
Mobile & Wireless

‘Find My Mobile’ Vulnerabilities Exposed Samsung Galaxy Phones to Attacks

A series of vulnerabilities affecting Samsung’s Find My Mobile could have been chained to perform various types of activities on a compromised smartphone, a researcher from Portugal-based cybersecurity services provider Char49 revealed at the DEF CON conference on Friday.


Find My Mobile is designed to help users find lost Samsung phones. It can also be used to remotely lock a device, block access to Samsung Pay, and completely wipe the phone if it “falls into the wrong hands.”

[Image: Samsung Find My Mobile Vulnerabilities]

According to Char49, there were a total of four vulnerabilities in Find My Mobile components and they could have been exploited by a malicious app installed on the targeted device.

Pedro Umbelino, the Char49 researcher who found the flaws, told SecurityWeek that the malicious app would only require access to the device’s SD card in order to exploit the first vulnerability in the chain and create a file that allows the attacker to intercept communications with backend servers.

Successful exploitation of the vulnerabilities would have allowed a malicious app to perform any action that the Find My Mobile app could perform, including forcing a factory reset, wiping data, tracking the device’s location in real time, retrieving phone calls and messages, and locking and unlocking the phone.

The exploit was successfully reproduced on Samsung Galaxy S7, S8 and S9+ devices before the vendor released a patch.

Char49 told SecurityWeek that the vulnerabilities were found more than a year ago, but Samsung only patched them in late October 2019, and the security company wanted to wait for 9 months before making details public.

“This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (sdcard included), serious privacy implication via IMEI and location tracking as well as call and SMS log access,” the company explained in a technical report describing each of the vulnerabilities.

It added, “The [Find My Mobile] application should not have arbitrary components publicly available and in an exported state. If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated.”


Related: Samsung Clarifies Impact of “Find My Mobile” Vulnerability

Related: Samsung Unveils New Security Chip for Mobile Devices

Related: Samsung Patches Critical 0-Click Vulnerability in Smartphones

Related: Hackers Access Sprint Accounts via Samsung Website

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
