SamsungGalaxyBackdoor » History » Version 19

Paul Kocialkowski, 03/12/2014 09:13 PM

h1. Samsung Galaxy Back-door

This page contains a technical description of the back-door found in Samsung Galaxy devices.
For a general description of the issue, please refer to the "statement posted on the Free Software Foundation's website":http://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor.

*This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.*


h2. Abstract

Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.

In particular, the proprietary software in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, which allows the modem to perform remote I/O operations on the phone's storage. As the modem runs proprietary software, it is likely that it offers over-the-air remote control, which could then be used to issue the incriminated RFS messages and access the phone's file system.

h2. Known affected devices

The following table shows which devices are known to contain this back-door as part of the software they ship with.

Please contact us if you know about another device that could be affected by this back-door, or if you have more information on one of the listed devices!

|_. Device |_. Incriminated program running as root |_. SELinux enabled |_. libsamsung-ipc support |_. Replicant support |
| Nexus S (I902x) | No | Possible with Android 4.2 and later | Yes | Yes |
| Galaxy S (I9000) | Yes | ? | Yes | Yes |
| Galaxy S 2 (I9100) | No | ? | Yes | Yes |
| Galaxy Note (N7000) | No | ? | Yes | Yes |
| Galaxy Nexus (I9250) | No | Possible with Android 4.2 and later | Yes | Yes |
| Galaxy Tab 2 7.0 (P31xx) | No | ? | Yes | Yes |
| Galaxy Tab 2 10.1 (P51xx) | No | ? | Yes | Yes |
| Galaxy S 3 (I9300) | No | ? | Yes | Yes |
| Galaxy Note 2 (N7100) | No | ? | Yes | Yes |

h2. Back-door sample

In order to investigate the back-door and check what it actually lets the modem do, some code was added to the modem kernel driver to make it craft and inject requests using the incriminated messages and check their results.

The following patch: attachment:0001-modem_if-Inject-and-intercept-RFS-I-O-messages-to-pe.patch (to apply to the SMDK4412 Replicant 4.2 kernel) implements a sample use of the back-door that will:
* open the @/data/radio/test@ file
* read its content
* close the file

This demonstrates that the incriminated software will execute these operations upon modem request. Note that the software implementation prepends @/efs/root/@ to the provided path, but it is fairly simple to escape that prefix with @../../@ and request any file on the file system, as the RIL log below shows. Files are opened with the incriminated software's user permissions, which are root on some devices. On other devices it runs as an unprivileged user that can still access the user's personal data (@/sdcard@). Finally, some devices may enforce SELinux, which considerably restricts the scope of files the modem can access, including the user's personal data (@/sdcard/@).

The following sample was obtained on a Galaxy Note 2 (N7100) running CyanogenMod 10.1.3.

h3. Sample file

The sample file used for this demonstration (@/data/radio/test@) is filled with "Hello World!":
<pre>
root@android:/ # hexdump -C /data/radio/test
00000000  48 65 6c 6c 6f 20 57 6f  72 6c 64 21 0a           |Hello World!.|
0000000d
</pre>

h3. Kernel log

<pre>
<3>[   62.712637] c0 mif: rx_iodev_skb: rx_iodev_skb: Dropping RFS frame
<3>[   62.712808] c0 mif: rfs_craft_start: rfs_craft_start: Crafting open
<3>[   62.712966] c0 mif: rfs_craft_start: rfs_craft_start: Adding SKB to queue
<3>[   62.713122] c0 mif: rx_iodev_skb: rx_iodev_skb: Dropping RFS frame
<3>[   62.744690] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.744867] c0 mif: rfs_craft_write: rfs_craft_write: Open response: fd=21, errno=0
<3>[   62.745116] c0 mif: rfs_craft_write: rfs_craft_write: Adding SKB to queue
<3>[   62.792888] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.793026] c0 mif: rfs_craft_write: rfs_craft_write: Read response: 12 bytes read
<3>[   62.793154] c0 mif: mif_print_data: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21  
<3>[   62.793284] c0 mif: rfs_craft_write: rfs_craft_write: Adding SKB to queue
<3>[   62.796168] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.796269] c0 mif: rfs_craft_write: rfs_craft_write: Rx RFS message with command 0x6 and size 14
<3>[   62.796422] c0 mif: mif_print_data: 0000: 00 00 00 00  00 00 00 00  
</pre>

The relevant part is the response to the read request:
<pre>
<3>[   62.793026] c0 mif: rfs_craft_write: rfs_craft_write: Read response: 12 bytes read
<3>[   62.793154] c0 mif: mif_print_data: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21  
</pre>
which matches the content of the @/data/radio/test@ file (the 12 bytes returned are the file's content minus its trailing newline), confirming that the incriminated software implements the back-door.

h3. Incriminated software log

<pre>
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 35
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_OpenFile: 
E/RIL     ( 1927): RxRFS_OpenFile: open file "/efs/root/../../data/radio/test" flag O_RDWR (0x00000002)
E/RIL     ( 1927): check dir '/efs/root/../../data/radio'
E/RIL     ( 1927): A directory already exists.
E/RIL     ( 1927): RxRFS_OpenFile: length 14
E/RIL     ( 1927): TxRFS_CfrmOpenFile()
E/RIL     ( 1927): TxRFS_CfrmOpenFile(): length 14
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 14 bytes rfs_hdr =6
E/RIL     ( 1927): get_wakelock: 1. on 0, ril_WakeLock_Mask 1
E/RIL     ( 1927): get_wakelock: 2. on 0, ril_WakeLock_Mask 0
E/RIL     ( 1927): set_wakelock: secril_rfs-interface 0
E/RIL     ( 1927): set_wakelock: secril_fmt-interface 1
E/RIL     ( 1927): processIPC: Single IPC plen 23, pkt 23
</pre>

<pre>
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 14
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_ReadFile: 
E/RIL     ( 1927): RxRFS_ReadFile: length 4110
E/RIL     ( 1927): TxRFS_CfrmReadFile()
E/RIL     ( 1927): TxRFS_CfrmReadFile(): length 4110
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 4110 bytes rfs_hdr =6
</pre>

<pre>
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 10
E/RIL     ( 1927): get_wakelock: 1. on 0, ril_WakeLock_Mask 1
E/RIL     ( 1927): get_wakelock: 2. on 0, ril_WakeLock_Mask 0
E/RIL     ( 1927): set_wakelock: secril_rfs-interface 0
E/RIL     ( 1927): [EVT]:Req(0), RX(0)
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_CloseFile: 
E/RIL     ( 1927): RxRFS_CloseFile: length 14
E/RIL     ( 1927): TxRFS_CfrmCloseFile()
E/RIL     ( 1927): TxRFS_CfrmCloseFile(): length 14
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 14 bytes rfs_hdr =6
</pre>
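
The @RxRFS_OpenFile@ line above shows the path handling that makes the escape work: the modem-supplied string is simply concatenated after @/efs/root/@, so @../../@ walks out of that directory. The following C program is an added example, not code from this page, from Replicant or from the proprietary RIL. It places that naive construction beside a lexical confinement check that refuses any request climbing above the RFS root. The @RFS_ROOT@ constant, the function names and the sample paths are assumptions for illustration.

```c
/* Added example (not code from this page, from Replicant or from the
 * proprietary RIL): the naive prefix concatenation that the RIL log reveals,
 * beside a lexical confinement check that refuses requests climbing above
 * the RFS root. RFS_ROOT, the function names and the sample paths are
 * assumptions for illustration. Build: cc -Wall -std=c99 -o rfs_path rfs_path.c
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define RFS_ROOT "/efs/root/"   /* prefix seen in the RxRFS_OpenFile log line */

/* What the log shows the proprietary RIL doing: plain concatenation, so
 * "../../data/radio/test" walks out of /efs/root/. Returns 0, or -1 if the
 * result does not fit in out. */
int rfs_build_path_naive(const char *req, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s%s", RFS_ROOT, req);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hardened variant: walk the modem-supplied path component by component and
 * refuse it as soon as ".." would climb above the root. Purely lexical, so
 * no file needs to exist; symlinks inside the root are a separate concern. */
bool rfs_path_is_confined(const char *req)
{
    int depth = 0;
    const char *p = req;

    if (*p == '/')                     /* absolute paths are never acceptable */
        return false;

    while (*p) {
        const char *seg = p;
        size_t len;

        while (*p && *p != '/')
            p++;
        len = (size_t)(p - seg);
        while (*p == '/')              /* collapse repeated slashes */
            p++;

        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                  /* "." does not change depth */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)           /* would leave RFS_ROOT */
                return false;
            continue;
        }
        depth++;
    }
    return true;
}

/* Builds the path only when confined; returns -1 when the request is refused. */
int rfs_build_path_checked(const char *req, char *out, size_t out_len)
{
    if (!rfs_path_is_confined(req))
        return -1;
    return rfs_build_path_naive(req, out, out_len);
}

int main(void)
{
    const char *samples[] = { "nv_data.bin", "../../data/radio/test",
                              "a/../b", "a/../../etc/hosts" };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rfs_build_path_naive(samples[i], buf, sizeof buf);
        printf("naive:   %-24s -> %s\n", samples[i], buf);
        if (rfs_build_path_checked(samples[i], buf, sizeof buf) == 0)
            printf("checked: %-24s -> %s\n", samples[i], buf);
        else
            printf("checked: %-24s -> refused (escapes %s)\n", samples[i], RFS_ROOT);
    }
    return 0;
}
```

A lexical check of this kind only covers the traversal seen in the log. It does nothing against symbolic links placed under @/efs/root/@, so a real handler should additionally open the file relative to a directory descriptor of the root (@openat()@ with @O_NOFOLLOW@) and, as the SELinux column of the devices table suggests, run in a domain that is confined to that directory regardless of the path it computes.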

h2. Analysis

The following analysis was conducted using the @libsec-ril.so@ binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location @system/lib/libsec-ril.so@.

*The developers involved in the present analysis never agreed to any sort of End User License Agreement that explicitly prohibited reverse engineering or decompiling the incriminated binary. The reverse engineering operations that led to these findings originally took place during the development of [[Samsung-RIL]], the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.*

As a first approach, running the @strings@ tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions:
<pre>
IPC_RFS_READ_FILE
IPC_RFS_WRITE_FILE
IPC_RFS_LSEEK_FILE
IPC_RFS_CLOSE_FILE
IPC_RFS_PUT_FILE
IPC_RFS_GET_FILE
IPC_RFS_RENAME_FILE
IPC_RFS_GET_FILE_INFO
IPC_RFS_UNLINK_FILE
IPC_RFS_MAKE_DIR
IPC_RFS_REMOVE_DIR
IPC_RFS_OPEN_DIR
IPC_RFS_READ_DIR
IPC_RFS_CLOSE_DIR
IPC_RFS_OPEN_FILE
IPC_RFS_FTRUNCATE_FILE
IPC_RFS_GET_HANDLE_INFO
IPC_RFS_CREATE_FILE
</pre>

The names of these commands make it obvious that they let the modem perform I/O operations.

The @strings@ utility also reveals matching function names that seem to implement the handling of these commands:
<pre>
RxRFS_GetFile
RxRFS_CreateFile
RxRFS_ReadDirectory
RxRFS_OpenDirectory
RxRFS_RenameFile
RxRFS_Default
RxRFS_OpenFile
RxRFS_ReadFile
RxRFS_FtruncateFile
RxRFS_WriteFile
RxRFS_GetFileInfoByHandle
RxRFS_GetFileInfo
RxRFS_PutFile
RxRFS_LseekFile
RxRFS_CloseFile
RxRFS_DeleteFile
RxRFS_MakeDirectory
RxRFS_CloseDirectory
RxRFS_RemoveDirectory
TxRFS_CfrmCreateFile
TxRFS_CfrmPutFile
TxRFS_CfrmOpenDirectory
TxRFS_CfrmGetFileInfo
TxRFS_CfrmReadDirectory
TxRFS_CfrmRenameFile
TxRFS_CfrmCloseFile
TxRFS_CfrmFtruncateFile
TxRFS_CfrmGetFileInfoByHandle
TxRFS_CfrmDeleteFile
TxRFS_CfrmCloseDirectory
TxRFS_CfrmRemoveDirectory
TxRFS_CfrmMakeDirectory
TxRFS_CfrmGetFile
TxRFS_CfrmReadFile
TxRFS_CfrmWriteFile
TxRFS_CfrmLseekFile
TxRFS_CfrmOpenFile
</pre>

Taking a closer look at these functions, using the @objdump@ disassembler, reveals that they are actually called from the @ipc_recv_rfs@ function, itself called from @process_ipc_notify_message@, which appears to handle the messages received from the modem. Hence we can deduce that the incriminated functions are actually called upon modem request.

Taking a closer look at one of these functions, e.g. @RxRFS_ReadFile@, reveals multiple calls through the Procedure Linkage Table (PLT), i.e. calls to dynamically linked functions. We believe these are libc functions, in particular I/O-related ones such as @open@, @close@, @read@ and @write@.

h2. Samsung IPC RFS messages

The following table associates each Samsung IPC RFS message with its hexadecimal command value:

|_. Message |_. Hexadecimal command value |
| IPC_RFS_NV_READ_ITEM | 0x01 |
| IPC_RFS_NV_WRITE_ITEM | 0x02 |
| IPC_RFS_READ_FILE | 0x03 |
| IPC_RFS_WRITE_FILE | 0x04 |
| IPC_RFS_LSEEK_FILE | 0x05 |
| IPC_RFS_CLOSE_FILE | 0x06 |
| IPC_RFS_PUT_FILE | 0x07 |
| IPC_RFS_GET_FILE | 0x08 |
| IPC_RFS_RENAME_FILE | 0x09 |
| IPC_RFS_GET_FILE_INFO | 0x0a |
| IPC_RFS_UNLINK_FILE | 0x0b |
| IPC_RFS_MAKE_DIR | 0x0c |
| IPC_RFS_REMOVE_DIR | 0x0d |
| IPC_RFS_OPEN_DIR | 0x0e |
| IPC_RFS_READ_DIR | 0x0f |
| IPC_RFS_CLOSE_DIR | 0x10 |
| IPC_RFS_OPEN_FILE | 0x11 |
| IPC_RFS_FTRUNCATE_FILE | 0x12 |
| IPC_RFS_GET_HANDLE_INFO | 0x13 |
| IPC_RFS_CREATE_FILE | 0x14 |
| IPC_RFS_NV_WRITE_ALL_ITEM | 0x15 |

h2. Legitimacy

No particular legitimacy or relevant use-case was found for the incriminated RFS messages of the Samsung IPC protocol. It is possible that they were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same: they allow the modem to access the phone's storage.

However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target one very specific file, known as the modem's NV data. There should be no particular security concern about these, as both the proprietary implementation and its free software replacement strictly limit actions to that particular file.

h2. Areas of work

Some work could be done in order to handle that back-door:
* [[Samsung-RIL]] could show a message alerting the user when the back-door is being used, including the requested path, and ask the user to save logs and contact us.
* Alternatively, the kernel could block the incriminated RFS requests and keep a trace of them in the logs for the record. That option would also work for CyanogenMod, where the incriminated proprietary blob is still used.
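
The second option, blocking the incriminated requests in the kernel and logging them, amounts to a policy check on each RFS frame before it is handed to the RIL. The following C program is an added example, not Replicant, CyanogenMod or Samsung code, written as a stand-alone user-space program rather than a kernel patch. It implements that check with the command values from the table above, allowing only the two NV-item messages the Legitimacy section describes and dropping everything else by default, unknown ids and malformed frames included. The 6-byte header layout it parses (32-bit little-endian frame length including the header, command byte, index byte) is an assumption consistent with the constant @rfs_hdr =6@ in the RIL log, and the frames it builds are constructed for the demonstration rather than captured.

```c
/* Added example (not Replicant, CyanogenMod or Samsung code): a kernel-style
 * policy filter for RFS frames coming from the modem, written as a stand-alone
 * user-space program. ASSUMED header layout, consistent with the constant
 * "rfs_hdr =6" in the RIL log: u32 little-endian frame length (header
 * included), u8 command id, u8 index. Verify against the driver before use.
 * Build: cc -Wall -std=c99 -o rfs_filter rfs_filter.c
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFS_HDR_LEN 6
#define IPC_RFS_NV_READ_ITEM  0x01
#define IPC_RFS_NV_WRITE_ITEM 0x02
#define IPC_RFS_OPEN_FILE     0x11

/* Short names (without the IPC_RFS_ prefix) indexed by command id, taken from
 * the message table on this page. */
static const char *const rfs_cmd_names[] = {
    "UNKNOWN",     "NV_READ_ITEM", "NV_WRITE_ITEM",  "READ_FILE",
    "WRITE_FILE",  "LSEEK_FILE",   "CLOSE_FILE",     "PUT_FILE",
    "GET_FILE",    "RENAME_FILE",  "GET_FILE_INFO",  "UNLINK_FILE",
    "MAKE_DIR",    "REMOVE_DIR",   "OPEN_DIR",       "READ_DIR",
    "CLOSE_DIR",   "OPEN_FILE",    "FTRUNCATE_FILE", "GET_HANDLE_INFO",
    "CREATE_FILE", "NV_WRITE_ALL_ITEM",
};

const char *rfs_cmd_name(uint8_t cmd)
{
    size_t n = sizeof rfs_cmd_names / sizeof rfs_cmd_names[0];
    return cmd < n ? rfs_cmd_names[cmd] : rfs_cmd_names[0];
}

/* Policy: only the two NV-item messages have a legitimate use (they target
 * the modem's own NV data file). Every other id, unknown ones and
 * NV_WRITE_ALL_ITEM included, is denied by default. */
bool rfs_cmd_allowed(uint8_t cmd)
{
    return cmd == IPC_RFS_NV_READ_ITEM || cmd == IPC_RFS_NV_WRITE_ITEM;
}

enum rfs_verdict { RFS_ALLOW, RFS_DROP_MALFORMED, RFS_DROP_POLICY };

/* Checks one received frame. On a well-formed frame *cmd_out receives the
 * command id so the caller can log what was dropped. */
enum rfs_verdict rfs_filter_frame(const uint8_t *frame, size_t len,
                                  uint8_t *cmd_out)
{
    uint32_t declared;

    if (len < RFS_HDR_LEN)
        return RFS_DROP_MALFORMED;
    declared = (uint32_t)frame[0] | (uint32_t)frame[1] << 8 |
               (uint32_t)frame[2] << 16 | (uint32_t)frame[3] << 24;
    if (declared != len)          /* corrupt, or trying to confuse the parser */
        return RFS_DROP_MALFORMED;
    if (cmd_out)
        *cmd_out = frame[4];
    return rfs_cmd_allowed(frame[4]) ? RFS_ALLOW : RFS_DROP_POLICY;
}

/* Builds a frame in the assumed layout (used here only to construct test
 * input; the payload format of real requests is not modelled). Returns the
 * frame length, or 0 if it does not fit. */
size_t rfs_build_frame(uint8_t cmd, const uint8_t *payload, size_t payload_len,
                       uint8_t *out, size_t out_len)
{
    size_t total = RFS_HDR_LEN + payload_len;

    if (total > out_len)
        return 0;
    out[0] = total & 0xff;         out[1] = (total >> 8) & 0xff;
    out[2] = (total >> 16) & 0xff; out[3] = (total >> 24) & 0xff;
    out[4] = cmd;
    out[5] = 0;                    /* index: irrelevant to the policy */
    if (payload_len)
        memcpy(out + RFS_HDR_LEN, payload, payload_len);
    return total;
}

int main(void)
{
    /* Constructed frames: an NV read (legitimate) and an OPEN_FILE carrying
     * the traversal path from the sample above. */
    static const uint8_t path[] = "../../data/radio/test";
    uint8_t frame[64], cmd = 0;
    size_t len;

    len = rfs_build_frame(IPC_RFS_NV_READ_ITEM, NULL, 0, frame, sizeof frame);
    printf("%-18s -> %s\n", rfs_cmd_name(IPC_RFS_NV_READ_ITEM),
           rfs_filter_frame(frame, len, &cmd) == RFS_ALLOW ? "pass" : "drop");

    len = rfs_build_frame(IPC_RFS_OPEN_FILE, path, sizeof path, frame, sizeof frame);
    if (rfs_filter_frame(frame, len, &cmd) != RFS_ALLOW)
        printf("mif: dropping RFS %s (0x%02x), %zu bytes\n",
               rfs_cmd_name(cmd), cmd, len);
    return 0;
}
```

In a driver the same check would sit where the sample patch's @rx_iodev_skb@ already sees RFS frames, with the dropped frame's command id and length going to the kernel log in place of the @printf@. Default-deny is deliberate: a list of known-bad ids would silently pass any command the vendor adds later, whereas an allow-list of the two NV messages fails closed.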

h2. Notes

Our free software replacement for the incriminated binary is [[Samsung-RIL]], which relies on [[Libsamsung-ipc|libsamsung-ipc]]: both are used in Replicant.

The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems most likely have good modem isolation compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices to be inherently bad targets because of this back-door.