Forgot your password?
typodupeerror
Android Cellphones Operating Systems Security

Replicant OS Developers Find Backdoor In Samsung Galaxy Devices 126

Posted by Soulskill
from the caught-out dept.
An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."
This discussion has been archived. No new comments can be posted.

Replicant OS Developers Find Backdoor In Samsung Galaxy Devices

Comments Filter:
  • How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

    • Re: (Score:3, Funny)

      by MightyMartian (840721)

      How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

      Yes

      • RMS was right (Score:5, Insightful)

        by Anonymous Coward on Wednesday March 12, 2014 @07:46PM (#46469607)

        This is what you get for essentially renting a a black box with audiovideo and communication capability and letting 3rd parties control it fully: a personal tracker better than what the worst totalitarian regime could dream. There is no reason why operating systems or essential drivers should be shipped as binary blobs, not this day and age, not after the NSA revelations.

    • by dos1 (2950945) on Wednesday March 12, 2014 @06:47PM (#46469233)

      Modem can ask the APU app to write/read selected files and do some other file system operations. Why would modem want to read/write arbitrary files on user's file system and what and how could invoke such behavior of the modem? The answer is up to your imagination.

      Well, in fact many other phones don't need any backdoor to do the same as lots of them have modems directly connected to main RAM, exposing it to monitoring or even manipulation by the closed and strictly secured modem firmware.

      That's why projects like Neo900 opt for clear APU<->modem separation as host<->peripheral, together with power and antenna usage monitoring and fully free software stack on APU side.

    • "How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?"

      Doesn't matter. Nobody likes to get "backdoored" without their consent.

  • So if I'm using my no-contract Samsung Galaxy phone as a wifi-only device, and have never inserted the SIM card at all, I believe I'm safe from this particular vulnerability.

    Tin-hatters, am I wrong on that?
    Explain,

    • by Anonymous Coward

      With no SIM card you have no service plan, no encryption key to verify that you are a subscriber, and the towers have every right to refuse communication from you.

      That doesn't mean that a tower absolutely cannot talk to your device in a non-subscriber cleartext mode, if they choose to do so. Also you THINK you turned off your radio, are you willing to trust the guys that have already been caught hiding deeply invasive crap to not violate that too? It could just turn on for a quick download of skynet directi

    • by Charliemopps (1157495) on Wednesday March 12, 2014 @07:54PM (#46469643)

      No. The modem can write to your OS. Anyone can communicate with your modem, even Ham radio operators. Granted, exploiting this would be a huge technological challenge... unless of course this was placed there intentionally and they know exactly what to send to your modem to get it to do what they want.

      • Not if you set it to flight mode.

        • by TheGavster (774657) on Wednesday March 12, 2014 @09:16PM (#46470139) Homepage

          Does anyone do verification on the "airplane mode" setting of phones? The FCC and FAA seem to have come to the conclusion that there's no way you can detect active radios via undesired behavior of an aircraft, and are down to sorting out the social ramifications of phone use on planes. I'd like to see an independent (and preferably paranoid) lab check to make sure that "all radios off" means that the radios are off, and not just that they stop passing traffic from the PDA OS.

          • Faraday Cage in a Faraday Cage, take the phone inside both, hook up the in internal cage to $SensitiveEquipment and look for induced current from the radio still being operational?

            IANAScientist, but it seems reasonable enough to me.
        • by BronsCon (927697)
          That stops it from transmitting, but there's nothing stopping it from receiving. Blast out a message across all active towers (go ahead and translate JSON to whatever the phone will actually understand):

          {"IMEI": "[your phone's IMEI]", "eval": "[code to execute]"}

          Your phone can kick back out of flight mode when it's done, to acknowledge that it received the message and executed the instruction, then kick back into flight mode, and you'll quite likely be none the wiser.
      • by megabeck42 (45659) on Wednesday March 12, 2014 @08:26PM (#46469857)

        Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

        While, yes, technically anyone can communicate with your modem; anyone can communicate with your wifi card or your bluetooth adapter as well. And it would appear that the samsung radio interface IPC layer at least has a modicum less access to the entirety of your device than your wifi driver - which is in the kernel. People have, in the past, exploited mistakes in wifi drivers and wifi card firmware to remote exploit via wifi. (*: The specific instance I remember, was with an old intel 802.11b/g card and specially crafted management frames which could be trivially spoofed and didn't need to be encrypted to be accepted by the wireless card. The proof of concept was able to issue busmaster DMA read/writes which, ostensibly, would allow rewriting arbitrary kernel ram, etc.)

        Across the scope of samsung phones I was able to check (ok, two of them), the radio interface, the android host side of this communications channel, runs as uid 1001 (radio). As far as my cursory inspection revealed, meant that the radio/modem can read/write the files in /efs and only read a number of other places, such as /sdcard. Granted, /sdcard contains a lot of your personal data. My point is that, in this case, a compromised modem is still less privileged than a compromised android service or, worse, compromised driver/kernel. Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI, to describe them as a "backdoor" is horribly inappropriate.

        So, yeah, as you said, "huge technological challenge." Agreed. But, the idea that a data modem may be exploitable is by no means new.

        • by ShaunC (203807) on Wednesday March 12, 2014 @09:53PM (#46470301)

          Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

          He wasn't calling hams retards, quite the contrary. He was pointing out that people with absolutely no control over your cellular carrier's towers, and thus no legitimate path into your cellphone, could give you problems despite not being an "authorized" party. Those people would still need to be extremely technically adept, familiar with radio, etc. so hams was a pretty good example IMO.

          • It's also just wrong. From 3G onwards phones authenticate the cell towers. Even with a full stack running you wouldn't be easily able to force a phone to associate to your tower, at least not without jamming all the other towers in your vicinity.

            • by cdrudge (68377)

              As soon as backdoors or any other security related "features" get involved, I tend to think that anything is possible despite how things are suppose to operate.

            • I believe all Galaxy devices are capable of connecting to 2G towers. So assuming the message can be transmitted via 2GSM, the sophisticated hacker (I assume) would need to spoof such a tower at a time when the targetted phone would need to avoid 3G for some reason (say, lack of signal or too poor a signal)

            • by dos1 (2950945)

              Just drown out 3G signal near the victim and make it connect to your own 2G station. Piece of cake.

        • by Anonymous Coward

          Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI,

          I took your post as "informative" and even "insightfull" right upto this remark. With it you forfitted all your credibility.

          The above might be the publicized (or maybe even "naivily assumed") usage, but if it can as easily be used to access other files (system, log, personal, etc) it is a bad oversight (if that is what it is) indeed.

          to describe them as a "backdoor" is horribly inappropriate.

          Mayb

          • by megabeck42 (45659)

            I do believe you missed the point of my comment entirely. These IPC requests for doing file I/O are there to allow the to read and write to a small subset of files constrained to a specific portion of directory hierarchy.

            Yes, the modem could potentially read other files - limited by unix access controls, but it cannot read nor write from arbitrary files.

            > Maybe you're right and it should be called "criminal negligence" instead.

            I was growing the impression you'd authored a post with value worth contribut

        • by mysidia (191772)

          When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

          Someone who happens to be a Ham operator, might use a radio-based exploit to attack their phone as a proof of concept.

          But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses re

          • But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses revoked.

            Yup. So they couldn't do so openly. These days, there are plenty of ways to do so anonymously. Given some of the cool tools out there in the Ham world for connecting radios, I wouldn't be at all surprised to find an Elmer who could do some interesting thin

            • by dos1 (2950945)

              In fact, all you need is for instance some TI Calypso based phone, like Openmoko Neo Freerunner or some old Motorolas, and OsmocomBB firmware. And of course lack of fear when you're doing something like that illegally.

