If you are a power Android user, chances are you have heard of Replicant, the Android fork that is built with security and encryption at its heart. On Wednesday, its developers published a shocking report that said Samsung’s Galaxy S3, Note 2, and other devices have a backdoor that could give anyone remote access to data stored on the devices, and also cause mischief. The full list also includes the Nexus S and the Galaxy Nexus smartphones, along with the Galaxy S2, Galaxy Note and the two Galaxy Tab slates.
In a published proof-of-concept (POC), Replicant said the code controls the baseband or modem processors of these devices, allowing anyone with the right tools to remotely read, write, or modify users’ files. They could theoretically listen in on all your calls, read your messages before they come to you and even force your phone to make calls. This is no doubt a serious allegation and one that could wreck Samsung’s reputation.
“Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone’s data, even in the case where the modem is isolated and cannot access the storage directly,” said Paul Kocialkowski of the Free Software Foundation (FSF), which reported the finding. He then went on to rail against proprietary software, before plugging Replicant. “Our free replacement for that non-free program does not implement this backdoor. If the modem asks to read or write files, Replicant does not cooperate with it,” he said.
The Replicant plug seems tasteless given the issue at hand, and some experts say FSF’s reputation for being anti-proprietary software has influenced the magnitude of their claims.
Azimuth Security’s senior researcher Dan Rosenberg told Ars Technica that these claims are a bit far-fetched. Debunking FSF’s report, Rosenberg was quoted as saying, “There is virtually no evidence for the ability to remotely execute this functionality.” He said the proprietary protocol implemented by Samsung is intended to allow communication between the baseband and the application processor, allowing the former to read and write files on the latter to help fix problems with the modem. “However, the authors provide no evidence of such a ‘remote control’ mechanism. The FSF has a known agenda against proprietary software, and I think that agenda resulted in them creating a narrative that would cause perhaps more outrage than is warranted,” he said.
He also said that the amount of data that can be read or written by this functionality is limited, allowing only access to radio functionality, plus information stored on the SD card. The reason the possibility exists is “to allow the modem to write diagnostic files to Android storage in order to assist with identifying and fixing problems with the modem,” he said. But this doesn’t mean there’s a way a remote attacker could access the same. Even Replicant says that the SELinux module, introduced in Android 4.2 and fortified with the ‘Enforcing’ state in Android 4.4, restricts the modem’s access to certain files, including those on the internal SD card. So it would not be of much use to any potential attacker.
Another security expert told XDA Developers on the condition of anonymity that “the way in which the proof-of-concept attack was framed by the Replicant team was a bit misleading.” The source said that if a user is running an updated version of the official firmware, which is the case for high-end devices with the latest software patches, this attack will not work.
We have yet to hear Samsung’s response to these allegations, and with experts picking holes in Replicant’s POC, there’s no reason yet to ditch your Galaxy device.