Replicant OS Developers Find Backdoor In Samsung Galaxy Devices
An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."
Re: (Score:3)
It was a vulnerability. Now it's a back door.
Re:OTA updates (Score:5, Funny)
"Nuts!" said the NSA. "Now we'll have to use one of our 12 other methods!"
Re: (Score:1)
Lube up boys. Time to start probing the other back doors.
Re:OTA updates (Score:5, Interesting)
This is part of their undocumented protocol for communication with the modem. The modem can ask to read or write some file on disk using IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_LSEEK_FILE, IPC_RFS_CLOSE_FILE, etc. messages and the library will happily do that for the modem. It's hardly unintended.
Re: (Score:1)
Who has access to execute these commands? I'm assuming just my carrier?
Re: (Score:3, Interesting)
Or anyone who sets up a fake tower? That's a pretty common and relatively easy attack vector now...
Re:OTA updates (Score:5, Interesting)
I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.
A quick strings on my Samsung Captivate Glide's modem firmware reveals all manner of novel debug messages and log strings:
err/CP_MA_TRACE_%d_%04d%02d%02d%02d%02d%02d.bin /data/efs/err =====
[DUMP] FILE OPEN FAIL
[ERROR]%s,%d,%s
[DUMP] FILE CREATE FAIL
[DUMP] Write MA Trace To
aurrcbp: discard cell due to system information read error
[Net]NV Read Fail! OEM_NVM_TESTBED
etc..
I do know that a lot of data persistence for the radio is done with dotfiles scattered around and throughout /data and /efs (because real nvram is expensive).
I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.
I don't think it's clearly a backdoor. But, I do believe the concern is warranted. The radio/modem's firmware blob is not auditable. Perhaps a combination of logging/auditing filesystem requests and limiting which files are accessible by the RILD? Actually, isn't the rild run as an unprivileged user, radio? (Possibly for this very reason?)
Re:OTA updates (Score:4, Insightful)
I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.
No evidence to the contrary either, and worth questioning since this is a common theme. Motorola was found to be sending all kinds of data to Motorola servers without user knowledge, including specific authentication information in plain text; Apple's SSL mess-up; countless MS back doors in just about everything they make. Then you have other players that made horrible decisions costing them their phone business.
At a point we should at least wonder if these things are really just accidental and sloppy, or are they working as influenced/intended. The more we find that companies are doing the same things, the less plausible the "accidental" theory looks.
How to actually find out is the hard part. Any company doing things for a fat check and favors from a government realizes that whistleblowers will lose future checks and favors. I'd be very interested in seeing all the files the government has on this, especially things like how many employees on government payroll are working at places like Intel, Samsung, Apple, Microsoft, etc. (if any). It's too bad the CIA and Senate fight won't do anything to open that door.
Re: (Score:3)
Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.
Re: (Score:1)
Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.
That is exactly what I was thinking it could be used for, to wipe the device.
Re: (Score:2)
Remotely wiping a stolen mobile phone ought to still be controlled by the main phone OS. All the modem should be responsible for is receiving the wipe request and passing it to the main OS's monitoring process.
Re: (Score:2)
Unfortunately, the daemon that opens, reads, and writes files on behalf of the modem, is running as a specific unprivileged user, radio (uid 1001 on my phone.) It could only wipe out the information I have in /efs and a few specific files in /data. Nothing bars it from triggering some other system/daemon/process responsible for more thorough wiping of data.
Re: (Score:2)
It's no more a backdoor than using static functions in your compiled C. Simply because it's not documented does not make it a backdoor.
Re: (Score:2)
I'm replying again because it occurred to me to check the dictionary.
A backdoor is an indirect and devious system conceived for the purpose of allowing access to resources by circumventing security protections.
This is not. This is a set of IPC requests, an "API", to allow the modem firmware to store non-volatile information in a specific location of the host phone's filesystem.
You're absolutely right that a backdoor is a backdoor; however, this is not a backdoor. If they'd really meant to introduce backdoors
Re:OTA updates (Score:5, Insightful)
This is part of their undocumented protocol for communication with the modem. Modem can ask to read or write some file on disk using ...
And "undocumented protocol for communication" is different from a backdoor how?
Re: (Score:2)
It's not.
Re: (Score:3)
Where exactly would you expect the documentation for something like that to be in a consumer device?
Re: (Score:2)
Where exactly would you expect the documentation for something like that to be in a consumer device?
e.g. We aren't sure where to put all that TCP/IP documentation, so don't bother writing it all down.
Re: (Score:2)
On the included SD card? On the manufacturer website?
Re: (Score:2)
Would you also like them to give you a copy of the GSM specs? TCP/IP? An overview of the Linux kernel? The GPU's docs?
None of that sort of thing is needed by the end users.
I'm sure it is a fully documented feature, in Samsung.
We don't get a full copy of their blueprints just by buying the device however.
Re: (Score:2)
Well how is a documented protocol for communication different from a backdoor?
On a house, how is the back door different than the front door, other than being on the back side of the house?
Re: (Score:2)
Wow! Someone states an apparent truth and it gets marked down to -1 so nobody sees it - it's not the message the Android and Samsung fans want to hear, apparently. But the original poster is correct: if this happened with Apple, there would be no "misunderstanding" on this site as to whether this was intentional or not.
How remote is remote? (Score:1)
How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?
Re: (Score:3, Funny)
Yes
RMS was right (Score:5, Insightful)
This is what you get for essentially renting a black box with audio/video and communication capability and letting 3rd parties control it fully: a personal tracker better than what the worst totalitarian regime could dream of. There is no reason why operating systems or essential drivers should be shipped as binary blobs, not in this day and age, not after the NSA revelations.
Re: (Score:2)
If I don't personally assemble the bits on punchcards by hand, I don't trust anything! I figure I should have my trusted JVM ready to go in about forty years...
Re:How remote is remote? (Score:5, Informative)
The modem can ask the APU app to write/read selected files and do some other file system operations. Why would the modem want to read/write arbitrary files on the user's file system, and what could invoke such behavior of the modem, and how? The answer is up to your imagination.
Well, in fact many other phones don't need any backdoor to do the same as lots of them have modems directly connected to main RAM, exposing it to monitoring or even manipulation by the closed and strictly secured modem firmware.
That's why projects like Neo900 opt for clear APU<->modem separation as host<->peripheral, together with power and antenna usage monitoring and fully free software stack on APU side.
Re: (Score:2)
Ask who controls the modem. It's not Samsung - it's the carriers. In the US market, some of them might like this capability for things like detecting who has uncrippled their bundled handset and enabled tethering rather than pay for the higher tier service.
Re: (Score:3)
"How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?"
Doesn't matter. Nobody likes to get "backdoored" without their consent.
Re: (Score:2)
Now, if you just need a few megs of
Is this testing whether the OS is Replicant (Score:1, Funny)
or a lesbian?
Re: (Score:1)
Let me tell you about my mother.
Re: (Score:2)
go home Sean Young, you're drunk
No contract, wifi-only (Score:2)
So if I'm using my no-contract Samsung Galaxy phone as a wifi-only device, and have never inserted the SIM card at all, I believe I'm safe from this particular vulnerability.
Tin-hatters, am I wrong on that?
Explain,
Re: (Score:1)
With no SIM card you have no service plan, no encryption key to verify that you are a subscriber, and the towers have every right to refuse communication from you.
That doesn't mean that a tower absolutely cannot talk to your device in a non-subscriber cleartext mode, if they choose to do so. Also you THINK you turned off your radio, are you willing to trust the guys that have already been caught hiding deeply invasive crap to not violate that too? It could just turn on for a quick download of skynet directi
Re:No contract, wifi-only (Score:5, Informative)
No. The modem can write to your OS. Anyone can communicate with your modem, even Ham radio operators. Granted, exploiting this would be a huge technological challenge... unless of course this was placed there intentionally and they know exactly what to send to your modem to get it to do what they want.
Re: (Score:2)
Not if you set it to flight mode.
Re:No contract, wifi-only (Score:5, Interesting)
Does anyone do verification on the "airplane mode" setting of phones? The FCC and FAA seem to have come to the conclusion that there's no way you can detect active radios via undesired behavior of an aircraft, and are down to sorting out the social ramifications of phone use on planes. I'd like to see an independent (and preferably paranoid) lab check to make sure that "all radios off" means that the radios are off, and not just that they stop passing traffic from the PDA OS.
Re: (Score:2)
IANAScientist, but it seems reasonable enough to me.
Re: (Score:2)
{"IMEI": "[your phone's IMEI]", "eval": "[code to execute]"}
Your phone can kick back out of flight mode when it's done, to acknowledge that it received the message and executed the instruction, then kick back into flight mode, and you'll quite likely be none the wiser.
Re:No contract, wifi-only (Score:4, Informative)
Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.
While, yes, technically anyone can communicate with your modem; anyone can communicate with your wifi card or your bluetooth adapter as well. And it would appear that the Samsung radio interface IPC layer at least has a modicum less access to the entirety of your device than your wifi driver - which is in the kernel. People have, in the past, exploited mistakes in wifi drivers and wifi card firmware to remotely exploit via wifi. (*: The specific instance I remember was with an old Intel 802.11b/g card and specially crafted management frames which could be trivially spoofed and didn't need to be encrypted to be accepted by the wireless card. The proof of concept was able to issue busmaster DMA read/writes which, ostensibly, would allow rewriting arbitrary kernel RAM, etc.)
Across the scope of Samsung phones I was able to check (ok, two of them), the radio interface, the android host side of this communications channel, runs as uid 1001 (radio). As far as my cursory inspection revealed, this meant that the radio/modem can read/write the files in /efs and only read a number of other places, such as /sdcard. Granted, /sdcard contains a lot of your personal data. My point is that, in this case, a compromised modem is still less privileged than a compromised android service or, worse, a compromised driver/kernel. Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI, to describe them as a "backdoor" is horribly inappropriate.
So, yeah, as you said, "huge technological challenge." Agreed. But, the idea that a data modem may be exploitable is by no means new.
Re:No contract, wifi-only (Score:5, Interesting)
Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.
He wasn't calling hams retards, quite the contrary. He was pointing out that people with absolutely no control over your cellular carrier's towers, and thus no legitimate path into your cellphone, could give you problems despite not being an "authorized" party. Those people would still need to be extremely technically adept, familiar with radio, etc. so hams was a pretty good example IMO.
Re: (Score:2)
It's also just wrong. From 3G onwards phones authenticate the cell towers. Even with a full stack running you wouldn't be easily able to force a phone to associate to your tower, at least not without jamming all the other towers in your vicinity.
Re: (Score:2)
As soon as backdoors or any other security related "features" get involved, I tend to think that anything is possible despite how things are supposed to operate.
Re: (Score:2)
Just drown out 3G signal near the victim and make it connect to your own 2G station. Piece of cake.
Re: (Score:1)
https://www.google.com/search?q=stingray#q=stingray+cell+tower
Sorry, full search link.
Re: (Score:1)
I took your post as "informative" and even "insightful" right up to this remark. With it you forfeited all your credibility.
The above might be the publicized (or maybe even "naively assumed") usage, but if it can as easily be used to access other files (system, log, personal, etc) it is a bad oversight (if that is what it is) indeed.
Mayb
Re: (Score:2)
I do believe you missed the point of my comment entirely. These IPC requests for doing file I/O are there to allow the modem to read and write to a small subset of files constrained to a specific portion of the directory hierarchy.
Yes, the modem could potentially read other files - limited by unix access controls, but it cannot read nor write from arbitrary files.
> Maybe you're right and it should be called "criminal negligence" instead.
I was growing the impression you'd authored a post with value worth contribut
Re: (Score:2)
> And pardon me, but could you explain to me what the need is for a(n undocumented!) way to gain access to "certain files" on a phone by a remote person ? As far as I can tell there is nothing on a phone a remote person should have access to without the explicit say-so of the owner.
Sweet jesus. The system is not an undocumented way to allow a remote, third-party unauthenticated arbitrary access to y
Re: (Score:2)
When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.
Someone who happens to be a Ham operator, might use a radio-based exploit to attack their phone as a proof of concept.
But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as transmission outside frequencies within their operating privileges would be an FCC violation that could get their station licenses re
Re: (Score:2)
But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as transmission outside frequencies within their operating privileges would be an FCC violation that could get their station licenses revoked.
Yup. So they couldn't do so openly. These days, there are plenty of ways to do so anonymously. Given some of the cool tools out there in the Ham world for connecting radios, I wouldn't be at all surprised to find an Elmer who could do some interesting thin
Re: (Score:2)
In fact, all you need is for instance some TI Calypso based phone, like Openmoko Neo Freerunner or some old Motorolas, and OsmocomBB firmware. And of course lack of fear when you're doing something like that illegally.
Re: (Score:2)
As ChunderDownUnder reminds me, I forgot to mention that this phone has never been out of airplane mode, in addition to never having a SIM card plugged in. Flashing out of T-Mobile software was also one of the first things I did, and the other night I flashed CyanogenMod 11 M4. (Of course some of the guys on IRC suggest that even that is too commercial, and that I should go to snapshots over on xda-developers, to be safer.)
I keep my tinfoil hat handy, just like I tend to channel RMS and ESR. But there ar
Re: (Score:2)
Doesn't Airplane Mode deactivate WiFi (and Bluetooth, NFC etc.) as well? (Genuine question, I've not looked that hard at it). If so, I can't see how useful a device it can be without any active radios.
Re: (Score:2)
Mine has been in airplane mode from day 1, with wifi on. I've seen where others have problems keeping wifi on when airplane is also on, but I haven't. Perhaps the fact that the SIM card is still in the original box, never inserted, has something to do with this. I bought an unlocked phone, and have never given it a chance to lock itself.
Re:Third-party ROMs (Score:5, Insightful)
Most of the popular ROMs are made using the very same closed drivers the article is talking about to provide hardware compatibility - otherwise they would be exactly where Replicant is now.
Any third-party ROM for Galaxy devices that uses Samsung's library to communicate with the modem is vulnerable - so almost all of them are, including CyanogenMod.
Re: (Score:2)
Aren't there legal problems with CM and other ROMs including these blobs, since they're presumably copyrighted? Or are they licensed by Samsung under the GPL along with the kernel? But in the latter case, shouldn't Samsung be including source?
Leave it in? (Score:1)
Why not leave the library in but alert the user to allow/deny the reads & writes when they occur? Perhaps even sandbox the writes for further examination.
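The allow/deny-and-audit idea in this comment, and the earlier points that the RIL daemon runs as the unprivileged radio user and that the RFS requests are meant for a small subset of files under /efs, amount to a policy check on the host side. The following is an added example of such a check, not Replicant's code and not Samsung's RIL: it lexically normalises the path the modem asks for, refuses anything outside one allowed tree, and writes an audit line for every request. The allowed root /efs/, the audit-line format, the function names and the sample paths are all assumptions made for illustration.

```c
/* Added example (not Replicant's or Samsung's code): a host-side policy
 * check for IPC_RFS_* file requests arriving from the modem. Assumed:
 * the modem may only touch files below RFS_ALLOWED_ROOT, and every
 * decision is logged to stderr in the (made-up) "rfs-audit" format. */
#include <stdio.h>
#include <string.h>

#define RFS_ALLOWED_ROOT "/efs/"   /* assumption: the only tree the modem may use */

enum rfs_op { RFS_READ = 0, RFS_WRITE = 1 };

/* Lexically normalise an absolute path: collapse repeated '/', drop "."
 * components and resolve ".." against the components already seen.
 * Returns 0 on success, -1 if the path is not absolute, does not fit,
 * or tries to climb above "/". */
static int rfs_normalize(const char *in, char *out, size_t outlen)
{
    if (in == NULL || in[0] != '/' || outlen < 2)
        return -1;
    size_t len = 1;
    out[0] = '/';
    out[1] = '\0';
    const char *p = in;
    while (*p) {
        while (*p == '/')
            p++;                        /* skip one or more separators */
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;                   /* "." changes nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 1)
                return -1;              /* ".." above "/" : reject outright */
            while (len > 1 && out[len - 1] != '/')
                len--;                  /* drop the last component */
            if (len > 1)
                len--;                  /* and the separator before it */
            out[len] = '\0';
            continue;
        }
        size_t need = len + (len > 1 ? 1 : 0) + seglen + 1;
        if (need > outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    return 0;
}

/* Decide whether an RFS request may proceed. Logs an audit line and
 * returns 1 to allow, 0 to deny. Deny is the default for anything odd. */
int rfs_request_allowed(enum rfs_op op, const char *path)
{
    char norm[256];
    const char *reason;
    int allow = 0;

    if (rfs_normalize(path, norm, sizeof norm) != 0) {
        reason = "malformed path";
        snprintf(norm, sizeof norm, "%s", path ? path : "(null)");
    } else if (strncmp(norm, RFS_ALLOWED_ROOT, strlen(RFS_ALLOWED_ROOT)) != 0) {
        reason = "outside allowed root";
    } else {
        reason = "within allowed root";
        allow = 1;
    }
    fprintf(stderr, "rfs-audit op=%s path=\"%s\" decision=%s (%s)\n",
            op == RFS_WRITE ? "write" : "read", norm,
            allow ? "allow" : "deny", reason);
    return allow;
}

int main(void)
{
    /* constructed sample requests, as a modem might issue them */
    rfs_request_allowed(RFS_READ, "/efs/nv_data.bin");
    rfs_request_allowed(RFS_READ, "/efs/../data/data/com.example/secrets");
    rfs_request_allowed(RFS_WRITE, "/data/efs/err");
    return 0;
}
```

The check is lexical only, so it says nothing about symlinks that might already exist under the allowed tree; a daemon using it should also open the file relative to a directory descriptor of the root (openat() with O_NOFOLLOW) and keep running as the unprivileged radio user, so that the filesystem's own permissions remain the second line of defence the thread describes.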
Re: (Score:2)
Why not use and/or enhance already existing free software replacement, used by projects like freesmartphone.org or... Replicant?
Re: (Score:2)
The release number aligns with the AOSP release, i.e. Replicant 4.2 targets Jelly Bean.
OSS devs lack of communication skills (Score:4, Informative)
not even on their website do its developers explain what Replicant is, or what its goals and purpose are
wikipedia does a better job...
http://en.wikipedia.org/wiki/R... [wikipedia.org]
Any contacts at Samsung we can call? (Score:2)
I just got back from looking at a Galaxy Note 3 (thinking of upgrading from my S2).
Now I'm not sure - will probably just go buy a Nexus.
I can't think of a single valid reason for this level of functionality to be available in a device that's sold commercially. I've never heard of any enterprise management tools that can use such functions, and their undisclosed existence is a real worry.
The big
Re: (Score:2)
Now I'm not sure - will probably just go buy a Nexus.
FTFS:
I can understand not reading the article, but not reading the summary?!
Re: (Score:2)
The Nexus S [wikipedia.org] was made by Samsung way back in 2010.
It hasn't been on sale for years. I really don't think it's relevant to new buyers.
Re: (Score:2)
Well, given the recent Nexus phones have been by LG with Qualcomm modems, I'm pretty sure they're free of this Samsung/Infineon modem firmware.
Of course what security issues the LG/Qualcomm firmware do contain are anyone's guess.
Re: (Score:2)
Or an LG Nexus, if he wants a phone instead of a tablet.
The important question, which I am keenly interested in as the owner of a Nexus 5, is whether LG phones have a similar backdoor.
Great for defense lawyers! (Score:3, Insightful)
This will be wonderful news for criminal defense attorneys. Is your client accused of having a couple of terrorists in his phone's contact list? Did a customs official conveniently find child porn pictures on your client's phone during a border crossing? Did the prosecutor haul out telco logs "proving" that your client was sending text messages to arrange a heroin deal?
Sounds to me like it's quite plausible that someone else put that $ILLEGAL_SHIT on your client's phone. After all, the capability was built right into the phone by Samsung.
NSA_backdoor_trojan into America (Score:1, Funny)
NSA_backdoor_trojan:
AMD processors were found to have similar vulnerabilities.
Masquerading as a debug mode, all hardware and thus software security features can be bypassed, essentially allowing stealth software operation, bypassing root and administrator authentication restrictions, and more. Intel is known to have similar functionality, but it's not publicly disclosed yet. http://hardware.slashdot.org/s... [slashdot.org]
NSA compiled and uses all these exploits whether it was installed there for them or not.
Windows
Re: (Score:1)
I was insinuating that this Samsung Galaxy phone backdoor was an NSA hack, which undoubtedly they're using along with the FBI to hack us. Oops!
Re: (Score:2)
Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before.
That's a pretty tall order. The Germans managed something like 6 million and Stalin something like 7 million. Pol Pot didn't reach those nominal figures but on a percentage of total population he probably outdid both, killing something like 1 in 3.
Are you really sure Obama has exceeded 6 million dead via outright acts of genocide, excluding combat against armed adversa
RIL and EFS (Score:4, Insightful)
I don't find that surprising. When I was playing with CyanogenMod it became obvious to me that RIL reads/writes files from the EFS partition on behalf of the modem because settings for the modem, like IMEI, state of network lock, preferred networks etc., are stored there. I am not sure whether the interface is general enough that the modem can ask for any file.
If they are concerned about binary blobs doing unknown stuff, RIL is small potatoes. There is a huge GPS daemon binary made by a 3rd party. Sensor drivers are linked with closed source processing libraries (AKM/akmd). The camera loads a whole bunch of image/video processing libraries which are closed source/3rd party too. Lots of phones also use closed source 3rd party audio processing libraries. Not to mention 16MB of compressed modem firmware, running on the modem CPU, which is like another little independent computer.
Re: (Score:1)
This.
It is widely believed older style cell phones have long been mandated to support remote operations/activation by the government/laws/secret service/someone. Local police say phones can be tracked even when off, but they don't use it for lost cell phones, only big crimes, but the capability is present and available.
On smart phones, that are much more software and less fixed hardware, programmable and adaptive, how could that functionality be provided? Perhaps with some features of modem hardware to com
LeBron James, Is this how his Samsung was wiped? (Score:1)
My phone just erased everything it had in it and rebooted. One of the sickest feelings I've ever had in my life!!! [businessinsider.com] ~ LeBron James via Twitter. He later erased the tweet.
Anyone know if this was how NBA player LeBron James's Samsung was wiped [businessinsider.com]? It's been covered on CNBC's Squawk on the Street today. For those that had not heard, King James basically tweeted the quote above yesterday (3/12) at 5:03PM, and later erased the tweet. Guess he realized, as a "Famous Samsung Endorser", that might not look great.
End result, his phone was restored... when they announced this I was wondering when his last backup was taken and how many days old it might have been.
From a German Twitter user
Samsung Kies Air (Score:1)