower communication, making modem processors a “black box” that could potentially hide spyware. Modem processors run an operating system called rtos and can be updated remotely. They house SIM cards and unique identifiers like the IMEI and IMSI. When a phone connects to a tower, it sends data in three categories: internet data, voice data, and call metadata. Carriers can see which IP addresses you interact with, but most traffic is encrypted. However, government agencies can access more data through programs like PRISM. The SS7 network carries non-voice call elements and can be used to remotely control phone functions. While hacking the application processor through the modem processor is theoretically possible, it hasn’t been proven in practice. Misconceptions about modem processor threats include the belief that the IMEI is passed through SS7, when it’s actually kept at the carrier level. Using a VoiceOver IP app can provide an extra layer of identity protection. Google Phones eliminate threats from the AP side by removing dangerous system apps.

What are all the spyware elements of a smartphone? This is a frequent question asked and frankly it’s a nightmare and fairly hard to grasp. So many different parties are able to control different pieces of the spyware and phones, and these threats include three letter agencies, big tech carriers, and hackers. Fortunately, it is possible to mitigate a lot of this if you understand what the threats are. But you can’t lump all these threats into one single group because they can’t access each other’s data. Each threat can steal some sliver of your data. The problem is that this is such a complex topic and the challenge is to organize this in such a way where I can still provide the needed detail, but not make it too technically dense.

You need to understand where all the holes are in a smartphone and it affects your choice of phones and and phone services. When you all jump into the newest device, thinking you’ve got the better camera or AI fascinates you. In reality, you’ve been fooled again, it just has better ways of tracking you. I know that if I try to go too deep into all the possibilities that this will be a very long video, so I will try to just make general statements without going into excessive detail. Maybe we can handle the detail in future Follow up Q and A videos and live streams on On Rumble.

This video will be one of the most detailed you will find on the Internet showing the complete threat of a mobile phone. So if you’re really interested in discovering all the dangers in it, this video is for you. At the end of the video I will actually give you some solutions to some of the issues I will bring up. So stay right there. First, let’s start with the basics. A phone has two main computers, or really the term is two CPUs. Yes, the actual motherboard of a phone is just one tiny circuit board. But forgetting about miniaturization, there are two separate computer systems in it.

A the application processor or ap, and b the modem processor or or mp. What is interesting is that each processor runs its own operating system. The application processor is running iOS or Android, depending on the model. The modem processor, also known as the Cell baseband modem, runs an OS called RTOS real time operating system and believe it or not, it is not controlled either by Apple or Google. This will all matter much later, but we will discuss these processors in sequence. The application processor, or ap, is what controls the main user interface of a phone. So when you think of a phone, you think of iOS or Android, but really that’s just the application processor.

When you’re thinking about your favorite social media apps. You’re thinking of the application processor. The application processor has limited interaction with the modem processor. It may ask the modem processor some questions about the setup of the cell connection or Internet connection. But iOS or Android really makes just requests and they’re completely separate modules. So the AP does not have anything to do with the cell connections directly. The AP operates primarily through an Internet connection. It can access the the Internet through the WI FI chip which is integrated into the ap. Or it can use an Internet connection established by the modem processor using cell data or the radio.

To the ap, the modem processor is just a router. Other modules that are part of the AP are Bluetooth, GPS and other sensor. The operating system of the AP, which is iOS or Android, typically has two kinds of programs or apps running in it. The ones built into the OS are called system apps. They’re always running and you cannot control them. Then there are the user apps which you can install from the app stores. The threads from the user apps are usually whatever data you’ve allowed the apps to receive based on permissions. So if a user app takes your data, it is your fault as you gave it permissions.

Your social media apps are user apps. In contrast, you have no control over system apps. System apps do not appear on your home screen. System apps are installed by Google or Apple and are involved with identifying you through your Apple ID or your Google ID, tracking you via device identifiers like IMEI and IMZ, endo telemetry and constant location location tracking 24,7 do not be tricked by lies on this matter. System apps on standard phones track you 24,7. In the case of Apple, if you lose Internet, the tracking continues using Bluetooth, BLE or otherwise known as Long Range Bluetooth.

