×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Replicant OS Developers Find Backdoor In Samsung Galaxy Devices

Soulskill posted about 9 months ago | from the caught-out dept.

Android 126

An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."

Sorry! There are no comments related to the filter you selected.

OTA updates (0)

Anonymous Coward | about 9 months ago | (#46469087)

Anyone? Bueller?

Re:OTA updates (-1)

Anonymous Coward | about 9 months ago | (#46469095)

Burn the freetards!!

Buy buttcoins!! The only digital currency you can shove up your butt!!

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46469103)

here ya go [cyanogenmod.org] .

But seriously, is this a "back door" (ie, an intentionally included method for remote file system access) or just a vulnerability (something left open accidentally). The effect for the end user may be the same technically, but the consequences for Samsung may be very different...

Re:OTA updates (2)

mythosaz (572040) | about 9 months ago | (#46469131)

It was a vulnerability. Now it's a back door.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46469207)

From TFA:
  "the incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

Seems pretty clear that this is a back door, and not a security bug. If I understand correctly they coded an interface which allows the modem read/write access to the OS. No way that's unintentional

Re:OTA updates (5, Funny)

Anonymous Coward | about 9 months ago | (#46469221)

"Nuts!" said the NSA. "Now we'll have to use one of our 12 other methods!"

Re:OTA updates (1)

davester666 (731373) | about 9 months ago | (#46470049)

Lube up boys. Time to start probing the other back doors.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46469485)

Seems pretty clear that this is a back door, and not a security bug. If I understand correctly they coded an interface which allows the modem read/write access to the OS. No way that's unintentional

That is if it even works. FTFA:
As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system.

It's not proven that this even works.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46469509)

If the modem has such ability and you can't control nor even strictly check what it does, it's already too much.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46470575)

If the modem has such ability and you can't control nor even strictly check what it does, it's already too much.

You say that but in reality you are wrong. People will still buy them just as they buy iphones, you have to prove that it is a problem rather than just assuming simply because you don't know.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46471721)

I don't care about "people", I care about me and unreasonable existence of such ability is enough for me to not buy such device.

Re:OTA updates (5, Informative)

supertall (1163993) | about 9 months ago | (#46469161)

Actually, the article states that Cyanogenmod uses the same blob as well.

Re:OTA updates (5, Interesting)

dos1 (2950945) | about 9 months ago | (#46469195)

This is part of their undocumented protocol for communication with the modem. Modem can ask to read or write some file on disk using IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_LSEEK_FILE, IPC_RFS_CLOSE_FILE, etc. messages and the library will happily do that for the modem. It's hardly unintended.

Re:OTA updates (1)

Anonymous Coward | about 9 months ago | (#46469287)

Who has access to execute these commands? I'm assuming just my carrier?

Re:OTA updates (3, Interesting)

Anonymous Coward | about 9 months ago | (#46469335)

Or anyone who sets up a fake tower? That's a pretty common and relatively easy attack vector now...

Re:OTA updates (4, Interesting)

megabeck42 (45659) | about 9 months ago | (#46469717)

I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.

A quick strings on my samsung captivate glide's modem firmware, reveals all manner of novel debug messages and log strings:

err/CP_MA_TRACE_%d_%04d%02d%02d%02d%02d%02d.bin
[DUMP] FILE OPEN FAIL
[ERROR]%s,%d,%s
[DUMP] FILE CREATE FAIL
[DUMP] Write MA Trace To /data/efs/err =====
aurrcbp: discard cell due to system information read error
[Net]NV Read Fail! OEM_NVM_TESTBED

etc..

I do know that a lot of data persistence for the radio is done with dotfiles scattered around and throughout /data and /efs (because real nvram is expensive).

I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

I don't think it's clearly a backdoor. But, I do believe the concern is warranted. The radio/modem's firmware blob is not auditable. Perhaps a combination of logging/auditing filesystem requests and limiting which files are accessible by the RILD? Actually, isn't the rild run as an unprivileged user, radio? (Possibly for this very reason?)

Re:OTA updates (3, Insightful)

s.petry (762400) | about 9 months ago | (#46471073)

I couldn't agree more. There is no evidence to suggest that it's a malicious backdoor.

No evidence to the contrary either, and worth questioning since this is a common theme. Motorola was found to be sending all kinds of data to Motorola servers without user knowledge, including specific authentication information in plain text, Apple's SSL mess up, Countless MS back doors in just about everything they make. Then you have other players that made horrible decisions costing them their phone business.

