On Wednesday, developers of Replicant, a free-software alternative to Google's Android mobile operating system, published a startling claim: Samsung's Galaxy S3, Note 2, and seven other Galaxy smartphone models contained a backdoor that provides remote access to virtually all data stored on the devices. The code in question is the proprietary program that handles communication between each phone's application processor and its baseband (modem) processor; according to the claim, it lets the modem read and write files on the phone's storage, and so would let anyone able to control the modem over the air do the same.

"Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone's data, even in the case where the modem is isolated and cannot access the storage directly," Paul Kocialkowski, one of the Free Software Foundation (FSF) developers who reported the finding, wrote in a separate post. "This is yet another example of what unacceptable behavior proprietary software permits!" Going on to plug the Android replacement known as Replicant, he continued: "Our free replacement for that non-free program does not implement this backdoor. If the modem asks to read or write files, Replicant does not cooperate with it."

To get a second opinion, Ars turned to Dan Rosenberg, a senior security researcher at Azimuth Security, who specializes in the reverse engineering of Unix and embedded devices. While he expanded the list of affected phones to include Samsung's more recent S4 and Note 3 models, he largely dispelled the claims that the software provided a backdoor that could be used to compromise users' privacy or security. What follows is an e-mail interview conducted early Thursday.

Ars: What's your overall take?

Rosenberg: I think calling this a "backdoor" is a bit far-fetched, much less one that can allow parties to remotely access data from your phone. This claim can be debunked with three crucial facts:

1. There is virtually no evidence for the ability to remotely execute this functionality. The write-up states, "As the modem is running proprietary software, it is likely that it offers over-the-air remote control that could then be used to issue the incriminated RFS messages and access the phone's file system." (When people are referring to "RFS commands" in the context of this issue, they're talking about the proprietary protocol Samsung implemented to allow the baseband to communicate with the application processor (AP) and vice versa—in particular the commands that allow reading and writing files on the AP.) However, the authors provide no evidence of such a "remote control" mechanism. The FSF has a known agenda against proprietary software, and I think that agenda resulted in them creating a narrative that would cause perhaps more outrage than is warranted.

2. The amount of data that can be read or written to by this functionality is very limited. On all affected models except the original Galaxy S, which was released four years ago, the affected radio software is running under the "radio" user. As a result, this can only be used to access data specifically related to radio functionality, plus information stored on the SD card (because this is also readable by every application on the phone).

3. The specifics of the vulnerability suggest that it was poorly programmed legitimate functionality rather than a secret backdoor. The authors had to leverage a directory traversal flaw in the handling of modem commands in order to cause the radio software to write outside of the /efs/root directory, which contains radio-related files. This suggests that the intended purpose of this functionality was rather mundane and not at all malicious, and that it was simply poorly implemented.
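The directory traversal Rosenberg describes in point 3 is the part of this story a developer can act on. The C program below is added here as an illustration; it is not code from Samsung, Replicant, or the interview. It shows a hypothetical path builder for modem-supplied file names written first the naive way (the name is appended to the radio directory and trusted) and then with the component-by-component checks that stop a name containing ".." from escaping that directory. Only the directory name /efs/root comes from the interview; the function names, the sample file names and the buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Directory the modem is allowed to write into (name taken from the
 * interview). Everything else in this file is an added illustration,
 * not Samsung's or Replicant's code. */
#define RADIO_DIR "/efs/root"

/* Naive join: trusts the modem-supplied name and appends it to RADIO_DIR,
 * so "../../data/evil" escapes the directory. 0 on success, -1 on truncation. */
int rfs_build_path_naive(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", RADIO_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened join: validates the untrusted name one component at a time before
 * joining. Rejects NULL/empty names, absolute names, empty components
 * ("a//b", trailing slash) and "." or ".." components, so the result cannot
 * leave RADIO_DIR. 0 on success, -1 on rejection or truncation. */
int rfs_build_path_checked(const char *name, char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return -1;
    for (const char *p = name; ; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)
            return -1;                              /* "a//b" or "a/" */
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return -1;                              /* "." or ".." */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return rfs_build_path_naive(name, out, outlen);  /* name is now safe */
}

/* Lexical normalization of an absolute path (resolves "." and "..", drops
 * repeated slashes) without touching the file system. Used only to show
 * where a naive join would actually land. 0 on success, -1 on error. */
int lexical_normalize(const char *path, char *out, size_t outlen)
{
    if (path == NULL || path[0] != '/' || outlen < 2)
        return -1;
    size_t o = 0;
    out[o++] = '/';
    for (const char *p = path + 1; ; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            while (o > 1 && out[o - 1] != '/') o--;  /* pop last component */
            if (o > 1) o--;                          /* and its leading '/' */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (o > 1) {
                if (o + 1 >= outlen) return -1;
                out[o++] = '/';
            }
            if (o + len >= outlen) return -1;
            memcpy(out + o, p, len);
            o += len;
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    out[o] = '\0';
    return 0;
}

/* Where a naive join of `name` lands after normalization; NULL on error. */
const char *naive_target(const char *name)
{
    static char joined[256], normalized[256];
    if (rfs_build_path_naive(name, joined, sizeof joined) != 0)
        return NULL;
    if (lexical_normalize(joined, normalized, sizeof normalized) != 0)
        return NULL;
    return normalized;
}

/* 1 if the hardened builder accepts `name`, 0 if it rejects it. */
int checked_accepts(const char *name)
{
    char out[256];
    return rfs_build_path_checked(name, out, sizeof out) == 0;
}

int main(void)
{
    /* Constructed sample names: a plausible diagnostic file and two escapes. */
    const char *names[] = { "diag.log", "../../data/evil", "/data/evil" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *t = naive_target(names[i]);
        printf("%-18s naive -> %-22s checked -> %s\n", names[i],
               t ? t : "(error)",
               checked_accepts(names[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The normalizer is there to make the failure concrete: the naive join of "../../data/evil" resolves to /data/evil, well outside the radio directory, while the checked builder refuses the name before anything is opened. Lexical checks do not defend against a symlink inside the directory that points elsewhere; closing that hole needs a check on the opened file itself (for example open with O_NOFOLLOW followed by fstat), which this illustration leaves out.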

What is the total list of models that are affected?

The only models that I'm aware are affected are those mentioned in the writeup, plus the Galaxy Note 3 and Galaxy S4.

Do phones made by other manufacturers have the same type of backdoor design and/or behavior reported here?

In a cursory glance I made on phones by a few other vendors, this type of functionality was not present, but since I haven't done an in-depth evaluation, it's definitely not out of the question.

How worrisome is the design and behavior reported by these developers? Is there any legitimate reason for this backdoor to exist?

The legitimate reason appears to be to allow the modem to write diagnostic files to Android storage in order to assist with identifying and fixing problems with the modem.

Is it widely agreed that a phone's modem should never be able to access storage?

This is a security boundary that hasn't really been formally defined in many cases. In general, best practices would dictate that neither the application processor nor the baseband should be able to negatively influence each other or access sensitive information from the other, but I wouldn't be surprised if there are other ways the baseband can mess with the AP.

Who might be able to exploit the backdoor?

If a carrier, OEM, or attacker had the ability to execute arbitrary code on an affected device's baseband processor (a big "if"), that party could then leverage this flaw to read and write the aforementioned mostly non-sensitive files on the phone's storage.