Replicant OS Developers Find Backdoor In Samsung Galaxy Devices

An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."

Re:OTA updates

[mythosaz]

It was a vulnerability. Now it's a back door.

How remote is remote?

[WyrdOne]

How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

Re:How remote is remote?

[MightyMartian]

How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

Yes

Re:How remote is remote?

[dos1]

Modem can ask the APU app to write/read selected files and do some other file system operations. Why would modem want to read/write arbitrary files on user's file system and what and how could invoke such behavior of the modem? The answer is up to your imagination.

Well, in fact many other phones don't need any backdoor to do the same as lots of them have modems directly connected to main RAM, exposing it to monitoring or even manipulation by the closed and strictly secured modem firmware.

That's why projects like Neo900 opt for clear APU<->modem separation as host<->peripheral, together with power and antenna usage monitoring and fully free software stack on APU side.

Re:How remote is remote?

[Jane+Q.+Public]

"How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?"

Doesn't matter. Nobody likes to get "backdoored" without their consent.

Re:How remote is remote?

[SuricouRaven]

Ask who controls the modem. It's not Samsung - it's the carriers. In the US market, some of them might like this capability for things like detecting who has uncrippled their bundled handset and enabled tethering rather than pay for the higher tier service.

Re: How remote is remote?

[bparker0017398]

So how can I disable or remove it from my Note 3?

Re:OTA updates

[supertall]

Actually, the article states that Cyanogenmod uses the same blob as well.

Re:OTA updates

[dos1]

This is part of their undocumented protocol for communication with the modem. Modem can ask to read or write some file on disk using IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_LSEEK_FILE, IPC_RFS_CLOSE_FILE, etc. messages and the library will happily do that for the modem. It's hardly unintended.

Re:OTA updates

"Nuts!" said the NSA. "Now we'll have to use one of our 12 other methods!"

Re:OTA updates

Who has access to execute these commands? I'm assuming just my carrier?

Is this testing whether the OS is Replicant

[Ukab+the+Great]

or a lesbian?

Re:Is this testing whether the OS is Replicant

[grub]

ha ha very good!

Re:Is this testing whether the OS is Replicant

[greeze]

Let me tell you about my mother.

Re:Is this testing whether the OS is Replicant

[circletimessquare]

go home Sean Young, you're drunk

Re:OTA updates

Or anyone who sets up a fake tower? That's a pretty common and relatively easy attack vector now...

No contract, wifi-only

[dpilot]

So if I'm using my no-contract Samsung Galaxy phone as a wifi-only device, and have never inserted the SIM card at all, I believe I'm safe from this particular vulnerability.

Tin-hatters, am I wrong on that?
Explain,

Re:No contract, wifi-only

With no SIM card you have no service plan, no encryption key to verify that you are a subscriber, and the towers have every right to refuse communication from you.

That doesn't mean that a tower absolutely cannot talk to your device in a non-subscriber cleartext mode, if they choose to do so. Also you THINK you turned off your radio, are you willing to trust the guys that have already been caught hiding deeply invasive crap to not violate that too? It could just turn on for a quick download of skynet directives every other month, how would you ever know?

Re:No contract, wifi-only

[Charliemopps]

No. The modem can write to your OS. Anyone can communicate with your modem, even Ham radio operators. Granted, exploiting this would be a huge technological challenge... unless of course this was placed there intentionally and they know exactly what to send to your modem to get it to do what they want.

Re:No contract, wifi-only

[ChunderDownunder]

Not if you set it to flight mode.

Re:No contract, wifi-only

[megabeck42]

Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

While, yes, technically anyone can communicate with your modem; anyone can communicate with your wifi card or your bluetooth adapter as well. And it would appear that the samsung radio interface IPC layer at least has a modicum less access to the entirety of your device than your wifi driver - which is in the kernel. People have, in the past, exploited mistakes in wifi drivers and wifi card firmware to remote exploit via wifi. (*: The specific instance I remember, was with an old intel 802.11b/g card and specially crafted management frames which could be trivially spoofed and didn't need to be encrypted to be accepted by the wireless card. The proof of concept was able to issue busmaster DMA read/writes which, ostensibly, would allow rewriting arbitrary kernel ram, etc.)

