"Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system."
Nothing substantiated there, just speculation.
Edit: This is not even interesting, and I'll explain why: normally, any component that has a kernel driver can already access all your data. The network interface in your PC can already do just the same - it has some proprietary firmware running on it, as well as a privileged OS driver that can see anything the system does; and it's connected to the internet.
Most likely, Samsung placed the driver there for providing a convenient storage area for the modem's firmware, in case it requires one (for logging, updating or whatever).
Now, if that's correct, then this is in fact significant, because the baseband processor would not otherwise have such access to the filesystem (since it's not, as I understand it, running in the kernel as a driver).
All that being said, the entire thing hinges upon what really goes on in the baseband processor? There are certainly legitimate engineering uses for such filesystem access (as pointed out elsewhere in these comments), so is there really a corresponding backdoor in the modem to allow an attacker full filesystem access on Galaxy devices?
We may never know...
However, I will say that a lot of the FSF's/GNU project's platform is based on the idea that, with unchecked closed-source code running on a device, such backdoors are possible. (Call it FUD if you like.) Fifteen years ago in the days of Windows '98, that might have seemed ridiculous or improbable, but I believe that in the present climate their concerns have become more relevant than ever. In that sense I think that this Replicant project is really interesting, and I'll probably be paying attention to it in the future.
That being said, they surely aren't making any friends at Samsung by doing this, which could hurt them in the long run (compare to the relatively fruitful, although sometimes tumultuous, relationship between Cyanogen Mod and Google).
Also, the elephant in the room here is still the unchecked software running on the baseband processor, no matter which way you look at it.
You'd think so... The baseband processor is actually integrated on the die of current gen SoCs from Qualcomm and plenty of the teardowns I've seen for high end phones use them. I haven't used these chips but everything I've read leads me to believe that there is a lot more integration between the radio and processor (that's the point)... and as a result, a larger attack surface.
Some further research I did since this thread started has shown that in some phones, even the microphone and camera are under the direct control of the baseband processor. In others, it's not. But in most phones, the CPU and BB share memory, which opens the door for the BB to do all sorts of nasty things to the OS on the CPU.
I'm not a close friend of his, but I've met him on multiple occasions and felt confident he was telling the truth.
Even if Qualcomm has patched all their vulns and isn't in cahoots with the NSA (a laughable claim), it still needs to prove that to the users.
Otherwise it's just the word of some anonymous person on the internet who "knows a guy at Qualcomm" ....
I'm glad you trust the guy but I'd rather not waste time on this. The world needs a modern, auditable, free RTOS for baseband processors.
For example, this is how firmware is treated: https://news.ycombinator.com/item?id=7336248
Have https keys in memory? Now so does the modem firmware if it wishes.
What's an example of exploiting system services?
Exploiting system services - you can attack any kind of non encrypted traffic flowing through the modem. Such as unsecured applications running with broad permissions. Or you can inject data into kernel services that communicate directly with the modem.
I don't know if on these phones the modem presents itself as a simple serial device, or if it has its own kernel driver (/dev/modem). If it does have its own kernel driver running in the phone, then this driver becomes an easy target for attack, granting full system access.
If you really think they're the same thing, I have some baseband software for you.
That's the key. There is no news here because every phone running every OS is back-doored. Completely, totally back-doored. This includes every single phone "replicant" has ever been installed on.
There is a computer in your phone, that you cannot access, running a closed source, proprietary OS that your carrier controls, that has (in many cases) DMA access to your "actual" phone.
Your carrier has total control over that computer in your pocket.
 With the very tiny exceptions of calypso-based motorola phones running osmocom and possibly the neo freerunner phones ... but I could be wrong about those...
And whats the difference to other entry points in the android operating system itself, a apologist may ask? First of all you have control over this portion of the device, you can read and audit the source code and employ selinux to harden the OS. The baseband processor on the other hand does a _LOT_ of complex parsing of huge binary protocols, exactly the point where you would want to have open source auditable software, the opposite is the case: The baseband firmware is largely a black box, nobody (not even the manufacturer of your phone) has access to the source code and can independently audit the security and remove backdoors placed there by the manufacturer hinthint.
"normally, any component that has a kernel driver can already access all your data" bullshit.
In modern qualcomm devices the primary boot loader (PBL) can usually only boot from it's own area of the eMMC (embedded SD card essentially, but based on MMC 4.0 not SD 2.0), possibly from a connected microSD card, and from an authenticated (and probably signed) download over USB or serial. This is controlled by one time use fuses (called Qfuses or Efuses).
The PBL loads and authenticates the secondary bootloader, SBL/QCSBL which runs a more advanced version of the download protocol and normally will launch the userland bootloader. (I'm not sure where the modem software is started here. The SBL may very well support the same or similar RFS IPCs from filesystem access to the eMMC, though I don't know of any RE that indicates that.
Of course, a compromised firmware could also reprogram pins and bitbang the eMMC, or just use it's own MMC interface as the bootloader can, rendering much of this moot.
I'm sure saurik or comex could add a lot more to this discussion.
The other way around is also imaginable - where the modem temporarily stores new firmware on the RFS upon reception, before updating itself, to reduce its own (likely expensive NOR-based) flash memory requirements.
"However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors."
I am sure that people who run alternative ROMs/OSes would like to know if they are affected or not, but there doesn't seem to be much mention of that... except this line, which seems to indicate that at least Cyanogen IS affected:
"Alternatively, the kernel could block the incriminated RFS requests and keep a trace of them in the logs for the record. That option would work for CyanogenMod, where the incriminated proprietary blob is still used."
