Backdoor in Samsung Galaxy devices 'allows remote access to data'

Summary: According to one developer, Samsung has committed a big security error by letting its modem write to disk, but Samsung says it's a "software feature" that poses no risk to users.


The developers behind Replicant, an Android OS based on CyanogenMod, claim to have found a backdoor in the modem of several of Samsung's Galaxy devices that could allow a remote attacker to manipulate their files and data.

According to Replicant's chief developer Paul Kocialkowski, Samsung software that handles communications on the baseband processor found in several Galaxy devices can be used by an attacker to turn the device into a spying tool.

Android device owners might be familiar with the reference to "baseband", which usually gets updated each time a new Android firmware update is released. One version number refers to the application processor, such as Android 4.2.2, and the other corresponds to the baseband processor, or modem, which supports radio communications.

"We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system," Kocialkowski wrote in a post on the Free Software Foundation's blog.

Affected Samsung Galaxy devices, according to Kocialkowski, include the Nexus S, S, S2, Note, Nexus, the seven-inch Tab 2, the 10.1-inch Tab 2, and the Note 2.

The software in question is Samsung's implementation of the Android Radio Interface Layer (RIL), which handles communications with the modem. While reverse engineering Samsung's RIL to create its own replacement, Kocialkowski found the software uses the Samsung IPC protocol to implement RFS commands and perform remote I/O operations.

"The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case," Kocialkowski wrote in his technical analysis.

"However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

Kocialkowski argues that the modem is a powerful attack tool since it can be used to activate the device's mic, use the GPS, access the camera, and change data. Also, because modems are generally connected to an operator's network, such backdoors are very accessible.

The impact of the backdoor depends on the permissions the software has. The worst case is where the service is running as root, while there’s a lower impact for devices where it’s running as an unprivileged user or where SELinux is implemented, which restricts the scope of possible files the modem can access.

According to Kocialkowski, the affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems.

Update Sunday 16 March: According to Samsung, the "software feature" exposed by Kocialkowski poses no security risk to users.

"Samsung takes the security of its products extremely seriously. We have investigated the claims that have been made and can confirm that there is no security risk. The Free Software Foundation's recent allegations are based on a false understanding of the software feature that enables communication between the modem and the Application Processor chipset," a Samsung spokesperson said in a statement.


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Intel = the most spread backdoor in every PC

    never trust Intel's processors = manufactured and designed in the US by NSA
    Jiří Pavelec
    • I noticed you adjusting your tinfoil hat as you wrote that, Jiří Pavelec

      was it too tight?
      • the US under-educated again? :)

        have you ever heard about Snowden or NSA? :)

        "How the NSA Plans to Infect ‘Millions’ of Computers with Malware"

        you live in a cave, right? :)
        Jiří Pavelec
    • smh...

      Wow... just... wow.
      Hallowed are the Ori
  • Intel = the most spread backdoor in every PC

    never trust Intel's processors = manufactured and designed in the US by NSA
    Jiří Pavelec
    • Samsung Galaxy devices are using Intel chips?

      I thought they are using ARM chips.
      • The modems

        "the affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems"

        As I understand it, these modems also include an embedded proprietary operating system.
        Rabid Howler Monkey
  • Intel inside?

    I'm thinking of buying a Samsung tablet and during my investigations, I was astonished to find that the old (not 2014) Note 10.1 was being promoted with an Intel Inside sticker. Whether that refers to the processor or to the modem or both or was in error I don't know. It wasn't present on the 2014 Note 10.1 so that's the one I hope to buy.
    • re: Note 10.1 and Intel

      I own a 1st gen Note 10.1; the CPU is not Intel. It has the nVidia-based CPU/GPU combo. No cell/modem on mine, so no Intel there as well.
  • Old is Good

    Glad I have stuck with my Tab 1; it does everything I need.
    The BarnOwl
  • Want security?

    Use a BlackBerry.
    • A what?

      I haven't heard that name in years. Do they still exist in the wild?
  • “Virtually no evidence” for claim of remote backdoor in Samsung phones

    “Rosenberg: I think calling this a "backdoor" is a bit far-fetched, much less one that can allow parties to remotely access data from your phone. This claim can be debunked with three crucial facts:”