This just in: If you’re using a Samsung Galaxy smartphone or tablet, your device might just contain a backdoor that could let attackers remotely control your device or access data stored in it.
According to Paul Kocialkowski, a developer for custom ROM Replicant, the backdoor basically involves protocols used by the Radio Interface Layer (RIL) in communicating with the device’s modem — or the chip that does the actual communication with the cellular tower. Kocialkowski cites the difference between devices’ two processors: (1) the general-purpose applications processor that runs Android, and (2) the one in charge of radio communications with the telephony network.
Over-the-air backdoor access
The concern here is that because the baseband is proprietary, there is no way of knowing what kind of backdoors manufacturers have put into the system. As Kocialkowski puts it: “This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device.”
While developing Replicant, which is marketed as a fully free/libre version of Android without the licensed or proprietary components that ship with devices, Kocialkowski said that the team discovered a few backdoors that Samsung may have implemented in its Galaxy line of devices. “[T]he proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system,” he writes in a guest article on the Free Software Foundation blog. The program is shipped on Galaxy devices, and the developer says it is “possible for the modem to read, write, and delete files on the phone’s storage.”
Kocialkowski says that on most Galaxy devices, the baseband has sufficient privileges to modify user data stored on the device itself. A technical discussion is offered on Replicant’s wiki, where devices such as the Galaxy S3 and Note 2 are listed as vulnerable, as well as the Nexus S and Galaxy Nexus, Galaxy S, S2, Note and certain variants of the Galaxy Tab 2. The Replicant developers showcased a proof of concept in which a string of data was retrieved from the device’s storage using the backdoor.
And because the backdoor is reachable from the phone’s modem, which is almost always connected to the mobile network, malicious individuals or organizations — or perhaps government agencies — could potentially gain access to smartphones and tablets to spy on mobile users.
Is Samsung at fault?
According to Replicant, Samsung may have originally included the functionality for some legitimate purpose. The RIL protocol in question was “not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door.”
However, it remains a risk. And given mobile users’ wariness of eavesdropping by the NSA, GCHQ and other government spy agencies, this is a major cause for concern, especially for those who use their devices in an enterprise or other potentially sensitive setting.
How to protect your privacy
To address this, Kocialkowski recommends the use of custom ROMs that prevent data access through the baseband. He says that Replicant — which is said to be the spiritual successor to the ideals started by the CyanogenMod team — will block access through these backdoors. “Our free replacement for that non-free program does not implement this backdoor,” he writes. “If the modem asks to read or write files, Replicant does not cooperate with it.”
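As an added illustration (not code from the article, Samsung or Replicant), the C sketch below contrasts the behaviour described above, where the applications-processor program honours whatever file operation the modem asks for, with Replicant’s stance of refusing outright, and with a confined read-only policy an OEM could apply if some access were genuinely needed. The request struct, function names and the /efs/modem/ directory are assumptions made for this example, not Samsung’s actual RIL/IPC definitions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a modem-originated remote file I/O request, as the
 * article describes it. Names are assumptions for this example only. */
enum rfs_op { RFS_READ, RFS_WRITE, RFS_DELETE };
struct rfs_request {
    enum rfs_op op;
    const char *path;   /* path supplied by the modem */
};

/* Behaviour the article attributes to the proprietary program: every request
 * from the baseband is honoured, so the modem can read, write and delete
 * arbitrary files on the applications processor's storage. */
static bool rfs_vulnerable_allow(const struct rfs_request *req)
{
    (void)req;
    return true;
}

/* Replicant's stance as quoted in the article: refuse to cooperate at all.
 * Logging the attempt also gives defenders a detection signal. */
static bool rfs_refuse_all(const struct rfs_request *req)
{
    fprintf(stderr, "baseband asked for file op %d on %s: refused\n",
            (int)req->op, req->path);
    return false;
}

/* Assumed confined policy: read-only, inside one dedicated directory,
 * and no ".." components that could escape it. */
#define RFS_ALLOWED_DIR "/efs/modem/"   /* hypothetical directory */
static bool rfs_confined_allow(const struct rfs_request *req)
{
    size_t plen = strlen(RFS_ALLOWED_DIR);
    size_t len = strlen(req->path);
    if (req->op != RFS_READ)
        return false;                              /* no writes or deletes */
    if (strncmp(req->path, RFS_ALLOWED_DIR, plen) != 0 || len == plen)
        return false;                              /* outside the directory */
    if (strstr(req->path, "/../") != NULL ||
        (len >= 3 && strcmp(req->path + len - 3, "/..") == 0))
        return false;                              /* traversal attempt */
    return true;
}
```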
However, given the degree of control that the phone’s baseband firmware has over the hardware, the modem may still be used to remotely control the device, for instance by turning on the microphone to listen in on conversations.
Samsung has not yet provided an official response to the security issue. Replicant has offered to help the company address it, however, and would be “very glad to work with Samsung in order to make things right, for instance through releasing free software or documentation that would make it easy for community Android versions to get rid of the incriminated blob.”