
Samsung Clarifies Impact of “Find My Mobile” Vulnerability

In response to recent reports that its “Find My Mobile” service is plagued by a vulnerability that can be leveraged to lock and unlock devices, Samsung has published a statement explaining the conditions that need to be met in order for the exploit to work.

The existence of a vulnerability in Find My Mobile (CVE-2014-8346) came to light in late October when the National Institute of Standards and Technology (NIST) published a security advisory.

Samsung’s Find My Mobile is a service that allows smartphone and tablet owners to locate their devices, lock them, or perform other tasks remotely in case of loss or theft. The service is available for Samsung smartphones and tablets running Android 2.3.3 Gingerbread or later versions of the operating system.

“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” NIST said.

Two proof-of-concept videos created by Egyptian security researcher Mohamed A. Baset show that the Find My Mobile service is plagued by a cross-site request forgery (CSRF) vulnerability that can be remotely exploited to lock and unlock Samsung devices, and make them ring.

Samsung has clarified that the vulnerability was fixed through an update on October 13, more than 10 days before NIST published its advisory. The company has also pointed out that no user information has been compromised, and that attackers could not access any data on the phone or the server even before the update was rolled out.

“The unlikely situation where the attacker could lock/unlock user’s device and make the device ring (but not access any data), would have been if the user fell under all four of the following conditions: 1) The attacker occupies a way to send a link containing malicious code; 2) The Find My Mobile user sets up Find My Mobile Remote control ‘ON’ at his/her device; 3) The user enters up his/her ID and password and logs on Find My Mobile website; 4) The user clicks the link in email/instant message/SMS sent by attackers,” Samsung said.
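The conditions Samsung lists are the classic CSRF preconditions: the victim holds a logged-in browser session, and the browser attaches that session cookie to a request that a third-party link triggers. The following is an added illustration, not Samsung's code or anything from the researcher's videos. It models a toy "lock device" endpoint in two forms: one that, like the NIST description, accepts lock-code data from any source that carries a valid session cookie, and a hardened one that additionally checks the `Origin` header and a per-session synchronizer token. All names (`findmymobile.example`, `attacker.example`, the `Request` and `Session` types, the handler functions) are hypothetical; the request objects are constructed inline so the module runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical origin of the remote-control web front end (not a real host).
SITE_ORIGIN = "https://findmymobile.example"


@dataclass
class Request:
    method: str
    origin: Optional[str]      # value of the Origin header the browser sent, if any
    cookies: Dict[str, str]    # cookies the browser attached automatically
    form: Dict[str, str]       # POST body fields


@dataclass
class Session:
    user: str
    # Synchronizer token: random, bound to this session, embedded in the site's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: Dict[str, Session] = {}        # session cookie value -> Session
DEVICE_STATE: Dict[str, str] = {}        # user -> "unlocked" or "locked:<code>"


def login(user: str) -> str:
    """Create a session for `user` and reset the device to unlocked; returns the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    DEVICE_STATE[user] = "unlocked"
    return sid


def _session(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def _normalize_origin(origin: str) -> Tuple[str, Optional[str], Optional[int]]:
    p = urlparse(origin)
    return (p.scheme, p.hostname, p.port)


def lock_unprotected(req: Request) -> int:
    """Weak handler: the session cookie is the only check.
    Because browsers attach cookies to cross-site form posts, a request
    triggered from any other site is indistinguishable from a real one."""
    s = _session(req)
    if s is None:
        return 401
    DEVICE_STATE[s.user] = "locked:" + req.form.get("code", "")
    return 200


def lock_protected(req: Request) -> int:
    """Hardened handler: state change only on POST, only when the Origin header
    matches the site, and only with the session's own synchronizer token."""
    s = _session(req)
    if s is None:
        return 401
    if req.method != "POST":
        return 405
    # Browsers send Origin on cross-site POSTs; a missing or foreign Origin is rejected.
    if req.origin is None or _normalize_origin(req.origin) != _normalize_origin(SITE_ORIGIN):
        return 403
    # Constant-time comparison so the token cannot be recovered byte by byte.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), s.csrf_token.encode()):
        return 403
    DEVICE_STATE[s.user] = "locked:" + req.form.get("code", "")
    return 200


def simulate_cross_site(handler) -> Tuple[int, str]:
    """Constructed scenario: a logged-in user's browser posts a lock request from
    another site (cookie attached, no token, foreign Origin). Returns (status, device state)."""
    sid = login("alice")
    req = Request("POST", "https://attacker.example", {"sid": sid}, {"code": "1234"})
    return handler(req), DEVICE_STATE["alice"]


def simulate_legitimate(handler) -> Tuple[int, str]:
    """Constructed scenario: the same user submits the site's own lock form."""
    sid = login("bob")
    token = SESSIONS[sid].csrf_token
    req = Request("POST", SITE_ORIGIN, {"sid": sid}, {"code": "5678", "csrf_token": token})
    return handler(req), DEVICE_STATE["bob"]


if __name__ == "__main__":
    print("unprotected, cross-site:", simulate_cross_site(lock_unprotected))
    print("protected, cross-site:  ", simulate_cross_site(lock_protected))
    print("protected, legitimate:  ", simulate_legitimate(lock_protected))
```

The two checks are deliberately independent: the `Origin` comparison catches the cross-site post even if a token were ever leaked, and the token catches requests whose `Origin` header was stripped or absent. The `method != "POST"` check matters because a state-changing endpoint reachable by GET can be triggered by a plain link or image tag, which is exactly the "user clicks the link" condition in Samsung's statement.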

While the issue in Find My Mobile affects mostly consumers, researchers have also uncovered vulnerabilities in Samsung products that impact enterprise customers. In recent months, security experts have reported multiple flaws in Samsung KNOX, the security software that even the U.S. government considers effective.

In December 2013, researchers at the Ben Gurion University in Israel said they had found a way to steal data after leveraging a flaw in KNOX. More recently, an expert reported identifying KNOX password and key management issues. Samsung published statements in both cases to deny that the researchers’ conclusions were correct.

Late last month, Google detailed some of the new security features in Android 5.0, the newest version of the mobile OS.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