Across the scope of samsung phones I was able to check (ok, two of them), the radio interface, the android host side of this communications channel, runs as uid 1001 (radio). As far as my cursory inspection revealed, meant that the radio/modem can read/write the files in /efs and only read a number of other places, such as /sdcard. Granted, /sdcard contains a lot of your personal data. My point is that, in this case, a compromised modem is still less privileged than a compromised android service or, worse, compromised driver/kernel. Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI, to describe them as a "backdoor" is horribly inappropriate.

So, yeah, as you said, "huge technological challenge." Agreed. But, the idea that a data modem may be exploitable is by no means new.

Re:No contract, wifi-only

[dpilot]

As ChunderDownUnder reminds me, I forgot to mention that this phone has never been out of airplane mode, in addition to never having a SIM card plugged in. Flashing out of T-Mobile software was also one of the first things I did, and the other night I flashed CyanogenMod 11 M4. (Of course some of the guys on IRC suggest that even that is too commercial, and that I should go to snapshots over on xda-developers, to be safer.)

I keep my tinfoil hat handy, just like I tend to channel RMS and ESR. But there are practical limits...

Re:No contract, wifi-only

[TheGavster]

Does anyone do verification on the "airplane mode" setting of phones? The FCC and FAA seem to have come to the conclusion that there's no way you can detect active radios via undesired behavior of an aircraft, and are down to sorting out the social ramifications of phone use on planes. I'd like to see an independent (and preferably paranoid) lab check to make sure that "all radios off" means that the radios are off, and not just that they stop passing traffic from the PDA OS.

Re:No contract, wifi-only

[ShaunC]

Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

He wasn't calling hams retards, quite the contrary. He was pointing out that people with absolutely no control over your cellular carrier's towers, and thus no legitimate path into your cellphone, could give you problems despite not being an "authorized" party. Those people would still need to be extremely technically adept, familiar with radio, etc. so hams was a pretty good example IMO.

Re:No contract, wifi-only

[BronsCon]

That stops it from transmitting, but there's nothing stopping it from receiving. Blast out a message across all active towers (go ahead and translate JSON to whatever the phone will actually understand):

{"IMEI": "[your phone's IMEI]", "eval": "[code to execute]"}

Your phone can kick back out of flight mode when it's done, to acknowledge that it received the message and executed the instruction, then kick back into flight mode, and you'll quite likely be none the wiser.

Re:No contract, wifi-only

[horm]

As long as your phone is unable to connect to a cell tower/rogue femtocell/etc. you should be fine. The backdoor that was found is in the Radio Interface Layer (RIL), which governs communications between the Phone app and the radio. Wifi/bluetooth aren't managed by the RIL.

Re:No contract, wifi-only

Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI,

I took your post as "informative" and even "insightfull" right upto this remark. With it you forfitted all your credibility.

The above might be the publicized (or maybe even "naivily assumed") usage, but if it can as easily be used to access other files (system, log, personal, etc) it is a bad oversight (if that is what it is) indeed.

to describe them as a "backdoor" is horribly inappropriate.

Maybe you're right and it should be called "criminal negligence" instead.

You've been describing something like a key thats supposed to only access a gate in the fence of your backyard (something rather benign), but turns out to also open the doors of your house and fits the vault in the master bedroom too ...

By the way: Being able to silently, remotely overwrite the IMEI ? I see joe-jobs coming up ... (a criminal cloning his phones compromized IMEI to someone elses phone, letting the plod chase an innocent bystander for a while).

Re:No contract, wifi-only

[mysidia]

When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

Someone who happens to be a Ham operator, might use a radio-based exploit to attack their phone as a proof of concept.

But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses revoked.

Re:No contract, wifi-only

[IamTheRealMike]

It's also just wrong. From 3G onwards phones authenticate the cell towers. Even with a full stack running you wouldn't be easily able to force a phone to associate to your tower, at least not without jamming all the other towers in your vicinity.

Re:No contract, wifi-only

[cdrudge]

As soon as backdoors or any other security related "features" get involved, I tend to think that anything is possible despite how things are suppose to operate.

