Replicant OS Developers Find Backdoor In Samsung Galaxy Devices 126
An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."
Re:OTA updates (Score:5, Informative)
Re:How remote is remote? (Score:5, Informative)
Modem can ask the APU app to write/read selected files and do some other file system operations. Why would modem want to read/write arbitrary files on user's file system and what and how could invoke such behavior of the modem? The answer is up to your imagination.
Well, in fact many other phones don't need any backdoor to do the same as lots of them have modems directly connected to main RAM, exposing it to monitoring or even manipulation by the closed and strictly secured modem firmware.
That's why projects like Neo900 opt for clear APU<->modem separation as host<->peripheral, together with power and antenna usage monitoring and fully free software stack on APU side.
Re:No contract, wifi-only (Score:5, Informative)
No. The modem can write to your OS. Anyone can communicate with your modem, even Ham radio operators. Granted, exploiting this would be a huge technological challenge... unless of course this was placed there intentionally and they know exactly what to send to your modem to get it to do what they want.
Re:No contract, wifi-only (Score:4, Informative)
Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.
While, yes, technically anyone can communicate with your modem; anyone can communicate with your wifi card or your bluetooth adapter as well. And it would appear that the samsung radio interface IPC layer at least has a modicum less access to the entirety of your device than your wifi driver - which is in the kernel. People have, in the past, exploited mistakes in wifi drivers and wifi card firmware to remote exploit via wifi. (*: The specific instance I remember, was with an old intel 802.11b/g card and specially crafted management frames which could be trivially spoofed and didn't need to be encrypted to be accepted by the wireless card. The proof of concept was able to issue busmaster DMA read/writes which, ostensibly, would allow rewriting arbitrary kernel ram, etc.)
Across the scope of samsung phones I was able to check (ok, two of them), the radio interface, the android host side of this communications channel, runs as uid 1001 (radio). As far as my cursory inspection revealed, meant that the radio/modem can read/write the files in /efs and only read a number of other places, such as /sdcard. Granted, /sdcard contains a lot of your personal data. My point is that, in this case, a compromised modem is still less privileged than a compromised android service or, worse, compromised driver/kernel. Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI, to describe them as a "backdoor" is horribly inappropriate.
So, yeah, as you said, "huge technological challenge." Agreed. But, the idea that a data modem may be exploitable is by no means new.
OSS devs lack of communication skills (Score:4, Informative)
not even on their website do its developers explain what Replicant is, or what its goals and purpose are
wikipedia does a better job...
http://en.wikipedia.org/wiki/R... [wikipedia.org]