Blog/20140314 Galaxy back-door allows for over-the-air filesystem access

From Bjoern Hassler's website
Jump to: navigation, search

More from B's blog:

Some older entries are here.

Galaxy back-door allows for over-the-air filesystem access

Right, another Samsung S2 issue. Cory Doctow writes on BoingBoing:

Developers from the Replicant project (a free Android offshoot) have documented a serious software back-door in Samsung's Android phones, which "provides remote access to the data stored on the device." They believe it is "likely" that the backdoor could provide "over-the-air remote control" to "access the phone's file system."

At issue is Samsung's proprietary IPC protocol, used in its modems. This protocol implements a set of commands called "RFS commands." The Replicant team says that it can't find "any particular legitimacy nor relevant use-case" for adding these commands, but adds that "it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

The Replicant site includes proof-of-concept sourcecode for a program that will access the file-system over the modem. Replicant has created a replacement for the relevant Samsung software that does not allow for back-door access.


Oh, and Samsung has KNOX: Samsung KNOX is a holistic enterprise platform based on constant innovation in mobile security technology. (my emphasis). Apparently there is a KNOX market place too, which only features so-called KNOX-certified apps - which hosts apps passing a set of stringent security criteria set by Samsung.

  • App developer: Oh and we were thinking of having a back door in our app, so that we can retrieve customer data without consent.
  • Samsung KNOX: Ah go on then.

In the words of Alanis Morissette, isn't it ironic? (Except that really it isn't if you see what I mean ...)

Update (Bjoern 14:37, 16 March 2014 (UTC)): For balance, two more views:

2014-03-14 | Leave a comment | Back to blog Share on Twitter Share on Facebook