If you turn the iPhone off, then it continues to send signals using BLE until the battery runs out. One of the most dangerous tracking tools in phones is the 247 location tracking which is stored by Google in the Google Sensor vault at their hq. This data is frequently provided to government when they do something called geofencing, finding out who was at a certain location at a certain time. This, for example, was used in the J6 riots. Accurate location is possible from GPS outdoors and WI FI triangulation when indoors. But this data is captured by system apps only and there are dedicated apps focused on WI FI triangulation.

Another new group of extremely dangerous system apps are those that are built into AI like Apple Intelligence, Google Gemini, kind of like Windows Copilot, On Windows, these apps are called AI agents which operate in conjunction with the AI and you have absolutely no control over them. These are there to hear what you hear, see what you see and know what you know. Currently, they are the worst Trojan horse spyware you can have today. Basically this system apps cancel end to end encryption. Now fortunately, there are ways around these system apps. There are phones we commonly call the Google phones that eliminate these bad apps.

An example of this is our new Brax 3 phone. So these types of phones have eliminated all system app threats. The only direct threat to a de Google phone come from user apps and these are controlled by permissions you give. So the onus is on you. By the way, in the Google phones, user apps have no access to device identifiers like the IMEI and imz. And the Google phones have no Google ID or Apple id. So by default these phones do not report themselves to Apple or Google. Another threat that exists on all phones comes from the GPS module.

On most phones, the gps, Wi Fi and Bluetooth are a single module from Broadcom. In addition to supplying GPS information to apps with permissions or system apps, the GPS module will request the motor processor for the identity of the nearest cell tower which it will scan for. The modem processor always knows the nearest cell tower, even if it belongs to another carrier. This is because phones are made to contact that cell tower for emergencies requiring 911 calling or for sending government alerts. That tower identity is passed to Google using an Internet link to supple.google.com supple is an assisted GPS feature.

Supple returns the radio frequencies of the closest GPS satellites, which then allows for instant GPS activation and is an important convenience feature in modern phones. The problem is that the Google Supple server then knows the approximate location of any every phone in the world, at least in relation to the closest cell tower. Obviously you can consider this to be a circular area around the tower, so it’s not super precise, but at the very least it will be within a mile or two of that tower. Most phones have not eliminated this threat, including most D Google phones.

What is not clear is what identity is known that is sent to Supple. In theory, the GPS module could query the modem processor to ask for the IMEI of the device. But I cannot tell you what identifiers it sends with certainty. So this is a known leak with many phones de Googled or not. We have come up with our own workaround to this in our Brax phones, but most operating systems leave this alone. The AP communicates via the Internet. So theoretically iPhones aside, if there is no Internet then it would be impossible for a phone to connect to Google.

So theoretically this could kill a lot of spyware. I say iPhones aside because iOS will shift to Bluetooth, low energy and talk to other iPhones if Internet is lost. So iPhones are extra dangerous here with this. There are known hacking threats to the ap. The most well known is the Pegasus attack which targets iPhones mostly via attachments in imessage. These are known as zero day attacks because it is not known exactly how they are done as the data has not been publicly revealed otherwise. Generally it is very difficult for non state level hackers to break into phones without physical access.

So don’t expect your neighbor to hack your phone. I’m sure Pegasus must cost millions to use and thus it is often utilized by governments against their enemies. The modem processor is a very complex unit inside your phone. There are only two makers of modem processors, Qualcomm which is a US company and MediaTek which is in Taiwan. IPhones use Qualcomm. Most high end and Android phones sold in the US use Qualcomm. The rest of the world uses Mediatek on the majority of Android phones. The patents for communicating with cell towers is held primarily by these two companies and because of these patents a modem processor is a black box.

It is completely insulated from the ap through the two CPUs. Though the two CPUs share the memory, they do not publish anything publicly about the mp. All stuff is secret. The secrecy could also mean that three letter agencies and other bad parties are able to potentially hide spyware in them and some of those have been discovered. In spite of this, we know a lot about the MP which runs an operating system called rtos. Also as far as I know, modem processors can be flashed over the air by with updated instructions sent remotely. Thus many times some of you will see an alert showing carrier update.

The modem processor houses the physical SIM cards as well as the ESIM if you have any. It also has flash memory that has the IMEI identifier which is a unique identity to the modem processor. The SIM cards contain the subscriber identity and is given to you by your carrier. That identity is called imsi. SIM cards can also store some data like contacts and some of the spyware. For example, SIM cards can provide a website like UI to a controlling entity. The IMSI being broadcast by the phone can be used to identify you. However, the IMSI is no longer broadcast as it was in the past.

