Samsung Galaxy backdoor allows file access on the mobile’s storage

Pierluigi Paganini March 13, 2014

Replicant developer Kocialkowski has discovered a backdoor in Samsung Galaxy devices which allows file access on the mobile’s storage.

Android is the most widespread open source operating system, but because it is an open project, many customized versions run on mobile devices.
Almost every mobile phone manufacturer sells its devices with a version of the Android OS that includes its own software components, pre-installed applications and factory settings.
Samsung, for example, provides a customized Android version which includes some pre-installed proprietary software, but, as usually happens in these cases, no one has the possibility to analyze the added components in detail through an efficient code review process. Pre-installed components could include a backdoor to spy on users or to remotely gain complete control of the device. On the
Replicant OS is an open source operating system based on Google Android and available for several smartphones and tablet computers, which replaces all proprietary Android components with their free software counterparts.

The developer of the open source operating system Replicant OS, Paul Kocialkowski, has uncovered a backdoor pre-installed on Samsung Galaxy devices and the Nexus S that allows remote access to all the data in the device.
The researcher revealed that many Samsung devices are affected by this flaw, including Nexus S, Galaxy S, Galaxy S2, Galaxy Note, Galaxy Tab 2, Galaxy S 3, and Galaxy Note 2.

As highlighted in the blog post, modern handsets come with two separate processors: a general-purpose application processor that runs the main operating system and another component in charge of communications with the mobile telephony network. The modem processor is usually targeted by attackers because it always runs a proprietary operating system, and the presence of a backdoor makes remote surveillance activities possible.

“Today’s phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network. This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator’s network, making the backdoors nearly always accessible.”

Kocialkowski has discovered that Samsung’s IPC protocol runs in the background in the communications processor and allows the modem component to remotely access the user’s phone storage. The Samsung IPC protocol implements a class of requests (RFS commands) to execute remote I/O operations on the phone’s storage, allowing the modem to read, write, and delete files.

“we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data. A technical description of the issue, as well as the list of known affected devices is available at the Replicant wiki.” states the blog post.

We cannot demonstrate whether the backdoor was deliberately designed or was placed there by mistake, but in both cases users’ privacy is at risk.

“The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a backdoor.” “However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target a very precise file, known as the modem’s NV data.” the researcher added.
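The distinction drawn in that quote, a handler that serves only the modem's NV data and refuses generic file I/O, can be sketched as a default-deny dispatcher. This is an added example, not code from Replicant or Samsung; the command codes, request layout, NV size and path are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed command codes and sizes for illustration; not Samsung's values. */
enum { RFS_NV_READ_ITEM = 1, RFS_NV_WRITE_ITEM = 2, RFS_GENERIC_FILE_IO = 3 };
enum { RFS_OK = 0, RFS_DENIED = -1, RFS_BAD_RANGE = -2 };
#define NV_SIZE 4096u

static uint8_t nv_data[NV_SIZE]; /* stands in for the single NV data file */

/* Hypothetical request as received from the modem. */
struct rfs_request {
    uint16_t command;
    uint32_t offset;   /* position inside the NV data */
    uint32_t length;   /* number of bytes to transfer */
    const char *path;  /* modem-supplied path: deliberately never used */
    uint8_t *buf;      /* source for writes, destination for reads */
    size_t buf_len;
};

int rfs_handle(const struct rfs_request *req)
{
    /* Default deny: only the two NV item commands are served. */
    if (req->command != RFS_NV_READ_ITEM && req->command != RFS_NV_WRITE_ITEM)
        return RFS_DENIED;
    /* Overflow-safe range check: never compute offset + length directly. */
    if (req->offset > NV_SIZE || req->length > NV_SIZE - req->offset)
        return RFS_BAD_RANGE;
    if (req->buf == NULL || req->length > req->buf_len)
        return RFS_BAD_RANGE;
    if (req->command == RFS_NV_READ_ITEM)
        memcpy(req->buf, nv_data + req->offset, req->length);
    else
        memcpy(nv_data + req->offset, req->buf, req->length);
    return RFS_OK;
}

int main(void)
{
    uint8_t buf[4] = { 0xde, 0xad, 0xbe, 0xef };
    struct rfs_request nv = { RFS_NV_WRITE_ITEM, 0, 4, NULL, buf, sizeof buf };
    struct rfs_request io = { RFS_GENERIC_FILE_IO, 0, 4, "/constructed/path", buf, sizeof buf };
    /* Exit status 0 when the NV write is served and the file request refused. */
    return !(rfs_handle(&nv) == RFS_OK && rfs_handle(&io) == RFS_DENIED);
}
```

Because the handler never opens a path supplied by the modem, a compromised baseband can at worst alter the NV data region, not the user's files.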

Replicant has published a patch ‘0001-modem_if-Inject-and-intercept-RFS-I-O-messages-to-pe.patch’ for your Samsung smartphone, which replaces the legitimate Samsung-RIL library.

Kocialkowski also encourages Samsung Galaxy owners to appeal publicly to SamsungMobile for an explanation.

Pierluigi Paganini

(Security Affairs – Samsung, mobile)