At a point we should at least wonder if these things are really just accidental and sloppy, or are they working as influenced/intended. The more we find that companies are doing the same things, the less plausible the "accidental" theory looks.

How to actually find out is the hard part. Any company doing things for a fat check and favors from a government realizes that whistle blowers will lose future checks and favors. I'd be very interested in seeing all the files the government has on this, especially things like how many employees on Government payroll are working at places like Intel, Samsung, Apple, Microsoft, etc (if any).. It's too bad the CIA and Senate fight won't do anything to open that door.

Re:OTA updates (2)

teslar (706653) | about 9 months ago | (#46472725)

I'm curious what functionality is affected, if any is, by rejecting any of these IPC_RFS_ I/O.

Remotely wiping a stolen mobile phone perhaps? It's just a guess - but by definition that would require the ability to do stuff to the phone's file system without the current user's knowledge or permission.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46472795)

> There is no evidence to suggest that it's a malicious backdoor.

What on earth? A back door is a back door, and it doesn't matter if it's malicious or not. It's an evasion of privacy, unethical, and they have absolutely have no right to do such a thing and keep it secret. If they do want to create backdoors, at least have the decency and the ethics to make sure everyone knows about it. Then let the consumer decide if they are happy with purchasing such a device or not.

Re:OTA updates (4, Insightful)

bug1 (96678) | about 9 months ago | (#46469983)

This is part of their undocumented protocol for communication with the modem. Modem can ask to read or write some file on disk using ...

And "undocumented protocol for communication" is different than a Backdoor how ?

Re:OTA updates (1)

dos1 (2950945) | about 9 months ago | (#46470041)

It's not.

Re:OTA updates (2)

cheater512 (783349) | about 9 months ago | (#46470395)

Where exactly would you expect the documentation for something like that to be in a consumer device?

Re:OTA updates (1)

bug1 (96678) | about 9 months ago | (#46470457)

Where exactly would you expect the documentation for something like that to be in a consumer device?

e.g. We arent sure where to put all that TCP/IP documentation, so dont bother writting it all down.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46470625)

When I was a kid the computers my parents purchased came with 3 paper books that came with my OS, the first was basic usage instructions, the second detailed instructions of how to use every software that came with the OS including all extra flags, options, and known bugs. The third book was the advanced manual and contained a listing of ever file, what it did, and what all the system libraries where that could be called should you desire to build a program using a language of your choice.

These where of course the new fangled computers with keyboards and fancy electronic displays. Previous to this the computers the schools had for instance operated by sticking in instruction cards with holes punched in them and reading off a series of lights and comparing it to instruction books for the results of your operations. I was lucky enough to be in the last group that got to use those punch machines and was one of the first in my class to try out math blaster with its amazing color graphics. I was very young though, and did not realize the significance to any of that being in only 3rd grade.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46471933)

Fortunately, for some values of device and OS, you can still find such documents online [kernel.org] . They've just become too large to print and ship with the devices.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46472389)

Time for your nap now grandpa simpson

Re:OTA updates (1)

kbg (241421) | about 9 months ago | (#46472017)

On the included SD card? On the manufacturer website?

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46470597)

Well how is a documented protocol for communication different from a backdoor? Is it somehow that anything that is undocumented is malicious?

Re:OTA updates (1)

bill_mcgonigle (4333) | about 9 months ago | (#46470885)

Well how is a documented protocol for communication different from a backdoor?

On a house, how is the back door different than the front door, other than being on the back side of the house?

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46471941)

The fence around the back with the signs stating "Beware of Dog" and "No Trespassing".

Re: OTA updates (0, Troll)

Anonymous Coward | about 9 months ago | (#46471615)

Because it's Samsung and Android instead of Apple, perhaps?

If Apple did this, it would be an absolute Apple hate-fest. People here are defending Samsung's actions and debating whether this was an intentional back door or not. Who are the fan-boys again?

Re: OTA updates (1)

Ronin Developer (67677) | about 9 months ago | (#46472747)

Wow! Someone states an apparent truth and it gets marked down to -1 so nobody sees it - it's not the message the Android and Samsung fans want to hear, apparently. But, the original poster is correct, if this happened on with Apple, there would be no "mis-understanding" as to whether this was intentional or not on this site.

Re:OTA updates (0)

Anonymous Coward | about 9 months ago | (#46470117)

Maybe the functions used by the baseband processor to fetch its firmware when upgrading the radio firmware?