Instead, a derived value called the k1 or k is what is sent over the air. And if you’re the carrier, you can translate the K1 to the original IMSI internally. If you are not the carrier for that SIM card, then you cannot validate the K1. You will not know what the MZ is, so non carrier towers will not establish a normal connection with the phone. It is also important to know that carriers have their own reserved frequencies and that will be noted in the SIM card. There will also be a carrier identifier on the SIM card.

That’s why there’s a different SIM card per carrier. However, if you do a 911 call, the tower has to accept your call even if you have no SIM card or K1. This is why phones may query a closest tower even when it is not your carrier. Regardless of frequency, remember that your phone initiates a contact to the tower if you do 911, but by default the phone will not transmit to the tower. With no SIM card, the MP’s job is to connect to your carrier’s tower and validate your identity. Once your identity and subscription status is determined, then an open radio channel becomes active.

Through this radio channel, the phone will send multiple data elements. First is to regular Internet traffic or what we call cell data. And then the calling data will be sent as well in what is referred to in modern phones as voiceover, LTE or VoLTE. This was different in older phones, but in new phones all data is now digital and sent through this single cell data connection. Back in the day it was split into analog and digital portions. Not anymore. Once the radio transmission is received at the tower, the data is split up into multiple pieces. This is going to be important to understand.

There are three categories of data which the signal is split into. Number one Internet data 2. Voice data 3. Call metadata and commands. Once the Internet data crosses over to the tower, the Internet data is identified by an IPv6 address within the carrier network. Then it follows standard Internet routing protocols. At the termination point within the carrier, it is passed through an Internet router and the traffic is translated to IPv4 so it can be sent to the Internet. Thus, at the receiving end of the traffic, let’s say at some Internet platform like google.com, what they see is the IPv4 address of the carrier router.

They do not see the IPv6 address of your device. Also understand that 99% of traffic nowadays is encrypted with TLS, so the carrier does not actually see the the traffic. However, the carrier can see the IP addresses you are communicating with and will know you are interacting with YouTube or Google or Amazon. The carrier can also see your DNS request, but if you’re using a vpn, the carrier sees only an encrypted VPN connection and cannot see any other site including DNS. The end platform though cannot know your IPv6 address which identifies your device without a warrant.

So that’s why cell data can be useful if you have no VPN. However, if your threat is a three letter agency then they can see your IPv6 because most of the carriers supply that data to the government via the PRISM program. So no hiding from three letter agencies. Without a vp, the call data is the actual voice traffic. By law, no one is supposed to be recording any voice data without a warrant, so generally speaking if they abide by this, I would expect this to be a concern only for targeted people. However, this voice data is intercepted at various points in the phone infrastructure called the pstn, the Public Switch Telephone network and Snowden referred to voice print capability that can identify identify any voice around the world.

Now the actual signaling and switching is passed in this third channel and this channel has a special name. It is called SS7 or signaling system 7. This is where you will find all the elements of a call not tied to the voice. This includes caller and callee numbers, commands like ring, hang up, busy Pickup, forwarding caller ID and also includes all SMS traffic. Access to the SS7 network is typically restricted to carriers. This is the main source of information captured by the NSA prison program. I’m certain three letter agencies store all the information accumulated from SS7.

There is the FBI DCIS database which collects all this data including all calling data and all sms. This is provided automatically to the FBI under the CALEA law in the us. So expect that all calling data and all SMS data is stored and recorded in multiple databases in three letter agencies. Now the interesting thing about SS7 is that it is bi directional. Certain commands to the modem can be sent to your device via SS7 and translate it to commands the modem can understand. This can then initiate all the functions possible on phones like calling and texting, but controlled remotely by someone who has access to SS7.

Commands are not visible to you because they are hidden text. An example of an attack on the modem processor is the SIM jacking attack. It uses SS7 to send commands to control the calling features of your phone. To me the biggest threat here is being able to turn on your phone without your knowledge and thus be able to listen in on conversations. This is an example of the truly bizarre spyware affecting a modem processor. It is possible to hack the application processor through the modem processor as theoretically proven by some hackers because the CPUs share memory.

