Is There a Backdoor in Samsung Galaxy Devices?

Is there a vulnerability in Samsung Galaxy smartphones and tablets that could let an attacker remotely access your files, or even send commands to your phone?

So says Paul Kocialkowski, a developer on Replicant, an alternative build of Google's Android operating system. According to Kocialkowski, Samsung Galaxy devices give their carriers too much access to users' files.


Here's how it works: When you use a smartphone or tablet, the user-facing operating system and its apps are usually all you see. But there's another operating system that works alongside Android, iOS or Windows Phone: the embedded, or "baseband," firmware that handles the physical radio signals used to connect to cellular, Wi-Fi and Bluetooth networks.

The two components are mostly separate, but in order for the phone or tablet to operate, the baseband firmware has to have "hooks" in the user-facing operating system.

Kocialkowski argues that in the case of Samsung Galaxy devices running both stock and Samsung-tweaked Android, these hooks are way too deep — so deep, in fact, that they constitute a "backdoor" by which an attacker who knew of the vulnerability could gain remote access to users' personal files.

"As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to ... access the phone's file system," Kocialkowski writes in a report on the project's wiki.

That's because the wireless carrier can access the phone's baseband operating system, and the baseband operating system in turn can access Android's file system while the phone is running.

Does this constitute a backdoor — a secret method of deliberately undermining software security? Kocialkowski seems to think so.

"This is yet another example of what [kind of] unacceptable behavior proprietary software permits," he wrote yesterday (March 12) in a post on the Free Software Foundation blog summarizing his findings.


Kocialkowski said it was also conceivable that the baseband software could take control of the phone's main processor and rewrite some or all of its software. That claim has yet to be proven.

He stopped just short of accusing Samsung of deliberately implanting a backdoor in its own devices. Yet there are perfectly legitimate reasons for baseband firmware to access the files of the user-facing operating system.

For example, when smartphone users encounter a problem and call their wireless carrier for help, carrier technicians can use the baseband-OS interface to remotely access and fix devices.

Kocialkowski may have even gotten some flak from a fellow Replicant developer, who read of the purported backdoor on the British tech-news site The Register.

The reader, who calls himself "TJ1" in The Register's comments section and claims to be a part of the Replicant project, calls Kocialkowski's report "misguided sensationalism."

TJ1 wrote that the baseband operating system needs access to the phone's internal memory when powering on, but then hands control back to the application operating system — in this case, Android — once that step is complete.

Kocialkowski's original wiki entry admits that the vulnerability could be benign. 

"It is possible that these were added for legitimate purposes, without the intent of doing harm by providing a backdoor," he wrote. "Nevertheless, the result is the same and it allows the modem to access the phone's storage." 

Kocialkowski doesn't exactly have a neutral stake in the issue. His report claims that replacing the standard Android operating system with Replicant will prevent the baseband operating system from accessing Replicant's filesystem.

So far, a proof of concept for this alleged vulnerability has not been created.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

  • Why would the developer reveal this vulnerability for all hackers to see? Logic?
  • At least one company is happy to get free advertisement for making up that closed source software is unsafe. I would think Samsung's lawyers are probably looking at whether they should just bankrupt Replicant in court or just ignore them and let them wither away like most other open source projects without a good business strategy.
  • Of course their devices have a backdoor. It even has a name - Google.