Re:No contract, wifi-only

https://www.google.com/search?q=stingray#q=stingray+cell+tower

Sorry, full search link.

Re:No contract, wifi-only

[L4t3r4lu5]

Faraday Cage in a Faraday Cage, take the phone inside both, hook up the in internal cage to $SensitiveEquipment and look for induced current from the radio still being operational?

IANAScientist, but it seems reasonable enough to me.

Re:No contract, wifi-only

[squiggleslash]

I believe all Galaxy devices are capable of connecting to 2G towers. So assuming the message can be transmitted via 2GSM, the sophisticated hacker (I assume) would need to spoof such a tower at a time when the targetted phone would need to avoid 3G for some reason (say, lack of signal or too poor a signal)

Re:No contract, wifi-only

[zeugma-amp]

But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses revoked.

Yup. So they couldn't do so openly. These days, there are plenty of ways to do so anonymously. Given some of the cool tools out there in the Ham world for connecting radios, I wouldn't be at all surprised to find an Elmer who could do some interesting things with cell phones if they wanted to.

Yeah, I'm a ham, but I'd never put my callsign on /.

Re:No contract, wifi-only

[Patch86]

Doesn't Airplane Mode deactivate WiFi (and Bluetooth, NFC etc.) as well? (Genuine question, I've not looked that hard at it). If so, I can't see how useful a device it can be without any active radios.

Re:No contract, wifi-only

[dos1]

In fact, all you need is for instance some TI Calypso based phone, like Openmoko Neo Freerunner or some old Motorolas, and OsmocomBB firmware. And of course lack of fear when you're doing something like that illegally.

Re:No contract, wifi-only

[dos1]

Just drown out 3G signal near the victim and make it connect to your own 2G station. Piece of cake.

Re:No contract, wifi-only

[megabeck42]

I do believe you missed the point of my comment entirely. These IPC requests for doing file I/O are there to allow the to read and write to a small subset of files constrained to a specific portion of directory hierarchy.

Yes, the modem could potentially read other files - limited by unix access controls, but it cannot read nor write from arbitrary files.

> Maybe you're right and it should be called "criminal negligence" instead.

I was growing the impression you'd authored a post with value worth contributing to the discussion until I noticed this statement. I thank you for announcing your ignorance so clearly.

Want to prevent people from destroying/modifying your IMEI using a yet-unknown-and-incredibly-unlikely-but-still-technically-possible hypothetical remote privilege escalation? Use the chmod(1) command with the argument 640 to remove the group write permissions.

Really, how is this unlike any other phone that has a cellmodem with firmware and nvram?

If you really wanted to limit what files the rild could interact with on behalf of the modem, a trivial bind mount and chroot( ) would suffice.

Re:No contract, wifi-only

[dpilot]

Mine has been in airplane mode from day 1, with wifi on. I've seen where others have problems keeping wifi on when airplane is also on, but I haven't. Perhaps the fact that the SIM card is still in the original box, never inserted, has something to do with this. I bought an unlocked phone, and have never given it a chance to lock itself.

Re:No contract, wifi-only

[BronsCon]

I really want to say something here, but my better judgment is telling me n..... oh fuck it... Trololololololololol. There. I said it.

Re:No contract, wifi-only

[megabeck42]

If you're the same anonymous coward, then I am flattered that you returned to check your post for my reply.

> And pardon me, but could you explain to me what the need is for a(n undocumented!) way to gain access to "certain files" on a phone by a remote person ? As far as I can tell there is nothing on a phone a remote person should have access to without the explicit say-so of the owner.

Sweet jesus. The system is not an undocumented way to allow a reomte, third party unauthenticated arbitrary access to your data. It's a system used to allow the modem firmware running on a separate DSP core to save and recall information. Yes, there exists a <b>possibility</b> that a flaw in the modem firmware could allow a third party to command the modem to make IPC requests to the device's host processor to read information and then, potentially, transmit it back. There is no evidence to suggest that such a flaw exists.

> You mean to say that as they all have got similar backdoors (do they ?) its OK ? Strange reasoning ...

