Multiple models of Samsung Galaxy smartphones could contain a backdoor for remote data access, a developer team has alleged, potentially leaving personal files open to clandestine browsing. The security loophole stems from a proprietary app Samsung created to run on the modem’s application processor, which can access and modify software running on the phones and, in at least nine cases, have unfettered access to personal data as well.
The issue was discovered by the team behind Replicant, a project to build a more secure smartphone OS based on Android.
The developers found that Samsung codes its own software for the application processor that’s part of the modem, separate from the main processor that runs Android itself. That app is granted permission to modify the phone’s applications, including deleting them, but on some devices checked also has the same permissions for user-data.
“While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data” Paul Kocialkowski, developer, Replicant
Affected devices include the Galaxy S 3 and Galaxy Note 2, as well as the Galaxy Tab 2 10.1 and Galaxy Tab 2 7.0. It’s unclear whether more recent handsets, like the Galaxy S4 and the freshly-announced Galaxy S5, also demonstrate the loophole.
The concern is that, with over-the-air access, the modem app could be used to give remote users a doorway into user’s personal information. On the nine most affected phones and tablets, it runs with full root access; however, others run it as an “unprivileged user” which still has access to some data.
Still missing from the puzzle is exactly how that backdoor might be utilized. Kocialkowski suggests that “as the modem is running proprietary software, it is likely that it offers over-the-air remote control” though there’s no guarantee that this is necessarily the case.
It’s not the first time Samsung’s custom software has been blamed for leaving users at possible risk. Back in early 2013 several hacks taking advantage of flaws in the custom lockscreen were identified, though Samsung later patched them with updates.
Update: Ars Technica got a second opinion from Azimuth Security researcher Dan Rosenberg, who suggested that the Galaxy Note 3 and Galaxy S4 both share the same potential loophole. However, he also echoes questions around whether there is, indeed, any way of remotely exploiting the poorly-coded software (and ascribes its existence to sloppy implementation rather than malicious intent on Samsung’s developers’ part).