      • by dpilot (134227)

        As ChunderDownUnder reminds me, I forgot to mention that this phone has never been out of airplane mode, in addition to never having a SIM card plugged in. Flashing out of T-Mobile software was also one of the first things I did, and the other night I flashed CyanogenMod 11 M4. (Of course some of the guys on IRC suggest that even that is too commercial, and that I should go to snapshots over on xda-developers, to be safer.)

        I keep my tinfoil hat handy, just like I tend to channel RMS and ESR. But there ar

        • by Patch86 (1465427)

          Doesn't Airplane Mode deactivate WiFi (and Bluetooth, NFC etc.) as well? (Genuine question, I've not looked that hard at it). If so, I can't see how useful a device it can be without any active radios.

          • by dpilot (134227)

            Mine has been in airplane mode from day 1, with wifi on. I've seen where others have problems keeping wifi on when airplane is also on, but I haven't. Perhaps the fact that the SIM card is still in the original box, never inserted, has something to do with this. I bought an unlocked phone, and have never given it a chance to lock itself.

    • by horm (2802801)
      As long as your phone is unable to connect to a cell tower/rogue femtocell/etc. you should be fine. The backdoor that was found is in the Radio Interface Layer (RIL), which governs communications between the Phone app and the radio. Wifi/bluetooth aren't managed by the RIL.
  • Why not leave the library in but alert the user to allow/deny the reads & writes when they occur? Perhaps even sandbox the writes for further examination.

    • by dos1 (2950945)

      Why not use and/or enhance already existing free software replacement, used by projects like freesmartphone.org or... Replicant?

      • Check out the status page... I don't see any phone that they support that they have everything working.. hardly 4.2 release.. more like 0.0.42 release... Why would i spend $1000 on a phone for it to only be able to send sms and call.. 2D graphics, 3D graphics, Sound, Telephony, Mobile data, Wi-Fi, Bluetooth, NFC, GPS, Sensors, Camera and Hardware media encoding/decoding all need to be working before anybody would bother with non-manufacture software.. also anyone who stores sensitive information on a phone
      • by GTRacer (234395)
        Looks like I need to read more about this particular blob. Any ideas if it can be controlled with XPrivacy?
    • by Arker (91948)
      Leaving malware in place and attempting to sandbox it instead of removing it entirely sounds like a very poor idea to me.
  • by rubycodez (864176) on Wednesday March 12, 2014 @09:37PM (#46470213)

    not even on their website do its developers explain what Replicant is, or what its goals and purpose are

    wikipedia does a better job...

    http://en.wikipedia.org/wiki/R... [wikipedia.org]

  • Does anyone have any contacts at Samsung (email addresses, phone numbers, etc.) that can address this issue?

    I just got back from looking at a Galaxy Note 3 (thinking form upgrading from by S2).

    Now I'm not sure - will probably just go buy a Nexus.

    I can't think of a single valid reason for this level of functionality to be available in a device that's sold commercially. I've never heard of any enterprise management tools that can use such functions, and their undisclosed existance is a real worry.

    The big

    • Now I'm not sure - will probably just go buy a Nexus.

      FTFS:

      Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S.

      I can understand not reading the article, but not reading the summary?!

      • by Namarrgon (105036)

        The Nexus S [wikipedia.org] was made by Samsung way back in 2010.

        It hasn't been on sale for years. I really don't think it's relevant to new buyers.

        • by Anonymous Coward
          The fact that the Nexus range has a history of using the same vulnerable firmware is VERY relevant unless you can show definitive proof that it has been actively removed from all current models.
          • by AC-x (735297)

            Well, given the recent Nexus phones have been by LG with Qualcomm modems, I'm pretty sure they're free of this Samsung/Infineon modem firmware.

            Of course what security issues the LG/Qualcomm firmware do contain are anyone's guess.

      • by Kremmy (793693)
        My guess is that he meant he was going for an Asus Nexus rather than a Samsung Nexus. Isn't it weird how Android phone branding is working lately?
        • Or an LG Nexus, if he wants a phone instead of a tablet.

