A developer working on Replicant, an open-source free mobile operating system designed to replace all proprietary Android components with open-source alternatives, has discovered a backdoor in Samsung Galaxy devices that provides almost full access to user files, camera, microphone and location.
Mobile phones have two processors: an applications processor that runs the operating system, and a second processor that handles outside communications.
Paul Kocialkowski, a Replicant developer, describes the comms processor as the 'modem.' "This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device," he wrote on a Free Software Foundation blog Wednesday. Since the modem processor is normally continuously connected to the operator's network, it is nearly always accessible, and can necessarily connect to the parts of the device used for communications, such as the camera, microphone, and GPS location services.
However, the problem for Android users is that the device supplier has full access to the Android operating system and can modify or add to it at will. "While working on Replicant," writes Kocialkowski, "we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone's storage."
That is, Samsung Galaxy phones open a direct connection between the two processors, giving the modem remote access to the applications processor's files and user data. It is, says Kocialkowski, "yet another example of what unacceptable behavior proprietary software permits! Our free replacement for that non-free program does not implement this backdoor."
Not everyone is unduly alarmed. Cnet reports, "Although Replicant said that the software could potentially access user data, it appears that it's doing nothing wrong. In fact, the company wrote that there are some features in the software that are 'legitimate.'" This appears to refer to a comment in Replicant's technical discussion on the issue.
The full statement, however, reads, "The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage. However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target a very precise file, known as the modem's NV data."
Backdoors do not have to be created by bad people for bad purposes for them to be used by bad people for bad purposes – they need to be closed. Replicant has offered to work with Samsung on the issue, but has yet to hear from the manufacturer. "We are hoping that the reason for the presence of this back-door will be clarified," wrote Kocialkowski in a separate blog post yesterday.
It would certainly seem that the connection found on the Galaxy devices between the two processors is not strictly necessary, and that if a Replicant operating system were installed, it would not 'cooperate' with the modem processor. Nevertheless, so long as the modem processor and its own operating system are proprietary, the potential for a full backdoor remains present. "Replicant does not cooperate with backdoors," said Kocialkowski, "but if the modem can take control of the main processor and rewrite the software in the latter, there is no way for a main processor system such as Replicant to stop it."