The developers behind Replicant, a free and open source Android distribution (aka custom ROM/firmware) that attempts to replace proprietary Android components with free alternatives, claim to have discovered and closed a backdoor in the software found on Samsung devices, including the Nexus S, Galaxy S, S2, and S3, and Galaxy Tab 2 10.1. According to the Replicant devs, the proprietary program that runs on the devices’ processor and handles communication with the modem implements a backdoor that lets the modem read, write, and modify files on the device’s storage. If the modem, which also runs a proprietary program, is controlled remotely, it would be possible for someone to modify file storage contents without physical access to the device.
The backdoor was apparently discovered a few weeks ago, but is only now getting some attention from the media. The Free Software Foundation, where Replicant developers published their findings, makes the case that Samsung should release its proprietary software as free software without the backdoor, so that “Replicant doesn’t have to continue defusing the traps they have apparently left for their users,” and that Samsung Galaxy owners should appeal to Samsung publicly for an explanation of why this exists.
Now, if I may be allowed to speculate, I really think this isn’t as big an issue as Replicant is making it out to be, since only Samsung has full access to the modem on its devices as it runs proprietary firmware code. It looks like a ploy on Replicant’s part to make Samsung publish the code for its modem/processor software – getting the modem on Samsung devices to work through free and open source alternatives on custom ROMs has been a major hurdle for developers in the past, so making a case about a security flaw on the modem’s software certainly reeks of a way to get Samsung to make things easier for the developers in the Replicant team.
Of course, I may be wrong, and I hope that Samsung makes the necessary changes if the security flaw is a serious one and puts user data at risk. We’ve reached out to Samsung for a statement, and we’ll be sure to update this post as and when we get one.
Update: Like we said, it seems the backdoor isn’t really something that is as bad as some would make it out to be. A security expert has confirmed to XDA that the proof-of-concept attack scenario was a bit misleading, and that it would require a modified firmware with security features disabled to exploit the modem into accessing data. Furthermore, the Replicant team itself states that Android’s kernel security module would restrict the potential files the modem can access. According to an XDA forum member, there is no evidence that the modem is controlled remotely, and the backdoor is possibly just a medium through which the modem software can write radio diagnostic files to the efs/root directory, where the radio/modem files are saved.
In short, this is one “security flaw” that you shouldn’t be worried about, and like we surmised, it looks more like a scheme to try and get Samsung to open source its modem files.