If you've been watching your tech news feed regularly over the past day or so, you've probably come across at least one story making the rounds about a "backdoor" vulnerability in some newer Samsung phones. The original report, published by the Free Software Foundation and written by Paul Kocialkowski, a developer of Replicant, does all but directly accuse Samsung of planting a method of securing remote access to users' devices. A quick read over of the piece makes it rather obvious that the author has a rather significant bone to pick with any and all proprietary software:

Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone's data, even in the case where the modem is isolated and cannot access the storage directly. This is yet another example of what unacceptable behavior proprietary software permits! Our free replacement for that non-free program does not implement this backdoor. If the modem asks to read or write files, Replicant does not cooperate with it.

It's easy to see that Kocialkowski has an angle he's working here, and he outright plugs Replicant a handful of times in the piece, which makes this article rather hard to take seriously in the first place. Replicant is a fully open, non-proprietary fork of Android, the development of which is partially financed by the FSF (surprise!). Replicant's philosophy, of course, revolves around the notion that a completely open operating system has many advantages over one that is not completely open. Non-open aspects of Android include things like Google Apps, as many of us know, but also low-level firmware for the cellular modem, Bluetooth, and other hardware modules. The very existence of this proprietary code is apparently irritating to Replicant.

So when the team came across what actually seems to be a relatively innocuous and convoluted security vulnerability in a number of Samsung Galaxy devices, they took to the pedestal, and cried "backdoor!" The problem for Replicant is that, according to well-known Android security expert Dan Rosenberg (former rooter of all things Motorola), there is very little to no chance that the vulnerability would be exploited in the first place.

The vulnerability, in layman's terms, is this: using a function embedded in a phone's baseband processor (AKA the radio), the baseband can send commands to the application processor, some of which could endanger a user's data - potentially. The vulnerability has also only been proven on custom firmware so far, firmware where some of the host device's security features have been removed or disabled.

Beyond these points of fact, this is where Rosenberg and Kocialkowski quickly part ways.

Dan's first problem with this "backdoor" is that the publishers actually provide no mechanism of action for the exploit to be able to be initiated remotely in the first place, saying "[t]here is virtually no evidence for the ability to remotely execute this functionality." Kocialkowski merely says in his piece that there is "likely" some over-the-air mechanism in place to take advantage of the flaw, but he clearly has not identified said mechanism. Strike one.

In addition, the exploit only allows the baseband processor to exert a very limited degree of control over the application processor, because the function being exploited runs under the "radio" user in the Android OS. This means the radio only has access to 1.) radio functions (duh), and 2.) the SD card (and as of Android 4.4, it would only have read access to the SD card). It wasn't until the authors used a directory traversal attack that the modem was able to be used outside this capacity, which Dan intuits to mean that this "backdoor" isn't actually a backdoor at all, just some sloppy Samsung coding. (Eg, why would Samsung leave a backdoor that required a second exploit in order to actually work?)

According to Dan, the reason this feature is there in the first place is simply to send diagnostic files to the phone storage that can then be used to identify and fix issues with the radio. He also says that this particular exploit is very likely not the only extant example of a method by which the modem processor can "mess" with the application processor, even if it's not exactly best practice to allow this sort of behavior. The same code is in the baseband processors for the Galaxy Note 3 and S4, too. Dan says he did not find it any non-Samsung devices.

The real nail in the coffin, though, seems to be that taking advantage of this exploit would require the ability to execute arbitrary code on a device's baseband processor in the first place. This is where things go from shaky to outright ridiculous. As one commenter on the piece put it, it's a bit like saying you have a security flaw because a thief who has already broken into your house can take things from the refrigerator. If you can access the baseband modem to this extent, it's likely that a user's device is already so compromised that this exploit would be worthless in any practical sense.

To read more about the flaw, head over to ArsTechnica at the link below.


David Ruddock
David's phone is whatever is currently sitting on his desk. He is an avid writer, and enjoys playing devil's advocate in editorials, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.

  • Abhijeet Mishra

    Like I wrote in my post at SamMobile, this reeked of nothing but a ploy to (hopelessly) try to make Samsung open source its modem drivers/blobs, probably because Replicant was having issues making the radio work properly on its ROMs (I hear they're trying to take Replicant to a higher version of Android). Good thing Dan (and some mysterious security expert talking to XDA) cleared this out.