How remote is remote? (1)

WyrdOne (96731) | about 9 months ago | (#46469135)

How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

Re:How remote is remote? (2, Funny)

MightyMartian (840721) | about 9 months ago | (#46469151)

How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?

Yes

RMS was right (5, Insightful)

Anonymous Coward | about 9 months ago | (#46469607)

This is what you get for essentially renting a a black box with audiovideo and communication capability and letting 3rd parties control it fully: a personal tracker better than what the worst totalitarian regime could dream. There is no reason why operating systems or essential drivers should be shipped as binary blobs, not this day and age, not after the NSA revelations.

Re:RMS was right (0)

Anonymous Coward | about 9 months ago | (#46472091)

What... you trust your compiler?

Re:How remote is remote? (5, Informative)

dos1 (2950945) | about 9 months ago | (#46469233)

Modem can ask the APU app to write/read selected files and do some other file system operations. Why would modem want to read/write arbitrary files on user's file system and what and how could invoke such behavior of the modem? The answer is up to your imagination.

Well, in fact many other phones don't need any backdoor to do the same as lots of them have modems directly connected to main RAM, exposing it to monitoring or even manipulation by the closed and strictly secured modem firmware.

That's why projects like Neo900 opt for clear APU<->modem separation as host<->peripheral, together with power and antenna usage monitoring and fully free software stack on APU side.

Re:How remote is remote? (0)

Anonymous Coward | about 9 months ago | (#46469477)

Why would modem want to read/write arbitrary files on user's file system and what and how could invoke such behavior of the modem?
and
Or anyone who sets up a fake tower? That's a pretty common and relatively easy attack vector now...
and
previously reported incidents of cops using fake towers (short range) to track suspects' cell phones

Leads to: cops (feds, whoever) load incriminating files (kiddie pr0n, whatever) on to undesirable person's cell phones to be used as evidence against them. For added hilarity, do it when they're about to cross a border.

Re:How remote is remote? (1)

SuricouRaven (1897204) | about 9 months ago | (#46471677)

Ask who controls the modem. It's not Samsung - it's the carriers. In the US market, some of them might like this capability for things like detecting who has uncrippled their bundled handset and enabled tethering rather than pay for the higher tier service.

Re:How remote is remote? (2)

Jane Q. Public (1010737) | about 9 months ago | (#46469285)

"How remote is remote? Are we talking over the internet/sms or are we talking if you control a cell tower?"

Doesn't matter. Nobody likes to get "backdoored" without their consent.

sxex with a HOMO (-1)

Anonymous Coward | about 9 months ago | (#46469299)

Contaminated while it wiil be among similarly g$risly

what do u mean they have a "blob"??? (-1)

Anonymous Coward | about 9 months ago | (#46469301)

the google shills on slashdot told me android was teh open sourse!!!

Workaround? (0)

Anonymous Coward | about 9 months ago | (#46469323)

There are no other results on google for the keywords (RxRFS_WriteFile, IPC_RFS_WRITE_FILE, etc). This is probably the first public disclosure of this backdoor (though I think we all expected this capability existed)

Seeing as Replicant is not quite ready for full-time use (GPS doesn't work yet), can anyone provide a workaround for this backdoor?

Better yet, port Replicant's Samsung-RIL library back into a standard Android build.

I would happily pay developers to work on Replicant, if there were a way to do so.

For those with more free time than money, check out their code wishlist: http://redmine.replicant.us/projects/replicant/wiki/Tasks

Re:Workaround? (1)

fuzzyfuzzyfungus (1223518) | about 9 months ago | (#46471925)

On phones that use Samsung's RIL; but either custom firmware or substantially-modifiable rooted firmware, the SELinux capabilities that they (fairly recently, was it 4.2?) could presumably be used to nuke most of the risk. Assuming it uses the filesystem commands at all, the legitimate day-to-day uses are presumably a few specific 'we were too cheap for NVRAM' locations that (if not documented, should at least be empirically determinable) you could then restrict it to.

Now, if you just need a few megs of cheap storage and don't want to bump the BoM, building an arbitrary filesystem access mechanism seems so sloppy and unconcerned with actual security as to make me wonder what else they fucked up; but SELinux is pretty powerful, if a pain, at granular lockdown of lousy or dangerous software.

Is this testing whether the OS is Replicant (1, Funny)

Ukab the Great (87152) | about 9 months ago | (#46469333)

or a lesbian?