No I don't mean to say all have any backdoors; a backdoor is a camouflaged or otherwise hidden system installed to circumvent access restrictions. This is niether camouflaged nor hidden. It's purpose is not to circumvent access controls. It is not a backdoor.

> Bottom line: A phone which has got RPC file-IO calls from the cellular into the smart part of the phone is at least questionable.

Questionable? Yes, of course. But do not attribute to malice what is adequately explained as incompetence.

Re:Third-party ROMs

[dos1]

Most of the popular ROMs are made using the very same closed drivers the article is talking about to provide hardware compatibility - otherwise they would be exactly where Replicant is now.
Any third-party ROM for Galaxy devices that uses Samsung's library to communicate with the modem is vulnerable - so almost all of them are, including CyanogenMod.

Leave it in?

[LeonPierre]

Why not leave the library in but alert the user to allow/deny the reads & writes when they occur? Perhaps even sandbox the writes for further examination.

Re:Leave it in?

[dos1]

Why not use and/or enhance already existing free software replacement, used by projects like freesmartphone.org or... Replicant?

Re:Leave it in?

[elmer+at+web-axis]

Check out the status page... I don't see any phone that they support that they have everything working.. hardly 4.2 release.. more like 0.0.42 release... Why would i spend $1000 on a phone for it to only be able to send sms and call.. 2D graphics, 3D graphics, Sound, Telephony, Mobile data, Wi-Fi, Bluetooth, NFC, GPS, Sensors, Camera and Hardware media encoding/decoding all need to be working before anybody would bother with non-manufacture software.. also anyone who stores sensitive information on a phone without encryption is asking for trouble..

Re:Leave it in?

[ChunderDownunder]

The release number aligns with the AOSP release, i.e. Replicant 4.2 targets Jelly Bean.

Re:Leave it in?

[GTRacer]

Looks like I need to read more about this particular blob. Any ideas if it can be controlled with XPrivacy?

Re:Leave it in?

[Arker]

Leaving malware in place and attempting to sandbox it instead of removing it entirely sounds like a very poor idea to me.

RMS was right

This is what you get for essentially renting a a black box with audiovideo and communication capability and letting 3rd parties control it fully: a personal tracker better than what the worst totalitarian regime could dream. There is no reason why operating systems or essential drivers should be shipped as binary blobs, not this day and age, not after the NSA revelations.

Re:RMS was right

[MightyMartian]

If I don't personally assemble the bits on punchcards by hand, I don't trust anything! I figure I should have my trusted JVM ready to go in about forty years...

Re:OTA updates

[megabeck42]

I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.

A quick strings on my samsung captivate glide's modem firmware, reveals all manner of novel debug messages and log strings:

err/CP_MA_TRACE_%d_%04d%02d%02d%02d%02d%02d.bin
[DUMP] FILE OPEN FAIL
[ERROR]%s,%d,%s
[DUMP] FILE CREATE FAIL
[DUMP] Write MA Trace To /data/efs/err =====
aurrcbp: discard cell due to system information read error
[Net]NV Read Fail! OEM_NVM_TESTBED

etc..

I do know that a lot of data persistence for the radio is done with dotfiles scattered around and throughout /data and /efs (because real nvram is expensive).

I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

I don't think it's clearly a backdoor. But, I do believe the concern is warranted. The radio/modem's firmware blob is not auditable. Perhaps a combination of logging/auditing filesystem requests and limiting which files are accessible by the RILD? Actually, isn't the rild run as an unprivileged user, radio? (Possibly for this very reason?)

Re:OTA updates

[bug1]

This is part of their undocumented protocol for communication with the modem. Modem can ask to read or write some file on disk using ...

And "undocumented protocol for communication" is different than a Backdoor how ?

Re:OTA updates

[dos1]

It's not.

Re:OTA updates

[davester666]

Lube up boys. Time to start probing the other back doors.

OSS devs lack of communication skills

[rubycodez]

not even on their website do its developers explain what Replicant is, or what its goals and purpose are

wikipedia does a better job...

http://en.wikipedia.org/wiki/R...

Any contacts at Samsung we can call?

[slincolne]

Does anyone have any contacts at Samsung (email addresses, phone numbers, etc.) that can address this issue?

