A number of Samsung’s popular Galaxy devices reportedly contain an alleged backdoor that could give attackers remote control of vulnerable handsets, effectively turning successfully exploited phones into mobile spying machines.
If that last sentence reads a bit reluctant, it’s because there’s been some dissent regarding whether or not Paul Kocialkowski’s research constitutes a stand-alone-backdoor-vulnerability.
The vulnerability is said to be present on “most proprietary Android systems” (in other words, almost all the builds that are developed commercially). The Galaxy Nexus S, S2, S4, Note, Note 3, Nexus, both the seven-inch and 10.1-inch Tab 2, and the Note 2 are all among the devices containing the alleged backdoor.
In quite simple and broad terms, these Samsung devices have built-in modems that are capable of reading, writing, and deleting files stored on the phones afflicted by the bug. More specifically, the problem exists in something called “Android’s Radio Interface Layer”. The program is a kind of modem driver installed on all of the above devices. As this radio is a program that runs on each smartphone’s central processing unit, it’s naturally able to read and write files stored on the device filesystem. Replicant developers discovered a set of commands, which could be issued by a modem and executed by the driver in order to manipulate the filesystem.
The researcher who discovered the issue – the developer of an open source Android distribution called Replicant – was not certain whether this set of permissions were built into these devices intentionally or by mistake. Either way, he claims such an allowance unacceptable.
You may be asking yourself, “So the modem can read, write, and delete files, but how do I access the modem in order to perform these actions?” And that is a very important question indeed – one that has been heavily discussed in the days following the initial reporting on this bug.
As was noted by Azimuth Security researcher Dan Rosenberg in an Ars Technica article published on Thursday, the researchers claiming to have discovered the backdoor had to perform a separate exploit to compromise the Samsung devices’ modems in the first place. Beyond that, he claims, the researchers fail to provide any real evidence that an attacker could execute the modem’s functionalities remotely.
Obviously Kocialkowski is making a serious allegation and Rosenberg has come along to claim the allegation is a bit of a reach. This is standard fare in the industry, particularly when the researcher that found the bug, which reportedly exists in “most proprietary Android systems”, very conspicuously works on a pro-open-source project. In other words, there is more than a little conflict of interest at play here.
Either way, backdoor vulnerability or not, the real problem for users of Google’s mobile operating system has to do with Android’s nearly non-existent security update and patching processes.
Because Android is open-source, highly customisable, and installed on a wide-array of different devices built by different companies, each smartphone manufacturer creates its own specific Android build to meet the needs of their particular devices. This reality has a number of ramifications.
First and foremost, there is always the possibility that certain vulnerabilities will affect some Android builds and not others. Once a vulnerability is found and a patch is developed for it, the device manufacturers would have to create their own special and customised firmware update, making sure that the update is compatible with all the specialised software and hardware on the phone in question. After that, the carriers get to look at the update and make sure it won’t negatively impact their networks as well. Once the carrier approves the patch or patches, they (the carrier) then have to push the fix to their users.
Problematically, the carriers and the manufacturers take their sweet time testing these patches. Often, the end-result of this system is that Android handsets just don’t get patched. As a point of comparison, updates for Apple’s iOS come directly from their Cupertino, California headquarters to the phone in your pocket (or possibly to iTunes on the computer on your desk). Once Apple builds the patch, there is virtually nothing keeping them from shipping it.