Re:Is this testing whether the OS is Replicant (1)

grub (11606) | about 9 months ago | (#46469623)

ha ha very good!

Re:Is this testing whether the OS is Replicant (1)

greeze (985712) | about 9 months ago | (#46470919)

Let me tell you about my mother.

Re:Is this testing whether the OS is Replicant (1)

circletimessquare (444983) | about 9 months ago | (#46471477)

go home Sean Young, you're drunk

No contract, wifi-only (1)

dpilot (134227) | about 9 months ago | (#46469387)

So if I'm using my no-contract Samsung Galaxy phone as a wifi-only device, and have never inserted the SIM card at all, I believe I'm safe from this particular vulnerability.

Tin-hatters, am I wrong on that?
Explain,

Re:No contract, wifi-only (1)

Anonymous Coward | about 9 months ago | (#46469533)

With no SIM card you have no service plan, no encryption key to verify that you are a subscriber, and the towers have every right to refuse communication from you.

That doesn't mean that a tower absolutely cannot talk to your device in a non-subscriber cleartext mode, if they choose to do so. Also you THINK you turned off your radio, are you willing to trust the guys that have already been caught hiding deeply invasive crap to not violate that too? It could just turn on for a quick download of skynet directives every other month, how would you ever know?

Re:No contract, wifi-only (5, Informative)

Charliemopps (1157495) | about 9 months ago | (#46469643)

No. The modem can write to your OS. Anyone can communicate with your modem, even Ham radio operators. Granted, exploiting this would be a huge technological challenge... unless of course this was placed there intentionally and they know exactly what to send to your modem to get it to do what they want.

Re:No contract, wifi-only (1)

ChunderDownunder (709234) | about 9 months ago | (#46469741)

Not if you set it to flight mode.

Re:No contract, wifi-only (4, Interesting)

TheGavster (774657) | about 9 months ago | (#46470139)

Does anyone do verification on the "airplane mode" setting of phones? The FCC and FAA seem to have come to the conclusion that there's no way you can detect active radios via undesired behavior of an aircraft, and are down to sorting out the social ramifications of phone use on planes. I'd like to see an independent (and preferably paranoid) lab check to make sure that "all radios off" means that the radios are off, and not just that they stop passing traffic from the PDA OS.

Re:No contract, wifi-only (1)

L4t3r4lu5 (1216702) | about 9 months ago | (#46472735)

Faraday Cage in a Faraday Cage, take the phone inside both, hook up the in internal cage to $SensitiveEquipment and look for induced current from the radio still being operational?

IANAScientist, but it seems reasonable enough to me.

Re:No contract, wifi-only (1)

BronsCon (927697) | about 9 months ago | (#46470569)

That stops it from transmitting, but there's nothing stopping it from receiving. Blast out a message across all active towers (go ahead and translate JSON to whatever the phone will actually understand):

{"IMEI": "[your phone's IMEI]", "eval": "[code to execute]"}

Your phone can kick back out of flight mode when it's done, to acknowledge that it received the message and executed the instruction, then kick back into flight mode, and you'll quite likely be none the wiser.

Re:No contract, wifi-only (0)

Anonymous Coward | about 9 months ago | (#46471785)

Flight mode works for real on phones where it powers down (not off) the baseband. And you will know it, because it locks down the SIM (thus requires manual unlocking to register again with the carrier network) and drains a LOT less battery.

Interestingly enough, all my sansungs do exactly that.

This crap is samsungs usual incompetence at coming up with safe ways to do whatever stuff they think they need done.

Re:No contract, wifi-only (0)

Anonymous Coward | about 9 months ago | (#46472365)

Funnily enough, none of my Verizon Samsung phones have ever done anything remotely like that. A GNex and Note 2 fwiw.

Re:No contract, wifi-only (0)

Anonymous Coward | about 9 months ago | (#46472609)

Hang on, you mean your Verizon phone doesn't lock down the SIM in flight mode? Tell me more ...

Re:No contract, wifi-only (3, Informative)

megabeck42 (45659) | about 9 months ago | (#46469857)

Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

While, yes, technically anyone can communicate with your modem; anyone can communicate with your wifi card or your bluetooth adapter as well. And it would appear that the samsung radio interface IPC layer at least has a modicum less access to the entirety of your device than your wifi driver - which is in the kernel. People have, in the past, exploited mistakes in wifi drivers and wifi card firmware to remote exploit via wifi. (*: The specific instance I remember, was with an old intel 802.11b/g card and specially crafted management frames which could be trivially spoofed and didn't need to be encrypted to be accepted by the wireless card. The proof of concept was able to issue busmaster DMA read/writes which, ostensibly, would allow rewriting arbitrary kernel ram, etc.)