I just got back from looking at a Galaxy Note 3 (thinking form upgrading from by S2).

Now I'm not sure - will probably just go buy a Nexus.

I can't think of a single valid reason for this level of functionality to be available in a device that's sold commercially. I've never heard of any enterprise management tools that can use such functions, and their undisclosed existance is a real worry.

The biggest laugh about this is that Samsung Australia is currently trying to get the Samsung Galaxy Note 10.1, Galaxy Note 2 and S3 onto the Australian Government Endorsed Product List (http://www.asd.gov.au/infosec/epl/index.php ) - I don't like their chances now.

Re:Any contacts at Samsung we can call?

[R3d+M3rcury]

Now I'm not sure - will probably just go buy a Nexus.

FTFS:

Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S.

I can understand not reading the article, but not reading the summary?!

Re:Any contacts at Samsung we can call?

[Namarrgon]

The Nexus S was made by Samsung way back in 2010.

It hasn't been on sale for years. I really don't think it's relevant to new buyers.

Re:Any contacts at Samsung we can call?

The fact that the Nexus range has a history of using the same vulnerable firmware is VERY relevant unless you can show definitive proof that it has been actively removed from all current models.

Re:Any contacts at Samsung we can call?

[Kremmy]

My guess is that he meant he was going for an Asus Nexus rather than a Samsung Nexus. Isn't it weird how Android phone branding is working lately?

Re:Any contacts at Samsung we can call?

[mrchaotica]

Or an LG Nexus, if he wants a phone instead of a tablet.

The important question, which I am keenly interested in as the owner of a Nexus 5, is whether LG phones have a similar backdoor.

Re:Any contacts at Samsung we can call?

[AC-x]

Well, given the recent Nexus phones have been by LG with Qualcomm modems, I'm pretty sure they're free of this Samsung/Infineon modem firmware.

Of course what security issues the LG/Qualcomm firmware do contain are anyone's guess.

Great for defense lawyers!

[ShaunC]

This will be wonderful news for criminal defense attorneys. Is your client accused of having a couple of terrorists in his phone's contact list? Did a customs official conveniently find child porn pictures on your client's phone during a border crossing? Did the prosecutor haul out telco logs "proving" that your client was sending text messages to arrange a heroin deal?

Sounds to me like it's quite plausible that someone else put that $ILLEGAL_SHIT on your client's phone. After all, the capability was built right into the phone by Samsung.

Re:OTA updates

[cheater512]

Where exactly would you expect the documentation for something like that to be in a consumer device?

NSA_backdoor_trojan into America

[strstr]

NSA_backdoor_trojan:

AMD processors were found to have similar vulnerabilities.

Mascarading as a debug mode, all hardware and thus software security features can be bypassed. Essentially allowing both stealth software operation, bypassing root and administrator authentication restrictions, and more. Intel is known to have similar functionality, but its not publically disclosed yet.. http://hardware.slashdot.org/s...

NSA compiled and uses all these exploits whether it was installed there for them or not.

Windows also has NSAKEY installed and all vulnerabilities and the source code of Windows is turned over to the NSA before the things can be patched, allowing NSA to locate and exploit vulnerabilities for hacking us and everyone else. http://www.washingtonsblog.com...

RSA also put in exploits so SSL / Etc would be vulnerable to their attack, as the leaks indicated. http://it.slashdot.org/story/1...

Stuxnet virus was created by NSA. http://rt.com/news/snowden-nsa...

NSA and GCHQ are recording us masturbating. http://www.theguardian.com/wor...

FBI records us even when our devices are powered off. http://www.washingtonsblog.com...

NSA is ceiling cat watching us masturbate with space capability and electron imaging/radar systems. They are recording all calls and saving the content, not just metadata. http://www.pbs.org/newshour/bb... and http://youtu.be/d6m1XbWOfVk

NSA has Thought Amplifier and Mind Interface (patented by Robert Malech in 1974, deployed in all radar in 1976), aka Remote Neural Monitoring first disclosed in Nexus Magazine in 1996 by John St Claire Akwei. Backed up today by Dr. Robert Duncan who helped invented these weapons, being used to attack and control us. http://www.oregonstatehospital... http://www.oregonstatehospital...

