SecurityWeek


Samsung Clarifies Impact of “Find My Mobile” Vulnerability

In response to recent reports that its “Find My Mobile” service is plagued by a vulnerability that can be leveraged to lock and unlock devices, Samsung has published a statement explaining the conditions that need to be met in order for the exploit to work.

The existence of a vulnerability in Find My Mobile (CVE-2014-8346) came to light in late October when the National Institute of Standards and Technology (NIST) published a security advisory.

Samsung’s Find My Mobile is a service that allows smartphone and tablet owners to locate their devices, lock them, or perform other tasks remotely in case of loss or theft. The service is available for Samsung smartphones and tablets running Android 2.3.3 Gingerbread or later versions of the operating system.

“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” NIST said.

Two proof-of-concept videos created by Egyptian security researcher Mohamed A. Baset show that the Find My Mobile service is plagued by a cross-site request forgery (CSRF) vulnerability that can be remotely exploited to lock and unlock Samsung devices, and make them ring.

Samsung has clarified that the vulnerability was fixed through an update on October 13, more than 10 days before NIST published its advisory. The company has also pointed out that no user information has been compromised, and that attackers could not access any data on the phone or the server even before the update was rolled out.

“The unlikely situation where the attacker could lock/unlock user’s device and make the device ring (but not access any data), would have been if the user fell under all four of the following conditions: 1) The attacker occupies a way to send a link containing malicious code; 2) The Find My Mobile user sets up Find My Mobile Remote control ‘ON’ at his/her device; 3) The user enters up his/her ID and password and logs on Find My Mobile website; 4) The user clicks the link in email/instant message/SMS sent by attackers,” Samsung said.
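The NIST description (a remote-control endpoint that does not validate the source of lock-code data) and Samsung's four conditions together describe a classic CSRF pattern: the victim is logged in, so the browser attaches the session cookie to any request a third-party page causes it to send, and the server treats that cookie as sufficient proof that the user intended the action. The following toy backend is an added illustration, not Samsung's Find My Mobile code; the service origin, endpoint names and the `Request` model are assumptions. It places a handler that trusts the session cookie alone beside one that also checks the `Origin` header and a per-session synchronizer token, and shows how a constructed cross-site lock request fares against each.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical origin for the remote-control web service (an assumption, not Samsung's).
SERVICE_ORIGIN = "https://findmymobile.example"


@dataclass
class Request:
    """Minimal model of an HTTP request as the service sees it."""
    method: str
    origin: Optional[str]                      # Origin header; browsers send it on cross-site POSTs
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    locked: bool = False
    lock_code: Optional[str] = None


class RemoteControlService:
    """Toy remote-control backend: one logged-in user, one registered device."""

    def __init__(self) -> None:
        self.device = Device()
        self.sessions: Dict[str, str] = {}     # session id -> anti-CSRF token

    def login(self) -> Tuple[str, str]:
        """Creates a session and a token the server-rendered lock form will carry."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    def _session_ok(self, req: Request) -> bool:
        return req.cookies.get("session") in self.sessions

    def lock_insecure(self, req: Request) -> int:
        """Accepts any POST that carries a valid session cookie.

        Because the browser attaches that cookie automatically, a form auto-submitted
        from an unrelated site is indistinguishable from the user's own click."""
        if req.method != "POST" or not self._session_ok(req):
            return 401
        self.device.locked = True
        self.device.lock_code = req.form.get("lock_code")
        return 200

    def lock_hardened(self, req: Request) -> int:
        """Same action, but the request must prove it came from the service's own pages."""
        if req.method != "POST" or not self._session_ok(req):
            return 401
        # Check 1: the Origin header must be the service itself.
        if req.origin != SERVICE_ORIGIN:
            return 403
        # Check 2: the synchronizer token bound to this session must be present and match.
        expected = self.sessions[req.cookies["session"]]
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(expected, supplied):
            return 403
        # Check 3: the lock code itself is validated instead of stored blindly.
        code = req.form.get("lock_code", "")
        if not (code.isdigit() and 4 <= len(code) <= 8):
            return 400
        self.device.locked = True
        self.device.lock_code = code
        return 200


def cross_site_request(sid: str) -> Request:
    """Constructed sample: a POST triggered from a third-party page in the victim's browser.
    The session cookie rides along, but the Origin is foreign and the token is unknown."""
    return Request("POST", "https://third-party.example", {"session": sid}, {"lock_code": "1234"})


def same_origin_request(sid: str, token: str) -> Request:
    """Constructed sample: the user submitting the service's own lock form."""
    return Request("POST", SERVICE_ORIGIN, {"session": sid},
                   {"lock_code": "1234", "csrf_token": token})


def demo() -> Dict[str, object]:
    svc = RemoteControlService()
    sid, token = svc.login()
    results: Dict[str, object] = {}
    results["insecure_cross_site"] = svc.lock_insecure(cross_site_request(sid))   # 200: device locked
    svc.device = Device()                                                          # reset for the next run
    results["hardened_cross_site"] = svc.lock_hardened(cross_site_request(sid))   # 403: rejected
    results["hardened_same_origin"] = svc.lock_hardened(same_origin_request(sid, token))  # 200
    results["device_locked"] = svc.device.locked
    return results


if __name__ == "__main__":
    print(demo())
```

The `Origin` check alone would already stop a browser-driven cross-site POST, but it fails open for clients that omit the header, which is why the token check is kept as the primary control and `hmac.compare_digest` is used so the comparison does not leak timing. Samsung's statement describes exactly the preconditions this model needs: an active Remote Controls setting, a logged-in session, and a link the user follows.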

While the issue in Find My Mobile affects mostly consumers, researchers have also uncovered vulnerabilities in Samsung products that impact enterprise customers. In recent months, security experts have reported multiple flaws in Samsung KNOX, the security software that even the U.S. government considers effective.

In December 2013, researchers at the Ben Gurion University in Israel said they had found a way to steal data after leveraging a flaw in KNOX. More recently, an expert reported identifying KNOX password and key management issues. Samsung published statements in both cases to deny that the researchers’ conclusions were correct.


Late last month, Google detailed some of the new security features in Android 5.0, the newest version of the mobile OS.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
