Earlier today, there was a claim from the makers of the Replicant Android ROM that Samsung devices have a "backdoor" in the software which would allow a remote user to access the data stored on the device. When we saw the story, we assumed that Samsung would come out relatively quickly to argue the point, but actually it is a security researcher coming to defend Samsung.
Dan Rosenberg, a senior security researcher at Azimuth Security, admits that Samsung devices do have a flaw, and he said it could be found in the Galaxy S4 and Note 3, not just the Galaxy S III and Note II mentioned by Replicant. But, Rosenberg told Ars Technica that calling the issue a "'backdoor' is a bit far-fetched". He went on to explain "three crucial facts" that debunk the claims.
First, "there is virtually no evidence for the ability to remotely execute this functionality." Rosenberg notes that the Replicant team says that it is "likely" there is a remote control mechanism, but gives no evidence to support that claim. Second, even if such functionality does exist, read/write capability would be limited to the radio and the SD card, not the whole system. Last, "the specifics of the vulnerability suggest that it was poorly programmed legitimate functionality rather than a secret backdoor."
All this to say that there was never malicious intent, just bad coding, and it is unlikely that the vulnerability poses as serious a threat as Replicant made it out to be.