First look: Google is focusing directly on one of the least protected parts of modern smartphones: the cellular baseband. But the company is not trying to rewrite decades of modem firmware. Instead, it is adding a Rust-based DNS parser to the Pixel 10 modem to better harden an attack surface that traditional OS defenses do not fully cover. The work follows years of research showing that once an attacker reaches the modem, the operating system's usual sandboxing and exploit mitigations may no longer matter.

The security problem starts with how cellular modems are built. A phone's baseband is effectively its own operating system, typically written in C and C++, and it runs tens of megabytes of largely proprietary code that handles everything from signal processing to protocol negotiations.

Memory management in this environment is difficult, and the result is firmware that is "memory-unsafe" in ways that open the door to buffer overflows, use-after-free bugs, and leaks that can be chained into remote code execution.

Google's Project Zero team has already demonstrated remote code execution against the Pixel's Exynos-based modem over the Internet and has cataloged more than two dozen Exynos modem vulnerabilities, 18 of which are rated as severe. Patching those specific bugs did not change the underlying risk: the codebase remains complex, closed, and highly exposed.

Rewriting this firmware in a memory-safe language is not realistic in the near term. Modem vendors have accumulated layer upon layer of code aligned to 3GPP specifications over decades, and much of it is treated as a trade secret.

At the same time, modems must operate in real time, which has historically favored C and C++ for performance reasons. Other memory-safe languages such as Python or C# rely on garbage collection, which introduces latency spikes that are unacceptable for baseband workloads.

Rust gives Google another path. The language enforces memory safety at compile time through its ownership and borrowing model, using a strict "borrow checker" rather than a garbage collector. With Rust, code containing a whole class of memory errors simply does not compile, which makes the language a fit for performance-critical components that still need safety guarantees.

Instead of rewriting everything, Google identified one particularly exposed and well-bounded subsystem: DNS parsing inside the modem.

As cellular features have shifted onto IP data networks, DNS has become a core dependency for how phones locate services and route features such as call forwarding. DNS parsers must consume untrusted packets and decode a fairly complex protocol, which has made them a recurring source of exploitable bugs when implemented in C or C++.

To harden this path, Google selected the hickory-proto Rust DNS library, which is broadly used in the Rust ecosystem and has extensive tests and active maintenance. The Pixel modem does not face extreme memory constraints, so the team could integrate a trimmed-down, no_std version of hickory-proto directly into the baseband firmware.

The Rust components add roughly 371KB to the firmware after the team removed standard library dependencies to meet modem constraints.

Under this architecture, DNS requests that reach the modem are handled by Rust code before they can interact with legacy C/C++ paths. Attempts to exploit memory corruption via malicious DNS packets run into Rust's compile-time guarantees instead of hand-written pointer arithmetic.

The Pixel 10 is the first device to ship with this Rust-based DNS parser in its modem. Google presents this as a pattern for future work: isolate the riskiest parsing code, move it into memory-safe Rust, and, over time, shrink the share of legacy code exposed to untrusted data.