Security researchers are reporting a so-called backdoor security issue in Samsung Galaxy devices. The report comes from the Replicant project. Replicant develops free versions of Android to take the place of the proprietary versions that manufacturers and carriers install on most smartphones.
While working on Replicant, developer Paul Kocialkowski said he discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem also implements a backdoor. That backdoor, he explained, lets the modem perform remote file I/O operations on the file system.
"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage," Kocialkowski said. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data. A technical description of the issue, as well as the list of known affected devices, is available at the Replicant wiki."
If the modem runs proprietary software and can be remotely controlled, he continued, that backdoor provides remote access to the phone's data -- even in the case where the modem is isolated and cannot access the storage directly. He called it "another example of what unacceptable behavior proprietary software permits" and used it to argue his case for Replicant, which does not implement the backdoor.
Security Analyst: 'It's Very Serious'
We caught up with Craig Young, a security researcher for IT security software firm Tripwire, to find out what he had to say about the discovery. He told us the threat of vulnerabilities or backdoors within the baseband processor of a smartphone is very serious.
"This is essentially a separate computer system running next to the processor that powers your smartphone OS," Young said. "Dr. Charlie Miller leaked NSA documents that have revealed that baseband attacks can be very effective for compromising a phone and turning it into a perfect listening device."
In this particular case, Young said the researchers are claiming that at a minimum, received radio messages can contain commands to retrieve data from the phone's storage. Unfortunately, he explained, most white hat security researchers do not have the means to research this type of threat because it typically requires specialized equipment, a radio shielded room -- a sensitive compartmented isolation facility -- and possibly FCC approval.
Hijacking Associated Accounts
At the same time, Young continued, black-hat security researchers with malicious intentions who want to launch real attacks can acquire the technology necessary for this attack for less than $1,000, making this a realistic threat for corporate espionage and a variety of other targeted attacks.
"In my previous research into Android, presented at DEF CON 21, an attacker with root access to the Android device file system can easily hijack Google or other accounts associated with the device," Young said. "'Replicant' is suggesting that this is the case for the popular but older Galaxy S, which is an I9000 handset."