>1) There is virtually no evidence for the ability to remotely execute this functionality. The write-up states, "As the modem is running proprietary software, it is likely that it offers over-the-air remote control that could then be used to issue the incriminated RFS messages and access the phone's file system."
summary: there's no evidence of how it can be used, because it's all closed source.
>2) The amount of data that can be read or written to by this functionality is very limited. On all affected models except the original Galaxy S, which was released 4 years ago, the affected radio software is running under the "radio" user. As a result, this can only be used to access data specifically related to radio functionality, plus information stored on the SD card (because this is also readable by every application on the phone).
summary: it can read and write to all that the radio user is allowed to access, and your entire SD card.
>3) The specifics of the vulnerability suggest that it was poorly programmed legitimate functionality rather than a secret backdoor. The authors had to leverage a directory traversal flaw in the handling of modem commands in order to cause the radio software to write outside of the /efs/root directory, which contains radio-related files. This suggests that the intended purpose of this functionality was rather mundane and not at all malicious, and that it was simply poorly implemented.
summary: the backdoor was poorly written, and allowed complete access when combined with a known exploit.
I think the "Nope" refers to headline, which is not supported by facts.
If there's no evidence that it was intentional then you can't call it a backdoor. Otherwise every security flaw (or potential security flaw) is a backdoor.
from http://www.reddit.com/r/netsec/comments/209h4d/samsung_galax... :
This is not a backdoor. It's a feature, and a reasonably common one for Qualcomm based devices.
It's an interface to allow the modem access to a persistent data store (ie. eMMC modem partitions) even though only the application processor may access the MMC controller.
Have a look at the rmt_storage client documentation found in a Qualcomm kernel tree. It used to be pretty common to ship a rmt_storage daemon to do the very same thing Samsung is being accused of here (hint: Nexus 5 still uses it), I don't know about other recent devices, but I'd imagine they'd employ something similar.
Also, there are many more ways for the baseband to compromise the application processor, without an explicit interface.
> This is not a backdoor. It's a feature, and a reasonably common one for Qualcomm based devices
Are these really mutually exclusive? I don't doubt that qualcomm had good reasons to add this interface, but clearly it can be used as a backdoor, and since the user is not made aware of it, I'd say this meets all the qualifications of a backdoor.
They could have easily designed this in a way that allowed the baseband processor to only write to a designated area instead of giving it full access.
You are right that that the baseband in phones usually has many other ways to directly access sensitive data from the main processor (DMA is the obvious one). But this differs from phone to phone, depending on the hardware design. There are phones where the baseband talks to the main processor through a serial interface with no access to DMA.
"Bug" implies a mistake/oversight where the additional functionality was known to noone, and then discovered. This functionality was deliberately created, thus it's a "backdoor".
Based on what seemingly passes for "accepted practice" in the mobile world (download QPST for tons of fun!), the only sane way to have a trustable mobile device is with a separate cell-modem and a well-defined interface.
I mean, maybe I'm confused, but this sounds like they closed one method (among others) that could potentially be used to create a backdoor by, I guess, a carrier or OEM.
There's no evidence that anyone's phone was open to remote exploit at any time.
18 comments
[ 3.4 ms ] story [ 29.6 ms ] threadsummary: there's no evidence of how it can be used, because it's all closed source.
>2) The amount of data that can be read or written to by this functionality is very limited. On all affected models except the original Galaxy S, which was released 4 years ago, the affected radio software is running under the "radio" user. As a result, this can only be used to access data specifically related to radio functionality, plus information stored on the SD card (because this is also readable by every application on the phone).
summary: it can read and write to all that the radio user is allowed to access, and your entire SD card.
>3) The specifics of the vulnerability suggest that it was poorly programmed legitimate functionality rather than a secret backdoor. The authors had to leverage a directory traversal flaw in the handling of modem commands in order to cause the radio software to write outside of the /efs/root directory, which contains radio-related files. This suggests that the intended purpose of this functionality was rather mundane and not at all malicious, and that it was simply poorly implemented.
summary: the backdoor was poorly written, and allowed complete access when combined with a known exploit.
Nope?
If there's no evidence that it was intentional then you can't call it a backdoor. Otherwise every security flaw (or potential security flaw) is a backdoor.
See http://arstechnica.com/security/2014/03/virtually-no-evidenc...
If it's on my phone, it's definitely only a backdoor.
Are these really mutually exclusive? I don't doubt that qualcomm had good reasons to add this interface, but clearly it can be used as a backdoor, and since the user is not made aware of it, I'd say this meets all the qualifications of a backdoor.
They could have easily designed this in a way that allowed the baseband processor to only write to a designated area instead of giving it full access.
You are right that that the baseband in phones usually has many other ways to directly access sensitive data from the main processor (DMA is the obvious one). But this differs from phone to phone, depending on the hardware design. There are phones where the baseband talks to the main processor through a serial interface with no access to DMA.
Based on what seemingly passes for "accepted practice" in the mobile world (download QPST for tons of fun!), the only sane way to have a trustable mobile device is with a separate cell-modem and a well-defined interface.
There's no evidence that anyone's phone was open to remote exploit at any time.