The Google Project Zero (GPZ) team recently issued a warning to Samsung that its ability to modify kernel code in the Galaxy family phone would expose more security BUGS. Jann Horn, a GPZ researcher, said that by adding downstream custom drivers, several smartphone makers, represented by Samsung, would create more vulnerabilities for direct hardware access to Android’s Linux kernel, resulting in the failure of multiple security features that exist in the Linux kernel.
Horn says the problem was found in the Android kernel of the Samsung Galaxy A50. But he says this is common among Android phone makers. That is, these vendors add downstream code to Linux Kernel that is not audited by upstream kernel developers, adding security errors related to memory corruption.
Even if these downstream customizations are designed to increase the security of the device, they introduce security errors. Google reported the vulnerability to Samsung in November 2019 and later fixed it in an update to the Galaxy family in February.
This error affects Samsung’s PROCA (Process Authenticator) security subsystem. Samsung describes the vulnerability SVE-2019-16132 as a medium problem on its security website. It allows “any code to be executed” on some Galaxy smartphones running Android 9 and Android 10 operating systems.
“Android reduces the security impact of such code by locking up processes that can access device drivers, usually vendor-specific,” Explains Horn. “An example is the newer Android phones that access hardware through dedicated helpers, collectively known in Android as the Hardware Abstraction Layer (HAL).
But Horn says phone makers undermine efforts to “lock the attack surface” by modifying the way the core parts of Linux Kernel work. Horn recommends that smartphone manufacturers use direct hardware access that already exists in Linux instead of changing the kernel code. FOR EXAMPLE, PROCA IS DESIGNED TO PREVENT AN ATTACKER WHO HAS BEEN GRANTED READ AND WRITE ACCESS TO THE KERNEL, BUT SAMSUNG SPENDS ENGINEERING TIME PREVENTING AN ATTACKER FROM GAINING THAT ACCESS FIRST.