Across the scope of samsung phones I was able to check (ok, two of them), the radio interface, the android host side of this communications channel, runs as uid 1001 (radio). As far as my cursory inspection revealed, meant that the radio/modem can read/write the files in /efs and only read a number of other places, such as /sdcard. Granted, /sdcard contains a lot of your personal data. My point is that, in this case, a compromised modem is still less privileged than a compromised android service or, worse, compromised driver/kernel. Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI, to describe them as a "backdoor" is horribly inappropriate.

So, yeah, as you said, "huge technological challenge." Agreed. But, the idea that a data modem may be exploitable is by no means new.

Re:No contract, wifi-only (4, Interesting)

ShaunC (203807) | about 9 months ago | (#46470301)

Two things, "Even Ham radio operators?" When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

He wasn't calling hams retards, quite the contrary. He was pointing out that people with absolutely no control over your cellular carrier's towers, and thus no legitimate path into your cellphone, could give you problems despite not being an "authorized" party. Those people would still need to be extremely technically adept, familiar with radio, etc. so hams was a pretty good example IMO.

Re:No contract, wifi-only (1)

IamTheRealMike (537420) | about 9 months ago | (#46471521)

It's also just wrong. From 3G onwards phones authenticate the cell towers. Even with a full stack running you wouldn't be easily able to force a phone to associate to your tower, at least not without jamming all the other towers in your vicinity.

Re:No contract, wifi-only (1)

cdrudge (68377) | about 9 months ago | (#46472283)

As soon as backdoors or any other security related "features" get involved, I tend to think that anything is possible despite how things are suppose to operate.

Re:No contract, wifi-only (0)

Anonymous Coward | about 9 months ago | (#46472371)

https://www.google.com/search?q=stingray

Oh really? Doesn't seem to be that difficult...

Re:No contract, wifi-only (1)

Anonymous Coward | about 9 months ago | (#46472391)

https://www.google.com/search?q=stingray#q=stingray+cell+tower

Sorry, full search link.

Re:No contract, wifi-only (1)

squiggleslash (241428) | about 9 months ago | (#46472789)

I believe all Galaxy devices are capable of connecting to 2G towers. So assuming the message can be transmitted via 2GSM, the sophisticated hacker (I assume) would need to spoof such a tower at a time when the targetted phone would need to avoid 3G for some reason (say, lack of signal or too poor a signal)

Re:No contract, wifi-only (1)

Anonymous Coward | about 9 months ago | (#46471319)

Also, given that these IPC instructions are used for reading/writing modem "nvram" data such as the handset IMEI,

I took your post as "informative" and even "insightfull" right upto this remark. With it you forfitted all your credibility.

The above might be the publicized (or maybe even "naivily assumed") usage, but if it can as easily be used to access other files (system, log, personal, etc) it is a bad oversight (if that is what it is) indeed.

to describe them as a "backdoor" is horribly inappropriate.

Maybe you're right and it should be called "criminal negligence" instead.

You've been describing something like a key thats supposed to only access a gate in the fence of your backyard (something rather benign), but turns out to also open the doors of your house and fits the vault in the master bedroom too ...

By the way: Being able to silently, remotely overwrite the IMEI ? I see joe-jobs coming up ... (a criminal cloning his phones compromized IMEI to someone elses phone, letting the plod chase an innocent bystander for a while).

Re:No contract, wifi-only (1)

mysidia (191772) | about 9 months ago | (#46471425)

When did they become the retards of the RF world - I thought that title belonged to CB'ers? Honestly, hams are not interested in your phone.

Someone who happens to be a Ham operator, might use a radio-based exploit to attack their phone as a proof of concept.

But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses revoked.

Re:No contract, wifi-only (1)

zeugma-amp (139862) | about 9 months ago | (#46472881)

But it's not likely..... they can't be transmitting on cell phone frequencies from their station anyways, as the transmission outside frequencies within their operating privileges would be a FCC violation that could get their station licenses revoked.

Yup. So they couldn't do so openly. These days, there are plenty of ways to do so anonymously. Given some of the cool tools out there in the Ham world for connecting radios, I wouldn't be at all surprised to find an Elmer who could do some interesting things with cell phones if they wanted to.

Yeah, I'm a ham, but I'd never put my callsign on /.