    • h4rr4r

      With a closed radio you have no idea what it is doing. It could send all kinds of data about you. It does not need to talk to the application CPU to do that.

    • Guest

      I'm afraid some Android users are starting to sound like Apple fanboys excusing even the most clear security flaw. I don't doubt the FSF would prefer open source modem driver, but that doesn't change what is a very real exploit.

      • Justin Case

        Then proof it on a production device without modification to the firmware, I think that is a fair request in this situation. Proofing on a highly modified device is deceptive at best.

        • Dmitri Smirnov

          What's there to prove? That samsung's firmware allows modem blob to do whatever it wants on device's memory? I think FSF researchers have proven that.

          If you are asking for a working exploit - if you can't use the backdoor, it doesn't mean that someone with a key can't. And in this case - there's a shady character in ski mask at your backdoor, telling you he won't let anyone in, but he'll hold on to the key to it "just in case".

          • Justin Case

            Did you even read it? They did NOT prove it (not saying it doesn't work). They did no remote exploitation, they did no local exploitation on a non compromised device. They patched a pre-compromised device to "proof" it. That is not how you do it my friend.

          • Dmitri Smirnov

            Did you even understand what they wrote? They found a vulnerability, that would allow modem firmware to do anything it wanted to phone's memory.
            That's the same as saying that a pre-installed public key on your linux server is not a backdoor, since you can't use it to log in to it.

          • Justin Case

            I do understand what they wrote, enough to understand that they didn't do a proper proof of it. Obviously more so than you.

            That is like me taking my Cyanogenmod exploit, putting CM on an HTC One, saying "look the HTC One is vulnerable" without ever proofing it on actual HTC firmware. I'm not saying it won't work, but I am saying that proofing it on modified, PRE COMPROMISED, firmware with disabled security features is a joke.

            Only two reasons for proofing it that way, either it doesn't work on a non pre-compromised device, or they lacked the ability to do it.

            They failed to proof the vulnerability on a stock device, period.

          • Dmitri Smirnov

            You keep saying "vulnerability". It's not a vulnerability per se, it's a undocumented acces that can be exploited by manufacturer or anyone having access to modem control (and that can be anybody).

            Please re-read the original post by developers and try to understand it too.

          • Justin Case

            I keep saying vulnerability, because it is a classic directory transversal vulnerability.

            The modem has write access to the EFS directory, they used a directory transversal VULNERABILITY to break out of that. Please do tell me how a directory transversal vulnerability is not a vulnerability.

            Since my background in mobile security obviously isn't enough, I will refer to Rosenberg, as I doubt many can honestly refute his expertise in this field.

          • Dmitri Smirnov

            Well, gotta know when you're beaten.
            I tip my hat to you and your expertise sir, you were right after all.

          • Guest
          • Hexagonal

            1. Why modem needs to read/write files on the main device? For diagnostics? Why then it's not disabled in release build?
            2. We have seen backdoors masked as vulnerabilities. Or vulnerabilities crafted to be used as backdoors.
            3. You say it can't be exploited on commercial firmware. For external hacker, it may be true, but what about Samsung itself, in cooperation with government agencies?
            4. In any case binary blobs and firmwares can't be trusted.

          • King_Anonymous

            It's "proving" you stupid dumbass. No such thing as "proofing" fucking moron. All of you are stupid.

          • Justin Case

            No such thing as proofing? Its the act of validating, checking for errors. Check out a dictionary, no its not the definition about baking bread.

          • King_Anonymous

            Fucking idiot, it's called "proving". Forget dictionaries, get an education.

          • Justin Case

            Sorry, in this case it would be proofing their work.

          • King_Anonymous

            Wrong again, idiot.

  • zxo0oxz

    Can't say I'm surprised. Getting pretty tired of this tinfoil BS.

    • DavidRuddocksBrowserHistory

      Read a newspaper and you won't be able to call any of these privacy concerns "tinfoil BS."

  • bungadudu

    It's a trend to accuse and troll Samsung nowadays..
    Some are even proud of this :-|

  • Mike Reid

    Consider all the Snowden revelations. Consider that they are the "tip of the iceberg".

    The US, Russian, Chinese and other spook agencies have capabilities that even the most technical of us would be surprised about, if we knew them all.

    The closed modem/radio side of things has very "interesting" capabilities on many phones.

    Over 10 years ago, with "dumb" phones, US authorities were listening to the microphones on some Mafia phones. This is proven in court documents.

