Security alert: Attackers can remotely exploit a software-based backdoor -- present in at least nine different models of Samsung smartphones and tablets -- to steal files and location data or surreptitiously activate a microphone or camera.

That warning was sounded Wednesday by members of the Replicant project, which builds free versions of Android to replace the proprietary versions installed by most carriers and manufacturers.

Replicant researchers said they found that the radio modems on some Samsung devices will execute remote file system (RFS) commands. "We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system," said Replicant developer Paul Kocialkowski in a blog post on the Free Software Foundation site.

"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage," he added. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data."

[Looking for a more secure device? See Smartphone Security: Two Shades Of Black.]

Samsung didn't immediately respond to an emailed request for comment about Replicant's findings or to questions about which models might be affected and whether it planned to patch vulnerable devices.

But, according to Replicant, so far it's identified nine different types of Samsung devices that have the vulnerability: the Nexus S, Galaxy S, Galaxy S 2, Galaxy Note, Galaxy Nexus, Galaxy Tab 2 7.0, Galaxy Tab 2 10.1, Galaxy S 3, and Galaxy Note 2. It cautioned that more devices may be affected.

Galaxy Tab 2 7.0

It's not clear if the code that introduces the vulnerability is a bug, was meant to support some types of features, or might relate to diagnostic data-gathering conducted by Samsung or its business partners. But Kocialkowski warned that the backdoor could be used by any remote attacker -- such as criminals or intelligence agencies -- to turn the devices into remote spying tools. "The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone," he said. "Moreover, modems are connected most of the time to the operator's network, making the backdoors nearly always accessible."

The researchers published a demonstration of the vulnerability in the form of a patch that can be applied to the Replicant 4.2 kernel that instructs the modem to open, read, and close a local file. According to the researchers, it would be relatively easy for attackers to use this bug to access any file stored on the device, albeit with some caveats. "Note that the files are opened with the [baseband] software's user permissions, which may be root on some devices," according to Replicant's teardown of the backdoor. "On other cases, its runs as an unprivileged user that can still access the user's personal data" that's stored on removable media. "Finally, some devices may implement SELinux, which considerably restricts the scope of possible files that the modem can access, including the user's personal data."

Kocialkowski called on Samsung to eliminate the RFS backdoor, which he said could be fixed with just a software patch. Alternately, users of the vulnerable devices can replace the Samsung-built version of Android with Replicant's free, "pure" version, which he said "does not implement this backdoor" and also blocks the modem from being able to access files. "If the modem asks to read or write files, Replicant does not cooperate with it," he said.

Still, Kocialkowski cautioned that the baseband processors installed on most mobile devices run proprietary software, which an attacker might be able to exploit remotely not just to issue file-access commands, but also to rewrite the software running the device's main processor.

Theoretically, manufacturers could build firewalls to prevent a baseband processor from being able to access the main processor, microphone, camera, or similar components. But in practice that's rarely done. "It is possible to build a device that isolates the modem from the rest of the phone so it can't mess with the main processor or access other components such as the camera or the GPS," Kocialkowski said. "Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new."

Is Amazon Web Services always the best choice for an infrastructure-as-a-service partner? Register for this InformationWeek editorial webinar and learn about the key differentiators that can mean success for your IaaS project -- or defeat. The How To Choose An IaaS Partner webinar happens March 14. Registration is free.