But currently this is not proven to have been done in the wild, though it is possible that someone has done this and kept it a secret. In general, there is no protection from hacks to the modem processor coming from the SS7 side. This applies to all phones, including the Google phones, but the clear threats so far are limited to call and texting functions, not stealing photos from the AP side of things There are several misconceptions about the modem processor threat. First, although a carrier establishes a connection with the device using the K1 which drives the MZ, after the connection is established, the carrier does know the device imei.

This is true. However, the IMEI is not passed through SS7. The IMEI and IMZ are identifiers kept at the carrier level through the PSDN. The identifiers of devices are figured out by phone numbers only. This is an important detail since only carriers see the identity information. Now the only exception to this are three letter agencies that can see the subscriber data from the carrier via the NSA prison program. Now I will mention this as a related topic. If you’re using a VoiceOver IP app on the phone, let’s say say with a Brack’s virtual phone service for example, then you are not passing any IMEI or IMSI, you’re just going straight to the PSTN.

So in general a VoiceOver IP solution provides another layer of identity protection. Assuming the VoIP provider does not do KYC, meaning they don’t ask for ID. Based on this very compact information, you will have an idea of of where the threats are and how to resolve them. The Google Phones remove all the dangerous system apps including AI agents, location tracking, telemetry and so on. This is the only way to eliminate threats from the AP side. We know that the Google Phones have no dangerous system apps because these operating systems are open source and we can see what the system apps are doing.

No secrets. The Google phones also never ask you for a device, Google ID or Apple id. So phones have no identifiers and absent the system apps there is no way then to pass the unique identifiers like IMEI and IMZ to big tech. However, there is no 100% solution to to the supple threat which is a general location threat, though it is not a precise location, you can assume that the city you are in is known. A de Google phone can only be a phone that runs Android, but it is important to understand that system apps can never be removed from an iPhone.

So all the Apple intelligence agents cannot be eliminated nor any of the location spyware or app telemetry. IPhones will talk to Apple without Internet using ble. IPhones will talk to Apple if you turn off the phone because it will once again use ble. So I’m mentioning this specifically because there’s no solution to the iPhone problem. Just dump it. What the VPN does is prevent the carrier from seeing what websites you are going to. They won’t even know what apps you are using. It does this by encapsulating all Internet traffic to a single encrypted connection to the VPN server.

While you might think this is insignificant, understand that all carriers supply data directly to the NSA prison program. So yes, the carrier may discover that your signal connection is to a vpn, but that’s all they will know. In countries where certain platforms are banned, this approach will hide that well. If you do not care about this, it’s fine too as long as you’re using cell data. If you’re on a home network then you must use a VPN since you’d be revealing your home IP address and home location. As I revealed in this video, the three letter agencies have their hooks into every carrier as well as the entire infrastructure of SS7.

Thus it behooves everyone to be super conscious when you use the pstn. Use end to end encrypted apps like Signal and Session as much as possible. However, don’t bother if you’re using Apple Intelligence or Windows Copilot because it can spy on you anyway. Like I said, the entirety of the SMS system is recorded in SS7 and stored by government. So use the PSTN for unimportant things only. If you’re using a voiceover IP service with no kyc, then the effect is that you’re not identifying your call with an identity like an IMEI or IMZ that could be captured by the prison program.

If the service has no KYC or is housed outside the usa, then there’s no direct method to retrieve kyc. Be forewarned though that very few companies allow a no KYC VOIP service. I provide a solution like this, but it is very rare. This is a very abbreviated explanation of what’s going on with your phones. Just realize that there’s a lot of spyware in action at all times, but each portion exposes you to a different party. The application processor risk is mostly to big tech surveillance. The modem processor risk is mostly related to government mass surveillance. Folks.

Fortunately, I’m not just always bringing up problems. I do offer solutions and when I can, I create the solutions. One of the newest Solutions is the Brax 3 phone, which is currently on the crowdfunding site Indiegogo.com this phone is a true privacy phone which we created with a team of contributors. Check it out. We also have other products like the Brax Virtual Phone, which is a VoIP service with no KYC, a rare feature nowadays. We also have Braxmail that allows for unlimited aliases so you can use a different email for every Internet platform. We have bytesVPN, which is our reasonably priced VPN solution.

We also offer other de googled fonts which will provide the benefits discussed in this video. All these are on my platform Braxme. Please join the community of over 100,000 users there talking about privacy daily. The store is there with the products I mentioned. Thank you for watching and see you next time.
[tr:tra].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.