Slashdot Mirror


Replicant Hackers Find and Close Samsung Galaxy Back-door

gnujoshua writes "Paul Kocialkowski (PaulK), a developer for the Replicant project, a fully free/libre version of Android, wrote a guest blog post for the Free Software Foundation announcing that while hacking on the Samsung Galaxy, they "discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system." They then replaced the proprietary program with free software.

While it may be a while before we can have 100% free software microcode/firmware on the cellular hardware itself, isolating that hardware from the rest of your programming and data is a seemingly important step that we can take right now. At least to the FSF anyhow. What do others think: is a 100% free software mobile device important to you?"

81 comments

  1. Who's behind that back-door ? by Taco+Cowboy · · Score: 2

    NSA ?

    GCHQ ?

    Or their equivalent from South Korea ?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Who's behind that back-door ? by Gaygirlie · · Score: 5, Interesting

      When I heard this news earlier today I couldn't help but think that it's not really a back-door. Samsung has had a service on their phones for years that allows you to track your phone and remotely wipe it if someone stole it or you lost it or something. Performing file I/O on the system? Well, that sounds exactly like something you'd need to do if you were to wipe the phone clean!

    2. Re:Who's behind that back-door ? by jason.sweet · · Score: 3, Funny

      NSA ?

      GCHQ ?

      Or their equivalent from South Korea ?

      AT&T

    3. Re:Who's behind that back-door ? by RabidReindeer · · Score: 1

      NSA ?

      GCHQ ?

      Or their equivalent from South Korea ?

      AT&T

      AT&T would be redundant for NSA.

    4. Re:Who's behind that back-door ? by Cenan · · Score: 1

      This was my exact thought when I read it earlier. I've used that functionality myself before. On top of that, what they replaced the Samsung Android version with was a crippled, no hardware acceleration piece of crap. But I think they already knew that, and they knew exactly why that "backdoor" was there, but now their obscure "alternative" to stock installs is all over the nerd news.

      --
      ... whatever ...
    5. Re:Who's behind that back-door ? by Forty+Two+Tenfold · · Score: 0
      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
    6. Re:Who's behind that back-door ? by Lumpy · · Score: 1

      Sorry but AT&T is far more evil than the NSA.

      --
      Do not look at laser with remaining good eye.
    7. Re: Who's behind that back-door ? by peragrin · · Score: 1

      Not really.

      You pay AT&T to rape you. The NSA does it for free.

      --
      i thought once I was found, but it was only a dream.
    8. Re: Who's behind that back-door ? by Cenan · · Score: 1

      I'd provide a link to the NSA budget, alas that is classified. But rest assured that they are being paid, you can stop sending them your food stamps now.

      --
      ... whatever ...
    9. Re:Who's behind that back-door ? by Anonymous Coward · · Score: 0

      What is so ironic is that if Apple went from $40 to $2-3, like Microsoft does... Apple would have a windfall.

    10. Re: Who's behind that back-door ? by Anonymous Coward · · Score: 0

      Not really.

      You pay AT&T to rape you. The NSA does it for free.

      And AT&T even sends their people to your door step even though you've never been under contact for their services and paid them for anything. Preemptive, free, home raping by AT&T!

    11. Re:Who's behind that back-door ? by Anonymous Coward · · Score: 0

      even if that's the reason, that doesn't make it any less of a backdoor

    12. Re:Who's behind that back-door ? by RabidReindeer · · Score: 1

      Sorry but AT&T is far more evil than the NSA.

      True. As another poster has observed, the NSA rapes you as part of your basic taxpayer services at no additional cost.

      Plus, the NSA doesn't employ telemarketers to call you up 5 times a day 7 days a week year after year, exploiting the loopholes in the "Do Not Call" registry. To say nothing of the junk mail.

    13. Re:Who's behind that back-door ? by MachineShedFred · · Score: 2

      They shouldn't need to expose full filesystem I/O for a remote wipe. They should only need to expose a locked up command that triggers the wipe within the local OS.

      Either this is a back door, or they are the worst software engineers ever.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    14. Re:Who's behind that back-door ? by Gaygirlie · · Score: 3, Insightful

      Either this is a back door, or they are the worst software engineers ever.

      A back-door is something that was placed there with the specific intent of providing access to the system even against the system owner's wish, so that's my point: it doesn't seem like that was the intent. It just sounds like it was there for this service, but they never really fully thought out the scheme and just went with whatever they first came up with. Granted, I'm only guessing here, but for once I'm going to go with the "it's incompetence, not malicious intent" - defense.

    15. Re: Who's behind that back-door ? by Anonymous Coward · · Score: 0

      "Sorry but AT&T is far more evil than the NSA."

      Get a clue, they are the exact same thing, far more so than you know!

      On another note: you do realize that the NSA has semiconductor fabs, so it's mostly in the hardware not the software!

    16. Re:Who's behind that back-door ? by Anonymous Coward · · Score: 0

      "it's incompetence, not malicious intent"

      From the outside you can not tell the difference. As the result is the same.

    17. Re:Who's behind that back-door ? by Anonymous Coward · · Score: 0

      When you're not in control of your phone anymore, how can you ensure the command is executed? Of course the modem software can be replaced as well, but until now no one (phone thieves) knew it was necessary.

    18. Re:Who's behind that back-door ? by NemosomeN · · Score: 1

      No. But it certainly makes it less sinister.

      --
      I hate grammar Nazi's.
    19. Re:Who's behind that back-door ? by Andy+Dodd · · Score: 3, Insightful

      "Never attribute to malice that which can be attributed to stupidity."

      My guess, after years of working with Samsung's poor-quality platform software and multiple run-ins with their utterly piss-poor configuration management processes (as in, the Korean divisions at Samsung Mobile don't seem to have any, as evidenced by numerous situations during the Superbrick fiasco):

      Samsung probably put this into the RIL library to facilitate modem debugging. e.g. the modem can read/write to /efs/root/ in order to make it easier for a developer to track state changes of the modem or whatever. (Why do this instead of using whatever debugging functions are built into the modem such as maybe JTAG? This is probably for late-stage development where they wanted to test finishing touches on the modem using final hardware and the modem's debugging functions weren't physically available.)

      Keep in mind that, based on the reverse engineering effort, Samsung *intended* this feature to only access files within /efs/root/ - the EFS partition is specifically reserved for device-specific state and calibration data (most notably the phone's IMEI is stored in the EFS partition, and with the exception of some miscellaneous other config data such as MAC addresses for wifi and BT, it's almost entirely for modem-related items. I may be wrong about the MAC data, I'm a bit rusty and haven't poked around at my EFS partitions in a long time.) It's only due to a screwup (lack of sanitization of escape sequences such as ../../ ) that someone can in theory access files outside of /efs/root

      So at some point, Samsung probably removed the corresponding components on the baseband firmware side (no one has yet to confirm anything on the modem side that sends these commands, nor has anyone caught any of these commands being issued - the behavior of the library was verified by injecting extra commands with a kernel patch in the driver between the modem and the library), but someone forgot to remove them from the RIL library on the applications processor side. Forgetting to remove dead code and/or leaving epic security holes in place (remember that in late 2012, someone realized that Samsung left a world readable/writable device node that effectively mapped all system memory to that device file - allowing anyone to read or write any part of memory. For more, do a Google search for "exynos-abuse" ) is pretty typical for Samsung.

      As to my experience here - I was one of the Cyanogenmod maintainers for the Exynos 4210 (I9100, I777, N7000) handset family, and also did some work on 4412 devices (primarily the Note 10.1 - GT-N8013) throughout 2012 and the first half of 2013. I'm 90% retired from working with Haxxinos these days and was (along with the majority of the rest of the Exynos maintainers) one of the people who left the project to start Omni after the Focal relicensing attempt fiasco.

      An interesting question is - what architecture is the XMM626x's baseband processor? Is it custom or an ARM variant making it easier to analyze the baseband firmware itself? More than two years of working with that family of devices and I never personally looked in detail at what was running on the baseband side.

      --
      retrorocket.o not found, launch anyway?
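The comment above pins the actual defect on missing sanitization of escape sequences such as `../../`, so that a feature meant to stay inside /efs/root could reach the whole filesystem. The following is an added example (not Replicant's or Samsung's code) of how a host-side handler can confine modem-supplied paths to a base directory before any file I/O: it resolves the request lexically, treats leading slashes as relative, and refuses any request whose `..` components would climb above the base. The base directory and the sample file names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: the directory the feature was meant to reach. */
#define BASE_DIR "/efs/root"
#define MAX_DEPTH 64

/* Lexically resolve a modem-supplied path against BASE_DIR.
 * On success writes the confined absolute path to `out` and returns true;
 * returns false if the request would escape BASE_DIR or does not fit.
 * Lexical only: symlinks inside BASE_DIR are not followed here, so a
 * production handler would additionally realpath() the result and
 * re-check the prefix once the file exists. */
bool confine_path(const char *req, char *out, size_t outlen)
{
    size_t stack[MAX_DEPTH];        /* offset in `out` where each component starts */
    size_t depth = 0;
    size_t baselen = strlen(BASE_DIR);
    size_t pos;
    const char *p = req;

    if (req == NULL || outlen <= baselen + 1)
        return false;
    memcpy(out, BASE_DIR, baselen + 1);
    pos = baselen;

    while (*p) {
        while (*p == '/')           /* collapse separators; a leading '/' is */
            p++;                    /* treated as relative, never as absolute */
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;               /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;       /* would climb above BASE_DIR: reject */
            depth--;
            pos = stack[depth];
            out[pos] = '\0';
            continue;
        }
        if (depth == MAX_DEPTH || pos + 1 + len >= outlen)
            return false;
        stack[depth++] = pos;
        out[pos++] = '/';
        memcpy(out + pos, start, len);
        pos += len;
        out[pos] = '\0';
    }
    return true;
}

int main(void)
{
    /* Constructed sample requests, as a modem-side peer might send them. */
    const char *samples[] = { "nv_data.bin", "a/../b", "./x//y/.", "../../escape.txt", "a/../../b" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = confine_path(samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

The rejection on `depth == 0` is what the original library lacked: a `..` that backs out of the base is refused outright rather than silently clamped.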
    20. Re:Who's behind that back-door ? by dos1 · · Score: 2

      That "obscure alternative" is one of the only ones consisting of entirely free software. Instead of whining that something doesn't work you should rather help implementing what's missing, either by direct contributions, money donations or even just a good word to the developers. Otherwise the rarity of free mobile systems like SHR, QtMoko or Replicant will become even more rare and none of them will be ever usable for anyone else than hardcore geeks.

    21. Re:Who's behind that back-door ? by Andy+Dodd · · Score: 1

      Another article on this, I agree with Dan's assessment - http://arstechnica.com/securit...

      --
      retrorocket.o not found, launch anyway?
    22. Re:Who's behind that back-door ? by sjames · · Score: 1

      Why would a wipe my data function need the ability to read a file and transmit it over the modem? Why would it need a download this and save it here function?

    23. Re:Who's behind that back-door ? by Anonymous Coward · · Score: 0

      Very true!

    24. Re: Who's behind that back-door ? by Anonymous Coward · · Score: 0

      Not really.

      You pay AT&T to rape you. The NSA does it

      with tax dollars.

      While you aren't making a conscious choice to pay for it out of pocket, you're still paying for it.

    25. Re:Who's behind that back-door ? by jmcvetta · · Score: 1

      Really? So what's the point of being able to read files belonging to the owner? If the backdoor only permitted nuking of the filesystem, then it wouldn't be a big deal. This is pretty clearly an application to facilitate surveillance of citizens, and therefore can be fairly described as sinister.

  2. Dupe by Desler · · Score: 5, Informative
    1. Re:Dupe by Anonymous Coward · · Score: 0

      timothy just wanted to really emphasize this one, that's all.

    2. Re:Dupe by Anonymous Coward · · Score: 0

      timothy just wanted to really emphasize this one, that's all.

      Yep, it's a Scroogling time again. Get ready for the two minutes of hate.

      Slashdot is being paid by Microsoft to help "Just fucking kill Google".

    3. Re:Dupe by Anonymous Coward · · Score: 1

      It's a Replicant article. Every time someone says the D word it Replicates itself.

    4. Re:Dupe by wonkey_monkey · · Score: 4, Insightful

      Replicant OS Developers Find Backdoor In Samsung Galaxy Devices
      Replicant Hackers Find and Close Samsung Galaxy Back-door

      Totally different story.

      --
      systemd is Roko's Basilisk.
    5. Re:Dupe by cant_get_a_good_nick · · Score: 4, Funny

      This story is a replicant...

    6. Re:Dupe by noh8rz10 · · Score: 1

      isn't this article an evolution of the last one? The last one was all "holy shiitzors there's a back hole!" this one is all "fuzxors we fixed it for ya!"

    7. Re:Dupe by Desler · · Score: 1

      No. It merely links directly to the FSF post while the first one linked to other articles linking to the FSF post.

    8. Re:Dupe by the_povinator · · Score: 1
      I didn't realize replicants existed at all, much less replicant hackers.

      Does anyone know if they are working on ... a pleasure model?

      --
      The .sig is dead, and I believe I had a hand in killing it.
  3. Wow! Two backdoors in one day? by Anonymous Coward · · Score: 3, Funny

    Wow! Two backdoors in one day? The Replicant team is really on a roll! And both of the backdoors in the exact same place! Impressive.

    1. Re:Wow! Two backdoors in one day? by tomkost · · Score: 1

      You can't really get enough backdoor can you?

    2. Re:Wow! Two backdoors in one day? by unixisc · · Score: 1

      All backdoors should be licensed under AGPL3

  4. First Post FAIL! by Anonymous Coward · · Score: 1

    This article was already posted once before on slashdot today!

  5. Slashdot editors by coofercat · · Score: 2

    Slashdot editors fail to spot dupe, and fail to fix it - even though it's on the frikkin' home page. Wow, that really is news ;-)

    Timothy, you've surpassed yourself. Tonight, when you go home to your SO and they ask you "how was your day, dear", you can proudly say "I really rocked today - I did some awesome stuff, I really moved the needle, I pushed the envelope, I really excelled!".

    1. Re:Slashdot editors by Threni · · Score: 1

      There's always this:

      http://soylentnews.org/

      Perhaps it'll free us from the laughable beta, and non-news for nerd clickbait too?

    2. Re:Slashdot editors by Anonymous Coward · · Score: 0

      Goes to show, Slashdot sucks so much, even the editors don't read it.

    3. Re:Slashdot editors by inasity_rules · · Score: 1

      I have seen a dupe or two there. Still in two minds about whether it'll free us or dupe us... :P

      --
      I have determined that my sig is indeterminate.
    4. Re:Slashdot editors by Threni · · Score: 1

      I only discovered it very recently; competition is good, right? Not sure why it started exactly, but it's good to know that there's somewhere similar in case this one continues to get worse.

    5. Re:Slashdot editors by Anonymous Coward · · Score: 0

      Yet here you are, reading it. That's got to say something about your character. Not sure what, probably something flattering. Yeah that's it, flattering.

    6. Re:Slashdot editors by Forty+Two+Tenfold · · Score: 0

      home to your SO and they ask you

      In this case, it's "OS", as in Other Self.

      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
    7. Re:Slashdot editors by inasity_rules · · Score: 1

      Worse? I would say you must be new here, but I can read UIDs... It was started by the whole "Fuck Beta" group which confused me (beta was, and as far as I know remains, optional), and like all things borne of "violent" revolution suffers a bit from some infighting. Hopefully they'll resolve that, but it remains to be seen if they can build a decent community. I am registered and do read there, but comment more here, which says something.

      --
      I have determined that my sig is indeterminate.
    8. Re:Slashdot editors by PPH · · Score: 1

      Timothy, you've surpassed yourself. Tonight, when you go home to your SO

      There will already be another Timothy there.

      --
      Have gnu, will travel.
    9. Re:Slashdot editors by erikkemperman · · Score: 1

      Same here. I joined soylent and pipe, for good measure. For the time being though I still read /. more regularly and I haven't posted to either soylent or pipe so far. Soylent has already witnessed quite some drama (an ousted leader has used the phrase "palace revolt", I kid you not).

      --
      Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
    10. Re:Slashdot editors by Anonymous Coward · · Score: 0

      I'm a loser. I admit it. I also am fascinated by mediocrity. You think I'm kidding... I am quite serious. I find mediocrity comforting, and feel right at home here on the dot.

  6. oh for crying out loud timothy by Anonymous Coward · · Score: 1

    Evidently the editors don't read the front page - given that there's *already* a story on there about this precise issue, using precisely the same blog.

  7. Replicants? by rossdee · · Score: 3, Funny

    Someone call Harrison Ford

    1. Re:Replicants? by Anonymous Coward · · Score: 0

      Someone needs to retire those skin jobs.

  8. Wow by Charliemopps · · Score: 2

    I'm used to the dupes being weeks or months old... maybe Days for really bad ones. But this was like 12hrs ago? Do the editors even read slashdot anymore?

    1. Re:Wow by Anonymous Coward · · Score: 0

      Anymore?

      You're new around here, ain't ya?

    2. Re:Wow by Desler · · Score: 1

      I think the better question is: Are the editors even functionally literate?

    3. Re:Wow by Anonymous Coward · · Score: 0

      Quoth the Raven, "anymore".

    4. Re:Wow by Dixie_Flatline · · Score: 1

      Yeah, see my UID? This has been happening for as long as I've been here. :)

  9. Replicant hackers? by JockTroll · · Score: 0

    Oh well, if you can't retire them just wait 4 years and they'll be gone.

    --
    Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
  10. Re:God is behind every backdoor by Anonymous Coward · · Score: 1

    I really hope you didn't type that out.

  11. Modem already has full debugger access in hardware by Anonymous Coward · · Score: 0

    I thought, from reading other stuff on the Replicant site, that all these modems had full access to the phone's host CPU bus the same as the IPMI modules the NSA uses in servers for "stealth" and "persistence", and unlike the USB modems in laptops where exploits are contained to the modem (modulo host USB stack bugs which are probably rampant).

  12. Two words by Swampash · · Score: 1

    Android

    1. Re:Two words by Bill,+Shooter+of+Bul · · Score: 1

      Either there is a whoosh sound, it's under my threshold of hearing, or your counting skills suck.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
  13. Re:God is behind every backdoor by Anonymous Coward · · Score: 1

    Holy batshit, er, batman.

  14. Does Deckard Know this? by goombah99 · · Score: 2

    I'm sure Samsung is sending in the blade runner for these replicant hackers

    --
    Some drink at the fountain of knowledge. Others just gargle.
  15. Re:God is behind every backdoor by Anonymous Coward · · Score: 0

    Just a copy paste job :

    https://www.google.de/#q=%22Firstly%2C+the+hypothesis.+If+evolution+is+incorrect%2C+then+it+can+be+demonstrated+to+be+so+by+using+both+living+and+dead+plants+and+animals.+The+following+is+the+way+to+do+so+and+the+logical+alternative+to+the+theory.+The+fossil+record+can+be+used+as+well%2C+but+not+as+evolution+theory+would+have+us+believe.+In+order+to+properly+falsify+something%2C+all+biases+must+be+removed%2C+since+assuming+something+is+correct+without+knowing+how+to+prove+its+false+is+akin+to+the+blind+person+who+can+not+confirm+the+color+of+someones+car.+Since+evolution+has+not+correctly+been+shown+how+to+be+falsified%2C+as+will+be+demonstrated%2C+we+must+be+open+to+other+possibilities+by+way+of+logic%2C+and+ultimately+reject+evolution+by+way+of+evidence%2C+should+the+evidence+lead+us+in+such+a+direction.%22

  16. Re:God is behind every backdoor by Anonymous Coward · · Score: 0
    " if someone said a watermelon is blue on the inside, but turns red when you cut it open, how could you prove them wrong?"

    Simple, drill a hole, or insert a fiber optic camera, or light it with a 10000W carbon-arc searchlight. None of these methods involve "cutting it open".

    Take your batshit ignorant rants elsewhere.

  17. Roy Baty inconsolable by Anonymous Coward · · Score: 0

    When reached by phone and told of the backdoor, replicant Roy Baty replied "I've seen things you people wouldn't believe"

  18. I love the smell of dupes in the morning.... by markhb · · Score: 1

    They smell like... Tacos. Duplicate posts make even Slashdot Beta seem like home.

    --
    Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
  19. Re:God is behind every backdoor by Anonymous Coward · · Score: 0

    In order to demonstrate that the Creator is responsible for life and created life diversified to begin with, the word "kind" must be defined. A kind is the original prototype of any ancestral line; that is to say if God created two lions, and two cheetahs, these are distinct kinds. In this scenario, these two cats do not share a common ancestor, as they were created separately, and therefore are not the same kind despite similar appearance and design. If this is the case, evolution theory is guilty of using homogeneous structures as evidence of common ancestry, and then using homogeneous structures to prove common ancestry; this is circular reasoning!

    why is using evidence to prove something circular reasoning?

  20. Dupe? by deadweight · · Score: 1

    I think this is a dupe from about 4 or 5 articles back.

  21. Wow by Anonymous Coward · · Score: 0

    Seems no one can stand Beta.

  22. In a word... by s13g3 · · Score: 1

    > "is a 100% free software mobile device important to you?"

    In a word: Yes.

    The borderline (and sometimes not-so-borderline) criminal behavior of some software/hardware makers, coupled with often exorbitant costs for a device that will either be destroyed (via being cheaply made) or totally obsolete in a few years makes me quite leery of trusting or relying on a modern smartphone, much less actually spending my own money on one. Especially when my company provides me with a phone, POS though it may be.

    --
    "Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
  23. then Sailfish on Jolla phones? by Herve5 · · Score: 1

    But last I searched details on this, the actual progress and software availability was close to pathetic...

    --
    Herve S.
  24. Yeah I can see that happen by Anonymous Coward · · Score: 0

    OOOooops, I just tripped on my own fingers and inadvertently implemented a backdoor, silly me, lol, I'll leave it there then, and I'll use that rather than the secure standard way, cause you know, lazy and shit.

    1. Re:Yeah I can see that happen by Andy+Dodd · · Score: 1

      You have obviously never worked closely with software written by Samsung before.

      You know, the company that shipped millions of chips that would be damaged permanently if you send them a secure erase command. (Remember http://www.anandtech.com/show/... - What they don't tell you in that article is that Samsung shipped eMMC chips with the SAME EXACT BUG in every single international Galaxy S2 and Galaxy Note sold for many months.)

      This is also the company that had a device file that was chmodded 666 or 777 that allowed you read/write access to the entirety of system memory. (Google exynos-abuse)

      --
      retrorocket.o not found, launch anyway?
  25. Re:God is behind every backdoor by Anonymous Coward · · Score: 0

    Oh my God.

    Get this man to a philosophy class. He's just gone full retard.

  26. Re:God is behind every backdoor by Anonymous Coward · · Score: 0

    drilling a hole counts as cutting it open, idiot.

    lighting it with a very very powerful torch might work tho, anti-idiot