Security Experts:

Samsung to Patch Vulnerable Exynos-powered Devices

Earlier this week, SecurityWeek reported on the discovery of a new vulnerability in Exynos 4-powered devices from Samsung, including the Samsung Galaxy S2 and Galaxy S3 smartphones. The discovery came from developers on the XDA forums, who urged a patch as soon as possible. Samsung said recently that they plant to deliver on those requests.

“The flaw is a 'Privilege Escalation' vulnerability that exists in the drivers used by the camera and multimedia devices,” Ohad Bobrov, CTO and co-founder of Lacoon Security told SecurityWeek via email on Monday, after our initial story went to press.

“By exploiting this vulnerability, the attacker can bypass the [device’s] permission model and ultimately access various files and sensitive information..."

According to the developer notes, the issue has been confirmed “on any Exynos4-based device” including the Samsung Galaxy S2 (GT-I9100) and Galaxy S3 (GT-I9300 & LTE GT-I9305), the Galaxy Note (GT-N7000), Galaxy Note 2 (GT-N7100), Verizon’s Galaxy Note 2 (SCH-I605) with locked bootloaders, the Galaxy Note 10.1 GT-N8000, and the Galaxy Note 10.1 GT-N8010.

“The good news is we can easily obtain root on these devices and the bad is there is no control over it,” the developer who discovered the flaw explained.

Unfortunately, he added, the downside also means that attackers can download data from the system’s RAM, “kernel code injection and [other types of code injection] could be possible via app installation from Play Store.”

Another developer chimed in on the security risks and noted that any application “can use [the vulnerability] to gain root without asking and without any permissions on a vulnerable device...” adding that a fix was needed ASAP.

In a statement sent to the media, Samsung has acknowledged the issue and promises a fix.

“Samsung is aware of the potential security issue related to the Exynos processor and plans to provide a software update to address it as quickly as possible,” the company said.

“The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications. Samsung will continue to closely monitor the situation until the software fix has been made available to all affected mobile devices.”

The problem however, will then fall to the carriers once the update is delivered. Over the air (OTA) updates are the responsibility of the mobile operator, and they are notoriously slow on delivering them.

In the meantime, Samsung recommends that users avoid downloading from third-party app stores, and stick to stock device settings (i.e. don’t root them).

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.