Backdoor snoops can access files on your Samsung phone via the cell network – claim

The developers of Replicant, a pure free-software version of Android, claim to have discovered a security hole in certain Samsung Galaxy phones and tablets – one so serious that it could potentially grant an attacker remote access to the device's file system. Among the devices said to be vulnerable are the Nexus S, Galaxy S, …

COMMENTS

This topic is closed for new posts.
  1. Eguro

    The optimist: Maybe it's just a way to circumvent the phone for maintenance if the main software has buggered somehow. It's used only for problem solving and such

    The pessimist: No way is this only in Samsung phones

    1. Fatman

      RE: We've found a file spying backdoor in Samsung phones – Replicant devs

      The pessimist: No way is this only in Samsung phones They just found another NSA backdoor!!!!

      FTFY!!!

    2. Anonymous Coward

      Amusing that people try and build a secure phone OS by starting with the least secure phone OS in Android. Which needs addons like Knox to try and imitate the security that say Blackberry or Windows Phone come out of the box with.

      1. Bronek Kozicki

        Not at all. It would be amusing if they started from a closed platform, such as iPhone. Try to reverse engineer that.

      2. Yet Another Anonymous coward Silver badge

        And your closed source phone doesn't have any extra CPUs in the modem or screen or camera?

        And you know that these extra CPUs don't have bus access?

        And you know there are no errors in the OS - like a 10-year-old hole when displaying JPEGs - which give them unrestricted access

        But at least you know that it doesn't matter because your commercial OS is pawned by a NSL anyway

      3. eulampios

        @AC

        No, amusement is all ours to see how naive you really are. Any proprietary OS has all those delicacies out of the box; it is a big fat back door, by definition. The sad part here is that you might not be able to verify it in any way other than through some kind of back-engineering.

        And on top of that, it might be either impossible or very hard to load an alternative, open OS on the device at all. So Win Phone and surfaces are to be ruled out right there.

  2. Charles Manning

    Lot's of speculation

    So they've found a back door frame. It might have a solid, well locked door in it or it might have something bad people can sneak through.

    Granted, the software should be restricting permissions as much as it can, but there really is no smoking gun, or even gun.

    These days, as hardware becomes both more capable AND more integrated, it is getting harder to verify security just at the software level.

    It is getting common for ethernet controllers, modems, etc. to become more capable with complex software stacks. Many of these sit on the bus as a bus master and can access all the system resources (RAM, peripherals, ...) just as easily as the CPU can. It is very much technically feasible to get these devices to snoop memory and access resources.

    At that level of integration, the OS permissions etc just don't matter since the OS and the CPU are not even part of the picture.

    1. A Non e-mouse Silver badge

      Re: Lot's of speculation

      It is getting common for ethernet controllers, modems, etc to become more capable with complex software stacks. Many of these ... can access all the system resources (RAM, peripherals,...) just as easily as the CPU can.

      It's already been done.

    2. Steve Graham

      Re: Lot's of speculation

      If I understand it correctly, the issue here is that the modem software has a relatively high-level interface to the phone's file system. That's different to a peripheral sitting on the same bus as the CPU.

      The latter, as you say, is a default consequence of current designs, but the former is a deliberate design decision, and one I find hard to justify for innocent purposes.

      1. John Smith 19 Gold badge

        Re: Lot's of speculation

        "If I understand it correctly, the issue here is that the modem software has a relatively high-level interface to the phone's file system. That's different to a peripheral sitting on the same bus as the CPU."

        No.

        The issue is the RF MODEM software is not a separate process running on the standard ARM but a separate processor implementing the Android interface by executing software on its own processor.

        And with a whole bunch of extra commands as well.

        1. Steve Graham

          Re: Lots of speculation

          You've misunderstood my post.

          (Also, I've just noticed that I inherited a misused apostrophe from the original post.)

    3. JeffyPoooh

      Re: Lot's of speculation

      Even the memory card jammed into the phone can run code.

  3. Roger Stenning

    Am I being cynical...

    ...or does Replicant, screaming "SECURITY HOLE! (you can avoid it with OUR operating system)" just sound a little bit like sensationalist panic-driving advertising?

    Reference (para 10): "The solution, Kocialkowski says, is to replace the device's stock Android firmware with a purely free-software OS, such as Replicant."

    Meh. Because, well.

    1. Anonymous Coward

      Re: Am I being cynical...

      No, because they aren't claiming Replicant would fix this hole. If there's a separate lower level (realtime, no doubt) OS running on the modem, it wouldn't matter what OS is running on the main CPU. Maybe this is something they discovered while replacing various proprietary bits of Android and had to write the interface that talks to the modem.

      Definitely want to learn more about this, and what modems may be vulnerable. Maybe the NSA doesn't care if a phone is running Android, iOS, Blackberry or WP, if they've got a way to break into the Qualcomm modem's OS to do what they want...

      1. hyarion

        Re: Am I being cynical...

        "No, because they aren't claiming Replicant would fix this hole."

        Yes they are: "THE SOLUTION, Kocialkowski says, is to replace the device's stock Android firmware with a purely free-software OS, such as Replicant."

        And there's the fact that they cover themselves frequently by stating it's not actually something unique to samsung and is common elsewhere - e.g. "And because this processor runs a proprietary operating system – like virtually all phone modems do".

        While this is very likely an issue that should be addressed with device manufacturers, this sounds very much like its primary purpose was to generate awareness of their OS coupled with a bit of fear to get people to use it.

        1. dogged

          Re: Am I being cynical...

          > Yes they are: "THE SOLUTION, Kocialkowski says, is to replace the device's stock Android firmware with a purely free-software OS, such as Replicant."

          Caps yours and no, they're not.

          "He cautioned, however, that if the modem can potentially take full control of the device's main application processor, further remote exploits may still be possible, including ones that even an OS replacement like Replicant can't block."

          That's a responsible warning, not a sales drive. Not that a sales drive for free software is exactly common except among evangelists on the Reg's comment boards anyway.

          1. petur

            Re: Am I being cynical...

            It all depends on how the modem is connected to the rest of the system, really. If it is connected via a serial link, it needs a program on the main CPU to communicate with the modem and execute its (evil) commands. AFAIK most modem chips work this way.

            What they claim (as a warning) is that they can only close the hole at the processor by not implementing those (evil) commands. However, nothing stops the modem from intercepting and forwarding any traffic that passes through it, since it is a closed system with its own firmware.

            So yes, they close the security hole regarding access to your data/files, but other mishaps are still possible.
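petur's point above is that on a serial-link design the program on the application processor decides which modem commands get executed, so leaving the file-access commands unimplemented closes that particular hole while the modem itself stays opaque. The following added example (not code from the article, Replicant or Samsung) models that with a constructed, hypothetical frame format and request IDs; the allow-list dispatcher stands in for the application-processor side, and a rejected request is logged so it can be seen rather than silently dropped.

```python
"""Constructed model of the modem <-> application-processor link.
The frame layout and request IDs below are hypothetical, not any vendor's
real IPC protocol."""
import struct

# Hypothetical request IDs. The REQ_FS_* ones stand in for the kind of
# file-access commands the article says the modem can issue.
REQ_NET_STATUS, REQ_SMS_DELIVER, REQ_FS_READ, REQ_FS_WRITE = 0x01, 0x02, 0x10, 0x11

# Commands the application-processor daemon needs for ordinary phone duty.
# Anything not listed here is refused instead of being executed.
ALLOWED = {REQ_NET_STATUS, REQ_SMS_DELIVER}


def encode(req_id: int, payload: bytes) -> bytes:
    """Frame: 1-byte request id, 2-byte little-endian payload length, payload."""
    return struct.pack("<BH", req_id, len(payload)) + payload


def decode(frame: bytes):
    """Parse one frame, refusing truncated or oversize input."""
    req_id, length = struct.unpack_from("<BH", frame)
    if len(frame) != 3 + length:
        raise ValueError("truncated or oversize frame")
    return req_id, frame[3:3 + length]


def dispatch(frame: bytes, handlers: dict, allowed=ALLOWED, log=None):
    """Application-processor side: run the handler only for allowed requests.
    Returns ("ok", result) or ("rejected", req_id)."""
    req_id, payload = decode(frame)
    if req_id not in allowed:
        if log is not None:
            log.append(f"rejected modem request 0x{req_id:02x} payload={payload!r}")
        return ("rejected", req_id)
    return ("ok", handlers[req_id](payload))


def run_sample():
    """Replay constructed traffic: two legitimate requests and one file read."""
    handlers = {REQ_NET_STATUS: lambda p: "registered",
                REQ_SMS_DELIVER: lambda p: p.decode()}
    log = []
    frames = [encode(REQ_NET_STATUS, b""),
              encode(REQ_SMS_DELIVER, b"hello"),
              encode(REQ_FS_READ, b"/data/user/secret.txt")]  # constructed path
    results = [dispatch(f, handlers, log=log) for f in frames]
    return results, log
```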

    2. Anonymous Coward

      Re: Am I being cynical...

      Well, there has to be some law-enforcement interface to plant kiddie-pr0n or bomb-making manuals that can later be used as evidence. Otherwise, the growth projections of the security state will be harmed and stockholders will demand new leadership.

  4. Neil Alexander

    "Back door" is the wrong term. "Security weakness" is the correct term.

    1. Beau

      "Back door" = "Security weakness"

      Er, isn't a "Back door" a "Security weakness".

      Unless, that is, it's firmly locked?

      1. auburnman

        Re: "Back door" = "Security weakness"

        "Back Door" implies it was deliberately designed in for illicit access, which is not an allegation which the currently available facts can support.

    2. Anonymous Coward

      Backdoor / Security weakness

      It's probably all a matter of perspective, but if it provides privileged access to the user's data and it is not possible for the user to disable it, then I'd say it certainly is a security weakness.

      If in addition it is undocumented and not necessary for the correct operation of the device, then I have no doubt that 'Backdoor' is the correct term. It doesn't really matter what its purpose is.

  5. HKmk23

    ROE (Rules of Engagement)

    Do not use any radio device to pass or receive important data or information.

    Do not allow any critical computer system to be connected to the internet.

    Oh so simple really.

    1. FuzzyTheBear

      Re: ROE (Rules of Engagement)

      The days of the computer phone modem seem to be near, again. A single computer-to-computer comm via telephone line, encrypted to the max, seems a more private means of communication.

  6. Hans 1

    Here I was thinking that Android apps reading/writing or even deleting your contacts, shared files etc., etc., etc. without you being able to stop it was bad, now this ... hm ... I do guess this affects all mobile phones, not just smartphones, and certainly not just phones from one vendor if the OS with the backdoor running on that radio chip is Qualcomm's.

    I also think phones are insecure by design for a reason.

    Shit, choppers again, c ya l8er [crawl, crawl, crawl]

  7. TJ1

    Misguided sensationalism

    I'm associated with the Replicant project with my work on reverse-engineering the MEIF protocol for GNSS/GPS chipsets to create an open-source replacement for the current binary blobs that implement location services.

    I think Paul has misunderstood the architecture and purpose of these master-slave System on Chip (SOC) designs - the applications CPU is a co-processor under control of the boot CPU.

    I've reverse engineered several 'smart' phones with dual-CPU architectures where the baseband real-time executive OS is something like REXX/AMSS running on the boot CPU and the user interface OS is Android/Linux or Windows Phone running on the application CPU.

    Internal flash memory is partitioned and some partitions are used for read/write data by the real-time executive. At power-on the boot CPU has exclusive access to the flash partitions.

    However, once the boot CPU has initialised the application CPU and handed over control to the secondary boot loader on the application CPU, which in turn loads the kernel and the root file-system, it cannot directly access the flash partitions without risking corruption.

    From that point on the application CPU OS has exclusive control of the flash memory. If the boot CPU needs to access it that has to be done via shared memory or other RPC mechanisms.

    These are required for Firmware Over The Air (FOTA) updates and access to other partitions containing OS and user configuration data, including such things as touch-screen calibration data.

  8. heyrick Silver badge

    it's not readily apparent what it's capable of doing

    How about an "erase your phone if stolen" feature? When does a useful feature become a weakness? If it can be exploited? If so, isn't this true of pretty much anything?

  9. Tex Arcana

    Huh.

    Time for a replacement phone:

    http://quixoteslaststand.files.wordpress.com/2013/11/rotary_phone_1233145.jpg

  10. Anonymous Coward

    It's not just the phone(s) OS....

    The default configuration of the tools used to make apps (for both Apple and Android) appears to default to settings that allow access to things on your phone that nobody in their right mind would give permission to.

    Why does any app need permission to dial numbers, scrape or delete contacts, change various parameters etc., etc., especially stuff like Flappy Birds?

  11. Jamie Jones Silver badge

    "The default configuration of the tools used to make apps (for both Apple and Android) appear to default to settings that allow access to things on your phone that nobody in their right mind would give permission to."

    No they don't - not on Android, at least.

    It is true that if an app is built using an old SDK level where a newer permission didn't exist, for compatibility reasons that app will be granted said permission automatically on devices where the permission does exist.

    Also, it can be argued that some of the permissions aren't granular enough (For instance, Candy Crush saga requests 'read details of installed apps' so that it can bug you in game to install some of their other games if you haven't already - it would be nice if such a permission could be restricted to apps from the same author, for example)

    "Why does any app need permission to dial numbers, scrape or delete contacts, change various parameters etc etc especially stuff like Flappy Birds?"

    Generally, excess permissions are a requirement of in-app advert SDKs - I'm sure you can draw your own conclusions on that!

    It's also a pain that there is no mechanism for apps to request permissions that are optional, and can be rejected, allowing an app to be run with reduced functionality.

    But yeah, many apps do request excessive permissions - either out of authors' ignorance, or more evil reasons!
