Poking Holes In Samsung's Android Security
Orome1 writes "Tired of waiting for Samsung to fix a string of critical flaws in their smartphones running Android, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace. Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow. This includes a silent installation of highly-privileged applications with no user interaction and an app performing almost any action on the victim's phone."
After some further investigation, it seems all these exploits are fixed in the latest 4.2 leaked firmware for the SGS3, so ... they're actually fixed, just maybe not rolled out yet.
Say what you will about Apple & the iPhone, but I appreciate the tight integration of OS & hardware and their desire to provide a consistent & reliable user experience. I own and use a (Sprint) Samsung Galaxy S2 Epic 4G Touch, and it was a series of broken promises on ever getting ICS. When finally rolled out, it wasn't the true Android experience, but some half-baked Samsung-proprietary interface aka "TouchWiz." Great, that wasn't what I was sold when I purchased the device. I want Android, not Samsung's half-baked, bug-filled, garbage-software-filled version of it.
Eventually, I rooted and installed JB, because Samsung sure as heck wasn't going to do that. And then, as you venture deeper into the rooting environment, you find out about a bunch of hardware/software issues directly caused by Samsung, including but not limited to the eMMC super-brick bug. These security issues in TFA are just more of the same. For me, their handling of their Android phones and my experience with them has tarnished their image across their entire product fleet. Will I buy a Samsung brand washer/dryer? There's a lot of digital tech in even washing/drying machines nowadays. Before this, their name wasn't an issue. Now, maybe I consider some other brand.
"any patches [Samsung] develops must first be approved by the network carriers."
Well, there's your problem. If I had to call up my ISP every time I wanted to patch Windows, I'd be screwed.
When finally rolled out, it wasn't the true Android experience, but some half-baked Samsung-proprietary interface aka "TouchWiz."
Lesson learned: If you want a full-baked true Android experience, always look for the word "Nexus".
PCs don't require the user to bring in the computer to have it reprogrammed to use a different ISP. CDMA2000 without CSIM, the typical setup on U.S. prepaid carriers such as Ting and Page Plus, does.
I still can't use my phone as a WiFi access point without paying an additional $10-$20 per month.
That's an ISP problem more than an Android problem. During this transition from 2G to 3G to 4G-lite,* wireless carriers rely on subscribers not using all their monthly megabytes, and subscribers who use multiple devices on one plan tend to use more megabytes per month than subscribers who do not. Even a phone that obeys its owner (that is, one with a custom ROM) can't hide tethering-like behavior unless you run everything through a VPN. Carriers are reported to use traffic to Internet sites that host desktop OS updates, antivirus updates, and desktop application updates as evidence of tethering. By the time you've paid extra for a higher cap and paid extra for a VPN so that the ISP doesn't see what you're visiting, you might as well have paid for the tethering rider.
* "Lite" because LTE isn't really 4G.
Yup. And look at the eMMC "Superbrick" defect on many of the GS2 family. Many of those devices had a defect in the eMMC wear leveller such that the chip could be unrecoverably corrupted if you issued a secure erase command to the chip. (Probably about a 5% chance of it happening; it's similar if not identical to the defect that hit some of their desktop SSDs in late 2012.) Not even JTAG could bring a "Superbricked" device back to life.
After discovery of exynos-abuse, the only thing standing between Samsung and permanent damage to thousands of devices was the fact that modern blackhats care more about obtaining information (money) than doing damage. Samsung knew about this bug for many months - they were aware of the defect in the eMMC chips as early as Galaxy Nexus prototype development in 2011. Yet they released updates for devices in 2012 with kernels that allowed secure erase through to the eMMC chip. The only safe device was the I9100 - which had MMC_CAP_ERASE removed from the kernel to protect the chip. In June 2012, Samsung publicly acknowledged the bug and claimed to be "working hard" on it - in July 2012 they released updates for the I9100 that turned the MMC_CAP_ERASE flag ON, putting those devices in danger.
They had an official fix that blocked only secure erase merged into the mainline Linux kernel in September 2012, but not a single affected device had the fix deployed until 2013. Their "stuff takes time to get through carrier testing" line is bullshit. Sprint FI27 was *built* (as in, testing STARTED not ended) on September 27, 2012 (nearly a month after the official fix had been mainlined), and deployed to customers in early-mid October.
As to the I9100 XWLPM MMC_CAP_ERASE fiasco, Samsung's answer was that the lack of MMC_CAP_ERASE in earlier source code was a mistake and that the source code did not match binaries running on devices (yes, that's right, Samsung's defense was "yeah bitches, we violated the GPL"). The strange thing is, this was one of the cases where Samsung's source actually DID match binaries - not a single I9100 ICS kernel prior to XWLPM and XXLQ5 had MMC_CAP_ERASE turned on. (This was obvious by the fact that no one experienced "Superbrick" on such devices.)
Samsung's stance was that it was an "open source" problem, but the fact is, with a privilege escalation exploit, any malware could permanently destroy many of Samsung's devices to the point where a motherboard replacement (instead of mere JTAG) was required.
In short, Samsung's "SAFE" marketing crap is bullshit. "Samsung Approved for Enterprise" - who did the approval? Samsung! Hardly an independent certification authority.
retrorocket.o not found, launch anyway?
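The comment above turns on one kernel detail: whether an MMC host driver advertises MMC_CAP_ERASE, which is what lets (secure) erase requests reach the eMMC chip. The script below is an added example, not code from the thread, from Samsung or from the Linux kernel: it scans constructed driver source for that flag, skips commented-out occurrences, distinguishes a set (`|= MMC_CAP_ERASE`) from a clear (`&= ~MMC_CAP_ERASE`), and diffs two source trees to report drivers where the flag newly appeared, which is the kind of check that would have caught the XWLPM change the commenter describes. The file paths, driver bodies and the "last set/clear wins" rule are all assumptions made for the example.

```python
"""
Added example: audit MMC host driver source for the MMC_CAP_ERASE capability.
Everything below (paths, driver snippets) is constructed for illustration and
is not real Samsung or mainline Linux driver code.
"""
import re
from typing import Dict, List, Tuple

FLAG_RE = re.compile(r"\bMMC_CAP_ERASE\b")
CLEAR_RE = re.compile(r"~\s*MMC_CAP_ERASE\b")


def strip_comments(src: str) -> str:
    """Drop /* */ and // comments so a commented-out flag is not counted.
    Block comments are replaced by the newlines they spanned, so line
    numbers reported later still match the original file."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                 src, flags=re.S)
    return "\n".join(re.sub(r"//.*$", "", line) for line in src.splitlines())


def scan_source(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, text) for every live use of the flag.
    action is 'clear' for a mask-out (~MMC_CAP_ERASE), else 'set'."""
    hits = []
    for no, line in enumerate(strip_comments(src).splitlines(), start=1):
        if not FLAG_RE.search(line):
            continue
        action = "clear" if CLEAR_RE.search(line) else "set"
        hits.append((no, action, line.strip()))
    return hits


def erase_enabled(src: str) -> bool:
    """Heuristic (assumption): the last set/clear in file order wins."""
    state = False
    for _, action, _ in scan_source(src):
        state = action == "set"
    return state


def audit_tree(tree: Dict[str, str]) -> Dict[str, bool]:
    """Map each host driver path to whether it leaves MMC_CAP_ERASE enabled."""
    return {path: erase_enabled(src) for path, src in tree.items()
            if path.startswith("drivers/mmc/host/")}


def newly_enabled(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Drivers where the flag is live in `after` but was not in `before`."""
    old, new = audit_tree(before), audit_tree(after)
    return sorted(p for p, on in new.items() if on and not old.get(p, False))


# Constructed sample trees: an "old" kernel with the flag left out and a
# "new" update that switches it on in the same driver.
OLD_TREE = {
    "drivers/mmc/host/vendor-mshc.c": """
/* constructed sample: capability deliberately left out */
static int vendor_mshc_probe(struct platform_device *pdev)
{
\thost->caps = MMC_CAP_4_BIT_DATA | MMC_CAP_8_BIT_DATA;
\t/* host->caps |= MMC_CAP_ERASE;  left out to protect the buggy eMMC */
\treturn 0;
}
""",
    "drivers/mmc/host/sdio-only.c": "host->caps = MMC_CAP_SDIO_IRQ;\n",
}
NEW_TREE = dict(OLD_TREE)
NEW_TREE["drivers/mmc/host/vendor-mshc.c"] = """
static int vendor_mshc_probe(struct platform_device *pdev)
{
\thost->caps = MMC_CAP_4_BIT_DATA | MMC_CAP_8_BIT_DATA;
\thost->caps |= MMC_CAP_ERASE;  // constructed: flag turned on in the update
\treturn 0;
}
"""

if __name__ == "__main__":
    for path, hits in ((p, scan_source(s)) for p, s in NEW_TREE.items()):
        for no, action, text in hits:
            print(f"{path}:{no}: {action}: {text}")
    print("newly enabled:", newly_enabled(OLD_TREE, NEW_TREE))
```

Run it against a real tree by reading `drivers/mmc/host/*.c` into the dict; the comment stripping and set/clear rule are simple heuristics (a `//` inside a string literal or a flag set via a macro would need more than a regex), so treat a hit as a prompt to read the driver, not as a verdict.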
I had problems with my Samsung TV. It would take 10 minutes to turn on. Just sit there clicking on, off, on, off. I called Samsung and it was a known problem. They contacted a local repair shop and had the shop come out to my house and fix it THAT NIGHT. Zero cost to me.
Are you one of these crazy old people who still repair stuff?
I am. I have a ~7-year-old Samsung 1600x1200 monitor that still looks nice. I like this form factor, and it's hard to get in these days of HDTV LCDs. Unfortunately, Samsung was known for using shoddy capacitors in that time period, and a few years ago my monitor started blacking out shortly after power-up.
I found a video on YouTube where they showed how to fix my exact model, and I fixed mine with $5 of new caps. Now it's still going strong.
It would be hard to find someone who does NOT use cheap 'China caps' inside instead of proper Panasonic (Japan) or Nichicon or any of the other *reliable* electrolytic makers.
badcaps.net is informative for those that have not heard of this 15+ year-old problem in the parts industry. Worldwide! China fucked the world on this and we're still paying with blown caps on nearly everything that uses them.
Buy the parts from known places (Digi-Key, Mouser, Newark, Jameco, etc.) and you'll get guaranteed real parts, not fakes. Even the vendors who build boards tend to use fake caps (bad formula) and they last about a year before they fail.
--
"It is now safe to switch off your computer."
Funny how in a thread about Samsung, someone must come out and say "but Apple also sucks," as if this then makes it all better.
And comparing Apple to rape is a bit much, isn't it?
And all the idiot moderators that modded this interesting, WTF are you smoking?