Google is turning its attention to a long-overlooked weak spot in modern smartphones: the cellular baseband. Rather than overhauling decades-old modem firmware, the company is introducing a Rust-based DNS parser in the Pixel 10 modem to strengthen an attack surface that typical OS protections don’t fully address. The move builds on years of research showing that once attackers breach the modem, standard sandboxing and exploit defenses at the operating system level may offer little protection.
The issue stems from how cellular modems are designed. A phone’s baseband functions as a separate operating system, usually built in C and C++, running tens of megabytes of mostly proprietary code responsible for tasks ranging from signal processing to protocol handling.
Managing memory in this environment is inherently challenging, often resulting in firmware that lacks strong memory safety. This leaves room for vulnerabilities such as buffer overflows, use-after-free errors, and memory leaks, which attackers can chain together to achieve remote code execution.
Google’s Project Zero team has previously shown that remote code execution against Pixel devices using Exynos modems is possible over the Internet. The group has also identified more than two dozen vulnerabilities in Exynos modems, 18 of them considered severe. Fixing those individual flaws, however, does not eliminate the broader concern, the codebase is still complex, proprietary, and widely exposed.
Rewriting modem firmware in a memory-safe language is not a practical short-term solution. Vendors have built up decades of code to meet evolving 3GPP standards, much of which remains closely guarded as proprietary technology.
At the same time, modems are required to run in real time, a constraint that has long favored C and C++ for their performance. Memory-safe alternatives like Python or C# depend on garbage collection, which can introduce latency spikes that are unsuitable for baseband operations.
Rust introduces a viable alternative for Google’s approach. Its ownership and borrowing model enforces memory safety at compile time via a strict borrow checker, eliminating the need for garbage collection. This prevents entire classes of memory vulnerabilities from compiling, positioning Rust as an effective choice for high-performance components that demand robust safety guarantees.
Instead of rewriting everything, Google identified one particularly exposed and well-bounded subsystem: DNS parsing inside the modem.
As cellular functionality has moved onto IP-based networks, DNS has become a critical component for how devices discover services and handle features like call forwarding. Because DNS parsers must process untrusted packets and interpret a complex protocol, they have repeatedly been a source of exploitable vulnerabilities when written in C or C++.
To reinforce this attack surface, Google adopted the hickory-proto DNS library, a widely deployed and actively maintained Rust implementation with comprehensive test coverage. Given that the Pixel modem is not subject to severe memory constraints, engineers were able to embed a streamlined no_std variant directly within the baseband firmware.
The Rust components add roughly 371KB to the firmware after the team removed standard library dependencies to meet modem constraints.
Within this architecture, incoming DNS requests are routed through Rust-based handling before interfacing with legacy C/C++ components. Consequently, memory corruption attempts delivered via malicious DNS payloads are mitigated by Rust’s compile-time guarantees, replacing exposure to manual pointer arithmetic.
Maybe you would like other interesting articles?