Samsung Clarifies Impact of “Find My Mobile” Vulnerability

In response to recent reports that its “Find My Mobile” service is plagued by a vulnerability that can be leveraged to lock and unlock devices, Samsung has published a statement explaining the conditions that need to be met in order for the exploit to work.

The existence of a vulnerability in Find My Mobile (CVE-2014-8346) came to light in late October when the National Institute of Standards and Technology (NIST) published a security advisory.

Samsung’s Find My Mobile is a service that allows smartphone and tablet owners to locate their devices, lock them, or perform other tasks remotely in case of loss or theft. The service is available for Samsung smartphones and tablets running Android 2.3.3 Gingerbread or later versions of the operating system.

“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” NIST said.

Two proof-of-concept videos created by Egyptian security researcher Mohamed A. Baset show that the Find My Mobile service is plagued by a cross-site request forgery (CSRF) vulnerability that can be remotely exploited to lock and unlock Samsung devices, and make them ring.

Samsung has clarified that the vulnerability was fixed through an update on October 13, more than 10 days before NIST published its advisory. The company has also pointed out that no user information has been compromised, and that attackers could not access any data on the phone or the server even before the update was rolled out.

“The unlikely situation where the attacker could lock/unlock user’s device and make the device ring (but not access any data), would have been if the user fell under all four of the following conditions: 1) The attacker occupies a way to send a link containing malicious code; 2) The Find My Mobile user sets up Find My Mobile Remote control ‘ON’ at his/her device; 3) The user enters up his/her ID and password and logs on Find My Mobile website; 4) The user clicks the link in email/instant message/SMS sent by attackers,” Samsung said.
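The conditions Samsung lists are the textbook shape of a CSRF bug: the victim is logged in, the remote-control endpoint trusts the session cookie alone, and the victim's browser attaches that cookie to a request another site triggers. The toy model below is an added example (not Samsung's code; the origin, endpoint shape and values are constructed) showing the weak handler beside one that checks the request's Origin and a per-session anti-CSRF token.

```python
import hmac
import secrets

SITE_ORIGIN = "https://findmymobile.example"  # assumed origin of the service

class Device:
    def __init__(self):
        self.locked, self.lock_code = False, None

def new_session(sessions, user):
    """Log a user in: session cookie plus a per-session anti-CSRF token."""
    cookie = secrets.token_hex(16)
    sessions[cookie] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return cookie

def vulnerable_lock(request, sessions, device):
    """Trusts any request carrying a valid session cookie. The browser attaches
    that cookie to cross-site requests too, so a page the victim visits can
    choose the lock code (the denial of service NIST describes)."""
    if request["cookie"] not in sessions:
        return 401
    device.locked, device.lock_code = True, request["form"]["lock_code"]
    return 200

def hardened_lock(request, sessions, device):
    """Same endpoint with two independent checks: the Origin header must be the
    service's own origin, and the form must carry the session's CSRF token."""
    session = sessions.get(request["cookie"])
    if session is None:
        return 401
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403
    device.locked, device.lock_code = True, request["form"]["lock_code"]
    return 200

def demo():
    """Constructed scenario matching Samsung's four conditions: the victim is
    logged in and their browser sends a request on behalf of another site."""
    sessions, dev_a, dev_b = {}, Device(), Device()
    cookie = new_session(sessions, "victim")
    cross_site = {"cookie": cookie,
                  "headers": {"Origin": "https://other-site.example"},
                  "form": {"lock_code": "1337"}}  # code chosen by the other site
    return (vulnerable_lock(cross_site, sessions, dev_a), dev_a.locked,
            hardened_lock(cross_site, sessions, dev_b), dev_b.locked)
```

The same request locks the device behind the weak handler and is refused by the hardened one; a genuine same-origin request that carries the session's token still succeeds.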

While the issue in Find My Mobile mostly affects consumers, researchers have also uncovered vulnerabilities in Samsung products that impact enterprise customers. In recent months, security experts reported multiple flaws in Samsung KNOX, the security software that’s considered efficient even by the U.S. government.

In December 2013, researchers at Ben-Gurion University in Israel said they had found a way to steal data by leveraging a flaw in KNOX. More recently, an expert reported identifying KNOX password and key management issues. Samsung published statements in both cases denying that the researchers’ conclusions were correct.

Late last month, Google detailed some of the new security features in Android 5.0, the newest version of the mobile OS.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
