
Samsung Galaxy Back-door - wfn
http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor
======
flyinglizard
My understanding is that there's simply filesystem access for the modem,
through some Samsung supplied kernel driver. Replicant implies Samsung may
have _another_ backdoor in the modem itself, allowing it to remotely issue
commands accessing the phone's filesystem. That is pure speculation and FUD.

"Samsung Galaxy devices running proprietary Android versions come with a
back-door that provides remote access to the data stored on the device. In
particular, the proprietary software that is in charge of handling the
communications with the modem, using the Samsung IPC protocol, implements a
class of requests known as RFS commands, that allows the modem to perform
remote I/O operations on the phone's storage. As the modem is running
proprietary software, _it is likely that it offers over-the-air remote
control_, that could then be used to issue the incriminated RFS messages and
access the phone's file system."

Nothing substantiated there, just speculation.

Edit: This is not even interesting, and I'll explain why: normally, any
component that has a kernel driver can already access all your data. The
network interface in your PC can already do just the same - it has some
proprietary firmware running on it, as well as a privileged OS driver that can
see anything the system does; and it's connected to the internet.

Most likely, Samsung placed the driver there for providing a convenient
storage area for the modem's firmware, in case it requires one (for logging,
updating or whatever).

~~~
ChuckMcM
Any thoughts on whether or not this is part of the OTA update infrastructure?
Seems like having the modem be able to put data into the file system at a
particular place that the boot loader/flasher knows to look for would be a
typical sort of "install firmware when the firmware is broken" kind of thing.

~~~
swetland
Typically these services are intended to allow the modem to access factory
calibration data, possibly page firmware in, or to store nonvolatile
information it needs longer term. They _should_ be restricted to just storing
data on behalf of the modem and not providing broader filesystem access
(that's at the very least (assuming incompetence rather than malice) a bug).
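
A concrete version of the restriction described in that comment, added here as an example and not code from Replicant, Samsung or anyone in the thread: a file path named by the modem in an RFS request is confined to one directory reserved for the modem, and any request that would leave it is refused and logged. The directory /efs/modem and the request shape (a relative path string) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Directory reserved for the modem's own files (assumed path, not Samsung's). */
#define RFS_BASE "/efs/modem"

/* Lexically confine REQ, a relative path named by the modem in an RFS request,
 * under RFS_BASE. Writes the resulting absolute path to OUT and returns true;
 * returns false for absolute paths, ".." escapes, an empty request or overflow. */
bool rfs_confine_path(const char *req, char *out, size_t outlen)
{
    size_t base = strlen(RFS_BASE), len = base;
    if (!req || req[0] == '/' || outlen <= base + 1) return false;
    memcpy(out, RFS_BASE, base + 1);              /* copies the terminating NUL */
    for (const char *p = req; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;              /* one path component */
        size_t slen = (size_t)(p - seg);
        while (*p == '/') p++;                    /* swallow separator runs */
        if (slen == 1 && seg[0] == '.')
            continue;                             /* "." changes nothing */
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == base) return false;        /* ".." above the base: reject */
            while (out[len - 1] != '/') len--;
            out[--len] = '\0';                    /* drop the last component */
            continue;
        }
        if (len + 1 + slen >= outlen) return false;
        out[len++] = '/';
        memcpy(out + len, seg, slen);
        len += slen;
        out[len] = '\0';
    }
    return len > base;                            /* the base dir itself is not a file */
}

/* Returns the confined path for REQ, or NULL when the request is refused.
 * Refusals are logged so a bogus request leaves a trace, as the Replicant
 * wiki suggests for the kernel-side variant of this check. */
const char *rfs_resolve(const char *req)
{
    static char path[256];
    if (rfs_confine_path(req, path, sizeof path))
        return path;   /* a real handler would then open with O_NOFOLLOW */
    fprintf(stderr, "rfs: refused request for '%s' (outside %s)\n", req, RFS_BASE);
    return NULL;
}
```

The lexical check stops traversal in the request itself; a symlink planted inside the modem area still has to be stopped at open time, hence the O_NOFOLLOW note.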

~~~
tmzt
Brian Swetland! Source of great wisdom in the early days of Android.

------
jmomo
This reads mostly like an advert for Replicant.

"However, when Replicant is installed on the device, this back-door is not
effective: Replicant does not cooperate with back-doors."

I am sure that people who run alternative ROMs/OSes would like to know if they
are affected or not, but there doesn't seem to be much mention of that...
except this line, which seems to indicate that at least Cyanogen IS affected:

"Alternatively, the kernel could block the incriminated RFS requests and keep
a trace of them in the logs for the record. That option would work for
CyanogenMod, where the incriminated proprietary blob is still used."

I've heard about Replicant before and am interested in it, but something about
a self-serving warning like that turns me off.

EDIT: Okay, my bad. I thought this was like a public announcement, not just a
wiki page. That makes the context different, so my comments about reading like
an advert are not nearly as applicable.

------
undoware
I know this will not be a popular thing to hear, but the scope of the problem
has convinced me that this won't end until _everything_ is open. The only
trustable stack is one that begins with open hardware and ends with creative
commons content in ogg in VLC on linux.

I love open source, but.... it's going to be damn hard to turn a buck.

So, which do we want more: the ability to make money and the right to be paid
for our work, or liberty and privacy?

That is one _hell_ of a would-you-rather. Thanks, NSA, for forcing a
disgusting thought experiment into the real world.

~~~
kansface
An open stack is not enough because you can't trust any compiled software. In
practice, even if we had a completely open stack and no binaries, we can't
even begin to write error free code. Defeating the NSA [via software], a
billion dollar agency with the power to ruin your life is completely
unrealistic. Any real change must come through political action.

~~~
badinker
Political action? How has voting worked for you? My hope is as the dollar
starts to inflate away (like every other fiat currency that has ever existed)
we all instead turn to a block chain currency. Something that can't be
manipulated. Something that can't be stolen from us and used to fund three
letter agencies.

~~~
vacri
_used to fund three letter agencies._

I mean apart from sanitation, medicine, education, wine, public order,
irrigation, roads, the fresh water system and public health, what have the
[government] ever done for us?

If you really want no tax, go move to Vanuatu. It's a lovely, sunny place, the
people are happy, the army and the police are the same thing and only 800
strong, the government is small, it's off the political radar so draws little
interest from TLAs, English is an official language... and there is no income
tax (with the exception of landlords), nor are there several other taxes on
businesses (as it's a tax haven).

You don't want money 'stolen' from you? Then here is a realistic option
available to you, one that is entirely achievable rather than pretending that
it's possible to turn a country with a major economy into a tax-free zone, and
wringing your hands that it obviously can't be done.

~~~
dmix
Property tax could be enough to fund most of the essential things you listed
and is still enforceable even if a cryptocurrency is a primary currency. While
your currency and income might be hidden, you still need to live in a house on
land.

a la
[https://en.wikipedia.org/wiki/Geolibertarianism](https://en.wikipedia.org/wiki/Geolibertarianism)

Despite the extremely common misinterpretation by the public, ~90% of
libertarians are _not_ anarchists who completely oppose taxation. They are
"small government" (aka minarchist), not "no government".

------
higherpurpose
So it seems our biggest worry, that the modem firmware could be backdoored was
very warranted indeed. We need to push OEMs and modem makers to open source
the firmware for their modems.

~~~
mschuster91
Which doesn't help against silicon-level backdoors, which for all we know,
exist and get exploited :/

edit: this includes so-called "undocumented features" like maintenance access
etc.

~~~
yeukhon
That's my least concern to be honest. My rice cooker could have a spy device
installed without me knowing. I think the first priority is software exploits
and backdoors because they are the easiest to implement and the cheapest to
operate with.

~~~
sillysaurus3
Actually, it's sort of a myth that hardware is fundamentally harder than
software. The toolsets simply haven't been as powerful until recently.

Hardware can be thought of as hardcoded software. But it's no longer the case
that hardware is hardcoded. Hardware is becoming increasingly sophisticated,
especially in its ability to be reprogrammed on the fly.

~~~
nathancahill
> "Hardware.. ability to be reprogrammed on the fly."

Um.. that's not hardware.

~~~
drdaeman
FPGAs are pretty much hardware. And they're reprogrammable, as in
"re-wireable".

~~~
nathancahill
Interesting. I did not know that.

------
akiselev
For those who are saying that this isn't a backdoor, you can actually force
execute this command on GSM phones for a few thousand dollars [1] [2].

[1] [http://rangenetworks.com/products/openbts-development-kit](http://rangenetworks.com/products/openbts-development-kit)

[2]
[https://www.youtube.com/watch?v=RXqQioV_bpo](https://www.youtube.com/watch?v=RXqQioV_bpo)

------
chatman
Free Software Foundation & Richard Stallman always warned everyone of the
potential dangers of non-free software, even as drivers like these modem
drivers.

------
fragsworth
The important issues aren't clear to me: _what_ data can they access (all of
it?), who can access it, and under what circumstances?

~~~
db48x
On phones where the IPC driver is running as root, then it can access any file
on the device. On phones where it is running as the user, then it can access
any file owned by the user. There's a chart.

------
caiob
It's a Samsung. I find it hard to believe that Samsung smartphone users have
any concern about privacy and/or security.

~~~
Nanzikambe
Care to elaborate?

As a linux user, and (very) amateur kernel hacker, I've always bought Samsung
phones because they've been pretty forthcoming with releasing the source for
their android devices:
[http://www.androidcentral.com/samsung-galaxy-s4-kernel-sourc...](http://www.androidcentral.com/samsung-galaxy-s4-kernel-source-released)

Obviously this is a GPL compliance thing, but it enables security minded
people like myself to root the device, inspect the underlying source, and
secure it pretty much like a regular box.

What alternative do you suggest?

~~~
drdaeman
> releasing the source for their android devices

> it enables security minded people like myself to root the device

Actually, having kernel sources doesn't enable you to do anything except for,
possibly (but not certainly), building (but not installing) your own kernel.

You're able to install a customized kernel and/or recovery on most Samsung
phones, but that's completely unrelated to any FLOSS source code releases.
Actually, this is usually done using a proprietary tool (ODIN) communicating
with proprietary hardware and firmware. They're just generous to allow you to
do so (but they tick a flag stating your firmware is unofficial, and recently
they started to blow a fuse to prevent unticking).

------
atulagarwal
In my understanding, it needs operator level access to control the modem, or
is it also possible to control the modem using a MITM-like scenario (off the
air interception)? If the latter is possible, it becomes all the more
worrisome! Any ideas?

~~~
mschuster91
Yeah, of course. It's called an IMSI Catcher (the variant used by police/secret
service). You can build one yourself with OsmocomBB and the rest of that
open-source GSM network infrastructure stuff.

Voila, there is your operator-level access from the radio side.

------
SeanLuke
> Samsung Galaxy devices running proprietary Android versions ... > Nexus S

I am confused. The Nexus S does not run a proprietary Android version.

~~~
mey
I may be misreading the link, but proprietary seems to be being used to
describe non-open source binary blobs. This is typical of drivers; most chips
on cellphones do not have open source software to control them. Typically
these pieces of software are for modem/radio chips etc.

------
exo762
I wonder how many individuals right now are working on exploiting this
potential hole to steal BTC.

------
johnny635
NSA approved phone.

------
hydralist
eli5?

~~~
jmomo
This isn't reddit, and if you are five, then you should be in day care.

~~~
jonalmeida
You shouldn't insult people who are curious to learn and/or shun them.

~~~
acjohnson55
I agree that the response was disrespectful. But I also don't think the
original post showed much intellectual curiosity.

