UPDATE – Samsung is contending claims last week that several of their Galaxy branded devices have a backdoor that could give an attacker “over-the-air remote control,” access to the phone’s file system and turn them into spying tools.
Developers behind the Replicant project, a Cyanogen-based Android OS, initially discovered the backdoor last week included in “most proprietary Android systems” running on Galaxy devices. The Galaxy Nexus S, S, S2, Note, Nexus, both the seven-inch and 10.1-inch Tab 2 and the Note 2 are all affected by the backdoor, according to Replicant.
Technically the problem lies in a program – Android’s Radio Interface Layer (RIL) – that runs on the devices’ baseband processor that’s in charge of handling the communication with the modem. That program, Samsung’s IPC protocol, allows the modem to “perform remote file I/O operations on the file system” via a class of requests called RFS commands.
The program affords the user the ability to read, write and delete files on the phone’s storage, according to Replicant developer Paul Kocialkowski in a write up on the backdoor yesterday in a blogpost on the Free Software Foundation.
Kocialkowski goes on to explain that the program is shipped with the aforementioned Galaxy devices and that the way its implemented on certain devices can give it sufficient rights to access and modify user data.
Even when the modem is isolated and cannot directly access the storage, the backdoor can provide remote access to the phone’s data, something Kocialkowski stresses is simply “unacceptable behavior,” regardless of whether it’s something Samsung knew about.
“It is possible that these were added for legitimate purposes without the intent of doing harm by providing a back door,” Kocialkowski said of the RFS commands. “Nevertheless, the result is the same and it allows the modem to access the phone’s storage.”
A further in depth analysis of the backdoor shows that some of the RFS commands are so obviously titled (IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_RENAME_FILE, etc.) that it’s clear they perform I/O operations on the file system.
Replicant goes on to claim that the commands “were not found to have any particular legitimacy nor relevant use-case,” making it even more interesting that they’re there.
Dan Rosenberg, a security researcher who has done a lot of work on Android security, said on Twitter that he confirmed that some versions of the Galaxy S4 and Note 3 also are affected by this issue.
When reached Friday a Samsung spokesperson tried to assure users their products were safe to use and that Replicant had “misunderstood” the devices’ software feature.
“Samsung takes consumer privacy and security very seriously and we’d like to assure consumers that our products are safe to use. We are able to confirm that the matter reported by the Free Software Foundation is based on an incorrect understanding of the software feature that enables communication between the modem and the AP chipset,” Samsung said Friday.
It was almost a year ago that an Italian researcher discovered half a dozen bugs in some of the company’s devices, including some that allowed attackers to send premium SMS messages without permission and change a user’s settings without their knowing.
Most recently, in January, researchers from Israel determined that it was possible to bypass a secure virtual private network connection on Samsung Galaxy S4 devices and redirect traffic in clear text to an attacker.