Samsung Galaxy Back-door¶

This page contains a technical description of the back-door found in Samsung Galaxy devices.
For a general description of the issue, please refer to the following statement:

This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.

Abstract¶

Samsung Galaxy devices running proprietary Android versions come with a back-door that gives remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem implements a class of requests, known as RFS, that allows the modem to perform remote I/O operations on the phone's storage.

Analysis¶

The following analysis was conducted using the libsec-ril.so binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location system/lib/libsec-ril.so.

*Disclaimer: *

Notes¶

Our free software replacement for the incriminated binary is Samsung-RIL which relies on libsamsung-ipc, used in Replicant.

The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems are most likely to have good modem isolation, compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant.

incriminated messages
disclaimer