
Samsung Galaxy Security Alert: Android Backdoor Discovered

Samsung's flavor of Android has a backdoor that can be remotely exploited by attackers, Android developers warn.

Security alert: Attackers can remotely exploit a software-based backdoor -- present in at least nine different models of Samsung smartphones and tablets -- to steal files and location data or surreptitiously activate a microphone or camera.

That warning was sounded Wednesday by members of the Replicant project, which builds free versions of Android to replace the proprietary versions installed by most carriers and manufacturers.

Replicant researchers said they found that the radio modems on some Samsung devices will execute remote file system (RFS) commands. "We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system," said Replicant developer Paul Kocialkowski in a blog post on the Free Software Foundation site.

"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage," he added. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data."


Samsung didn't immediately respond to an emailed request for comment about Replicant's findings or to questions about which models might be affected and whether it planned to patch vulnerable devices.

But, according to Replicant, so far it's identified nine different types of Samsung devices that have the vulnerability: the Nexus S, Galaxy S, Galaxy S 2, Galaxy Note, Galaxy Nexus, Galaxy Tab 2 7.0, Galaxy Tab 2 10.1, Galaxy S 3, and Galaxy Note 2. It cautioned that more devices may be affected.

[Image: Galaxy Tab 2 7.0]

It's not clear if the code that introduces the vulnerability is a bug, was meant to support some types of features, or might relate to diagnostic data-gathering conducted by Samsung or its business partners. But Kocialkowski warned that the backdoor could be used by any remote attacker -- such as criminals or intelligence agencies -- to turn the devices into remote spying tools. "The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone," he said. "Moreover, modems are connected most of the time to the operator's network, making the backdoors nearly always accessible."

The researchers published a demonstration of the vulnerability in the form of a patch for the Replicant 4.2 kernel that instructs the modem to open, read, and close a local file. According to the researchers, it would be relatively easy for attackers to use this bug to access any file stored on the device, albeit with some caveats. "Note that the files are opened with the [baseband] software's user permissions, which may be root on some devices," according to Replicant's teardown of the backdoor. "In other cases, it runs as an unprivileged user that can still access the user's personal data" that's stored on removable media. "Finally, some devices may implement SELinux, which considerably restricts the scope of possible files that the modem can access, including the user's personal data."

Kocialkowski called on Samsung to eliminate the RFS backdoor, which he said could be fixed with just a software patch. Alternately, users of the vulnerable devices can replace the Samsung-built version of Android with Replicant's free, "pure" version, which he said "does not implement this backdoor" and also blocks the modem from being able to access files. "If the modem asks to read or write files, Replicant does not cooperate with it," he said.
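As an added illustration (not code from the article, Samsung, or Replicant), the toy model below replays the open/read/close sequence of the demonstration patch against two handlers on the applications-processor side: one that services modem file requests with its own permissions, as the article says the proprietary program does, and one that refuses them and logs the attempt, as Replicant does. All message names, the sample file, and the handler API are constructed for this example.

```python
import os
import tempfile

# Constructed message names for this toy model; they are not Samsung's real IPC identifiers.
RFS_OPEN, RFS_READ, RFS_CLOSE = "rfs_open", "rfs_read", "rfs_close"
RFS_COMMANDS = {RFS_OPEN, RFS_READ, RFS_CLOSE}

class ModemRequestHandler:
    """Applications-processor side of the modem link (constructed model).
    cooperate=True: perform file I/O on the modem's behalf with the handler's
    own rights (root on some devices), as the article describes.
    cooperate=False: refuse every RFS request, as Replicant does.
    """
    def __init__(self, cooperate):
        self.cooperate = cooperate
        self.log = []          # audit trail a defender would want to see

    def handle(self, msg):
        kind = msg["type"]
        if kind in RFS_COMMANDS and not self.cooperate:
            self.log.append(f"refused modem file request {kind} {msg.get('path', '')}")
            return {"status": "denied"}
        if kind == RFS_OPEN:   # file opened with the handler's own permissions
            return {"status": "ok", "fd": os.open(msg["path"], os.O_RDONLY)}
        if kind == RFS_READ:
            return {"status": "ok", "data": os.read(msg["fd"], msg["size"])}
        if kind == RFS_CLOSE:
            os.close(msg["fd"])
            return {"status": "ok"}
        return {"status": "ok"}  # ordinary telephony traffic is passed through untouched

def simulate(cooperate):
    """Replay open/read/close against a handler.
    Returns (status of the open request, bytes the modem obtained, handler log)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("constructed user data")     # stands in for a file in user storage
        path = f.name
    handler = ModemRequestHandler(cooperate)
    opened = handler.handle({"type": RFS_OPEN, "path": path})
    data = b""
    if opened["status"] == "ok":
        data = handler.handle({"type": RFS_READ, "fd": opened["fd"], "size": 64})["data"]
        handler.handle({"type": RFS_CLOSE, "fd": opened["fd"]})
    os.unlink(path)
    return opened["status"], data, handler.log
```

The cooperating handler hands the file contents to the modem; the refusing handler returns a denial and leaves a log line, which is the behaviour a defender would look for.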

Still, Kocialkowski cautioned that the baseband processors installed on most mobile devices run proprietary software, which an attacker might be able to exploit remotely not just to issue file-access commands, but also to rewrite the software running the device's main processor.

Theoretically, manufacturers could build firewalls to prevent a baseband processor from being able to access the main processor, microphone, camera, or similar components. But in practice that's rarely done. "It is possible to build a device that isolates the modem from the rest of the phone so it can't mess with the main processor or access other components such as the camera or the GPS," Kocialkowski said. "Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comment from Mathew (3/27/2014, 6:43:02 PM):
Update: Samsung dismisses vulnerability report
A Samsung spokeswoman, asked to comment about the bug report, offered the following response via email:

"Samsung takes consumer privacy and security very seriously and we'd like to assure consumers that our products are safe to use. We are able to confirm that the matter reported by the Free Software Foundation is based on an incorrect understanding of the software feature that enables communication between the modem and the AP chipset."
