As highlighted in the blog post, modern handsets come with two separate processors: a general-purpose application processor that runs the main operating system, and a second component, the modem, in charge of communications with the mobile telephony network. The modem processor is usually targeted by attackers because it always runs a proprietary operating system, and the presence of a backdoor there makes remote surveillance activities possible.
“Today’s phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network. This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator’s network, making the backdoors nearly always accessible.”
Kocialkowski has discovered that the program handling Samsung's IPC protocol, which runs in the background on the applications processor to talk to the modem, allows the modem component to remotely access the user's phone storage. The Samsung IPC protocol implements a class of requests (RFS commands) that let the modem read, write, and delete files by executing remote I/O operations on the phone's storage.
“we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system. This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data. A technical description of the issue, as well as the list of known affected devices is available at the Replicant wiki.” states the blog post.
We cannot demonstrate that the backdoor was deliberately designed, nor that it was placed there by mistake, but in either case the user's privacy is at risk.
Replicant has published a patch, '0001-modem_if-Inject-and-intercept-RFS-I-O-messages-to-pe.patch', for Samsung smartphones, which replaces the legitimate Samsung-RIL library.
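As an added illustration (not the Replicant patch's code, nor Samsung's), this sketches the kind of intercept point such a replacement needs: a default-deny gate on modem-originated RFS requests. The request layout, the operation names and the allowed directory are assumptions, since the page does not describe the protocol format.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an RFS request arriving from the modem; the real
 * Samsung IPC message layout is not described on the page (assumption). */
enum rfs_op { RFS_READ, RFS_WRITE, RFS_DELETE };

struct rfs_request {
    enum rfs_op op;
    char path[128];
};

/* Only directory the modem may touch (assumed value for illustration). */
static const char *RFS_ALLOWED_PREFIX = "/efs/modem/";

/* Refuse relative paths and any ".." or "." traversal component. */
static bool path_is_clean(const char *p) {
    size_t n = strlen(p);
    if (n == 0 || p[0] != '/') return false;
    if (strstr(p, "/../") || strstr(p, "/./")) return false;
    if (n >= 3 && strcmp(p + n - 3, "/..") == 0) return false;
    if (n >= 2 && strcmp(p + n - 2, "/.") == 0) return false;
    return true;
}

/* Policy gate: default deny. Reads and writes are allowed only under the
 * prefix; deletes are never forwarded to the file system. */
bool rfs_request_allowed(const struct rfs_request *req) {
    if (!path_is_clean(req->path)) return false;
    if (strncmp(req->path, RFS_ALLOWED_PREFIX, strlen(RFS_ALLOWED_PREFIX)) != 0)
        return false;
    return req->op == RFS_READ || req->op == RFS_WRITE;
}

/* Interception point: build the request, log the decision, and report
 * whether the caller may forward it to the file I/O handler. */
bool rfs_intercept(enum rfs_op op, const char *path) {
    struct rfs_request req;
    if (strlen(path) >= sizeof req.path) {   /* oversized path: drop it */
        fprintf(stderr, "RFS denied: path too long\n");
        return false;
    }
    req.op = op;
    strcpy(req.path, path);
    bool ok = rfs_request_allowed(&req);
    fprintf(stderr, "RFS op=%d path=%s -> %s\n", (int)op, path, ok ? "forward" : "drop");
    return ok;
}
```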
Kocialkowski also encourages Samsung Galaxy owners to publicly appeal to SamsungMobile for an explanation.
(Security Affairs – Samsung, mobile)