Researchers at the not-for-profit Free Software Foundation discovered this week that Samsung was building Samsung Galaxy S smart phones with an intentional back-door protocol in the modem processor.
In the words of the researchers:
“the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone’s storage”
Smartphone Processors & Software
Most smart phones come with two processors. One processor runs your Operating System (Android in this case) and its apps, while the second processor is the modem. The modem processor handles the sending/receiving of data to and from the smart phone.
Smart phone developers usually use the famous open-source Android freeware on the first processor (let’s call it the OS processor), but use proprietary software on the modem processor. This arrangement of processors and their software means that processing protocols on the first processor are more or less transparent, but it is nearly impossible to identify what processes take place on the second processor.
‘Remote’ is the key term here! It means that the processors can be controlled by a third-party that is not necessarily in physical contact with the smart phone.
How Does the Back-Door Work?
The OS processor takes instructions from the modem processor. So with the right code, the modem processor can fool the OS processor into doing whatever it wants. This can include starting or closing an app, switching on the camera or mic, reading or writing data, and sending or receiving data. For all intents and purposes, the modem processor is also capable of doing everything that you can do with your smart phone.
This way, the modem doubles as the built-in spy and doesn’t have to go to a third component to send/receive data.
If none of this is worrying you, I invite you to consider the possibilities of exploitation that can arise if somebody else controls your modem processor. Under normal circumstances, your modem processor cannot have the right to read/write files unless you explicitly give it permission. According to researchers at the not-for-profit Free Software Foundation, your modem processor is not being very honest with you.
This is not the First Time
The discovery of the back door raises countless questions about Samsung’s motive behind the back door. It also draws attention to the possibility that the NSA may have successfully infiltrated Samsung for data collection.
This is not the first time that a telecommunications giant has come under fire for alleged cooperation with the NSA to facilitate spying on smart phone users.
The discovery was made during research into the Samsung Galaxy S (I9000). While further reports are awaited to confirm or deny whether other Samsung devices have also been built with the same tap, there is reason to believe that most if not all of Samsung’s 3G enabled devices may house the same built-in back-door.
Keep in mind that no reports of the back-door’s exploitation have surfaced yet. While some will choose to consider this to be proof that the backdoor is benign, it is expected that others will install VPNs to secure their data transmissions, thereby making the encrypted data packets useless for intercepting parties.
Then there are the people who recommend switching on ‘Flight mode’ and disconnecting from the rest of the world altogether.
Bright side of that Samsung backdoor, it seems to rely on the backdoor support in the Android RIL, so to secure your phone, use flight mode.
— nine (@justnine) March 12, 2014
What remains to be seen in further reports is whether the back door is truly a harmless technicality or whether we got lucky this time and identified a weakness before somebody used it to hack our smart phones. Unless Samsung Galaxy S users are already being silently hacked, of course.
Want to read more? If the general summary of the issue available on the Free Software Foundation’s website isn’t enough for you, Android enthusiasts with a working knowledge can read the blog detailing the technical particulars on Replicant’s official Redmine page.