Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

Samsung Galaxy Security Alert: Android Backdoor Discovered

Samsung's flavor of Android has a backdoor that can be remotely exploited by attackers, Android developers warn.

Security alert: Attackers can remotely exploit a software-based backdoor -- present in at least nine different models of Samsung smartphones and tablets -- to steal files and location data or surreptitiously activate a microphone or camera.

That warning was sounded Wednesday by members of the Replicant project, which builds free versions of Android to replace the proprietary versions installed by most carriers and manufacturers.

Replicant researchers said they found that the radio modems on some Samsung devices will execute remote file system (RFS) commands. "We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system," said Replicant developer Paul Kocialkowski in a blog post on the Free Software Foundation site.

"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage," he added. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data."

[Looking for a more secure device? See Smartphone Security: Two Shades Of Black.]

Samsung didn't immediately respond to an emailed request for comment about Replicant's findings or to questions about which models might be affected and whether it planned to patch vulnerable devices.

But, according to Replicant, so far it's identified nine different types of Samsung devices that have the vulnerability: the Nexus S, Galaxy S, Galaxy S 2, Galaxy Note, Galaxy Nexus, Galaxy Tab 2 7.0, Galaxy Tab 2 10.1, Galaxy S 3, and Galaxy Note 2. It cautioned that more devices may be affected.

Galaxy Tab 2 7.0
Galaxy Tab 2 7.0

It's not clear if the code that introduces the vulnerability is a bug, was meant to support some types of features, or might relate to diagnostic data-gathering conducted by Samsung or its business partners. But Kocialkowski warned that the backdoor could be used by any remote attacker -- such as criminals or intelligence agencies -- to turn the devices into remote spying tools. "The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone," he said. "Moreover, modems are connected most of the time to the operator's network, making the backdoors nearly always accessible."

The researchers published a demonstration of the vulnerability in the form of a patch that can be applied to the Replicant 4.2 kernel that instructs the modem to open, read, and close a local file. According to the researchers, it would be relatively easy for attackers to use this bug to access any file stored on the device, albeit with some caveats. "Note that the files are opened with the [baseband] software's user permissions, which may be root on some devices," according to Replicant's teardown of the backdoor. "On other cases, its runs as an unprivileged user that can still access the user's personal data" that's stored on removable media. "Finally, some devices may implement SELinux, which considerably restricts the scope of possible files that the modem can access, including the user's personal data."

Kocialkowski called on Samsung to eliminate the RFS backdoor, which he said could be fixed with just a software patch. Alternately, users of the vulnerable devices can replace the Samsung-built version of Android with Replicant's free, "pure" version, which he said "does not implement this backdoor" and also blocks the modem from being able to access files. "If the modem asks to read or write files, Replicant does not cooperate with it," he said.

Still, Kocialkowski cautioned that the baseband processors installed on most mobile devices run proprietary software, which an attacker might be able to exploit remotely not just to issue file-access commands, but also to rewrite the software running the device's main processor.

Theoretically, manufacturers could build firewalls to prevent a baseband processor from being able to access the main processor, microphone, camera, or similar components. But in practice that's rarely done. "It is possible to build a device that isolates the modem from the rest of the phone so it can't mess with the main processor or access other components such as the camera or the GPS," Kocialkowski said. "Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new."

Is Amazon Web Services always the best choice for an infrastructure-as-a-service partner? Register for this InformationWeek editorial webinar and learn about the key differentiators that can mean success for your IaaS project -- or defeat. The How To Choose An IaaS Partner webinar happens March 14. Registration is free.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 6:43:02 PM
Update: Samsung dismisses vulnerability report
A Samsung spokeswoman, asked to comment about the bug report, offered the following response via email:  

"Samsung takes consumer privacy and security very seriously and we'd like to assure consumers that our products are safe to use. We are able to confirm that the matter reported by the Free Software Foundation is based on an incorrect understanding of the software feature that enables communication between the modem and the AP chipset."

 

Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.