          The important question, which I am keenly interested in as the owner of a Nexus 5, is whether LG phones have a similar backdoor.

  • by ShaunC (203807) on Wednesday March 12, 2014 @10:02PM (#46470323)

    This will be wonderful news for criminal defense attorneys. Is your client accused of having a couple of terrorists in his phone's contact list? Did a customs official conveniently find child porn pictures on your client's phone during a border crossing? Did the prosecutor haul out telco logs "proving" that your client was sending text messages to arrange a heroin deal?

    Sounds to me like it's quite plausible that someone else put that $ILLEGAL_SHIT on your client's phone. After all, the capability was built right into the phone by Samsung.

  • NSA_backdoor_trojan:

    AMD processors were found to have similar vulnerabilities.

    Mascarading as a debug mode, all hardware and thus software security features can be bypassed. Essentially allowing both stealth software operation, bypassing root and administrator authentication restrictions, and more. Intel is known to have similar functionality, but its not publically disclosed yet.. http://hardware.slashdot.org/s... [slashdot.org]

    NSA compiled and uses all these exploits whether it was installed there for them or not.

    Windows

    • by strstr (539330)

      I was insinuating that this Samsung Galaxy phone backdoor was an NSA hack, which undoubtably they're using along with the FBI to hack us. Oops!

    • by swb (14022)

      Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before.

      That's a pretty tall order. The Germans managed something like 6 million and Stalin something like 7 million. Pol Pot didn't reach those nominal figures but on a percentage of total population he probably outdid both, killing something like 1 in 3.

      Are you really sure Obama has exceeded 6 million dead via outright acts of genocide, excluding combat against armed adversa

  • RIL and EFS (Score:4, Insightful)

    by Technomancer (51963) on Wednesday March 12, 2014 @11:00PM (#46470549)

    I don't find that surprising. When I was playing with CyanogenMod it became obvious to me that RIL reads/writes files from EFS partition on behalf of the modem because settings for the modem, like IMEI, state of network lock, preferred networks etc, are stored there. I am not sure whether the interface is general enough so the modem can ask for any file.
    If they are concerned about binary blobs doing unknown stuff, RIL is small potatoes. There is huge GPS daemon binary made by 3rd party. Sensor drivers are linked with closed source processing libraries (AKM/akmd). Camera loads whole bunch of image/video processing libraries which are closed source/3rd party too. Lots of phones also use closed source 3rd party audio processing libraries. Not to mention 16MB of compressed modem firmware, running on modem CPU which is like another little independent computer.

    • by labawi (2931497)

      This.

      It is widely believed older style cell phones have long been mandated to support remote operations/activation by the government/laws/secret service/someone. Local police says phones can be tracked even when off, but they don't use it for lost cell phones, only big crimes, but the capability is present and available.

      On smart phones, that are much more software and less fixed hardware, programmable and adaptive, how could that functionality be provided? Perhaps with some features of modem hardware to com

  • My phone just erased everything it had in it and rebooted. One of the sickest feelings I've ever had in my life!!! [businessinsider.com] ~ Lebron James via Twitter. He later erased the tweet.

    Anyone know if this was how NBA player, Lebron James, Samsung was wiped [businessinsider.com]? Its been covered on CNBC's SqwakonStreet today. For those that had not heard, King James basically tweeted the quote above, yesterday(3/12) at 5:03PM, and later erased the tweet. Guessed he realized as a "Famous Samsung Endorser", that might not look great.

    End result, his phone was restored...when they announced this I was wondering when his last backup was taken and how many daysold it might have been.

    From a German Twitter user

  • I think it is highly likely that this blob is the proprietary Samsung Kies Air portal. Kies Air let's you connect your smartphone to your desk-top computer with a wireless connection for back-ups and installs. So, seems like a feature, not a bug. It might have some security holes but the intention seems legitimate

There is never time to do it right, but always time to do it over.

Working...