My understanding is that there's simply filesystem access for the modem, through some Samsung supplied kernel driver. Replicant implies Samsung may have another backdoor in the modem itself, allowing to remotely issue commands accessing the phone's filesystem. That is pure speculation and FUD.
"Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system."
Nothing substantiated there, just speculation.
Edit: This is not even interesting, and I'll explain why: normally, any component that has a kernel driver can already access all your data. The network interface in your PC can already do just the same - it has some proprietary firmware running on it, as well as a privileged OS driver that can see anything the system does; and it's connected to the internet.
Most likely, Samsung placed the driver there for providing a convenient storage area for the modem's firmware, in case it requires one (for logging, updating or whatever).
Actually, my interpretation (which admittedly is based off of limited knowledge of hardware, the Linux kernel, and operating systems in general) was that the baseband processor itself doesn't have a kernel driver, per se, because it's software doesn't run within the Linux kernel on the main CPU; rather it runs on the baseband processor, and presumably communicates with the kernel via some bus. It is my understanding that the alleged "backdoor" is based on the fact that the kernel allows the baseband processor to access the device's filesystem over this bus, via the libsamsung-ipc component. Please do correct me if I'm missing something here.
Now, if that's correct, then this is in fact significant, because the baseband processor would not otherwise have such access to the filesystem (since it's not, as I understand it, running in the kernel as a driver).
All that being said, the entire thing hinges upon what really goes on in the baseband processor? There are certainly legitimate engineering uses for such filesystem access (as pointed out elsewhere in these comments), so is there really a corresponding backdoor in the modem to allow an attacker full filesystem access on Galaxy devices?
You are not missing anything. However you have so much Samsung code running in privileged mode on these devices, that picking this issue out and calling it a "backdoor" (implying malice) is an especially nasty PR tactic. This leads to classifying legitimate engineering decisions as something of an evil nature.
I would have to agree with you somewhat. Perhaps this is just FUD.
However, I will say that a lot of the FSF's/GNU project's platform is based on the idea that, with unchecked closed-source code running on a device, such backdoors are possible. (Call it FUD if you like.) Fifteen years ago in the days of Windows '98, that might have seemed ridiculous or improbable, but I believe that in the present climate their concerns have become more relevant than ever. In that sense I think that this Replicant project is really interesting, and I'll probably be paying attention to it in the future.
That being said, they surely aren't making any friends at Samsung by doing this, which could hurt them in the long run (compare to the relatively fruitful, although sometimes tumultuous, relationship between Cyanogen Mod and Google).
Also, the elephant in the room here is still the unchecked software running on the baseband processor, no matter which way you look at it.
>> Now, if that's correct, then this is in fact significant, because the baseband processor would not otherwise have such access to the filesystem (since it's not, as I understand it, running in the kernel as a driver).
You'd think so... The baseband processor is actually integrated on the die of current gen SoCs from Qualcomm and plenty of the teardowns I've seen for high end phones use them. I haven't used these chips but everything I've read leads me to believe that there is a lot more integration between the radio and processor (that's the point)... and as a result, a larger attack surface.
Some further research I did since this thread started has shown that in some phones, even the microphone and camera are under the direct control of the baseband processor. In others, it's not. But in most phones, the CPU and BB share memory, which opens the door for the BB to do all sorts of nasty things to the OS on the CPU.
You don't have to suspect a deliberate back-door in the "modem" software to be worried about this; you just need to think that it might have an exploitable bug. And odds are very good that it does. See, for example, the following:
I've spoken to a Qualcomm engineer about this article. He responded by telling me, in fact, he was one of the engineers that dealt with the issues that highlighted after it was published. He asserted all of those remote-execution holes were addressed, and the article has been a constant pain since because it was never updated to reflect that.
I'm not a close friend of his, but I've met him on multiple occasions and felt confident he was telling the truth.
I've worked with Qualcomm chips before and I guarantee you that it was only due to the public response that they fixed those holes. Qualcomm has an institutional problem that makes it nearly impossible for them to make secure silicon and any fixes they apply now are just damage control.
No doubt this thing is full of holes, but the fact the modem can directly access the RFS barely registers as an elevated security threat. There's so much an attacker can normally do when they control the modem (MITM, exploiting system services, etc).
You are clueless on how the modem works on Android phones. On all nexus, which I'm familiar, modem firmware runs with more ring priority/privileges than the OS.
Have https keys in memory? Now so does the modem firmware if it wishes.
A modem can't MITM https without the key. And all http traffic can be MITM'd anyway. So having control of the modem doesn't get you anything that you wouldn't otherwise be able to get by vacuuming up the traffic further upstream.
How do you MITM someone specific that may be thousands of miles from you? Much easier when you have access to their modem.
Exploiting system services - you can attack any kind of non encrypted traffic flowing through the modem. Such as unsecured applications running with broad permissions. Or you can inject data into kernel services that communicate directly with the modem.
