Slashdot Mirror


Replicant OS Developers Find Backdoor In Samsung Galaxy Devices

An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."

126 comments

  1. OTA updates by Anonymous Coward · · Score: 0

    Anyone? Bueller?

    1. Re:OTA updates by Anonymous Coward · · Score: 0

      here ya go.

      But seriously, is this a "back door" (ie, an intentionally included method for remote file system access) or just a vulnerability (something left open accidentally). The effect for the end user may be the same technically, but the consequences for Samsung may be very different...

    2. Re:OTA updates by mythosaz · · Score: 2

      It was a vulnerability. Now it's a back door.

    3. Re:OTA updates by supertall · · Score: 5, Informative

      Actually, the article states that Cyanogenmod uses the same blob as well.

    4. Re:OTA updates by dos1 · · Score: 5, Interesting

      This is part of their undocumented protocol for communication with the modem. The modem can ask to read or write some file on disk using IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_LSEEK_FILE, IPC_RFS_CLOSE_FILE, etc. messages, and the library will happily do that for the modem. It's hardly unintended.

    5. Re:OTA updates by Anonymous Coward · · Score: 0

      From TFA:
        "the incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

      Seems pretty clear that this is a back door, and not a security bug. If I understand correctly they coded an interface which allows the modem read/write access to the OS. No way that's unintentional.

    6. Re:OTA updates by Anonymous Coward · · Score: 5, Funny

      "Nuts!" said the NSA. "Now we'll have to use one of our 12 other methods!"

    7. Re:OTA updates by Anonymous Coward · · Score: 1

      Who has access to execute these commands? I'm assuming just my carrier?

    8. Re:OTA updates by Anonymous Coward · · Score: 3, Interesting

      Or anyone who sets up a fake tower? That's a pretty common and relatively easy attack vector now...

    9. Re:OTA updates by Anonymous Coward · · Score: 0

      Seems pretty clear that this is a back door, and not a security bug. If I understand correctly they coded an interface which allows the modem read/write access to the OS. No way that's unintentional

      That is if it even works. FTFA:
      As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system.

      It's not proven that this even works.

    10. Re:OTA updates by Anonymous Coward · · Score: 0

      If the modem has such ability and you can't control nor even strictly check what it does, it's already too much.

    11. Re:OTA updates by megabeck42 · · Score: 4, Interesting

      I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.

      A quick strings on my Samsung Captivate Glide's modem firmware reveals all manner of novel debug messages and log strings:

      err/CP_MA_TRACE_%d_%04d%02d%02d%02d%02d%02d.bin
      [DUMP] FILE OPEN FAIL
      [ERROR]%s,%d,%s
      [DUMP] FILE CREATE FAIL
      [DUMP] Write MA Trace To /data/efs/err =====
      aurrcbp: discard cell due to system information read error
      [Net]NV Read Fail! OEM_NVM_TESTBED

      etc.

      I do know that a lot of data persistence for the radio is done with dotfiles scattered around and throughout /data and /efs (because real nvram is expensive).

      I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

      I don't think it's clearly a backdoor. But, I do believe the concern is warranted. The radio/modem's firmware blob is not auditable. Perhaps a combination of logging/auditing filesystem requests and limiting which files are accessible by the RILD? Actually, isn't the rild run as an unprivileged user, radio? (Possibly for this very reason?)

      --
      fnord.
    12. Re:OTA updates by bug1 · · Score: 4, Insightful

      This is part of their undocumented protocol for communication with the modem. Modem can ask to read or write some file on disk using ...

      And how is an "undocumented protocol for communication" different from a backdoor?

    13. Re:OTA updates by dos1 · · Score: 1

      It's not.

    14. Re:OTA updates by davester666 · · Score: 1

      Lube up boys. Time to start probing the other back doors.

      --
      Sleep your way to a whiter smile...date a dentist!
    15. Re:OTA updates by Anonymous Coward · · Score: 0

      Maybe the functions used by the baseband processor to fetch its firmware when upgrading the radio firmware?

    16. Re:OTA updates by cheater512 · · Score: 2

      Where exactly would you expect the documentation for something like that to be in a consumer device?

    17. Re:OTA updates by bug1 · · Score: 1

      Where exactly would you expect the documentation for something like that to be in a consumer device?

      e.g. We aren't sure where to put all that TCP/IP documentation, so don't bother writing it all down.

    18. Re:OTA updates by Anonymous Coward · · Score: 0

      If the modem has such ability and you can't control nor even strictly check what it does, it's already too much.

      You say that, but in reality you are wrong. People will still buy them just as they buy iPhones; you have to prove that it is a problem rather than just assuming simply because you don't know.

    19. Re:OTA updates by Anonymous Coward · · Score: 0

      Well how is a documented protocol for communication different from a backdoor? Is it somehow that anything that is undocumented is malicious?

    20. Re:OTA updates by Anonymous Coward · · Score: 0

      When I was a kid the computers my parents purchased came with 3 paper books that came with my OS: the first was basic usage instructions, the second detailed instructions of how to use every piece of software that came with the OS including all extra flags, options, and known bugs. The third book was the advanced manual and contained a listing of every file, what it did, and what all the system libraries were that could be called should you desire to build a program using a language of your choice.

      These were of course the new-fangled computers with keyboards and fancy electronic displays. Previous to this, the computers the schools had, for instance, operated by sticking in instruction cards with holes punched in them and reading off a series of lights and comparing it to instruction books for the results of your operations. I was lucky enough to be in the last group that got to use those punch machines and was one of the first in my class to try out Math Blaster with its amazing color graphics. I was very young though, and did not realize the significance of any of that, being only in 3rd grade.

    21. Re:OTA updates by bill_mcgonigle · · Score: 1

      Well how is a documented protocol for communication different from a backdoor?

      On a house, how is the back door different than the front door, other than being on the back side of the house?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    22. Re:OTA updates by s.petry · · Score: 3, Insightful

      I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.

      No evidence to the contrary either, and worth questioning since this is a common theme. Motorola was found to be sending all kinds of data to Motorola servers without user knowledge, including specific authentication information in plain text; Apple's SSL mess-up; countless MS back doors in just about everything they make. Then you have other players that made horrible decisions costing them their phone business.

      At a point we should at least wonder if these things are really just accidental and sloppy, or are they working as influenced/intended. The more we find that companies are doing the same things, the less plausible the "accidental" theory looks.

      How to actually find out is the hard part. Any company doing things for a fat check and favors from a government realizes that whistleblowers will lose future checks and favors. I'd be very interested in seeing all the files the government has on this, especially things like how many employees on government payroll are working at places like Intel, Samsung, Apple, Microsoft, etc. (if any). It's too bad the CIA and Senate fight won't do anything to open that door.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    23. Re: OTA updates by Anonymous Coward · · Score: 0, Troll

      Because it's Samsung and Android instead of Apple, perhaps?

      If Apple did this, it would be an absolute Apple hate-fest. People here are defending Samsung's actions and debating whether this was an intentional back door or not. Who are the fan-boys again?

    24. Re:OTA updates by Anonymous Coward · · Score: 0

      I don't care about "people", I care about me, and the unreasonable existence of such an ability is enough for me to not buy such a device.

    25. Re:OTA updates by Anonymous Coward · · Score: 0

      Fortunately, for some values of device and OS, you can still find such documents online. They've just become too large to print and ship with the devices.

    26. Re:OTA updates by Anonymous Coward · · Score: 0

      The fence around the back with the signs stating "Beware of Dog" and "No Trespassing".

    27. Re:OTA updates by kbg · · Score: 1

      On the included SD card? On the manufacturer website?

    28. Re:OTA updates by Anonymous Coward · · Score: 0

      Time for your nap now, Grandpa Simpson.

    29. Re:OTA updates by teslar · · Score: 2

      I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

      Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.

    30. Re: OTA updates by Ronin+Developer · · Score: 1

      Wow! Someone states an apparent truth and it gets marked down to -1 so nobody sees it - it's not the message the Android and Samsung fans want to hear, apparently. But the original poster is correct: if this happened with Apple, there would be no "misunderstanding" as to whether this was intentional or not on this site.

    31. Re:OTA updates by Anonymous Coward · · Score: 0

      > There is no evidence to suggest that it's a malicious backdoor.

      What on earth? A back door is a back door, and it doesn't matter if it's malicious or not. It's an invasion of privacy, unethical, and they absolutely have no right to do such a thing and keep it secret. If they do want to create backdoors, at least have the decency and the ethics to make sure everyone knows about it. Then let the consumer decide if they are happy with purchasing such a device or not.

    32. Re:OTA updates by cboslin · · Score: 1

      I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

      Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.

      That is exactly what I was thinking it could be used for, to wipe the device.

    33. Re:OTA updates by mrchaotica · · Score: 1

      Remotely wiping a stolen mobile phone ought to still be controlled by the main phone OS. All the modem should be responsible for is receiving the wipe request and passing it to the main OS's monitoring process.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    34. Re:OTA updates by megabeck42 · · Score: 1

      It's no more a backdoor than using static functions in your compiled C. Simply because it's not documented does not make it a backdoor.

      --
      fnord.
    35. Re:OTA updates by megabeck42 · · Score: 1

      Unfortunately, the daemon that opens, reads, and writes files on behalf of the modem is running as a specific unprivileged user, radio (uid 1001 on my phone). It could only wipe out the information I have in /efs and a few specific files in /data. Nothing bars it from triggering some other system/daemon/process responsible for more thorough wiping of data.

      --
      fnord.
    36. Re:OTA updates by megabeck42 · · Score: 1

      I'm replying again because it occurred to me to check the dictionary.

      A backdoor is an indirect and devious system conceived for the purpose of allowing access to resources by circumventing security protections.

      This is not. This is a set of IPC requests, an "API", to allow the modem firmware to store non-volatile information in a specific location of the host phone's filesystem.

      You're absolutely right that a backdoor is a backdoor; however, this is not a backdoor. If they'd really meant to introduce backdoors, don't you think they'd have made even a trivial effort to hide or obfuscate it? For example, D-Link's special request header "xmlset_roodkcableoj28840ybtide" that would bypass the web admin authentication. That's a backdoor. Misinterpreting wrappers for read() and write() is not.

      --
      fnord.
    37. Re:OTA updates by cheater512 · · Score: 1

      Would you also like them to give you a copy of the GSM specs? TCP/IP? An overview of the Linux kernel? The GPU's docs?

      None of that sort of thing is needed by the end users.

      I'm sure it is a fully documented feature, in Samsung.
      We don't get a full copy of their blueprints just by buying the device however.

    38. Re: OTA updates by Anonymous Coward · · Score: 0

      Nope, it does not!

    39. Re: OTA updates by Anonymous Coward · · Score: 0

      Yes, it does!

  2. How remote is remote? by WyrdOne · · Score: 1

    How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

    1. Re:How remote is remote? by MightyMartian · · Score: 2, Funny

      How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

      Yes

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:How remote is remote? by dos1 · · Score: 5, Informative

      The modem can ask the APU app to write/read selected files and do some other file system operations. Why would the modem want to read/write arbitrary files on the user's file system, and what could invoke such behavior of the modem, and how? The answer is up to your imagination.

      Well, in fact many other phones don't need any backdoor to do the same as lots of them have modems directly connected to main RAM, exposing it to monitoring or even manipulation by the closed and strictly secured modem firmware.

      That's why projects like Neo900 opt for clear APU<->modem separation as host<->peripheral, together with power and antenna usage monitoring and fully free software stack on APU side.

    3. Re:How remote is remote? by Jane+Q.+Public · · Score: 2

      "How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?"

      Doesn't matter. Nobody likes to get "backdoored" without their consent.

    4. Re:How remote is remote? by Anonymous Coward · · Score: 0

      Why would modem want to read/write arbitrary files on user's file system and what and how could invoke such behavior of the modem?
      and
      Or anyone who sets up a fake tower? That's a pretty common and relatively easy attack vector now...
      and
      previously reported incidents of cops using fake towers (short range) to track suspects' cell phones

      Leads to: cops (feds, whoever) load incriminating files (kiddie pr0n, whatever) on to undesirable person's cell phones to be used as evidence against them. For added hilarity, do it when they're about to cross a border.

    5. Re:How remote is remote? by SuricouRaven · · Score: 1

      Ask who controls the modem. It's not Samsung - it's the carriers. In the US market, some of them might like this capability for things like detecting who has uncrippled their bundled handset and enabled tethering rather than pay for the higher tier service.

    6. Re: How remote is remote? by bparker0017398 · · Score: 1

      So how can I disable or remove it from my Note 3?

  3. Workaround? by Anonymous Coward · · Score: 0

    There are no other results on google for the keywords (RxRFS_WriteFile, IPC_RFS_WRITE_FILE, etc). This is probably the first public disclosure of this backdoor (though I think we all expected this capability existed)

    Seeing as Replicant is not quite ready for full-time use (GPS doesn't work yet), can anyone provide a workaround for this backdoor?

    Better yet, port Replicant's Samsung-RIL library back into a standard Android build.

    I would happily pay developers to work on Replicant, if there were a way to do so.

    For those with more free time than money, check out their code wishlist: http://redmine.replicant.us/projects/replicant/wiki/Tasks

    1. Re:Workaround? by fuzzyfuzzyfungus · · Score: 1

      On phones that use Samsung's RIL but either custom firmware or substantially-modifiable rooted firmware, the SELinux capabilities that they added (fairly recently, was it 4.2?) could presumably be used to nuke most of the risk. Assuming it uses the filesystem commands at all, the legitimate day-to-day uses are presumably a few specific 'we were too cheap for NVRAM' locations that (if not documented, should at least be empirically determinable) you could then restrict it to.

      Now, if you just need a few megs of cheap storage and don't want to bump the BoM, building an arbitrary filesystem access mechanism seems so sloppy and unconcerned with actual security as to make me wonder what else they fucked up; but SELinux is pretty powerful, if a pain, at granular lockdown of lousy or dangerous software.

  4. Is this testing whether the OS is Replicant by Ukab+the+Great · · Score: 1, Funny

    or a lesbian?

    1. Re:Is this testing whether the OS is Replicant by grub · · Score: 1

      ha ha very good!

      --
      Trolling is a art,
    2. Re:Is this testing whether the OS is Replicant by greeze · · Score: 1

      Let me tell you about my mother.

    3. Re:Is this testing whether the OS is Replicant by circletimessquare · · Score: 1

      go home Sean Young, you're drunk

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  5. No contract, wifi-only by dpilot · · Score: 1

    So if I'm using my no-contract Samsung Galaxy phone as a wifi-only device, and have never inserted the SIM card at all, I believe I'm safe from this particular vulnerability.

    Tin-hatters, am I wrong on that?
    Explain.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:No contract, wifi-only by Anonymous Coward · · Score: 1

      With no SIM card you have no service plan, no encryption key to verify that you are a subscriber, and the towers have every right to refuse communication from you.

      That doesn't mean that a tower absolutely cannot talk to your device in a non-subscriber cleartext mode, if they choose to do so. Also, you THINK you turned off your radio; are you willing to trust the guys that have already been caught hiding deeply invasive crap to not violate that too? It could just turn on for a quick download of Skynet directives every other month; how would you ever know?

    2. Re:No contract, wifi-only by Charliemopps · · Score: 5, Informative

      No. The modem can write to your OS. Anyone can communicate with your modem, even Ham radio operators. Granted, exploiting this would be a huge technological challenge... unless of course this was placed there intentionally and they know exactly what to send to your modem to get it to do what they want.

    3. Re:No contract, wifi-only by ChunderDownunder · · Score: 1

      Not if you set it to flight mode.

    4. Re:No contract, wifi-only by megabeck42 · · Score: 3, Informative

      Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

      While, yes, technically anyone can communicate with your modem; anyone can communicate with your wifi card or your bluetooth adapter as well. And it would appear that the Samsung radio interface IPC layer at least has a modicum less access to the entirety of your device than your wifi driver - which is in the kernel. People have, in the past, exploited mistakes in wifi drivers and wifi card firmware to remotely exploit via wifi. (*: The specific instance I remember was with an old Intel 802.11b/g card and specially crafted management frames which could be trivially spoofed and didn't need to be encrypted to be accepted by the wireless card. The proof of concept was able to issue busmaster DMA read/writes which, ostensibly, would allow rewriting arbitrary kernel RAM, etc.)

      Across the scope of Samsung phones I was able to check (ok, two of them), the radio interface, the android host side of this communications channel, runs as uid 1001 (radio). As far as my cursory inspection revealed, this meant that the radio/modem can read/write the files in /efs and only read a number of other places, such as /sdcard. Granted, /sdcard contains a lot of your personal data. My point is that, in this case, a compromised modem is still less privileged than a compromised android service or, worse, a compromised driver/kernel. Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI, to describe them as a "backdoor" is horribly inappropriate.

      So, yeah, as you said, "huge technological challenge." Agreed. But, the idea that a data modem may be exploitable is by no means new.

      --
      fnord.
    5. Re:No contract, wifi-only by dpilot · · Score: 1

      As ChunderDownUnder reminds me, I forgot to mention that this phone has never been out of airplane mode, in addition to never having a SIM card plugged in. Flashing out of T-Mobile software was also one of the first things I did, and the other night I flashed CyanogenMod 11 M4. (Of course some of the guys on IRC suggest that even that is too commercial, and that I should go to snapshots over on xda-developers, to be safer.)

      I keep my tinfoil hat handy, just like I tend to channel RMS and ESR. But there are practical limits...

      --
      The living have better things to do than to continue hating the dead.
    6. Re:No contract, wifi-only by TheGavster · · Score: 4, Interesting

      Does anyone do verification on the "airplane mode" setting of phones? The FCC and FAA seem to have come to the conclusion that there's no way you can detect active radios via undesired behavior of an aircraft, and are down to sorting out the social ramifications of phone use on planes. I'd like to see an independent (and preferably paranoid) lab check to make sure that "all radios off" means that the radios are off, and not just that they stop passing traffic from the PDA OS.

      --
      "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
    7. Re:No contract, wifi-only by ShaunC · · Score: 4, Interesting

      Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

      He wasn't calling hams retards, quite the contrary. He was pointing out that people with absolutely no control over your cellular carrier's towers, and thus no legitimate path into your cellphone, could give you problems despite not being an "authorized" party. Those people would still need to be extremely technically adept, familiar with radio, etc. so hams was a pretty good example IMO.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    8. Re:No contract, wifi-only by BronsCon · · Score: 1

      That stops it from transmitting, but there's nothing stopping it from receiving. Blast out a message across all active towers (go ahead and translate JSON to whatever the phone will actually understand):

      {"IMEI": "[your phone's IMEI]", "eval": "[code to execute]"}

      Your phone can kick back out of flight mode when it's done, to acknowledge that it received the message and executed the instruction, then kick back into flight mode, and you'll quite likely be none the wiser.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:No contract, wifi-only by horm · · Score: 1

      As long as your phone is unable to connect to a cell tower/rogue femtocell/etc. you should be fine. The backdoor that was found is in the Radio Interface Layer (RIL), which governs communications between the Phone app and the radio. Wifi/bluetooth aren't managed by the RIL.

    10. Re:No contract, wifi-only by Anonymous Coward · · Score: 1

      Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI,

      I took your post as "informative" and even "insightful" right up to this remark. With it you forfeited all your credibility.

      The above might be the publicized (or maybe even "naively assumed") usage, but if it can as easily be used to access other files (system, log, personal, etc.) it is a bad oversight (if that is what it is) indeed.

      to describe them as a "backdoor" is horribly inappropriate.

      Maybe you're right and it should be called "criminal negligence" instead.

      You've been describing something like a key that's supposed to only access a gate in the fence of your backyard (something rather benign), but turns out to also open the doors of your house and fits the vault in the master bedroom too ...

      By the way: being able to silently, remotely overwrite the IMEI? I see joe-jobs coming up ... (a criminal cloning his phone's compromised IMEI to someone else's phone, letting the plod chase an innocent bystander for a while).

    11. Re:No contract, wifi-only by mysidia · · Score: 1

      When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

      Someone who happens to be a Ham operator, might use a radio-based exploit to attack their phone as a proof of concept.

      But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as transmission outside the frequencies within their operating privileges would be an FCC violation that could get their station licenses revoked.

    12. Re:No contract, wifi-only by IamTheRealMike · · Score: 1

      It's also just wrong. From 3G onwards phones authenticate the cell towers. Even with a full stack running you wouldn't be easily able to force a phone to associate to your tower, at least not without jamming all the other towers in your vicinity.

    13. Re:No contract, wifi-only by Anonymous Coward · · Score: 0

      Flight mode works for real on phones where it powers down (not off) the baseband. And you will know it, because it locks down the SIM (thus requires manual unlocking to register again with the carrier network) and drains a LOT less battery.

      Interestingly enough, all my Samsungs do exactly that.

      This crap is Samsung's usual incompetence at coming up with safe ways to do whatever stuff they think they need done.

    14. Re:No contract, wifi-only by cdrudge · · Score: 1

      As soon as backdoors or any other security related "features" get involved, I tend to think that anything is possible despite how things are supposed to operate.

    15. Re:No contract, wifi-only by Anonymous Coward · · Score: 0

      Funnily enough, none of my Verizon Samsung phones have ever done anything remotely like that. A GNex and Note 2 fwiw.

    16. Re:No contract, wifi-only by Anonymous Coward · · Score: 0

      https://www.google.com/search?q=stingray

      Oh really? Doesn't seem to be that difficult...

    17. Re:No contract, wifi-only by Anonymous Coward · · Score: 1

      https://www.google.com/search?q=stingray#q=stingray+cell+tower

      Sorry, full search link.

    18. Re:No contract, wifi-only by Anonymous Coward · · Score: 0

      Hang on, you mean your Verizon phone doesn't lock down the SIM in flight mode? Tell me more ...

    19. Re:No contract, wifi-only by L4t3r4lu5 · · Score: 1

      Faraday cage in a Faraday cage, take the phone inside both, hook up the internal cage to $SensitiveEquipment and look for induced current from the radio still being operational?

      IANAScientist, but it seems reasonable enough to me.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    20. Re:No contract, wifi-only by squiggleslash · · Score: 1

      I believe all Galaxy devices are capable of connecting to 2G towers. So assuming the message can be transmitted via 2G GSM, the sophisticated hacker (I assume) would need to spoof such a tower at a time when the targeted phone would need to avoid 3G for some reason (say, lack of signal or too poor a signal).

      --
      You are not alone. This is not normal. None of this is normal.
    21. Re:No contract, wifi-only by zeugma-amp · · Score: 1

      But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses revoked.

      Yup. So they couldn't do so openly. These days, there are plenty of ways to do so anonymously. Given some of the cool tools out there in the Ham world for connecting radios, I wouldn't be at all surprised to find an Elmer who could do some interesting things with cell phones if they wanted to.

      Yeah, I'm a ham, but I'd never put my callsign on /.

      --
      This is an ex-parrot!
    22. Re:No contract, wifi-only by Patch86 · · Score: 1

      Doesn't Airplane Mode deactivate WiFi (and Bluetooth, NFC etc.) as well? (Genuine question, I've not looked that hard at it). If so, I can't see how useful a device it can be without any active radios.

    23. Re:No contract, wifi-only by dos1 · · Score: 1

      In fact, all you need is for instance some TI Calypso based phone, like Openmoko Neo Freerunner or some old Motorolas, and OsmocomBB firmware. And of course lack of fear when you're doing something like that illegally.

    24. Re:No contract, wifi-only by dos1 · · Score: 1

      Just drown out 3G signal near the victim and make it connect to your own 2G station. Piece of cake.

    25. Re:No contract, wifi-only by megabeck42 · · Score: 1

      I do believe you missed the point of my comment entirely. These IPC requests for doing file I/O are there to allow the modem to read and write a small subset of files constrained to a specific portion of the directory hierarchy.

      Yes, the modem could potentially read other files - limited by unix access controls, but it cannot read nor write from arbitrary files.

      > Maybe you're right and it should be called "criminal negligence" instead.

      I was growing the impression you'd authored a post with value worth contributing to the discussion until I noticed this statement. I thank you for announcing your ignorance so clearly.

      Want to prevent people from destroying/modifying your IMEI using a yet-unknown-and-incredibly-unlikely-but-still-technically-possible hypothetical remote privilege escalation? Use the chmod(1) command with the argument 640 to remove the group write permissions.

      Really, how is this unlike any other phone that has a cellmodem with firmware and nvram?

      If you really wanted to limit what files the rild could interact with on behalf of the modem, a trivial bind mount and chroot() would suffice.

      --
      fnord.
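As an added example, not Replicant's or Samsung's code, here is one way to express the "constrained to a specific portion of the directory hierarchy" idea from the comment above: a lexical path-confinement check that a RIL-side handler could run on each modem-originated RFS file request before any open(). The base directory `/efs`, the function names and the sample requests are assumptions, not taken from the page.

```c
/*
 * Added example, not Replicant's or Samsung's code: a lexical
 * path-confinement check for modem-originated RFS file requests.
 * The subtree name, the function names and the sample requests
 * below are all constructed for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define RFS_BASE "/efs"   /* assumed: the one subtree the modem may touch */

/*
 * Normalise an absolute path lexically: collapse repeated '/', drop "."
 * segments, resolve ".." against the segments already kept. Writes the
 * result to 'out' (no trailing slash except for "/" itself).
 * Returns false for relative paths, for ".." that would climb above "/",
 * and for results that do not fit in 'out'.
 */
static bool rfs_normalize(const char *req, char *out, size_t outlen)
{
    size_t len = 0;
    const char *p = req;

    if (req == NULL || req[0] != '/' || outlen < 2)
        return false;
    out[len++] = '/';

    while (*p != '\0') {
        const char *seg;
        size_t slen;

        while (*p == '/')            /* skip one or more separators */
            p++;
        seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        slen = (size_t)(p - seg);
        if (slen == 0)
            break;                   /* trailing slash(es) only */
        if (slen == 1 && seg[0] == '.')
            continue;                /* "." is a no-op */
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 1)
                return false;        /* attempt to climb above "/" */
            while (len > 1 && out[len - 1] != '/')
                len--;               /* drop the last kept segment */
            if (len > 1)
                len--;               /* and the '/' that preceded it */
            continue;
        }
        if (len + (len > 1 ? 1 : 0) + slen + 1 > outlen)
            return false;            /* would overflow 'out' */
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, seg, slen);
        len += slen;
    }
    out[len] = '\0';
    return true;
}

/*
 * Accept 'req' only if its normalised form is 'base' itself or lies
 * strictly beneath it ('base' must be normalised and not "/"). A request
 * that passes still meets the ordinary unix permission check at open time,
 * and this lexical check does not see symlinks: open with O_NOFOLLOW (or
 * compare against realpath()) as a second layer.
 */
bool rfs_path_allowed(const char *base, const char *req)
{
    char norm[256];
    size_t blen = strlen(base);

    if (!rfs_normalize(req, norm, sizeof norm))
        return false;
    if (strncmp(norm, base, blen) != 0)
        return false;
    return norm[blen] == '\0' || norm[blen] == '/';
}

/* Convenience wrapper using the assumed base subtree. */
bool rfs_request_ok(const char *req)
{
    return rfs_path_allowed(RFS_BASE, req);
}

int main(void)
{
    /* constructed sample requests, as a modem might carry in an RFS message */
    const char *samples[] = {
        "/efs/imei/settings", "/efs/./imei/../nv", "/efs/../data/misc/radio",
        "//efs//a", "/efsx/other", "relative/path",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               rfs_request_ok(samples[i]) ? "allowed" : "denied");
    return 0;
}
```

This is one layer only: the file permissions the comment suggests tightening with chmod, and a bind mount plus chroot for rild, still apply underneath it.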
    26. Re:No contract, wifi-only by dpilot · · Score: 1

      Mine has been in airplane mode from day 1, with wifi on. I've seen where others have problems keeping wifi on when airplane is also on, but I haven't. Perhaps the fact that the SIM card is still in the original box, never inserted, has something to do with this. I bought an unlocked phone, and have never given it a chance to lock itself.

      --
      The living have better things to do than to continue hating the dead.
    27. Re:No contract, wifi-only by Anonymous Coward · · Score: 0

      Yes, the modem could potentially read other files - limited by unix access controls, but it cannot read nor write from arbitrary files.

      Potentially? I did spot a part of the TFA (third link in the posted article) that seemed to mention that at least the Galaxy S has the RPC calls running under Root privileges, thereby not being hindered by any limitations. The others? For all I know they might be running under "local admin" privileges (one step below Root), nothing is said about it.

      And pardon me, but could you explain to me what the need is for a(n undocumented!) way to gain access to "certain files" on a phone by a remote person? As far as I can tell there is nothing on a phone a remote person should have access to without the explicit say-so of the owner.

      That it's possible to do so using undocumented RPC which is kept out of the sight and thus the control of the owner of the phone is ... reprehensible to say the least. And pardon me saying so, but such an "out of sight and thus control" method is often called a "backdoor".

      Want to prevent people from destroying/modifying your IMEI using a yet-unknown-and-incredibly-unlikely-but-still-technically-possible hypothetical remote privilege escalation?

      Escalation? Not needed on a Galaxy S, as it seems to, per TFA, run the RPC calls under root. On other phones it could be running under similar privileges. And pardon me, but as GSM traffic can already be intercepted (the police uses a device called "stingray" for that) the possibility does not seem to be far-fetched at all. And that is disregarding the possibility that the same RPC calls can be accessed over WiFi, Bluetooth or something similar.

      Really, how is this unlike any other phone that has a cellmodem with firmware and nvram?

      You mean to say that as they all have got similar backdoors (do they?) it's OK? Strange reasoning ...

      If you really wanted to limit what files the rild could interact with on behalf of the modem, a trivial bind mount and chroot( ) would suffice.

      Yep. That's so easy to do for every john and jane on the street ... IT is not everyone's thing you know. And that is assuming that the phone you have will allow it of course.

      Bottom line: A phone which has got RPC file-IO calls from the cellular into the smart part of the phone is at least questionable. And pardon me saying so, the Replicant OS guys seem to agree with me on that. :-)

    28. Re:No contract, wifi-only by BronsCon · · Score: 1

      I really want to say something here, but my better judgment is telling me n..... oh fuck it... Trololololololololol. There. I said it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    29. Re:No contract, wifi-only by megabeck42 · · Score: 1

      If you're the same anonymous coward, then I am flattered that you returned to check your post for my reply.

      > And pardon me, but could you explain to me what the need is for a(n undocumented!) way to gain access to "certain files" on a phone by a remote person ? As far as I can tell there is nothing on a phone a remote person should have access to without the explicit say-so of the owner.

      Sweet jesus. The system is not an undocumented way to allow a remote, third party unauthenticated arbitrary access to your data. It's a system used to allow the modem firmware running on a separate DSP core to save and recall information. Yes, there exists a *possibility* that a flaw in the modem firmware could allow a third party to command the modem to make IPC requests to the device's host processor to read information and then, potentially, transmit it back. There is no evidence to suggest that such a flaw exists.

      > You mean to say that as they all have got similar backdoors (do they ?) its OK ? Strange reasoning ...

      No I don't mean to say all have any backdoors; a backdoor is a camouflaged or otherwise hidden system installed to circumvent access restrictions. This is neither camouflaged nor hidden. Its purpose is not to circumvent access controls. It is not a backdoor.

      > Bottom line: A phone which has got RPC file-IO calls from the cellular into the smart part of the phone is at least questionable.

      Questionable? Yes, of course. But do not attribute to malice what is adequately explained as incompetence.

      --
      fnord.
  6. Third-party ROMs by Anonymous Coward · · Score: 0

    Yet one more reason to install a third-party ROM then. Most (all?) of them are better than the stock ROM put on Android phones by any manufacturer, and most of them are made by users who are more interested in making a good ROM packed with functionality and features rather than backdoors. No guarantees of course - it's possible some ROM developers are a bit mischievous and throw in their own bit of dodgy code, but most of the popular ROMs are made by people who've developed a trusted reputation and also make the code to their ROM freely available. I'd much rather trust a single person or a small group of developers to some faceless corporate entity at this point.

    1. Re:Third-party ROMs by dos1 · · Score: 5, Insightful

      Most of the popular ROMs are made using the very same closed drivers the article is talking about to provide hardware compatibility - otherwise they would be exactly where Replicant is now.
      Any third-party ROM for Galaxy devices that uses Samsung's library to communicate with the modem is vulnerable - so almost all of them are, including CyanogenMod.

    2. Re:Third-party ROMs by pruss · · Score: 1

      Aren't there legal problems with CM and other ROMs including these blobs, since they're presumably copyrighted? Or are they licensed by Samsung under the GPL along with the kernel? But in the latter case, shouldn't Samsung be including source?

    3. Re:Third-party ROMs by Anonymous Coward · · Score: 0

      Aren't there legal problems with CM and other ROMs including these blobs, since they're presumably copyrighted?

      BLOBs can't be copyrighted. Source can, but that's not even in the equation here.

      Or are they licensed by Samsung under the GPL along with the kernel? But in the latter case, shouldn't Samsung be including source?

      Even if these were under the GPL, good luck with that. If you got it, any modifications would have to go through FCC approval, too, so double-GLWT.

  7. remote recover/wipe data for lost stolen phones by Anonymous Coward · · Score: 0

    I'm more likely to think it has to do with Samsung's recover/delete data feature that you can use on Samsung's web site. CyanogenMod has the same feature.
    So that a lost or stolen device can be wiped remotely

  8. Leave it in? by LeonPierre · · Score: 1

    Why not leave the library in but alert the user to allow/deny the reads & writes when they occur? Perhaps even sandbox the writes for further examination.

    --
    "If it ain't broke, it doesn't have enough features yet"
    1. Re:Leave it in? by dos1 · · Score: 1

      Why not use and/or enhance already existing free software replacement, used by projects like freesmartphone.org or... Replicant?

    2. Re:Leave it in? by elmer+at+web-axis · · Score: 1

      Check out the status page... I don't see any phone that they support that they have everything working.. hardly a 4.2 release.. more like a 0.0.42 release... Why would I spend $1000 on a phone for it to only be able to send SMS and call.. 2D graphics, 3D graphics, Sound, Telephony, Mobile data, Wi-Fi, Bluetooth, NFC, GPS, Sensors, Camera and Hardware media encoding/decoding all need to be working before anybody would bother with non-manufacturer software.. also anyone who stores sensitive information on a phone without encryption is asking for trouble..

    3. Re:Leave it in? by ChunderDownunder · · Score: 1

      The release number aligns with the AOSP release, i.e. Replicant 4.2 targets Jelly Bean.

    4. Re:Leave it in? by Anonymous Coward · · Score: 0

      "2D graphics, 3D graphics, Sound, Telephony, Mobile data, Wi-Fi, Bluetooth, NFC, GPS, Sensors, Camera and Hardware media encoding/decoding all need to be working before anybody would bother with non-manufacture software"

      This is why we can't have nice things.

    5. Re:Leave it in? by GTRacer · · Score: 1

      Looks like I need to read more about this particular blob. Any ideas if it can be controlled with XPrivacy?

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    6. Re:Leave it in? by Arker · · Score: 1

      Leaving malware in place and attempting to sandbox it instead of removing it entirely sounds like a very poor idea to me.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    7. Re:Leave it in? by Anonymous Coward · · Score: 0

      Counter intelligence sounds like a poor idea to you?

  9. RMS was right by Anonymous Coward · · Score: 5, Insightful

    This is what you get for essentially renting a black box with audio/video and communication capability and letting 3rd parties control it fully: a personal tracker better than what the worst totalitarian regime could dream of. There is no reason why operating systems or essential drivers should be shipped as binary blobs, not in this day and age, not after the NSA revelations.

    1. Re:RMS was right by Anonymous Coward · · Score: 0

      What... you trust your compiler?

    2. Re:RMS was right by MightyMartian · · Score: 1

      If I don't personally assemble the bits on punchcards by hand, I don't trust anything! I figure I should have my trusted JVM ready to go in about forty years...

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  10. demand to be made whole by Anonymous Coward · · Score: 0

    Contact Samsung support and demand to be made whole. Demand a refund if they can't make you whole otherwise. They need to feel this in their pocketbooks if they are to learn not to do it again.

    1. Re:demand to be made whole by Anonymous Coward · · Score: 0

      Yeah, cos 247 nerds asking for money back is going to be soooooooooo painful for them.

      shut up.

  11. OSS devs lack of communication skills by rubycodez · · Score: 3, Informative

    not even on their website do its developers explain what Replicant is, or what its goals and purpose are

    wikipedia does a better job...

    http://en.wikipedia.org/wiki/R...

    1. Re:OSS devs lack of communication skills by Anonymous Coward · · Score: 0

      what a bunch of jerkoffs eh? srsly if they weren't so secretive about their history, what their software is for, and what their motivations are for making their software, I would have been using it long ago... they are no better than the NSA

    2. Re:OSS devs lack of communication skills by Anonymous Coward · · Score: 0

      Yeah the last time I read about Replicant I scoured their web site and never did figure out what it was from there, I had to use wikipedia. They just assume if you're at their site you know what it is.

  12. Any contacts at Samsung we can call? by slincolne · · Score: 2
    Does anyone have any contacts at Samsung (email addresses, phone numbers, etc.) that can address this issue?

    I just got back from looking at a Galaxy Note 3 (thinking of upgrading from my S2).

    Now I'm not sure - will probably just go buy a Nexus.

    I can't think of a single valid reason for this level of functionality to be available in a device that's sold commercially. I've never heard of any enterprise management tools that can use such functions, and their undisclosed existence is a real worry.

    The biggest laugh about this is that Samsung Australia is currently trying to get the Samsung Galaxy Note 10.1, Galaxy Note 2 and S3 onto the Australian Government Endorsed Product List (http://www.asd.gov.au/infosec/epl/index.php ) - I don't like their chances now.

    1. Re:Any contacts at Samsung we can call? by R3d+M3rcury · · Score: 1

      Now I'm not sure - will probably just go buy a Nexus.

      FTFS:

      Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S.

      I can understand not reading the article, but not reading the summary?!

    2. Re:Any contacts at Samsung we can call? by Namarrgon · · Score: 1

      The Nexus S was made by Samsung way back in 2010.

      It hasn't been on sale for years. I really don't think it's relevant to new buyers.

      --
      Why would anyone engrave "Elbereth"?
    3. Re:Any contacts at Samsung we can call? by Anonymous Coward · · Score: 1

      The fact that the Nexus range has a history of using the same vulnerable firmware is VERY relevant unless you can show definitive proof that it has been actively removed from all current models.

    4. Re:Any contacts at Samsung we can call? by Kremmy · · Score: 1

      My guess is that he meant he was going for an Asus Nexus rather than a Samsung Nexus. Isn't it weird how Android phone branding is working lately?

    5. Re:Any contacts at Samsung we can call? by mrchaotica · · Score: 1

      Or an LG Nexus, if he wants a phone instead of a tablet.

      The important question, which I am keenly interested in as the owner of a Nexus 5, is whether LG phones have a similar backdoor.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    6. Re:Any contacts at Samsung we can call? by AC-x · · Score: 1

      Well, given the recent Nexus phones have been by LG with Qualcomm modems, I'm pretty sure they're free of this Samsung/Infineon modem firmware.

      Of course what security issues the LG/Qualcomm firmware do contain are anyone's guess.

  13. Great for defense lawyers! by ShaunC · · Score: 3, Insightful

    This will be wonderful news for criminal defense attorneys. Is your client accused of having a couple of terrorists in his phone's contact list? Did a customs official conveniently find child porn pictures on your client's phone during a border crossing? Did the prosecutor haul out telco logs "proving" that your client was sending text messages to arrange a heroin deal?

    Sounds to me like it's quite plausible that someone else put that $ILLEGAL_SHIT on your client's phone. After all, the capability was built right into the phone by Samsung.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  14. NSA_backdoor_trojan into America by strstr · · Score: 1, Funny

    NSA_backdoor_trojan:

    AMD processors were found to have similar vulnerabilities.

    Masquerading as a debug mode, all hardware and thus software security features can be bypassed. Essentially allowing both stealth software operation, bypassing root and administrator authentication restrictions, and more. Intel is known to have similar functionality, but it's not publicly disclosed yet.. http://hardware.slashdot.org/s...

    NSA compiled and uses all these exploits whether it was installed there for them or not.

    Windows also has NSAKEY installed and all vulnerabilities and the source code of Windows is turned over to the NSA before the things can be patched, allowing NSA to locate and exploit vulnerabilities for hacking us and everyone else. http://www.washingtonsblog.com...

    RSA also put in exploits so SSL / Etc would be vulnerable to their attack, as the leaks indicated. http://it.slashdot.org/story/1...

    Stuxnet virus was created by NSA. http://rt.com/news/snowden-nsa...

    NSA and GCHQ are recording us masturbating. http://www.theguardian.com/wor...

    FBI records us even when our devices are powered off. http://www.washingtonsblog.com...

    NSA is ceiling cat watching us masturbate with space capability and electron imaging/radar systems. They are recording all calls and saving the content, not just metadata. http://www.pbs.org/newshour/bb... and http://youtu.be/d6m1XbWOfVk

    NSA has Thought Amplifier and Mind Interface (patented by Robert Malech in 1974, deployed in all radar in 1976), aka Remote Neural Monitoring, first disclosed in Nexus Magazine in 1996 by John St Claire Akwei. Backed up today by Dr. Robert Duncan who helped invent these weapons, being used to attack and control us. http://www.oregonstatehospital... http://www.oregonstatehospital...

    TAO hacking unit, NSA: http://www.spiegel.de/internat...

    Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before. He has killed his own people and covered it up. http://www.obamasweapon.com/

    1. Re:NSA_backdoor_trojan into America by strstr · · Score: 1

      I was insinuating that this Samsung Galaxy phone backdoor was an NSA hack, which undoubtedly they're using along with the FBI to hack us. Oops!

    2. Re:NSA_backdoor_trojan into America by swb · · Score: 1

      Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before.

      That's a pretty tall order. The Germans managed something like 6 million and Stalin something like 7 million. Pol Pot didn't reach those nominal figures but on a percentage of total population he probably outdid both, killing something like 1 in 3.

      Are you really sure Obama has exceeded 6 million dead via outright acts of genocide, excluding combat against armed adversaries?

    3. Re:NSA_backdoor_trojan into America by strstr · · Score: 0

      Barack Obama.. Killed 14 at the Navy Ship Yard in September 2013, including Aaron Alexis, by psychic driving him and programming him to go on a murderous rampage by using their remote control technology on him: http://communities.washingtont...

      There are thousands of victims of genocide, mind control and directed-energy weapons attacks across the country, and millions world wide, being abused by the Department of Defense, Central Intelligence Agency, US Department of Justice, DIA, US Air Force, and National Security Agency.

      Please view the homepage of http://www.obamasweapon.com/ for more information. There are people just like me in every city, every state, and every country, and this has all been proven time and time again by countless whistleblowers to be real (Duncan is the biggest one), and not a single person or media agency is taking it seriously.

      Here's a room full of people at the Bio Ethics Committee in New York, NY, talking all about being abused and tortured by the government with these weapons. This is truly genocide, on a massive scale: http://bioethics.gov/node/225

      Senator Paul Wellstone was also assassinated with this technology: http://www.assassinationscienc...

      The World Trade Center was also dustified on 9/11 with this same technology. It's proven true, there is even evidence that the metal of the WTC was jellified with the Tesla Hutchison Effect of electromagnetism. http://www.drjudywood.com/

    4. Re:NSA_backdoor_trojan into America by strstr · · Score: 0

      Also, CIA Project MKULTRA was a program of human genocide and testing on the American people by the CIA back in the 1940s, 1950s, 1960s, and 1970s. In this program they developed weapons to control people's minds, and drugs, like LSD, psilocybin, and Radio Hypnotic Intracerebral Control, Electronic Dissolution of Memory and Voice of God weapons to beam sounds and words into the minds of targets. They tested this out on thousands of unwitting victims around the country, and prisoners and other people. They had the US Military involved, the FBI, hospitals, and psychiatrists around the country took part.

      Additionally, the FBI ran program COINTELPRO in which activists and others were assassinated by the FBI.

      On top of this, Dr. Robert Duncan says that MKULTRA never ended, and the program continues today under new names. They have been heavily into mind control and public sabotage ever since the CIA was created in the 1940s. The NSA also did very similar surveillance programs under MINARET back in the 1950s, through the 1970s, as soon as they were created.

      Look up the Frank Church Committee, in which all these abuses were investigated by the Senate back then. It resulted in the 1978 FISA, which was supposed to protect Americans, but they bypassed it and did all this illegally, under executive orders and black operations.

      http://en.wikipedia.org/wiki/C...

      Today, NSA whistleblower Thomas Drake says the country has been operating in a clandestine war mode since at least 2001, and the constitution is not even in effect anymore. This means the laws we think are in effect don't even exist, and they're doing whatever they want all around us; raping, murdering, mind control abuses, spying on us with satellites and radar systems, reading our brainwaves, stealing passcodes, hacking into all our systems whenever they want, rigging elections, rigging court procedures, hiding evidence, covering everything up. Here's the interview with Thomas Drake from just yesterday: http://www.ora.tv/offthegrid/n...

    5. Re:NSA_backdoor_trojan into America by Anonymous Coward · · Score: 0

      you are a fucking idiot

      shut up

  15. RIL and EFS by Technomancer · · Score: 3, Insightful

    I don't find that surprising. When I was playing with CyanogenMod it became obvious to me that RIL reads/writes files from the EFS partition on behalf of the modem because settings for the modem, like IMEI, state of network lock, preferred networks etc., are stored there. I am not sure whether the interface is general enough that the modem can ask for any file.
    If they are concerned about binary blobs doing unknown stuff, RIL is small potatoes. There is a huge GPS daemon binary made by a 3rd party. Sensor drivers are linked with closed source processing libraries (AKM/akmd). The camera loads a whole bunch of image/video processing libraries which are closed source/3rd party too. Lots of phones also use closed source 3rd party audio processing libraries. Not to mention 16MB of compressed modem firmware, running on the modem CPU, which is like another little independent computer.

    1. Re:RIL and EFS by Anonymous Coward · · Score: 0

      Not to mention 16MB of compressed modem firmware, running on modem CPU which is like another little independent computer.

      ...with Internet access.

    2. Re:RIL and EFS by labawi · · Score: 1

      This.

      It is widely believed older style cell phones have long been mandated to support remote operations/activation by the government/laws/secret service/someone. Local police say phones can be tracked even when off, but they don't use it for lost cell phones, only big crimes, but the capability is present and available.

      On smart phones, that are much more software and less fixed hardware, programmable and adaptive, how could that functionality be provided? Perhaps with some features of modem hardware to communicate, but if it's largely a software radio, then the logical place is: binary firmware. Coupled with capabilities like the new privileges of modern ARM CPUs that provide an über ring0 separate context, inaccessible and hidden from the normal OS - marketed as DRM and security, it can do whatever it likes, on the main CPU and memory, without involving the OS. They still need hardware support to communicate while off, etc. but hidden software is easier than dedicated hardware.

  16. Lebron James, Is this how his Samsung was wiped? by cboslin · · Score: 1

    My phone just erased everything it had in it and rebooted. One of the sickest feelings I've ever had in my life!!! ~ Lebron James via Twitter. He later erased the tweet.

    Anyone know if this was how NBA player Lebron James's Samsung was wiped? It's been covered on CNBC's Squawk on the Street today. For those that had not heard, King James basically tweeted the quote above yesterday (3/12) at 5:03PM, and later erased the tweet. Guess he realized, as a "Famous Samsung Endorser", that might not look great.

    End result, his phone was restored...when they announced this I was wondering when his last backup was taken and how many days old it might have been.

    From a German Twitter user, Shibumi @Sh1bumi #Backdoor in #Samsung Smartphones http://www.golem.de/news/samsu... poster, (thank you Google Translate):

    Because the modems are basically always connected with a mobile network operator, the backdoor can be used virtually any time. As possible attack options Kocialkowski lists, in addition to accessing the device memory, switching on the microphone, activating the GPS module and accessing the camera.

  17. Samsung Kies Air by northernpaddler · · Score: 1

    I think it is highly likely that this blob is the proprietary Samsung Kies Air portal. Kies Air lets you connect your smartphone to your desktop computer with a wireless connection for back-ups and installs. So, seems like a feature, not a bug. It might have some security holes but the intention seems legitimate.