Samsung Galaxy back-door allows for over-the-air filesystem access


#1



#2

I suppose if we really wanted to treat tech security like public-health science, these guys should have submitted their findings to a peer-reviewed publication before going public with it.


#3

So, anyone know if this affects AOSP based roms or just the stock roms?


#4

The way I read it, this will still affect AOSP and Cyanogenmod releases because the affected binary code (libsec-ril.so) is still used by them.


#5

The Replicant page describing the behavior says that it does not work on devices running Replicant and (to the best of my reading) the filesystem-access capabilities are built into the driver that the modem communicates with, not into the modem itself (which would be theoretically possible, but would require that the modem have access to the memory space, the flash, or both, and onboard processing power sufficient to implement multiple filesystems and avoid potentially messy concurrent-write issues with the primary OS, which assumes that it is the only software with the filesystem mounted).

So, anything running a driver that implements Samsung's modem command set is vulnerable, but the mere presence of a Samsung modem, if running with a sane subset of things-a-modem-should-be-able-to-do, would not be an issue.

Thanks a whole goddamn lot, future, no flying cars and my modem is a rootkit. Any other surprises?
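An added illustration, not Samsung's libsec-ril.so and not Replicant's code, of the distinction #5 draws: because the filesystem handling sits in the application-processor driver rather than in the modem, whether a modem-supplied path is honoured is a decision that driver makes. The hypothetical handler below contrasts a driver that accepts whatever path the modem names with one that lexically normalises the path and confines it to an allowlisted directory. The directory name, the function names and the sample requests are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical example only: not Samsung's or Replicant's code. The AP-side
   driver receives a file path chosen by the modem. The unconfined shape honours
   any path; the confined shape normalises it and refuses anything outside
   ALLOWED_ROOT (an assumed directory name). */
#define ALLOWED_ROOT "/data/radio/allowed"

/* Lexically normalise `in` into `out`: resolve "." and "..", collapse "//".
   Returns false if the path is not absolute, does not fit in `out`, or tries
   to climb above "/" (the classic "../../.." escape). */
bool normalize_path(const char *in, char *out, size_t outsz) {
    if (in == NULL || in[0] != '/' || outsz < 2) return false;
    size_t len = 0;                         /* bytes in out, no trailing '/' */
    out[0] = '\0';
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;              /* skip one or more separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0) return false;     /* ".." above root: reject outright */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;             /* drop the separator as well */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen + 1 > outsz) return false;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; }
    return true;
}

/* True only if `path`, once normalised, is ALLOWED_ROOT or lies beneath it.
   A prefix match alone is not enough: "/data/radio/allowed2" must not pass. */
bool path_is_confined(const char *path) {
    char norm[256];
    if (!normalize_path(path, norm, sizeof norm)) return false;
    size_t rootlen = strlen(ALLOWED_ROOT);
    if (strncmp(norm, ALLOWED_ROOT, rootlen) != 0) return false;
    return norm[rootlen] == '\0' || norm[rootlen] == '/';
}

/* Unconfined shape: the driver trusts the modem's path completely. */
bool modem_request_allowed_unconfined(const char *path) {
    (void)path;
    return true;
}

/* Confined shape: the driver decides, the modem only proposes. */
bool modem_request_allowed_confined(const char *path) {
    return path_is_confined(path);
}

int main(void) {
    /* Constructed sample requests, as a modem might send them. */
    const char *requests[] = {
        "/data/radio/allowed/nv.bin",
        "/data/radio/allowed/../../../sdcard/DCIM/photo.jpg",
        "/sdcard/DCIM/photo.jpg",
        "/data//radio/./allowed/calib.dat",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        printf("%-55s unconfined=%d confined=%d\n", requests[i],
               modem_request_allowed_unconfined(requests[i]),
               modem_request_allowed_confined(requests[i]));
    }
    return 0;
}
```

The normalisation is purely lexical on purpose: a check based on realpath() would follow symlinks and so depend on what the modem-reachable directory contains at the moment of the request, which is a second thing to get wrong. Whether any real driver applies such a check is exactly what the Replicant write-up is about.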


#6

Maybe it's my pre-coffee brain at fault, but I can't find any mention of the Galaxy S4 being affected, but also no mention that it's not affected. A strange omission, given that it's Samsung's flagship phone.


#7

Sorry, which law is it that prohibits public health specialists from reporting preliminary results without peer review? I'm not familiar with it.


#8

The Replicant page lists Galaxy models that were affected, but the S4 is not on there. This article has a picture of the S4 at the top.


#9

I'm not familiar with laws that require peer review for anything, so I'm not sure what you're trying to say here (as opposed to in your editorial, which suggested that peer-review in the health sciences is a good thing, even though not a legal requirement).


#10

So, in plain English... HOW do I get to fix this particular back-door?


#11

Frankly, I think treating technology in such a way would be a good thing. But your comment implies that the authors of the article are incorrect in some fashion and that a peer-reviewed journal would have corrected said errors. Is that what you are saying?


#12

There is no fix except to replace the binary blob(s) delivered by Samsung. At this point that means installing Replicant, since those haven't been replaced in the other custom ROMs yet either. I'm not sure they can be, at least not easily, since they interact on a low-level proprietary hardware level. Meaning, if you take it out, things will break. I'm not sure things will even run.

It seems the Replicant project has rewritten it, or is attempting to reverse-engineer it, and that's when they found these suspect library function titles.

The question to me is if this stuff is accessible, accessible remotely, etc. I'm sure Samsung didn't put this in at the behest of the NSA but I can bet that if they didn't know about it before, they'll be all over it now.

The lesson is, never trust code you can't see.


#13

I'm not saying the article is incorrect in any way, just that if peer review is a good thing and should be the standard one aspires to, then that's exactly what it should be. A lack of peer review doesn't imply anything negative about any particular report, article, paper, or whatever, although it's certainly true that peer review will catch some mistakes and generally raise the quality of publications in terms of their factualness and analytic quality (though it will also keep out some perfectly fine papers that don't meet some standard of newsworthiness or robustness, even if they are true and accurate).

I do think that this illustrates a major problem with a robust implementation of the scientific method in the tech context, though: they move at very different speeds. Peer review and the like takes time and money. And if you want to treat tech like public health, consider the major time and expense of getting FDA approval for drugs: 10 years and a billion dollars isn't uncommon. This might be an extreme example, but try to imagine Cory's beloved startups in Silicon Roundabout being forced to negotiate these sorts of hurdles. These are not considerations that young entrepreneurs want to be forced to go through, especially when they're scrounging pennies and want to get something to the market as quick as possible.


#14

It appears that the S4 might not have been evaluated since it is not one of their target devices at this time.
I would assume that it has the same instruction set in its driver.


#15

As an epidemiologist who has published in both peer review and non-peer review formats I call shenanigans on your comment. Shenanigans I say!


#16

Wait for an official update to be pushed out to you. Since it's all open source and Samsung is better than Apple, I'm sure it'll happen in about 10 days, give or take a few.



#17

Headline is deceptive. It allows for OTA filesystem access - as the 'radio' user, which can't access shit.

Except on the Galaxy S (the first one), in which it has root access, and this is a huge security hole.


#18

Did you read the rest?

In other cases, it runs as an unprivileged user that can still access the user's personal data (/sdcard).


#19

The lesson is, never trust code you can't see.

I hear ya, but I don't trust "open" code I can see, either.


#20

Well, with the webview bug one could mitigate - don't use the built-in browser or apps you don't trust and don't go to websites you don't trust with your phone (which is actually always good advice.) The fix was also in the next version of Cyanogenmod - so, theoretically, you could update your phone although most people didn't. Google's reaction to this was bad - basically a "meh" - which is why it took so long to fix.

And with the GnuTLS bug I guess it should be: "never trust code you can't see or can't understand." Or, cynically: "never trust code."

I can't see Samsung coming out with a fix for this bug for any existing phone - I guess the upside is that it can only be exploited through the tower (or the fake one someone sets up) so it's difficult (at this point) for any non-governmental actor. Easy for the three-letter organizations though.

The alternative is trusting whatever mega corporation who is trying to sell you units to do right... in secret.

I think I'm going back to a dumb phone.
I'm hoping the Ubuntu phones are better. I'm not very hopeful though.