Re:No contract, wifi-only (1)

dpilot (134227) | about 9 months ago | (#46470115)

As ChunderDownUnder reminds me, I forgot to mention that this phone has never been out of airplane mode, in addition to never having a SIM card plugged in. Flashing out of T-Mobile software was also one of the first things I did, and the other night I flashed CyanogenMod 11 M4. (Of course some of the guys on IRC suggest that even that is too commercial, and that I should go to snapshots over on xda-developers, to be safer.)

I keep my tinfoil hat handy, just like I tend to channel RMS and ESR. But there are practical limits...

Re:No contract, wifi-only (1)

horm (2802801) | about 9 months ago | (#46471079)

As long as your phone is unable to connect to a cell tower/rogue femtocell/etc. you should be fine. The backdoor that was found is in the Radio Interface Layer (RIL), which governs communications between the Phone app and the radio. Wifi/bluetooth aren't managed by the RIL.

Third-party ROMs (0)

Anonymous Coward | about 9 months ago | (#46469423)

Yet one more reason to install a third-party ROM then. Most (all?) of them are better than the stock ROM put on Android phones by any manufacturer, and most of them are made by users who are more interested in making a good ROM packed with functionality and features rather than backdoors. No guarantees of course - it's possible some ROM developers are a bit mischievous and throw in their own bit of dodgy code, but most of the popular ROMs are made by people who've developed a trusted reputation and also make the code to their ROM freely available. I'd much rather trust a single person or a small group of developers to some faceless corporate entity at this point.

Re:Third-party ROMs (5, Insightful)

dos1 (2950945) | about 9 months ago | (#46469469)

Most of the popular ROMs are made using the very same closed drivers the article is talking about to provide hardware compatibility - otherwise they would be exactly where Replicant is now.
Any third-party ROM for Galaxy devices that uses Samsung's library to communicate with the modem is vulnerable - so almost all of them are, including CyanogenMod.

Re:Third-party ROMs (1)

pruss (246395) | about 9 months ago | (#46472121)

Aren't there legal problems with CM and other ROMs including these blobs, since they're presumably copyrighted? Or are they licensed by Samsung under the GPL along with the kernel? But in the latter case, shouldn't Samsung be including source?

Re:Third-party ROMs (0)

Anonymous Coward | about 9 months ago | (#46472933)

Aren't there legal problems with CM and other ROMs including these blobs, since they're presumably copyrighted?

BLOBs can't be copyrighted. Source can, but that's not even in the equation here.

Or are they licensed by Samsung under the GPL along with the kernel? But in the latter case, shouldn't Samsung be including source?

Even if these were under the GPL, good luck with that. If you got it, any modifications would have to go through FCC approval, too, so double-GLWT.

remote recover/wipe data for lost stolen phones (0)

Anonymous Coward | about 9 months ago | (#46469471)

I'm more likely to think it has to do with Samsung's recover/delete data that you can do on samsung s web site cyogenmod has the same feature.
So that a lost or stolen device can be wiped remotely

Leave it in? (1)

LeonPierre (305002) | about 9 months ago | (#46469567)

Why not leave the library in but alert the user to allow/deny the reads & writes when they occur? Perhaps even sandbox the writes for further examination.

Re:Leave it in? (1)

dos1 (2950945) | about 9 months ago | (#46469593)

Why not use and/or enhance already existing free software replacement, used by projects like freesmartphone.org or... Replicant?

Re:Leave it in? (1)

elmer at web-axis (697307) | about 9 months ago | (#46469711)

Check out the status page... I don't see any phone that they support that they have everything working.. hardly 4.2 release.. more like 0.0.42 release... Why would i spend $1000 on a phone for it to only be able to send sms and call.. 2D graphics, 3D graphics, Sound, Telephony, Mobile data, Wi-Fi, Bluetooth, NFC, GPS, Sensors, Camera and Hardware media encoding/decoding all need to be working before anybody would bother with non-manufacture software.. also anyone who stores sensitive information on a phone without encryption is asking for trouble..

Re:Leave it in? (1)

ChunderDownunder (709234) | about 9 months ago | (#46469783)

The release number aligns with the AOSP release, i.e. Replicant 4.2 targets Jelly Bean.

Re:Leave it in? (0)

Anonymous Coward | about 9 months ago | (#46469929)

"2D graphics, 3D graphics, Sound, Telephony, Mobile data, Wi-Fi, Bluetooth, NFC, GPS, Sensors, Camera and Hardware media encoding/decoding all need to be working before anybody would bother with non-manufacture software"

This is why we can't have nice things.