TAO hacking unit, NSA: http://www.spiegel.de/internat...

Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before. He has killed his own people and covered it up. http://www.obamasweapon.com/

Re:NSA_backdoor_trojan into America

[strstr]

I was insinuating that this Samsung Galaxy phone backdoor was an NSA hack, which undoubtably they're using along with the FBI to hack us. Oops!

Re:NSA_backdoor_trojan into America

[swb]

Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before.

That's a pretty tall order. The Germans managed something like 6 million and Stalin something like 7 million. Pol Pot didn't reach those nominal figures but on a percentage of total population he probably outdid both, killing something like 1 in 3.

Are you really sure Obama has exceeded 6 million dead via outright acts of genocide, excluding combat against armed adversaries?

Re:OTA updates

[bug1]

Where exactly would you expect the documentation for something like that to be in a consumer device?

e.g. We arent sure where to put all that TCP/IP documentation, so dont bother writting it all down.

RIL and EFS

[Technomancer]

I don't find that surprising. When I was playing with CyanogenMod it became obvious to me that RIL reads/writes files from EFS partition on behalf of the modem because settings for the modem, like IMEI, state of network lock, preferred networks etc, are stored there. I am not sure whether the interface is general enough so the modem can ask for any file.
If they are concerned about binary blobs doing unknown stuff, RIL is small potatoes. There is huge GPS daemon binary made by 3rd party. Sensor drivers are linked with closed source processing libraries (AKM/akmd). Camera loads whole bunch of image/video processing libraries which are closed source/3rd party too. Lots of phones also use closed source 3rd party audio processing libraries. Not to mention 16MB of compressed modem firmware, running on modem CPU which is like another little independent computer.

Re:RIL and EFS

[labawi]

This.

It is widely believed older style cell phones have long been mandated to support remote operations/activation by the government/laws/secret service/someone. Local police says phones can be tracked even when off, but they don't use it for lost cell phones, only big crimes, but the capability is present and available.

On smart phones, that are much more software and less fixed hardware, programmable and adaptive, how could that functionality be provided? Perhaps with some features of modem hardware to communicate, but if it's largely a software radio, then the logical place is: binary firmware. Coupled with the capabilities like the new privileges of modern ARM CPUs that provide an über ring0 separate context, unaccessible and hidden from the normal OS - marketed as DRM and security, it can do whatever it likes, on the main CPU and memory, without involving the OS. They still need hardware support to communicate while off, etc. but hidden software is easier than dedicated hardware.

Re:OTA updates

[bill_mcgonigle]

Well how is a documented protocol for communication different from a backdoor?

On a house, how is the back door different than the front door, other than being on the back side of the house?

Re:OTA updates

[s.petry]

I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.

No evidence to the contrary either, and worth questioning since this is a common theme. Motorola was found to be sending all kinds of data to Motorola servers without user knowledge, including specific authentication information in plain text, Apple's SSL mess up, Countless MS back doors in just about everything they make. Then you have other players that made horrible decisions costing them their phone business.

At a point we should at least wonder if these things are really just accidental and sloppy, or are they working as influenced/intended. The more we find that companies are doing the same things, the less plausible the "accidental" theory looks.

How to actually find out is the hard part. Any company doing things for a fat check and favors from a government realizes that whistle blowers will lose future checks and favors. I'd be very interested in seeing all the files the government has on this, especially things like how many employees on Government payroll are working at places like Intel, Samsung, Apple, Microsoft, etc (if any).. It's too bad the CIA and Senate fight won't do anything to open that door.

Re:Workaround?

[fuzzyfuzzyfungus]

On phones that use Samsung's RIL; but either custom firmware or substantially-modifiable rooted firmware, the SELinux capabilities that they (fairly recently, was it 4.2?) could presumably be used to nuke most of the risk. Assuming it uses the filesystem commands at all, the legitimate day-to-day uses are presumably a few specific 'we were too cheap for NVRAM' locations that (if not documented, should at least be empirically determinable) you could then restrict it to.

