Is the data on your smartphone secure: your bank records, your emails, your chat history? Normally, we take steps to protect this info, like putting passwords on our handsets and being diligent about avoiding malware, but is that always enough? Not if the security hole exposing your data is deeply ingrained in the system software itself. This week, devs are sounding the alarm over what’s being described as a backdoor in certain Samsung devices (Galaxy-series models as well as the Nexus S and Galaxy Nexus) that could potentially allow your carrier (or someone impersonating a carrier) to access your phone’s file system without your knowledge.
We’ve talked before at some length about the security issues raised by the baseband processor on your phone, the special-purpose chip that handles cellular communication. Problem is, the code running on that chip is largely inaccessible to us users, and with free rein over system hardware, it has the potential to cause a lot of harm if misused. Sometimes steps are taken to limit the baseband’s access to the rest of the system, but Samsung appears to have gone in the opposite direction, crafting Android software that seems to deliberately give the baseband a backdoor into your phone’s file system.
The code in question handles communications between Android and the baseband processor, and includes a full set of commands for opening, closing, reading, and writing local files.
So, is this freak-out time? Throw your Samsung phone in a lead-shielded box? Maybe not just yet. For one, this report only mentions the software on relatively older Samsung models – the most recent flagships affected appear to be the GS3 and Note 2. Maybe more importantly, it’s worth noting that while Samsung is being singled out here, the baseband processors in many other phones are just as able to access phone storage, and without the help of Android-side code like Samsung is using here; while Samsung’s taking the heat this time, it’s far from the only OEM in this boat.