In response to recent reports that its “Find My Mobile” service is affected by a vulnerability that can be leveraged to lock and unlock devices, Samsung has published a statement explaining the conditions that need to be met in order for the exploit to work.
The existence of a vulnerability in Find My Mobile (CVE-2014-8346) came to light in late October when the National Institute of Standards and Technology (NIST) published a security advisory.
Samsung’s Find My Mobile is a service that allows smartphone and tablet owners to locate their devices, lock them, or perform other tasks remotely in case of loss or theft. The service is available for Samsung smartphones and tablets running Android 2.3.3 Gingerbread or later versions of the operating system.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” NIST said.
Two proof-of-concept videos created by Egyptian security researcher Mohamed A. Baset show that the Find My Mobile service is affected by a cross-site request forgery (CSRF) vulnerability that can be remotely exploited to lock and unlock Samsung devices, and make them ring.
Samsung has clarified that the vulnerability was fixed through an update on October 13, more than 10 days before NIST published its advisory. The company has also pointed out that no user information has been compromised, and that attackers could not access any data on the phone or the server even before the update was rolled out.
“The unlikely situation where the attacker could lock/unlock user’s device and make the device ring (but not access any data), would have been if the user fell under all four of the following conditions: 1) The attacker occupies a way to send a link containing malicious code; 2) The Find My Mobile user sets up Find My Mobile Remote control ‘ON’ at his/her device; 3) The user enters up his/her ID and password and logs on Find My Mobile website; 4) The user clicks the link in email/instant message/SMS sent by attackers,” Samsung said.
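As an added illustration (not Samsung's code and not the Find My Mobile implementation), the following Python handler for a remote-lock action closes the gap NIST describes: it accepts a lock request only when it carries a CSRF token bound to the logged-in session and arrives from the service's own origin, so a request triggered by a link the user clicks elsewhere is rejected. The service origin, the session store and the request shape are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for a "lock device" remote-control endpoint.
SITE_ORIGIN = "https://fmm.example.invalid"   # assumed service origin
SERVER_SECRET = secrets.token_bytes(32)        # per-deployment secret
SESSIONS = {}                                  # session_id -> user_id


def csrf_token_for(session_id):
    # Synchronizer token derived from the session id with an HMAC, so a
    # token is only valid for the session it was issued to.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login(user_id):
    """Create a session and return (session_id, csrf_token)."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user_id
    return session_id, csrf_token_for(session_id)


def handle_lock_request(request):
    """request: dict with 'cookies', 'headers', 'form' (constructed shape).
    Returns (http_status, message)."""
    cookies = request.get("cookies", {})
    headers = request.get("headers", {})
    form = request.get("form", {})
    session_id = cookies.get("session")
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return 401, "not logged in"
    # Check 1: the request must carry the token bound to this session;
    # the browser sends the cookie automatically, but not this field.
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or wrong CSRF token"
    # Check 2 (defence in depth): the browser-set Origin or Referer must
    # be our own site, so a form posted from another site fails here.
    source = headers.get("Origin") or headers.get("Referer", "")
    if not source.startswith(SITE_ORIGIN):
        return 403, "cross-origin request rejected"
    code = form.get("lock_code", "")
    if not (code.isdigit() and 4 <= len(code) <= 8):
        return 400, "invalid lock code"
    return 200, f"device of {user_id} locked"
```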
While the issue in Find My Mobile mostly affects consumers, researchers have also uncovered vulnerabilities in Samsung products that impact enterprise customers. Recently, security experts reported multiple flaws in Samsung KNOX, the security software that even the U.S. government considers effective.
In December 2013, researchers at the Ben Gurion University in Israel said they had found a way to steal data after leveraging a flaw in KNOX. More recently, an expert reported identifying KNOX password and key management issues. Samsung published statements in both cases to deny that the researchers’ conclusions were correct.
Late last month, Google detailed some of the new security features in Android 5.0, the newest version of the mobile OS.