In response to recent reports that its “Find My Mobile” service is plagued by a vulnerability that can be leveraged lock and unlock devices, Samsung has published a statement explaining the conditions that need to be met in order for the exploit to work.
The existence of a vulnerability in Find My Mobile (CVE-2014-8346) came to light in late October when the National Institute of Standards and Technology (NIST) published a security advisory.
Samsung’s Find My Mobile is a service that allows smartphone and tablet owners to locate their devices, lock them, or perform other tasks remotely in case of loss or theft. The service is available for Samsung smartphones and tablets running Android 2.3.3 Gingerbread or later versions of the operating system.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” NIST said.
Two proof-of-concept videos created by Egyptian security researcher Mohamed A. Baset show that the Find My Phone service is plagued by a cross-site reference forgery (CSRF) vulnerability that can be remotely exploited to lock and unlock Samsung devices, and make them ring.
Samsung has clarified that the vulnerability was fixed through an update on October 13, more than 10 days before NIST published its advisory. The company has also pointed out that no user information has been compromised, and that attackers could not access any data on the phone or the server even before the update was rolled out.
“The unlikely situation where the attacker could lock/unlock user’s device and make the device ring (but not access any data), would have been if the user fell under all four of the following conditions: 1) The attacker occupies a way to send a link containing malicious code; 2) The Find My Mobile user sets up Find My Mobile Remote control ‘ON’ at his/her device; 3) The user enters up his/her ID and password and logs on Find My Mobile website; 4) The user clicks the link in email/instant message/SMS sent by attackers,” Samsung said.
While the issue in Find My Mobile affects mostly consumers, researchers have also uncovered vulnerabilities in Samsung products that impact enterprise customers. Over the past period, security experts reported uncovering multiple flaws in Samsung KNOX, the security software that’s considered efficient even by the U.S. government.
In December 2013, researchers at the Ben Gurion University in Israel said they had found a way to steal data after leveraging a flaw in KNOX. More recently, an expert reported identifying KNOX password and key management issues. Samsung published statements in both cases to deny that the researchers’ conclusions were correct.
Late last month, Google detailed some of the new security features in Android 5.0, the newest version of the mobile OS.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