Re:Leave it in? (1)

GTRacer (234395) | about 9 months ago | (#46470391)

Looks like I need to read more about this particular blob. Any ideas if it can be controlled with XPrivacy?

Re:Leave it in? (1)

Arker (91948) | about 9 months ago | (#46470989)

Leaving malware in place and attempting to sandbox it instead of removing it entirely sounds like a very poor idea to me.

Re:Leave it in? (0)

Anonymous Coward | about 9 months ago | (#46471931)

Counter intelligence sounds like a poor idea to you?

demand to be made whole (0)

Anonymous Coward | about 9 months ago | (#46469609)

Contact samsung support and demand to be whole. Demand a refund if they cant make you whole otherwise. They need to feel this in their pocketbooks if they are to learn not to do it again.

OSS devs lack of communication skills (3, Informative)

rubycodez (864176) | about 9 months ago | (#46470213)

not even on their website do its developers explain what Replicant is, or what its goals and purpose are

wikipedia does a better job...

http://en.wikipedia.org/wiki/R... [wikipedia.org]

Re:OSS devs lack of communication skills (0)

Anonymous Coward | about 9 months ago | (#46470511)

what a bunch of jerkoffs eh? srsly if they werent so secretive about their history, what their software is for, and what their motivations are for making their software, I would have been using it long ago... they are no better than the NSA

Re:OSS devs lack of communication skills (0)

Anonymous Coward | about 9 months ago | (#46473551)

Yeah the last time I read about Replicant I scoured their web site and never did figure out what it was from there, I had to use wikipedia. They just assume if you're at their site you know what it is.

Any contacts at Samsung we can call? (2)

slincolne (1111555) | about 9 months ago | (#46470231)

Does anyone have any contacts at Samsung (email addresses, phone numbers, etc.) that can address this issue?

I just got back from looking at a Galaxy Note 3 (thinking form upgrading from by S2).

Now I'm not sure - will probably just go buy a Nexus.

I can't think of a single valid reason for this level of functionality to be available in a device that's sold commercially. I've never heard of any enterprise management tools that can use such functions, and their undisclosed existance is a real worry.

The biggest laugh about this is that Samsung Australia is currently trying to get the Samsung Galaxy Note 10.1, Galaxy Note 2 and S3 onto the Australian Government Endorsed Product List (http://www.asd.gov.au/infosec/epl/index.php ) - I don't like their chances now.

Re:Any contacts at Samsung we can call? (1)

R3d M3rcury (871886) | about 9 months ago | (#46470673)

Now I'm not sure - will probably just go buy a Nexus.

FTFS:

Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S.

I can understand not reading the article, but not reading the summary?!

Re:Any contacts at Samsung we can call? (1)

Namarrgon (105036) | about 9 months ago | (#46470963)

The Nexus S [wikipedia.org] was made by Samsung way back in 2010.

It hasn't been on sale for years. I really don't think it's relevant to new buyers.

Re:Any contacts at Samsung we can call? (1)

Anonymous Coward | about 9 months ago | (#46471277)

The fact that the Nexus range has a history of using the same vulnerable firmware is VERY relevant unless you can show definitive proof that it has been actively removed from all current models.

Re:Any contacts at Samsung we can call? (1)

Kremmy (793693) | about 9 months ago | (#46474665)

My guess is that he meant he was going for an Asus Nexus rather than a Samsung Nexus. Isn't it weird how Android phone branding is working lately?

Great for defense lawyers! (3, Insightful)

ShaunC (203807) | about 9 months ago | (#46470323)

This will be wonderful news for criminal defense attorneys. Is your client accused of having a couple of terrorists in his phone's contact list? Did a customs official conveniently find child porn pictures on your client's phone during a border crossing? Did the prosecutor haul out telco logs "proving" that your client was sending text messages to arrange a heroin deal?

Sounds to me like it's quite plausible that someone else put that $ILLEGAL_SHIT on your client's phone. After all, the capability was built right into the phone by Samsung.

NSA_backdoor_trojan into America (1, Funny)

strstr (539330) | about 9 months ago | (#46470405)

NSA_backdoor_trojan:

AMD processors were found to have similar vulnerabilities.

Mascarading as a debug mode, all hardware and thus software security features can be bypassed. Essentially allowing both stealth software operation, bypassing root and administrator authentication restrictions, and more. Intel is known to have similar functionality, but its not publically disclosed yet.. http://hardware.slashdot.org/s... [slashdot.org]

NSA compiled and uses all these exploits whether it was installed there for them or not.

