
Replicant developers find and close Samsung Galaxy backdoor - dn2k
https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor
======
fullofstack
from [http://www.reddit.com/r/netsec/comments/209h4d/samsung_galax...](http://www.reddit.com/r/netsec/comments/209h4d/samsung_galaxy_backdoor/cg1gy3l):
This is not a backdoor. It's a feature, and a reasonably common one for
Qualcomm based devices. It's an interface to allow the modem access to a
persistent data store (i.e. eMMC modem partitions) even though only the
application processor may access the MMC controller. Have a look at the
rmt_storage client documentation found in a Qualcomm kernel tree. It used to
be pretty common to ship a rmt_storage daemon to do the very same thing
Samsung is being accused of here (hint: Nexus 5 still uses it). I don't know
about other recent devices, but I'd imagine they'd employ something similar.
Also, there are many more ways for the baseband to compromise the application
processor, without an explicit interface.

~~~
throwaway7767
> This is not a backdoor. It's a feature, and a reasonably common one for
> Qualcomm based devices

Are these really mutually exclusive? I don't doubt that Qualcomm had good
reasons to add this interface, but clearly it can be used as a backdoor, and
since the user is not made aware of it, I'd say this meets all the
qualifications of a backdoor.

They could have easily designed this in a way that allowed the baseband
processor to only write to a designated area instead of giving it full access.

You are right that the baseband in phones _usually_ has many other ways
to directly access sensitive data from the main processor (DMA is the obvious
one). But this differs from phone to phone, depending on the hardware design.
There are phones where the baseband talks to the main processor through a
serial interface with no access to DMA.

~~~
eli
Any security bug or potential security bug _could_ be a backdoor. I don't
think it's fair to say you "closed a backdoor" every time you fix one.

~~~
mindslight
"Bug" implies a mistake/oversight where the additional functionality was known
to no one, and then discovered. This functionality was deliberately created,
thus it's a "backdoor".

Based on what seemingly passes for "accepted practice" in the mobile world
(download QPST for tons of fun!), the only sane way to have a trustable mobile
device is with a separate cell-modem and a well-defined interface.

~~~
eli
I mean, maybe I'm confused, but this sounds like they closed one method (among
others) that could potentially be used to create a backdoor by, I guess, a
carrier or OEM.

There's no evidence that anyone's phone was open to remote exploit at any
time.

~~~
mindslight
It seems as if you're using a weird definition - "backdoor" just implies that
the functionality exists, not that it has necessarily been utilized.

------
kppi
Nope: [http://arstechnica.com/security/2014/03/virtually-no-evidenc...](http://arstechnica.com/security/2014/03/virtually-no-evidence-for-claim-of-remote-backdoor-in-samsung-galaxy-phones/)

~~~
pessimizer
>1) There is virtually no evidence for the ability to remotely execute this
functionality. The write-up states, "As the modem is running proprietary
software, it is likely that it offers over-the-air remote control that could
then be used to issue the incriminated RFS messages and access the phone's
file system."

summary: there's no evidence of how it can be used, because it's all closed
source.

>2) The amount of data that can be read or written to by this functionality is
very limited. On all affected models except the original Galaxy S, which was
released 4 years ago, the affected radio software is running under the "radio"
user. As a result, this can only be used to access data specifically related
to radio functionality, plus information stored on the SD card (because this
is also readable by every application on the phone).

summary: it can read and write to all that the radio user is allowed to
access, and your entire SD card.

>3) The specifics of the vulnerability suggest that it was poorly programmed
legitimate functionality rather than a secret backdoor. The authors had to
leverage a directory traversal flaw in the handling of modem commands in order
to cause the radio software to write outside of the /efs/root directory, which
contains radio-related files. This suggests that the intended purpose of this
functionality was rather mundane and not at all malicious, and that it was
simply poorly implemented.

summary: the backdoor was poorly written, and allowed _complete_ access when
combined with a known exploit.

 _Nope?_
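
Two of the comments above come down to the same design question: the Ars write-up quoted by pessimizer says the radio software was meant to stay inside /efs/root and only got out through a directory traversal flaw in the handling of modem commands, and throwaway7767 argues the interface should only ever have been able to touch a designated area. The following is an added example, not code from Replicant, Samsung or the linked articles, showing the path-confinement check a modem-facing file service can apply to every path it receives before it opens anything. The base directory constant, the confine_path function and the sample requests are assumptions of the example, not taken from any real implementation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed base directory for the example, modelled on the /efs/root
 * directory the quoted write-up says the radio software should have stayed in. */
#define RFS_BASE "/efs/root"

/* Lexically normalise `rel` (a path received from the modem) and join it onto
 * `base`. Returns true and fills `out` only when the result stays inside `base`.
 * Refuses absolute paths and any ".." that would climb above the base; "." and
 * empty components are dropped. This is a lexical check only: a symlink placed
 * inside the base would still have to be handled at open time (realpath() or
 * openat() with O_NOFOLLOW), which is outside the scope of this example. */
bool confine_path(const char *base, const char *rel, char *out, size_t outlen)
{
    if (rel == NULL || rel[0] == '/')
        return false;                       /* absolute paths are never accepted */

    const char *comps[64];                  /* accepted components, as a stack */
    size_t lens[64];
    size_t depth = 0;

    const char *p = rel;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (*p == '/') p++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                       /* "" (from "//") or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;               /* would escape the base directory */
            depth--;                        /* ".." that stays inside: pop */
            continue;
        }
        if (depth == sizeof comps / sizeof comps[0])
            return false;                   /* unreasonably deep request */
        comps[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Assemble base + "/" + comp for each accepted component, with bounds checks. */
    size_t used = strlen(base);
    if (used >= outlen)
        return false;
    memcpy(out, base, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, comps[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample requests, as a modem-facing file service might see them. */
    const char *requests[] = {
        "nv/item_1.bin",            /* ordinary request inside the base */
        "a/../b",                   /* ".." that stays inside the base */
        "../../data/secret.db",     /* traversal out of the base: refused */
        "/sdcard/DCIM/photo.jpg"    /* absolute path: refused */
    };
    char resolved[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (confine_path(RFS_BASE, requests[i], resolved, sizeof resolved))
            printf("allow  %-24s -> %s\n", requests[i], resolved);
        else
            printf("refuse %-24s (would leave %s)\n", requests[i], RFS_BASE);
    }
    return 0;
}
```

The check runs before any filesystem call, so a traversal sequence in a modem command is refused outright instead of being resolved by the kernel. A stricter policy would refuse any ".." component at all, which is simpler to audit for an interface that never needs relative navigation; the normalising form above is shown because it makes the reasoning about what "stays inside the base" means explicit.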

~~~
eli
I think the "Nope" refers to the headline, which is not supported by facts.

If there's no evidence that it was intentional then you can't call it a
backdoor. Otherwise every security flaw (or potential security flaw) is a
backdoor.

------
MrBuddyCasino
2 months old, previously:
[https://news.ycombinator.com/item?id=7389258](https://news.ycombinator.com/item?id=7389258)

~~~
vezzy-fnord
/r/netsec thread is also of interest:
[http://www.reddit.com/r/netsec/comments/209h4d/samsung_galax...](http://www.reddit.com/r/netsec/comments/209h4d/samsung_galaxy_backdoor/)

------
RafiqM
For a split second I thought the developers were replicants.

------
rabino
They say it so it must be true.

~~~
rabino
Not sure why I'm getting downvoted.

See [http://arstechnica.com/security/2014/03/virtually-no-evidenc...](http://arstechnica.com/security/2014/03/virtually-no-evidence-for-claim-of-remote-backdoor-in-samsung-galaxy-phones/)

~~~
eli
Without the link in the original comment, it came off as flippant sniping.

