Backdoor in Samsung Galaxy devices – archived source

Backdoor in Samsung Galaxy devices ‘allows remote access to data’

According to one developer, Samsung has committed a big security error by letting its modem write to disk but Samsung says it’s a “software feature” that poses no risk to users.

Written by Liam Tung, Contributor on March 13, 2014

The developers behind Replicant, an Android OS based on CyanogenMod, claim to have found a backdoor in the modem of several of Samsung’s Galaxy devices that could allow a remote attacker to manipulate their files and data.

According to Replicant’s chief developer Paul Kocialkowski, Samsung software that handles communications on the baseband processor found in several Galaxy devices can be used by an attacker to turn the device into a spying tool.

Android device owners might be familiar with the reference to “baseband”, which usually gets updated each time a new Android firmware update is released. One version number refers to the application processor, such as Android 4.2.2, and the other corresponds to the baseband processor, or modem, which supports radio communications.

“We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system,” Kocialkowski wrote in a post on the Free Software Foundation’s blog.

Affected Samsung Galaxy devices, according to Kocialkowski, include the Nexus S, S, S2, Note, Nexus, the seven-inch Tab 2, the 10.1-inch Tab 2, and the Note 2.

The software in question is Samsung’s implementation of the Android Radio Interface Layer (RIL), which handles communications with the modem. While reverse engineering Samsung’s RIL to create its own replacement, Kocialkowski found the software uses the Samsung IPC protocol to implement RFS commands and perform remote I/O operations.

“The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case,” Kocialkowski wrote in his technical analysis.

“However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back door. Nevertheless, the result is the same and it allows the modem to access the phone’s storage.”

Kocialkowski argues that the modem is a powerful tool attack tool since it can be used to activate the device’s mic, use the GPS, access the camera, and change data. Also, given that modems are generally connected to an operator’s network, it makes such backdoors very accessible.

The impact of the backdoor depends on the permissions the software has. The worst case is where the service is running as root, while there’s a lower impact for devices where it’s running as an unprivileged user or where SELinux is implemented, which restricts the scope of possible files the modem can access.

According to Kocialkowski, the affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems.

Update Sunday 16 March: According to Samsung, the “software feature” exposed by Kocialkowski poses no security risk to users.

“Samsung takes the security of its products extremely seriously. We have investigated the claims that have been made and can confirm that there is no security risk. The Free Software Foundation’s recent allegations are based on a false understanding of the software feature that enables communication between the modem and the Application Processor chipset,” a Samsung spokesperson said in a statement.