If you've been watching your tech news feed regularly over the past day or so, you've probably come across at least one story making the rounds about a "backdoor" vulnerability in some newer Samsung phones. The original report, published by the Free Software Foundation and written by Paul Kocialkowski, a developer of Replicant, does all but directly accuse Samsung of planting a method of securing remote access to users' devices. A quick read of the piece makes it rather obvious that the author has a rather significant bone to pick with any and all proprietary software:
Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone's data, even in the case where the modem is isolated and cannot access the storage directly. This is yet another example of what unacceptable behavior proprietary software permits! Our free replacement for that non-free program does not implement this backdoor. If the modem asks to read or write files, Replicant does not cooperate with it.
It's easy to see that Kocialkowski has an angle he's working here, and he outright plugs Replicant a handful of times in the piece, which makes this article rather hard to take seriously in the first place. Replicant is a fully open, non-proprietary fork of Android, the development of which is partially financed by the FSF (surprise!). Replicant's philosophy, of course, revolves around the notion that a completely open operating system has many advantages over one that is not completely open. Non-open aspects of Android include things like Google Apps, as many of us know, but also low-level firmware for the cellular modem, Bluetooth, and other hardware modules. The very existence of this proprietary code is apparently irritating to Replicant.
So when the team came across what actually seems to be a relatively innocuous and convoluted security vulnerability in a number of Samsung Galaxy devices, they took to the pedestal, and cried "backdoor!" The problem for Replicant is that, according to well-known Android security expert Dan Rosenberg (former rooter of all things Motorola), there is very little to no chance that the vulnerability would be exploited in the first place.
The vulnerability, in layman's terms, is this: using a function embedded in a phone's baseband processor (AKA the radio), the baseband can send commands to the application processor, some of which could endanger a user's data - potentially. The vulnerability has also only been proven on custom firmware so far, firmware where some of the host device's security features have been removed or disabled.
Beyond these points of fact, this is where Rosenberg and Kocialkowski quickly part ways.
Dan's first problem with this "backdoor" is that the publishers provide no mechanism by which the exploit could actually be initiated remotely in the first place, saying "[t]here is virtually no evidence for the ability to remotely execute this functionality." Kocialkowski merely says in his piece that there is "likely" some over-the-air mechanism in place to take advantage of the flaw, but he clearly has not identified said mechanism. Strike one.
In addition, the exploit only allows the baseband processor to exert a very limited degree of control over the application processor, because the function being exploited runs under the "radio" user in the Android OS. This means the radio only has access to 1.) radio functions (duh), and 2.) the SD card (and as of Android 4.4, it would only have read access to the SD card). It wasn't until the authors used a directory traversal attack that the modem could be used beyond this capacity, which Dan takes to mean that this "backdoor" isn't actually a backdoor at all, just some sloppy Samsung coding. (E.g., why would Samsung leave a backdoor that required a second exploit in order to actually work?)
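To make the point concrete, here is an added example (not code from the Replicant report or from Samsung's RIL) of the check that the file-handling function described above was missing: a request handler that confines modem-supplied paths to the external-storage directory and rejects "../" traversal, with a hypothetical allow_write flag standing in for the Android 4.4 read-only restriction. The names, paths and request format are constructed for illustration.

```python
import posixpath

# Constructed model of the scenario above: a handler that services file
# read/write requests on behalf of the modem, confined to external storage.
# SDCARD_ROOT and the request shape are assumptions, not Samsung's RIL code.
SDCARD_ROOT = "/sdcard"


class RequestRejected(Exception):
    """Raised when a modem request must not be serviced."""


def resolve_request_path(requested: str, root: str = SDCARD_ROOT) -> str:
    """Map a modem-supplied path to a path inside `root`, or raise.

    The check is purely lexical (normpath), so it catches "../" traversal
    but not symlinks already inside root; a real handler would also open
    files with O_NOFOLLOW or compare realpath() results.
    """
    if "\x00" in requested:
        raise RequestRejected("embedded NUL byte in path")
    # Treat every request as relative to root, even if it starts with "/".
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise RequestRejected(f"path escapes {root}: {requested!r}")
    return candidate


def handle_modem_request(op: str, path: str, allow_write: bool) -> str:
    """Decision logic only: return the resolved path if the request is allowed."""
    if op not in ("read", "write"):
        raise RequestRejected(f"unknown operation {op!r}")
    if op == "write" and not allow_write:
        raise RequestRejected("writes to external storage are not permitted")
    return resolve_request_path(path)


def is_allowed(op: str, path: str, allow_write: bool = False) -> bool:
    """Convenience wrapper: True if the request would be serviced."""
    try:
        handle_modem_request(op, path, allow_write)
        return True
    except RequestRejected:
        return False
```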
According to Dan, the reason this feature is there in the first place is simply to send diagnostic files to the phone storage that can then be used to identify and fix issues with the radio. He also says that this particular exploit is very likely not the only extant example of a method by which the modem processor can "mess" with the application processor, even if it's not exactly best practice to allow this sort of behavior. The same code is in the baseband processors for the Galaxy Note 3 and S4, too. Dan says he did not find it in any non-Samsung devices.
The real nail in the coffin, though, seems to be that taking advantage of this exploit would require the ability to execute arbitrary code on a device's baseband processor in the first place. This is where things go from shaky to outright ridiculous. As one commenter on the piece put it, it's a bit like saying you have a security flaw because a thief who has already broken into your house can take things from the refrigerator. If you can access the baseband modem to this extent, it's likely that a user's device is already so compromised that this exploit would be worthless in any practical sense.
To read more about the flaw, head over to ArsTechnica at the link below.