Now, if you just need a few megs of cheap storage and don't want to bump the BoM, building an arbitrary filesystem access mechanism seems so sloppy and unconcerned with actual security as to make me wonder what else they fucked up; but SELinux is pretty powerful, if a pain, at granular lockdown of lousy or dangerous software.

Re:OTA updates

[kbg]

On the included SD card? On the manufacturer website?

Re:Third-party ROMs

[pruss]

Aren't there legal problems with CM and other ROMs including these blobs, since they're presumably copyrighted? Or are they licensed by Samsung under the GPL along with the kernel? But in the latter case, shouldn't Samsung be including source?

Re:OTA updates

[teslar]

I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.

Re: OTA updates

[Ronin+Developer]

Wow! Someone states an apparent truth and it gets marked down to -1 so nobody sees it - it's not the message the Android and Samsung fans want to hear, apparently. But, the original poster is correct, if this happened on with Apple, there would be no "mis-understanding" as to whether this was intentional or not on this site.

Re:OTA updates

[cboslin]

I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.

That is exactly what I was thinking it could be used for, to wipe the device.

Lebron James, Is this how his Samsung was wiped?

[cboslin]

My phone just erased everything it had in it and rebooted. One of the sickest feelings I've ever had in my life!!! ~ Lebron James via Twitter. He later erased the tweet.

Anyone know if this was how NBA player, Lebron James, Samsung was wiped? Its been covered on CNBC's SqwakonStreet today. For those that had not heard, King James basically tweeted the quote above, yesterday(3/12) at 5:03PM, and later erased the tweet. Guessed he realized as a "Famous Samsung Endorser", that might not look great.

End result, his phone was restored...when they announced this I was wondering when his last backup was taken and how many daysold it might have been.

From a German Twitter user, Shibumi @Sh1bumi #Backdoor in #Samsung Smartphones http://www.golem.de/news/samsu... poster, (thank you Google Translate):

Because the modems are always connected basically with a mobile network operator , the backdoor can be used virtually any time . As a possible attack options Kocialkowski lists, in addition to accessing the device memory, the switch on the microphone, activating the GPS module and the access to the camera.

Re:OTA updates

[mrchaotica]

Remotely wiping a stolen mobile phone ought to still be controlled by the main phone OS. All the modem should be responsible for is receiving the wipe request and passing it to the main OS's monitoring process.

Samsung Kies Air

[northernpaddler]

I think it is highly likely that this blob is the proprietary Samsung Kies Air portal. Kies Air let's you connect your smartphone to your desk-top computer with a wireless connection for back-ups and installs. So, seems like a feature, not a bug. It might have some security holes but the intention seems legitimate

Re:OTA updates

[megabeck42]

It's no more a backdoor than using using static functions in your compiled C. Simply because it's not documented, does not make it a backdoor.

Re:OTA updates

[megabeck42]

Unfortunately, the daemon that opens, reads, and writes files on behalf of the modem, is running as a specific unprivileged user, radio (uid 1001 on my phone.) It could only wipe out the information I have in /efs and a few specific files in /data. Nothing bars it from triggering some other system/daemon/process responsible for more thorough wiping of data.
 

Re:OTA updates

[megabeck42]

I'm replying again because it occurred to me. to check the dictionary.

A backdoor is an indirect and devious system conceived for the purpose of allowing access to resources by circumventing security protections.

This is not. This is a set of IPC requests an "API" to allow the modem firmware to store non-volatile information in a specific location of the host phone's filesystem.

You're absolutely right that a backdoor is a backdoor; however, this is not a backdoor. If they'd really meant to introduce backdoors, don't you think they'd have made even a trivial effort to hide or obfuscate it? For example, D-Link's special request header “xmlset_roodkcableoj28840ybtide” that would bypass the web admin authentication. That's a backdoor. Minterpreting wrappers for read() and write() is not.

Re:OTA updates

[cheater512]

Would you also like them to give you a copy of the GSM specs? TCP/IP? A overview of the Linux kernel? The GPU's docs?

None of that sort of thing is needed by the end users.

I'm sure it is a fully documented feature, in Samsung.
We don't get a full copy of their blueprints just by buying the device however.