I've heard about Replicant before and am interested in it, but something about a self-serving warning like that turns me off.
EDIT: Okay, my bad. I thought this was like a public announcement, not just a wiki page. That makes the context different, so my comments about reading like an advert are not nearly as applicable.
I love open source, but.... it's going to be damn hard to turn a buck.
So, which do we want more: the ability to make money and the right to be paid for our work, or liberty and privacy?
That is one hell of a would-you-rather. Thanks, NSA, for forcing a disgusting thought experiment into the real world.
I mean apart from sanitation, medicine, education, wine, public order, irrigation, roads, the fresh water system and public health, what have the [government] ever done for us?
If you really want no tax, go move to Vanuatu. It's a lovely, sunny place, the people are happy, the army and the police are the same thing and only 800 strong, the government is small, it's off the political radar so draws little interest from TLAs, English is an official language... and there is no income tax (with the exception of landlords), nor are there several other taxes on businesses (as it's a tax haven).
You don't want money 'stolen' from you? Then here is a realistic option available to you, one that is entirely achievable rather than pretending that it's possible to turn a country with a major economy into a tax-free zone, and wringing your hands that it obviously can't be done.
Despite the extremely common misinterpretation by the public, ~90% of libertarians are not anarchists who completely oppose taxation. They are "small government" (aka minarchist), not "no government".
The same is true if you generate a private key with a lower entropy source to simplify encoding (called a brain wallet for some reason.) Yes there a longer passphrases that do have more entropy, but you are still limiting the alphabet and the complexity for dictionary attacks.
I got a nearly 10% raise thanks to a strong Canadian economy and weak American one. Keep it up guys.
According to your chart a year ago 1 CAD got you around 1 USD and today it gets you 0.90 USD. Normally that's not interpreted as a decline in the strength of the dollar.
While you're right about binaries, there is nothing impractical about compiling things (cf ports tree).
Open Source is something that works now, today, here. It's not a great solution -- see above -- but like democracy, it might be the best we've got. (Or in this case, got left.)
Unfortunately it's a huge pain to do with existing toolchains.
One way to mitigate the attack: if your compiler is open source you could compile the compiler with multiple (open source and proprietary) compilers, then compile your application code using the resulting compiler binaries in the deterministic build process. If the resulting application binaries match, then either none of the compilers are compromised, or all of them are. The latter seems highly unlikely.
Also, open source software compiled by the user would be just as vulnerable.
Society has undergone massive economic and cultural changes that most people thought were impossible.
I bet 100 years ago that 98% of people would say "impossible" to the prospect that hospitals would exist that would treat anyone without requiring them to pay.
How about turning a micro Bitcoin with it?
edit: this includes so called "undocumented features" like maintenance access etc.
Hardware can be thought of as hardcoded software. But it's no longer the case that hardware is hardcoded. Hardware is becoming increasingly sophisticated, especially in their ability to be reprogrammed on the fly.
Um.. that's not hardware.
This is in opposition to software backdoors which allow someone sitting in a room 4000km away to own you with no outlay of money or resources on their part.
One problem at a time. Once we get the software stack open, then we can start going after the hardware stack.
Also, maintenance access is one of the easiest backdoors to exploit. The Target credit card breach was done through the maintence access in the HVAC system.
As a linux user, and (very) amateur kernel hacker I've always bought Samsung phones because they've been pretty forecoming with releasing the source for their android devices: http://www.androidcentral.com/samsung-galaxy-s4-kernel-sourc...
Obviously this is a GPL compliance thing, but it enables security minded people like myself to root the device, inspect the underlying source, and secure it pretty much like a regular box.
What alternative do you suggest?
> it enables security minded people like myself to root the device
Actually, having kernel sources doesn't enable you anything except for, possibly (but not certainly), building (but not installing) your own kernel.
You're able to install customized kernel and/or recovery on most Samsung phones, but that's completely unrelated to any FLOSS source code releases. Actually, this is usually done using proprietary tool (ODIN) communicating with proprietary hardware and firmware. They're just generous to allow you to do so (but they tick a flag stating your firmware is unofficial, and recently they started to blow a fuse to prevent unticking)
Voila, there is your operator-level access from the radio side.
I am confused. The Nexus S does not run a proprietary Android version.
This post is from the Replicant project, who are trying to build an open source system on top of the free Android subset.
The concern is that the proprietary code has an API that can access the filesystem. If the MODEM receives a command from the cellular tower, or another device that looks like the cellular tower, it looks as though the radio's processor could be instructed to extract data from your phone and perhaps send it out over the radio to some other party. The reverse could be done as well, putting data on your device.
Since this happens low-level, it communicates with the kernel on your main processor and is outside the normal security measures placed on regular applications running on your device. If the radio firmware doesn't have an explicit way to perform this task, the other concern is that a vulnerability in the radio firmware might be exploited to do this anyway. Because the radio firmware itself is closed source and proprietary, the real implications of this are still not well understood.
The project that discovered this about the radio firmware is trying to create an open-source replacement firmware that runs on your radio's processor. In the course of trying to implement a compatible firmware, they discovered these questionable APIs.
The implication is that even if you completely replaced your ROM on device with a trusted and secure open-sourced one, the proprietary closed-source drivers that are needed to communicate with the hardware, may be able to do things without your permission or detection.
The idea that you have to be an expert in everything before you ask anything runs counter to the point of the site.