SamsungGalaxyBackdoor » History » Version 6
Paul Kocialkowski, 01/29/2014 09:50 PM
| 1 | 1 | Paul Kocialkowski | h1. Samsung Galaxy Back-door |
|---|---|---|---|
| 2 | |||
| 3 | 3 | Paul Kocialkowski | This page contains a technical description of the back-door found in Samsung Galaxy devices. |
| 4 | For a general description of the issue, please refer to the following statement: |
||
| 5 | 1 | Paul Kocialkowski | |
| 6 | *This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.* |
||
| 7 | |||
| 8 | h2. Abstract |
||
| 9 | |||
| 10 | Samsung Galaxy devices running proprietary Android versions come with a back-door that gives remote access to the data stored on the device. |
||
| 11 | 4 | Paul Kocialkowski | In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. |
| 12 | 1 | Paul Kocialkowski | |
| 13 | 5 | Paul Kocialkowski | *Disclaimer: We are not security researchers and cannot establish the absolute certainty that the incriminated software actually contains the back-door we describe. However, everything apparently points in that direction and we believe the information at our disposal is relevant enough to constitute a solid-enough basis for us to issue a statement about this presumed back-door. If you have any indication that would prove our statement wrong, do not hesitate contacting us.* |
| 14 | |||
| 15 | 1 | Paul Kocialkowski | h2. Analysis |
| 16 | 2 | Paul Kocialkowski | |
| 17 | The following analysis was conducted using the @libsec-ril.so@ binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location @system/lib/libsec-ril.so@. |
||
| 18 | |||
| 19 | 1 | Paul Kocialkowski | *The developers involved in the present analysis did not ever agree to any sort of End User License Agreement that explicitly prohibited the reverse engineering and decompiling operations of the incriminated binary. The reverse engineering operations that lead to these findings originally took place during the development of [[Samsung-RIL]], the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.* |
| 20 | |||
| 21 | 6 | Paul Kocialkowski | As a first approach, using the @strings@ tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions: |
| 22 | <pre> |
||
| 23 | IPC_RFS_READ_FILE |
||
| 24 | IPC_RFS_WRITE_FILE |
||
| 25 | IPC_RFS_LSEEK_FILE |
||
| 26 | IPC_RFS_CLOSE_FILE |
||
| 27 | IPC_RFS_PUT_FILE |
||
| 28 | IPC_RFS_GET_FILE |
||
| 29 | IPC_RFS_RENAME_FILE |
||
| 30 | IPC_RFS_GET_FILE_INFO |
||
| 31 | IPC_RFS_UNLINK_FILE |
||
| 32 | IPC_RFS_MAKE_DIR |
||
| 33 | IPC_RFS_REMOVE_DIR |
||
| 34 | IPC_RFS_OPEN_DIR |
||
| 35 | IPC_RFS_READ_DIR |
||
| 36 | IPC_RFS_CLOSE_DIR |
||
| 37 | IPC_RFS_OPEN_FILE |
||
| 38 | IPC_RFS_FTRUNCATE_FILE |
||
| 39 | IPC_RFS_GET_HANDLE_INFO |
||
| 40 | IPC_RFS_CREATE_FILE |
||
| 41 | </pre> |
||
| 42 | 4 | Paul Kocialkowski | |
| 43 | 6 | Paul Kocialkowski | The names of these commands make it obvious that they let the modem perform I/O operations. |
| 44 | 1 | Paul Kocialkowski | |
| 45 | 6 | Paul Kocialkowski | The @strings@ utility also reveals matching function names that seem to implement the handling of these commands: |
| 46 | <pre> |
||
| 47 | RxRFS_GetFile |
||
| 48 | RxRFS_CreateFile |
||
| 49 | RxRFS_ReadDirectory |
||
| 50 | RxRFS_OpenDirectory |
||
| 51 | RxRFS_RenameFile |
||
| 52 | RxRFS_Default |
||
| 53 | RxRFS_OpenFile |
||
| 54 | RxRFS_ReadFile |
||
| 55 | RxRFS_FtruncateFile |
||
| 56 | RxRFS_WriteFile |
||
| 57 | RxRFS_GetFileInfoByHandle |
||
| 58 | RxRFS_GetFileInfo |
||
| 59 | RxRFS_PutFile |
||
| 60 | RxRFS_LseekFile |
||
| 61 | RxRFS_CloseFile |
||
| 62 | RxRFS_DeleteFile |
||
| 63 | RxRFS_MakeDirectory |
||
| 64 | RxRFS_CloseDirectory |
||
| 65 | RxRFS_RemoveDirectory |
||
| 66 | TxRFS_CfrmCreateFile |
||
| 67 | TxRFS_CfrmPutFile |
||
| 68 | TxRFS_CfrmOpenDirectory |
||
| 69 | TxRFS_CfrmGetFileInfo |
||
| 70 | TxRFS_CfrmReadDirectory |
||
| 71 | TxRFS_CfrmRenameFile |
||
| 72 | TxRFS_CfrmCloseFile |
||
| 73 | TxRFS_CfrmFtruncateFile |
||
| 74 | TxRFS_CfrmGetFileInfoByHandle |
||
| 75 | TxRFS_CfrmDeleteFile |
||
| 76 | TxRFS_CfrmCloseDirectory |
||
| 77 | TxRFS_CfrmRemoveDirectory |
||
| 78 | TxRFS_CfrmMakeDirectory |
||
| 79 | TxRFS_CfrmGetFile |
||
| 80 | TxRFS_CfrmReadFile |
||
| 81 | TxRFS_CfrmWriteFile |
||
| 82 | TxRFS_CfrmLseekFile |
||
| 83 | TxRFS_CfrmOpenFile |
||
| 84 | </pre> |
||
| 85 | 1 | Paul Kocialkowski | |
| 86 | |||
| 87 | |||
| 88 | 6 | Paul Kocialkowski | h2. Notes |
| 89 | 1 | Paul Kocialkowski | |
| 90 | 6 | Paul Kocialkowski | Our free software replacement for the incriminated binary is [[Samsung-RIL]] which relies on [[Libsamsung-ipc|libsamsung-ipc]] and it is used in Replicant. |
| 91 | 1 | Paul Kocialkowski | |
| 92 | 6 | Paul Kocialkowski | The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems are most likely to have good modem isolation, compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices as bad targets for Replicant because of this back-door. |