Mobile
3/13/2014
12:09 PM
Connect Directly
RSS
E-Mail
50%
50%

Samsung Galaxy Security Alert: Android Backdoor Discovered

Samsung's flavor of Android has a backdoor that can be remotely exploited by attackers, Android developers warn.

Security alert: Attackers can remotely exploit a software-based backdoor -- present in at least nine different models of Samsung smartphones and tablets -- to steal files and location data or surreptitiously activate a microphone or camera.

That warning was sounded Wednesday by members of the Replicant project, which builds free versions of Android to replace the proprietary versions installed by most carriers and manufacturers.

Replicant researchers said they found that the radio modems on some Samsung devices will execute remote file system (RFS) commands. "We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system," said Replicant developer Paul Kocialkowski in a blog post on the Free Software Foundation site.

"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage," he added. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data."

[Looking for a more secure device? See Smartphone Security: Two Shades Of Black.]

Samsung didn't immediately respond to an emailed request for comment about Replicant's findings or to questions about which models might be affected and whether it planned to patch vulnerable devices.

But, according to Replicant, so far it's identified nine different types of Samsung devices that have the vulnerability: the Nexus S, Galaxy S, Galaxy S 2, Galaxy Note, Galaxy Nexus, Galaxy Tab 2 7.0, Galaxy Tab 2 10.1, Galaxy S 3, and Galaxy Note 2. It cautioned that more devices may be affected.

Galaxy Tab 2 7.0
Galaxy Tab 2 7.0

It's not clear if the code that introduces the vulnerability is a bug, was meant to support some types of features, or might relate to diagnostic data-gathering conducted by Samsung or its business partners. But Kocialkowski warned that the backdoor could be used by any remote attacker -- such as criminals or intelligence agencies -- to turn the devices into remote spying tools. "The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone," he said. "Moreover, modems are connected most of the time to the operator's network, making the backdoors nearly always accessible."

The researchers published a demonstration of the vulnerability in the form of a patch that can be applied to the Replicant 4.2 kernel that instructs the modem to open, read, and close a local file. According to the researchers, it would be relatively easy for attackers to use this bug to access any file stored on the device, albeit with some caveats. "Note that the files are opened with the [baseband] software's user permissions, which may be root on some devices," according to Replicant's teardown of the backdoor. "On other cases, its runs as an unprivileged user that can still access the user's personal data" that's stored on removable media. "Finally, some devices may implement SELinux, which considerably restricts the scope of possible files that the modem can access, including the user's personal data."

Kocialkowski called on Samsung to eliminate the RFS backdoor, which he said could be fixed with just a software patch. Alternately, users of the vulnerable devices can replace the Samsung-built version of Android with Replicant's free, "pure" version, which he said "does not implement this backdoor" and also blocks the modem from being able to access files. "If the modem asks to read or write files, Replicant does not cooperate with it," he said.

Still, Kocialkowski cautioned that the baseband processors installed on most mobile devices run proprietary software, which an attacker might be able to exploit remotely not just to issue file-access commands, but also to rewrite the software running the device's main processor.

Theoretically, manufacturers could build firewalls to prevent a baseband processor from being able to access the main processor, microphone, camera, or similar components. But in practice that's rarely done. "It is possible to build a device that isolates the modem from the rest of the phone so it can't mess with the main processor or access other components such as the camera or the GPS," Kocialkowski said. "Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new."

Is Amazon Web Services always the best choice for an infrastructure-as-a-service partner? Register for this InformationWeek editorial webinar and learn about the key differentiators that can mean success for your IaaS project -- or defeat. The How To Choose An IaaS Partner webinar happens March 14. Registration is free.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 6:43:02 PM
Update: Samsung dismisses vulnerability report
A Samsung spokeswoman, asked to comment about the bug report, offered the following response via email:  

"Samsung takes consumer privacy and security very seriously and we'd like to assure consumers that our products are safe to use. We are able to confirm that the matter reported by the Free Software Foundation is based on an incorrect understanding of the software feature that enables communication between the modem and the AP chipset."

 

Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If youíre still focused on securing endpoints, youíve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.