I don't know if on these phones the modem presents itself as a simple serial device, or if it has its own kernel driver (/dev/modem). If it does have its own kernel driver running in the phone, then this driver becomes an easy target for attack, granting full system access.
The modems in question here don't have direct access to system ram or flash, which is why Samsung is using an RPC mechanism to the application processor to store data on behalf of the modem (which quite possibly has no local flash at all -- designs do vary). Typically these are supposed to restrict the modem's storage to its little sandbox -- sounds like this one fails to do so (and runs as root which should not be necessary to provide the service).
This is merely a helper, but not necessarily to circumvent "sandboxing". Probably the honest firmware update routines use this route to make code smaller.
That's the key. There is no news here because every phone running every OS is back-doored[1]. Completely, totally back-doored. This includes every single phone "replicant" has ever been installed on.
There is a computer in your phone, that you cannot access, running a closed source, proprietary OS that your carrier controls, that has (in many cases) DMA access to your "actual" phone.
Your carrier has total control over that computer in your pocket.
Game Over.
[1] With the very tiny exceptions of calypso-based motorola phones running osmocom and possibly the neo freerunner phones ... but I could be wrong about those...
apologetic much? Its funny that you mentioned updating, its in fact the case that any network operator (or potentially anyone who can afford the equipment and has the knowledge/keys for it) can upgrade the firmware of the baseband processor remotely (OTA). So you don't even have to exploit a vulnerability or use a backdoor (that people can STILL deny their existence as conspiracy theory is hilarious).
And whats the difference to other entry points in the android operating system itself, a apologist may ask? First of all you have control over this portion of the device, you can read and audit the source code and employ selinux to harden the OS. The baseband processor on the other hand does a _LOT_ of complex parsing of huge binary protocols, exactly the point where you would want to have open source auditable software, the opposite is the case: The baseband firmware is largely a black box, nobody (not even the manufacturer of your phone) has access to the source code and can independently audit the security and remove backdoors placed there by the manufacturer hinthint.
"normally, any component that has a kernel driver can already access all your data" bullshit.
The FSF stance is equally opposed to the proprietary network interface in your PC, so I don't see why that diminishes anything. They propose people ideally use PC's with completely Free/Libre drivers for everything and BIOS even, for these reasons, among others.
Taking a closer look at these functions, using the objdump decompiler, reveals that they are actually called from the ipc_recv_rfs function, itself called from process_ipc_notify_message, which appears to handle the received messages from the modem. Hence we can deduct that the incriminated functions are actually called upon modem request.
This could just as well be a result of the modem's normal runtime (e.g. logging). No one has proven this interface is deliberately accessible over the air.
I think your onus of proof is backwards. We shouldn't need to prove that this interface is accessible over the air. They need to prove to us that it's not. It's not easy to prove it's accessible over the air. But it's easy for them to prove that it's not. They hold all the cards, after all.
Any thoughts on whether or not this is part of the OTA update infrastructure? Seems like having the modem be able to put data into the file system at a particular place that the boot loader/flasher knows to look for would be a typical sort of "install firmware when the firmware is broken" kind of thing.
Wouldn't that assume the Linux userland was up and running when the bootloader wanted to update itself after rebooting? I don't believe that is the case.
In modern qualcomm devices the primary boot loader (PBL) can usually only boot from it's own area of the eMMC (embedded SD card essentially, but based on MMC 4.0 not SD 2.0), possibly from a connected microSD card, and from an authenticated (and probably signed) download over USB or serial. This is controlled by one time use fuses (called Qfuses or Efuses).
The PBL loads and authenticates the secondary bootloader, SBL/QCSBL which runs a more advanced version of the download protocol and normally will launch the userland bootloader. (I'm not sure where the modem software is started here. The SBL may very well support the same or similar RFS IPCs from filesystem access to the eMMC, though I don't know of any RE that indicates that.
Of course, a compromised firmware could also reprogram pins and bitbang the eMMC, or just use it's own MMC interface as the bootloader can, rendering much of this moot.
I'm sure saurik or comex could add a lot more to this discussion.
Typically these services are intended to allow the modem to access factor calibration data, possibly page firmware in, or to store nonvolatile information it needs longer term. They should be restricted to just storing data on behalf of the modem and not providing broader filesystem access (that's at the very least (assuming incompetence rather than malice) a bug).
This is certainly possible (also possible for the modem to leave instructions for the phone to perform a remote wipe, for example).
The other way around is also imaginable - where the modem temporarily stores new firmware on the RFS upon reception, before updating itself, to reduce its own (likely expensive NOR-based) flash memory requirements.
"Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device. In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system."
Nothing substantiated there, just speculation.
Edit: This is not even interesting, and I'll explain why: normally, any component that has a kernel driver can already access all your data. The network interface in your PC can already do just the same - it has some proprietary firmware running on it, as well as a privileged OS driver that can see anything the system does; and it's connected to the internet.
Most likely, Samsung placed the driver there for providing a convenient storage area for the modem's firmware, in case it requires one (for logging, updating or whatever).