
Samsung Galaxy devices come with OTA backdoor access, your data may be at risk


This just in: If you’re using a Samsung Galaxy smartphone or tablet, your device might just contain a backdoor that could let attackers remotely control your device or access data stored in it.

According to Paul Kocialkowski, a developer for custom ROM Replicant, the backdoor basically involves protocols used by the Radio Interface Layer (RIL) in communicating with the device’s modem — or the chip that does the actual communication with the cellular tower. Kocialkowski cites the difference between devices’ two processors: (1) the general-purpose applications processor that runs Android, and (2) the one in charge of radio communications with the telephony network.

Over-the-air backdoor access

The concern here is that because the baseband is proprietary, there is no knowing what kind of backdoors manufacturers have put into the system. “This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device.”

While developing Replicant, which is marketed as a fully free/libre version of Android, without the licensed or proprietary components that ship with devices, Kocialkowski said that the team discovered a few backdoors that Samsung may have implemented in its Galaxy line of devices. “[T]he proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system,” he writes in a guest article at the Free Software Foundation blog. The program is shipped on Galaxy devices, and the developer says it is “possible for the modem to read, write, and delete files on the phone’s storage.”

Kocialkowski says that on most Galaxy devices, the baseband has sufficient privileges to modify user data stored on the device itself. A technical discussion is offered on Replicant’s wiki, where devices like the Galaxy S3 and Note 2 are listed as vulnerable, as well as the Nexus S and Galaxy Nexus, Galaxy S, S2, Note and certain variants of the Galaxy Tab 2. The Replicant developers showcased a proof of concept, where a string of data was retrieved from the device’s storage using the backdoor.

And because the backdoor resides on the phone’s modem, which is almost always connected to the mobile network, it means that malicious individuals or organizations — or perhaps government agencies — can potentially gain access to smartphones and tablets to spy on mobile users.

Is Samsung at fault?

According to Replicant, Samsung may have originally included the functionality for some legitimate purpose. The concerned RIL protocol was “not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door.”

However, it remains a risk. And given mobile users’ paranoia about eavesdropping by the NSA, GCHQ and other government spy agencies, this is one big cause of concern, especially for those who use their devices in an enterprise or other potentially sensitive setting.

How to protect your privacy

To address this, Kocialkowski recommends the use of custom ROMs that will prevent data access through the baseband. He says that Replicant — which is the supposed spiritual successor to the ideals that were started by the CyanogenMod team — will prevent access from these backdoors. “Our free replacement for that non-free program does not implement this backdoor,” he writes. “If the modem asks to read or write files, Replicant does not cooperate with it.”

However, given the scope of control that the phone’s firmware has over the hardware, the backdoor may still be used to remotely control the device, such as by turning on the microphone to listen in on conversations.

Samsung has not yet provided an official response to the security issue. Replicant has offered to help the company fix the issue, however, and would be “very glad to work with Samsung in order to make things right, for instance through releasing free software or documentation that would make it easy for community Android versions to get rid of the incriminated blob.”
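The trust boundary described above, as an added illustration that is not code from Replicant, Samsung or the original article: a handler on the applications processor treats file requests from the modem as untrusted and either refuses them outright, as Replicant is said to do, or confines them to one dedicated directory. The request kinds, policy names, function names and the "/modem-data" directory are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request kinds a modem might send to the applications processor. */
enum modem_req { REQ_SIGNAL_INFO, REQ_FILE_READ, REQ_FILE_WRITE, REQ_FILE_DELETE };
enum policy { POLICY_REFUSE_FILE_IO, POLICY_CONFINE };
#define MODEM_ROOT "/modem-data"   /* assumed directory, constructed for this example */

/* Lexically resolve "." and ".." in an absolute path and return 1 only if the
 * result stays strictly inside root. No filesystem access is made, so
 * symlinks are not covered by this check. */
static int path_confined(const char *root, const char *req)
{
    char buf[256], out[256] = "";
    size_t rl = strlen(root);
    if (req[0] != '/' || strlen(req) >= sizeof buf) return 0;
    strcpy(buf, req);
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            char *slash = strrchr(out, '/');
            if (!slash) return 0;           /* would climb above "/" */
            *slash = '\0';                  /* drop the last component */
            continue;
        }
        strcat(out, "/");                   /* out never exceeds strlen(req) */
        strcat(out, seg);
    }
    return strncmp(out, root, rl) == 0 && out[rl] == '/';
}

/* Returns 1 if the request may be serviced, 0 if it must be dropped. */
static int allow_modem_request(enum policy p, enum modem_req t, const char *path)
{
    switch (t) {
    case REQ_FILE_READ: case REQ_FILE_WRITE: case REQ_FILE_DELETE:
        if (p == POLICY_REFUSE_FILE_IO || path == NULL) return 0;
        return path_confined(MODEM_ROOT, path);
    case REQ_SIGNAL_INFO:
        return 1;                           /* no filesystem access involved */
    default:
        return 0;                           /* unknown request kinds are dropped */
    }
}

int main(void)
{
    printf("%d\n", allow_modem_request(POLICY_CONFINE, REQ_FILE_READ, "/modem-data/../data/user.db"));
    return 0;
}
```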

5 Comments

  1. Hackers have always been smarter than others. They think like a computer, that is what makes all this easy for them. I’ve been hanging out with a few computer engineers lately, and it is amazing to watch them solve their software-related issues.

  2. That is a good piece of information. I don’t know if this is the case of Samsung only or even the other brands as well.

  3. I actually had to do a report and presentation for school about identity theft, privacy protection, and the like. You’re absolutely right that this is going to continue to be a topic of discussion. Hackers are getting smarter and more sophisticated every day.

  4. It was WhatsApp earlier this week, and now it’s Samsung. I think protecting the privacy of users is going to be the topic of discussion for some time now.