Windows also has NSAKEY installed and all vulnerabilities and the source code of Windows is turned over to the NSA before the things can be patched, allowing NSA to locate and exploit vulnerabilities for hacking us and everyone else. http://www.washingtonsblog.com... [washingtonsblog.com]

RSA also put in exploits so SSL / Etc would be vulnerable to their attack, as the leaks indicated. http://it.slashdot.org/story/1... [slashdot.org]

Stuxnet virus was created by NSA. http://rt.com/news/snowden-nsa... [rt.com]

NSA and GCHQ are recording us masturbating. http://www.theguardian.com/wor... [theguardian.com]

FBI records us even when our devices are powered off. http://www.washingtonsblog.com... [washingtonsblog.com]

NSA is ceiling cat watching us masturbate with space capability and electron imaging/radar systems. They are recording all calls and saving the content, not just metadata. http://www.pbs.org/newshour/bb... [pbs.org] and http://youtu.be/d6m1XbWOfVk [youtu.be]

NSA has Thought Amplifier and Mind Interface (patented by Robert Malech in 1974, deployed in all radar in 1976), aka Remote Neural Monitoring first disclosed in Nexus Magazine in 1996 by John St Claire Akwei. Backed up today by Dr. Robert Duncan who helped invented these weapons, being used to attack and control us. http://www.oregonstatehospital... [oregonstatehospital.net] http://www.oregonstatehospital... [oregonstatehospital.net]

TAO hacking unit, NSA: http://www.spiegel.de/internat... [spiegel.de]

Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before. He has killed his own people and covered it up. http://www.obamasweapon.com/ [obamasweapon.com]

Re:NSA_backdoor_trojan into America (1)

strstr (539330) | about 9 months ago | (#46470419)

I was insinuating that this Samsung Galaxy phone backdoor was an NSA hack, which undoubtably they're using along with the FBI to hack us. Oops!

Re:NSA_backdoor_trojan into America (1)

swb (14022) | about 9 months ago | (#46473165)

Obama is raping and murdering and torturing thousands of his own citizens, committing acts of Genocide worse than any dictator ever before.

That's a pretty tall order. The Germans managed something like 6 million and Stalin something like 7 million. Pol Pot didn't reach those nominal figures but on a percentage of total population he probably outdid both, killing something like 1 in 3.

Are you really sure Obama has exceeded 6 million dead via outright acts of genocide, excluding combat against armed adversaries?

RIL and EFS (3, Insightful)

Technomancer (51963) | about 9 months ago | (#46470549)

I don't find that surprising. When I was playing with CyanogenMod it became obvious to me that RIL reads/writes files from EFS partition on behalf of the modem because settings for the modem, like IMEI, state of network lock, preferred networks etc, are stored there. I am not sure whether the interface is general enough so the modem can ask for any file.
If they are concerned about binary blobs doing unknown stuff, RIL is small potatoes. There is huge GPS daemon binary made by 3rd party. Sensor drivers are linked with closed source processing libraries (AKM/akmd). Camera loads whole bunch of image/video processing libraries which are closed source/3rd party too. Lots of phones also use closed source 3rd party audio processing libraries. Not to mention 16MB of compressed modem firmware, running on modem CPU which is like another little independent computer.

Re:RIL and EFS (0)

Anonymous Coward | about 9 months ago | (#46471371)

Not to mention 16MB of compressed modem firmware, running on modem CPU which is like another little independent computer.

...with Internet access.

Re:RIL and EFS (1)

labawi (2931497) | about 9 months ago | (#46473303)

This.

It is widely believed older style cell phones have long been mandated to support remote operations/activation by the government/laws/secret service/someone. Local police says phones can be tracked even when off, but they don't use it for lost cell phones, only big crimes, but the capability is present and available.

On smart phones, that are much more software and less fixed hardware, programmable and adaptive, how could that functionality be provided? Perhaps with some features of modem hardware to communicate, but if it's largely a software radio, then the logical place is: binary firmware. Coupled with the capabilities like the new privileges of modern ARM CPUs that provide an über ring0 separate context, unaccessible and hidden from the normal OS - marketed as DRM and security, it can do whatever it likes, on the main CPU and memory, without involving the OS. They still need hardware support to communicate while off, etc. but hidden software is easier than dedicated hardware.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?