Samsung Galaxy back-door allows for over-the-air filesystem access


I suppose if we really wanted to treat tech security like public-health science, these guys should have submitted their findings to a peer-reviewed publication before going public with it.

So, anyone know if this affects AOSP based roms or just the stock roms?

1 Like

The way I read it, this will still affect AOSP and Cyanogenmod releases because the affected binary code (libsec-ril.so) is still used by them.

The replicant page describing the behavior says that it does not work on devices running replicant and (to the best of my reading) the filesystem-access capabilities are built into the driver that the modem communicates with, not into the modem itself (which would be theoretically possible; but require that the modem have access to the memory space, the flash, or both, and onboard processing power sufficient to implement multiple filesystems and avoid potentially messy concurrent-write issues with the primary OS, which assumes that it is the only software with the filesystem mounted).

So, anything running a driver that implements Samsung’s modem command set is vulnerable; but the mere presence of a Samsung modem, if running with a sane subset of things-a-modem-should-be-able-to-do, would not be an issue.
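The trust boundary the post above describes, modelled as an added example (this is illustrative code written for this thread, not Samsung's, Replicant's or libsec-ril.so's): a host-side handler that receives a file request from the modem and acts on it with the daemon's own privileges, beside a confined version that pins every modem-supplied path under one directory. The request shape (operation, path, payload), the idea of a dedicated modem data directory, and all function and file names are assumptions made for the example.

```python
"""Model of a modem-to-host "remote file system" request.

Illustrative code written for this thread, not Samsung's, Replicant's or
libsec-ril.so's; the request shape (op, path, payload) and every name
below are assumptions for the example.  The point is the boundary: the
modem names a path, and the host acts on it.
"""
import os
import pathlib
import tempfile


def handle_rfs_unconfined(op: str, path: str, data: bytes = b"") -> bytes:
    """The pattern the post describes: the host opens whatever path the
    modem names, with the privileges of the daemon doing the opening
    (root on the original Galaxy S, the 'radio' user elsewhere)."""
    if op == "read":
        with open(path, "rb") as f:
            return f.read()
    if op == "write":
        with open(path, "wb") as f:
            f.write(data)
        return b""
    raise ValueError(f"unknown op {op!r}")


def resolve_confined(root: str, path: str) -> pathlib.Path:
    """Resolve a modem-supplied relative path under ROOT and refuse anything
    that leaves it: absolute paths, '..' segments, and symlinks pointing
    outside (resolve() follows them before the containment check)."""
    root_real = pathlib.Path(root).resolve()
    rel = pathlib.PurePosixPath(path)
    if rel.is_absolute():
        raise PermissionError(f"absolute path from modem refused: {path}")
    target = (root_real / rel).resolve()
    if target != root_real and root_real not in target.parents:
        raise PermissionError(f"path escapes modem data root: {path}")
    return target


def handle_rfs_confined(root: str, op: str, path: str, data: bytes = b"") -> bytes:
    """Same operations, but only inside the one directory the modem
    legitimately needs (assumed here: its own calibration/NV data)."""
    target = resolve_confined(root, path)
    if op == "read":
        return target.read_bytes()
    if op == "write":
        target.write_bytes(data)
        return b""
    raise ValueError(f"unknown op {op!r}")


def demo() -> dict:
    """Constructed stand-in filesystem: a modem data directory next to a
    'sdcard' holding user data.  Runs one legitimate request and two
    escaping requests through the handlers and reports what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        modem_root = os.path.join(tmp, "modem")
        sdcard = os.path.join(tmp, "sdcard")
        os.makedirs(modem_root)
        os.makedirs(sdcard)
        user_file = os.path.join(sdcard, "notes.txt")
        with open(user_file, "wb") as f:
            f.write(b"constructed user data")
        with open(os.path.join(modem_root, "nv_data.bin"), "wb") as f:
            f.write(b"constructed calibration blob")

        results = {}
        # A request the modem plausibly needs: the confined handler serves it.
        results["legit_confined"] = handle_rfs_confined(modem_root, "read", "nv_data.bin")
        # The unconfined handler hands over user data when asked by absolute path...
        results["abs_unconfined"] = handle_rfs_unconfined("read", user_file)
        # ...while the confined one refuses both the absolute form and traversal.
        for label, p in (("abs_confined", user_file),
                         ("traversal_confined", "../sdcard/notes.txt")):
            try:
                handle_rfs_confined(modem_root, "read", p)
                results[label] = "served"
            except PermissionError:
                results[label] = "refused"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The containment check canonicalises first (so symlinks and `..` are resolved) and only then compares against the root; checking the string before resolving is the usual way such a filter gets bypassed. Confinement of the path set is separate from the privilege question raised later in the thread: a handler that runs as root still needs both.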

Thanks a whole goddamn lot, future, no flying cars and my modem is a rootkit. Any other surprises?

8 Likes

Maybe it’s my pre-coffee brain at fault, but I can’t find any mention of the Galaxy S4 being affected–but also no mention that it’s not affected. A strange omission, given that it’s Samsung’s flagship phone.

Sorry, which law is it that prohibits public health specialists from reporting preliminary results without peer review? I’m not familiar with it.

5 Likes

The Replicant page lists Galaxy models that were affected, but the S4 is not on there. This article has a picture of the S4 at the top.

1 Like

I’m not familiar with laws that require peer review for anything, so I’m not sure what you’re trying to say here (as opposed to in your editorial, which suggested that peer-review in the health sciences is a good thing, even though not a legal requirement).

So, in plain English… HOW do I get to fix this particularly back-door???

1 Like

Frankly, I think treating technology in such a way would be a good thing. But your comment implies that the authors of the article are incorrect in some fashion and that a peer-reviewed journal would have corrected said errors. Is that what you are saying?

1 Like

There is no fix except to replace the binary blob(s) delivered by Samsung - at this point it means installing replicant since those haven’t been replaced in the other custom ROMs yet either. I’m not sure they can be - at least not easily, since they interact on a low-level proprietary hardware level. Meaning, if you take it out, things will break. I’m not sure things will even run.

It seems the replicant project has rewritten it - or is attempting to reverse-engineer it - and that’s when they found these suspect library function titles.

The question to me is if this stuff is accessible, accessible remotely, etc. I’m sure Samsung didn’t put this in at the behest of the NSA but I can bet that if they didn’t know about it before, they’ll be all over it now.

The lesson is, never trust code you can’t see.

7 Likes

I’m not saying the article is incorrect in any way, just that if peer review is a good thing and should be the standard one aspires to, then that’s exactly what it should be. A lack of peer review doesn’t imply anything negative about any particular report, article, paper, or whatever, although it’s certainly true that peer review will catch some mistakes and generally raise the quality of publications in terms of their factualness and analytic quality (though it will also keep out some perfectly fine papers that don’t meet some standard of newsworthiness or robustness, even if they are true and accurate).

I do think that this illustrates a major problem with a robust implementation of the scientific method in the tech context, though: they move at very different speeds. Peer review and the like takes time and money. And if you want to treat tech like public health, consider the major time and expense of getting FDA approval for drugs: 10 years and a billion dollars isn’t uncommon. This might be an extreme example, but try to imagine Cory’s beloved startups in Silicon Roundabout being forced to negotiate these sorts of hurdles. These are not considerations that young entrepreneurs want to be forced to go through, especially when they’re scrounging pennies and want to get something to the market as quick as possible.

It appears that the S4 might not have been evaluated since it is not one of their target devices at this time.
I would assume that it has the same instruction set in its driver.

As an epidemiologist who has published in both peer review and non-peer review formats I call shenanigans on your comment. Shenanigans I say!

1 Like

Wait for an official update to be pushed out to you. Since it’s all open source and Samsung is better than Apple, I’m sure it’ll happen in about 10 days, give or take a few.

:slight_smile:

2 Likes

Headline is deceptive. It allows for OTA filesystem access - as the ‘radio’ user, which can’t access shit.

Except on the Galaxy S (the first one), in which it has root access, and this is a huge security hole.

2 Likes

Did you read the rest?

On other cases, it runs as an unprivileged user that can still access the user’s personal data (/sdcard).

2 Likes

The lesson is, never trust code you can’t see.

I hear ya, but I don’t trust “open” code I can see, either.

Well, with the webview bug one could mitigate - don’t use the built-in browser or apps you don’t trust and don’t go to websites you don’t trust with your phone (which is actually always good advice.) The fix was also in the next version of Cyanogenmod - so, theoretically, you could update your phone although most people didn’t. Google’s reaction to this was bad - basically a “meh” - which is why it took so long to fix.

And with the gnuTLS bug I guess it should be: “never trust code you can’t see or can’t understand.” Or, cynically: “never trust code.”

I can’t see Samsung coming out with a fix for this bug for any existing phone - I guess the upside is that it can only be exploited through the tower (or the fake one someone sets up) so it’s difficult (at this point) for any non-governmental actor. Easy for the three-letter organizations though.

The alternative is trusting whatever mega corporation who is trying to sell you units to do right… in secret.

I think I’m going back to a dumb phone.
I’m hoping the Ubuntu phones are better. I’m not very hopeful though.