3/13/2014
12:09 PM

Samsung Galaxy Security Alert: Android Backdoor Discovered

Samsung's flavor of Android has a backdoor that can be remotely exploited by attackers, Android developers warn.

Security alert: Attackers can remotely exploit a software-based backdoor -- present in at least nine different models of Samsung smartphones and tablets -- to steal files and location data or surreptitiously activate a microphone or camera.

That warning was sounded Wednesday by members of the Replicant project, which builds free versions of Android to replace the proprietary versions installed by most carriers and manufacturers.

Replicant researchers said they found that the radio modems on some Samsung devices will execute remote file system (RFS) commands. "We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system," said Replicant developer Paul Kocialkowski in a blog post on the Free Software Foundation site.

"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage," he added. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data."


Samsung didn't immediately respond to an emailed request for comment about Replicant's findings or to questions about which models might be affected and whether it planned to patch vulnerable devices.

But, according to Replicant, so far it's identified nine different types of Samsung devices that have the vulnerability: the Nexus S, Galaxy S, Galaxy S 2, Galaxy Note, Galaxy Nexus, Galaxy Tab 2 7.0, Galaxy Tab 2 10.1, Galaxy S 3, and Galaxy Note 2. It cautioned that more devices may be affected.

Galaxy Tab 2 7.0

It's not clear if the code that introduces the vulnerability is a bug, was meant to support some types of features, or might relate to diagnostic data-gathering conducted by Samsung or its business partners. But Kocialkowski warned that the backdoor could be used by any remote attacker -- such as criminals or intelligence agencies -- to turn the devices into remote spying tools. "The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone," he said. "Moreover, modems are connected most of the time to the operator's network, making the backdoors nearly always accessible."

The researchers published a demonstration of the vulnerability in the form of a patch that can be applied to the Replicant 4.2 kernel that instructs the modem to open, read, and close a local file. According to the researchers, it would be relatively easy for attackers to use this bug to access any file stored on the device, albeit with some caveats. "Note that the files are opened with the [baseband] software's user permissions, which may be root on some devices," according to Replicant's teardown of the backdoor. "In other cases, it runs as an unprivileged user that can still access the user's personal data" that's stored on removable media. "Finally, some devices may implement SELinux, which considerably restricts the scope of possible files that the modem can access, including the user's personal data."

Kocialkowski called on Samsung to eliminate the RFS backdoor, which he said could be fixed with just a software patch. Alternately, users of the vulnerable devices can replace the Samsung-built version of Android with Replicant's free, "pure" version, which he said "does not implement this backdoor" and also blocks the modem from being able to access files. "If the modem asks to read or write files, Replicant does not cooperate with it," he said.
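As an added illustration (not code from the article, from Replicant, or from Samsung), the following Python model shows the trust decision the preceding paragraphs describe: a handler on the applications processor receives a file-I/O request from the modem and either services it with its own privileges (the "may be root" case), confines it to an allow-listed prefix (the SELinux case), or refuses it outright and records the attempt (Replicant's "does not cooperate" stance). The message layout, command names, policy enum, audit format and file paths are all constructed for this example and do not reflect the real Samsung IPC/RFS protocol.

```python
"""Toy model of the modem-to-application-processor file-I/O trust boundary.

Constructed example: opcodes, paths and the message layout are invented for
illustration and are NOT the real Samsung IPC/RFS wire format.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class RfsCommand(Enum):
    OPEN = auto()
    READ = auto()
    WRITE = auto()
    UNLINK = auto()


class Policy(Enum):
    """The three situations the article distinguishes (constructed names)."""
    UNRESTRICTED = auto()  # handler runs as root: the modem can reach any file
    CONFINED = auto()      # SELinux-style confinement to an allow-listed prefix
    REFUSE = auto()        # Replicant's stance: never service modem file I/O


@dataclass
class RfsRequest:
    """A file-I/O request as the modem would send it (constructed shape)."""
    command: RfsCommand
    path: str
    data: bytes = b""


# Constructed stand-in for the phone's storage: path -> contents.
SAMPLE_FS = {
    "/data/user/contacts.db": b"constructed contact list",  # personal data
    "/modem_data/nv.bin": b"\x00\x01",                        # modem-owned data
}


@dataclass
class ApHandler:
    """The applications-processor side of the link, parameterised by policy."""
    fs: dict
    policy: Policy
    allowed_prefix: str = "/modem_data/"   # constructed; not a real Samsung path
    audit: list = field(default_factory=list)

    def _permitted(self, req: RfsRequest) -> bool:
        if self.policy is Policy.REFUSE:
            return False
        if self.policy is Policy.CONFINED:
            return req.path.startswith(self.allowed_prefix)
        return True  # UNRESTRICTED: whatever the handler's own user can reach

    def handle(self, req: RfsRequest):
        """Service or refuse one request; returns (status, payload).

        status 0 means the request was served, -1 means it was refused.
        Every decision is appended to self.audit so a defender can see
        what the modem asked for, whether or not it was granted.
        """
        if not self._permitted(req):
            self.audit.append(f"REFUSED modem RFS {req.command.name} {req.path}")
            return (-1, b"")
        self.audit.append(f"SERVED modem RFS {req.command.name} {req.path}")
        if req.command is RfsCommand.READ:
            return (0, self.fs.get(req.path, b""))
        if req.command is RfsCommand.WRITE:
            self.fs[req.path] = req.data
            return (0, b"")
        if req.command is RfsCommand.UNLINK:
            self.fs.pop(req.path, None)
            return (0, b"")
        return (0, b"")  # OPEN: nothing to do in this toy model


def run_scenario(policy: Policy):
    """Replay the same modem requests under one policy; returns (results, audit)."""
    handler = ApHandler(fs=dict(SAMPLE_FS), policy=policy)
    requests = [
        RfsRequest(RfsCommand.READ, "/data/user/contacts.db"),
        RfsRequest(RfsCommand.READ, "/modem_data/nv.bin"),
        RfsRequest(RfsCommand.WRITE, "/data/user/contacts.db", b"tampered"),
    ]
    results = [handler.handle(r) for r in requests]
    return results, handler.audit


if __name__ == "__main__":
    for policy in Policy:
        results, audit = run_scenario(policy)
        print(policy.name, results)
        for line in audit:
            print("  ", line)
```

Under UNRESTRICTED every request succeeds and the personal-data read returns the contact list; under CONFINED only the modem-owned path is served; under REFUSE nothing is served and the file system is left untouched, while the audit trail still records each request so the attempts remain visible to the platform owner.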

Still, Kocialkowski cautioned that the baseband processors installed on most mobile devices run proprietary software, which an attacker might be able to exploit remotely not just to issue file-access commands, but also to rewrite the software running the device's main processor.

Theoretically, manufacturers could build firewalls to prevent a baseband processor from being able to access the main processor, microphone, camera, or similar components. But in practice that's rarely done. "It is possible to build a device that isolates the modem from the rest of the phone so it can't mess with the main processor or access other components such as the camera or the GPS," Kocialkowski said. "Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments

Mathew
3/27/2014 | 6:43:02 PM
Update: Samsung dismisses vulnerability report
A Samsung spokeswoman, asked to comment about the bug report, offered the following response via email:  

"Samsung takes consumer privacy and security very seriously and we'd like to assure consumers that our products are safe to use. We are able to confirm that the matter reported by the Free Software Foundation is based on an incorrect understanding of the software feature that enables communication between the modem and the AP chipset."