    The rest we can only guess about. We "knew" about many of the Snowden revelations year ago, but were still shocked about the extent when they were leaked. In 10 years we will be shocked again when we find out what was happening in 2014.

    No tinfoil required. Very real. Consider Stuxnet.

    • andy_o

      Completely unrelated dubious assertions, therefore conspiracy is true.

    • DavidRuddocksBrowserHistory

      Ruddock seems to have an axe of his own to grind on all things security/privacy related. Previous posts of his reveal that he doesn't care much for legitimate privacy concerns.

  • h4rr4r

    The FSF is totally right. If the modem is running a binary blob you have no control over what it does. It could be sending copies of all interesting packets to someone else without telling the OS. No need to do anything to the application processor at all.

  • Guest

    Come on, I'm a fan of Android like anyone else, but this is clearly a security flaw. We shouldn't try to whitewash the issue by shooting the messenger -- there's clearly an intentional effort to allow the manufacturer backdoor access to the SD card. And I'm personally not okay with that. I won't be using any Samsung devices until this issue is patched.

  • DrakeTungsten

    Holy crap! I have to get a lock for my fridge!

  • Tim24

    that is one big pile of shit...

  • dogulas

    LOVED that opening picture. Thanks for the laugh.

  • http://www.scottcolbert.com ScottColbert

    I see all the Alex Jones sheep are out and about today.

    • ScottColbertsBrowserHistory

      Did Alex Jones leak actual classified documents showing vast intrusive goverment surveillance of US and foreign persons? Your characterization of people who care about privacy as "Alex Jones sheep" just shows your dishonesty. You don't care about facts.

      • http://www.scottcolbert.com ScottColbert

        Jones wouldn't know a fact if it bit him on the ass. Same with you. Get a life.

        • ScottColbertsBrowserHistory

          You're the only one who seems to care about Alex Jones. No one with concerns over privacy needs to even know who Alex Jones is. You're just making up idiotic dichotomies for some mysterious reason. I'd suggest you're the one who needs to improve his sad simplistic worldview. What a sorry existence you must live that you reject the real information that everyone from privacy experts to government intelligence agencies acknowledge. But, yes, by all means, let's pretend this is a case of Alex Jones versus the Scott Colbert, if that makes you feel safe in willful ignorance (or denial).

          "All's good. No one's trying to violate anyone else's rights or restrict liberties. Just relax and eat your smothered burrito."

    • screwscottcolbert

      shut it douche bag.

  • SK

    Claiming it's a backdoor is completely retarded. This is like claiming if PC A mounts a directory from another PC B using NFS or Samba, then suddenly PC B has a backdoor.

    The modem is just storing it's files under a sub directory of the main storage instead of creating a separate partition and potentially wasting main storage space. It's doing that through RFS (Remote File System?).

    Looks like they found an exploit that can be executed on the main processor (exploit that had to be run on PC B) that allows the RFS code running under radio group (NFS server running under NFS group) to access all the files. That doesn't make RFS (or NFS) a backdoor!

  • Albert

    Boooooring. Samsung fixes "backdoor" (actually just a sloppy security bug). Samsung pushes OTA update. Done. Complaint sunk.

    I'm an open source fanatic, releasing FOSS works and using Linux all the time, and this disgusts me. Actually, pretty much everything the FSF does or says these days disgust me.

    None of what they said has convinced me to throw Replicant on my phone anytime soon. Just some good ol' FUD to pressure Samsung to release source for the silly developers there.

    Citation: http://www.replicant.us/2014/03/unveiling-the-samsung-galaxy-back-door/
    "We have yet to hear from Samsung about this issue, as we are hoping that the reason for the presence of this back-door will be clarified. In that regard, we’d be very glad to work with Samsung in order to make things right, for instance through releasing free software or documentation that would make it easy for community Android versions to get rid of the incriminated blob."

    With only two developers (really just one) left, and FSF becoming even more irrelevant, we gotta do some sensationalism, eh?

    Attract me (and others) with a well designed Android OS alternative, not with your FUD and ideological hack job. Then you might actually attract real users and support.

    • Dmitri Smirnov

      This is the stuff the FSF managed to dig out. If Samsung open-sourced the modem drivers, then there would be something to talk about.

  • Hypocrite

    There was another article that said that every baseband has a OS of itself and is completely closed sourced making the phone susceptible to hacking through hidden backdoors