
Poking Holes In Samsung's Android Security

Posted by timothy
from the ethical-hacking dept.
Orome1 writes "Tired of waiting for Samsung to fix a string of critical flaws in their smartphones running Android, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace. Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow. This includes a silent installation of highly-privileged applications with no user interaction and an app performing almost any action on the victim's phone."
  • by SpinningCone (1278698) on Thursday March 21, 2013 @10:02AM (#43233913)

    "any patches [Samsung] develops must first be approved by the network carriers."

    Well, there's your problem. If I had to call up my ISP every time I wanted to patch Windows, I'd be screwed.

  • Look for Nexus (Score:5, Insightful)

    by tepples (727027) <tepples&gmail,com> on Thursday March 21, 2013 @10:03AM (#43233941) Homepage Journal

    When finally rolled out, it wasn't the true android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz."

    Lesson learned: If you want a full-baked true Android experience, always look for the word "Nexus".

  • by Andy Dodd (701) <atd7@@@cornell...edu> on Thursday March 21, 2013 @10:23AM (#43234183) Homepage

    Yup. And look at the eMMC "Superbrick" defect on many of the GS2 family. Many of those devices had a defect in the eMMC wear leveller such that the chip could be unrecoverably corrupted if you issued a secure erase command to the chip. (Probably about a 5% chance of it happening, it's similar if not identical to the defect that hit some of their desktop SSDs in late 2012). Not even JTAG could bring a "Superbricked" device back to life.

    After discovery of exynos-abuse, the only thing standing between Samsung and permanent damage to thousands of devices was the fact that modern blackhats care more about obtaining information (money) than doing damage. Samsung knew about this bug for many months - they were aware of the defect in the eMMC chips as early as Galaxy Nexus prototype development in 2011. Yet they released updates for devices in 2012 with kernels that allowed secure erase through to the eMMC chip. The only safe device was the I9100 - which had MMC_CAP_ERASE removed from the kernel to protect the chip. In June 2012, Samsung publicly acknowledged the bug and claimed to be "working hard" on it - in July 2012 they released updates for the I9100 that turned the MMC_CAP_ERASE flag ON, putting those devices in danger.

    They had an official fix that blocked only secure erase merged into the mainline Linux kernel in September 2012, but not a single affected device had the fix deployed until 2013. Their "stuff takes time to get through carrier testing" line is bullshit. Sprint FI27 was *built* (as in, testing STARTED not ended) on September 27, 2012 (nearly a month after the official fix had been mainlined), and deployed to customers in early-mid October.

    As to the I9100 XWLPM MMC_CAP_ERASE fiasco, Samsung's answer was that the lack of MMC_CAP_ERASE in earlier source code was a mistake and that the source code did not match binaries running on devices (yes, that's right, Samsung's defense was "yeah bitches, we violated the GPL"). The strange thing is, this was one of the cases where Samsung's source actually DID match binaries - not a single I9100 ICS kernel prior to XWLPM and XXLQ5 had MMC_CAP_ERASE turned on. (This was obvious by the fact that no one experienced "Superbrick" on such devices.)

    Samsung's stance was that it was an "open source" problem, but the fact is, with a privilege escalation exploit, any malware could permanently destroy many of Samsung's devices to the point where a motherboard replacement (instead of mere JTAG) was required.

    In short, Samsung's "SAFE" marketing crap is bullshit. "Samsung Approved for Enterprise" - who did the approval? Samsung! Hardly an independent certification authority.
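
The MMC_CAP_ERASE point in the comment above can be checked on a device without ever touching the chip: the block layer publishes discard_max_bytes for each request queue, and the MMC driver leaves it at 0 when the host lacks MMC_CAP_ERASE (or the card lacks erase support), so 0 means the kernel never sends erase commands to the eMMC. This is an added example, not code from the thread; the sysfs directories it builds are constructed stand-ins for /sys/block/mmcblk0, and a non-zero value only says erase reaches the chip, not whether the later secure-erase-only fix is present.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether a Linux kernel will pass
# erase/discard requests through to an eMMC card, using the request-queue
# attribute the block layer exposes. The MMC driver leaves discard_max_bytes
# at 0 unless the host advertises MMC_CAP_ERASE and the card supports erase,
# so 0 means the kernel never issues erase commands to the chip at all.
# A non-zero value does not say whether *secure* erase is gated separately.

# mmc_erase_state DEVDIR: prints "blocked", "passthrough" or "unknown"
mmc_erase_state() {
    f="$1/queue/discard_max_bytes"
    [ -r "$f" ] || { echo unknown; return 0; }
    max=$(cat "$f")
    case "$max" in
        '' | *[!0-9]*) echo unknown ;;   # not a number: attribute garbled
        0) echo blocked ;;               # erase never leaves the kernel
        *) echo passthrough ;;           # erase/discard reaches the eMMC
    esac
}

# Constructed sysfs stand-ins so this runs anywhere; on a phone the argument
# would be /sys/block/mmcblk0 (the internal eMMC).
make_fake_dev() {
    d=$(mktemp -d)
    mkdir -p "$d/queue"
    printf '%s\n' "$1" > "$d/queue/discard_max_bytes"
    echo "$d"
}

safe_dev=$(make_fake_dev 0)              # kernel built without MMC_CAP_ERASE
open_dev=$(make_fake_dev 2199023255040)  # kernel with MMC_CAP_ERASE enabled

echo "no MMC_CAP_ERASE : $(mmc_erase_state "$safe_dev")"
echo "MMC_CAP_ERASE on : $(mmc_erase_state "$open_dev")"
```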

  • Re:Look for Nexus (Score:4, Insightful)

    by Silentknyght (1042778) on Thursday March 21, 2013 @10:35AM (#43234349)

    Lesson learned: If you want a full-baked true Android experience, always look for the word "Nexus".

    Agreed, that is the lesson I've learned.

  • by wbr1 (2538558) on Thursday March 21, 2013 @11:01AM (#43234743)

    Forgive typos, I'm on a touch screen.

    All of these issues, carrier lock, CDMA reprogramming and carrier approval of ROMs, and unpatched bugs have one root. The fact that most people do not care as long as they can make phone calls, email, and whatever their app du jour is. We that care about security, openness and GPL, getting software updates in a timely fashion, we are a small fraction of the market and no matter how vocal we are here, we are no threat to profit. You, the early adopter, the bleeding edge techie, you have been marginalized by greed. Welcome to now.

  • by the_B0fh (208483) on Thursday March 21, 2013 @02:18PM (#43237165) Homepage

    Funny how in a thread about Samsung, someone must come out and say "but Apple also sucks" like this then makes it all better.

    And comparing Apple to rape is a bit much, isn't it?

    And all the idiot moderators that modded this interesting, WTF are you smoking?
