Developers working on Replicant, an open-source OS based on Android, claim to find a flaw that provides access “to read, write, and delete files” stored on some Samsung devices.
March 13, 2014 6:04 AM PDT
The Samsung Galaxy Tab 2 10.1 — one of the allegedly affected devices.
(Credit: Josh Miller/CNET)
Samsung’s Galaxy devices might have a built-in security flaw that could allow for “remote access to data,” a developer claims.
The folks behind Replicant, a free and open-source OS that aims to replace proprietary Android components with free alternatives, claim to have discovered a flaw in certain Samsung devices that allows for access “to read, write, and delete files on the phone’s storage.” In addition, the developers said that the flaw has “sufficient rights to access and modify the user’s personal data.”
In a blog post detailing the issue on Wednesday, Replicant developer Paul Kocialkowski said the trouble resides in the use of two processors in mobile devices.
The applications processor runs the main operating system, while another, baseband processor, is used to handle communications to and from the device.
The issue with the baseband processor in Samsung’s devices, Replicant argued, is that it’s using a proprietary Samsung software to handle all the communication — and that software allows for a backdoor to user data.
“Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone’s data, even in the case where the modem is isolated and cannot access the storage directly,” Kocialkowski wrote.
Although Replicant said that the software could potentially access user data, it appears that it’s doing nothing wrong. In fact, the company wrote that there are some features in the software that are “legitimate.”
According to Replicant, the Nexus S, Galaxy S, S2, and S3, and Galaxy Tab 2 10.1, among other Samsung devices, are affected by the issue. It’s worth noting that Replicant’s announcement might also be somewhat self-serving: the company said in a blog post that its free alternative would mitigate the issue.
CNET has contacted Samsung for comment on the report. We will update this story when we have more information.