SamsungGalaxyBackdoor » History » Revision 9
« Previous |
Revision 9/25
(diff)
| Next »
Paul Kocialkowski, 02/04/2014 06:27 PM
Remove assembly extracts and bring more certainty to the statements
Samsung Galaxy Back-door¶
This page contains a technical description of the back-door found in Samsung Galaxy devices.
For a general description of the issue, please refer to the following statement:
This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.
Abstract¶
Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system.
Known affected devices¶
The following table shows which devices are known to contain this back-door as part of the software they ship with.
Please contact us if you know about some other device that could be concerned by this back-door or have more information on one of the listed devices!
Device | Incriminated program running as root | SELinux enabled | libsamsung-ipc support | Replicant support |
---|---|---|---|---|
Nexus S (I902x) | No | Possible with Android 4.2 and later | Yes | Yes |
Galaxy S (I9000) | Yes | ? | Yes | Yes |
Galaxy S 2 (I9100) | No | ? | Yes | Yes |
Galaxy Note (N7000) | No | ? | Yes | Yes |
Galaxy Tab 2 7.0 (P31xx) | No | ? | Yes | Yes |
Galaxy Tab 2 10.1 (P51xx) | No | ? | Yes | Yes |
Galaxy S 3 (I9300) | No | ? | Yes | Yes |
Galaxy Note 2 (N7100) | No | ? | Yes | Yes |
Analysis¶
The following analysis was conducted using the libsec-ril.so
binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location system/lib/libsec-ril.so
.
The developers involved in the present analysis did not ever agree to any sort of End User License Agreement that explicitly prohibited the reverse engineering and decompiling operations of the incriminated binary. The reverse engineering operations that led to these findings originally took place during the development of Samsung-RIL, the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.
As a first approach, using the strings
tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions:
IPC_RFS_READ_FILE IPC_RFS_WRITE_FILE IPC_RFS_LSEEK_FILE IPC_RFS_CLOSE_FILE IPC_RFS_PUT_FILE IPC_RFS_GET_FILE IPC_RFS_RENAME_FILE IPC_RFS_GET_FILE_INFO IPC_RFS_UNLINK_FILE IPC_RFS_MAKE_DIR IPC_RFS_REMOVE_DIR IPC_RFS_OPEN_DIR IPC_RFS_READ_DIR IPC_RFS_CLOSE_DIR IPC_RFS_OPEN_FILE IPC_RFS_FTRUNCATE_FILE IPC_RFS_GET_HANDLE_INFO IPC_RFS_CREATE_FILE
The names of these commands make it obvious that they let the modem perform I/O operations.
The strings
utility also reveals matching function names that seem to implement the handling of these commands:
RxRFS_GetFile RxRFS_CreateFile RxRFS_ReadDirectory RxRFS_OpenDirectory RxRFS_RenameFile RxRFS_Default RxRFS_OpenFile RxRFS_ReadFile RxRFS_FtruncateFile RxRFS_WriteFile RxRFS_GetFileInfoByHandle RxRFS_GetFileInfo RxRFS_PutFile RxRFS_LseekFile RxRFS_CloseFile RxRFS_DeleteFile RxRFS_MakeDirectory RxRFS_CloseDirectory RxRFS_RemoveDirectory TxRFS_CfrmCreateFile TxRFS_CfrmPutFile TxRFS_CfrmOpenDirectory TxRFS_CfrmGetFileInfo TxRFS_CfrmReadDirectory TxRFS_CfrmRenameFile TxRFS_CfrmCloseFile TxRFS_CfrmFtruncateFile TxRFS_CfrmGetFileInfoByHandle TxRFS_CfrmDeleteFile TxRFS_CfrmCloseDirectory TxRFS_CfrmRemoveDirectory TxRFS_CfrmMakeDirectory TxRFS_CfrmGetFile TxRFS_CfrmReadFile TxRFS_CfrmWriteFile TxRFS_CfrmLseekFile TxRFS_CfrmOpenFile
Taking a closer look at these functions, using the objdump
decompiler, reveals that they are actually called from the ipc_recv_rfs
function, itself called from process_ipc_notify_message
, which appears to handle the received messages from the modem. Hence we can deduct that the incriminated functions are actually called upon modem request.
Taking a closer look at one of these functions, e.g. RxRFS_ReadFile reveals multiple calls to the Procedure Linkage Table (PLT). Hence we believe these calls are linked functions from the libc library, especially I/O-related functions such as (in a general manner) open
, close
, read
, write
, etc.
Areas of work¶
A more decisive proof of these assumptions could be obtained by crafting a packet requesting I/O operations on the device's storage and looking at whether the incriminated binary proceeds or not.
Notes¶
Our free software replacement for the incriminated binary is Samsung-RIL which relies on libsamsung-ipc and it is used in Replicant.
The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems are most likely to have good modem isolation, compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices as bad targets for Replicant because of this back-door.
Updated by Paul Kocialkowski almost 11 years ago · 9 revisions locked