Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Samsung to Patch Vulnerable Exynos-powered Devices

Earlier this week, SecurityWeek reported on the discovery of a new vulnerability in Exynos 4-powered devices from Samsung, including the Samsung Galaxy S2 and Galaxy S3 smartphones. The discovery came from developers on the XDA forums, who urged a patch as soon as possible. Samsung said recently that they plant to deliver on those requests.

Earlier this week, SecurityWeek reported on the discovery of a new vulnerability in Exynos 4-powered devices from Samsung, including the Samsung Galaxy S2 and Galaxy S3 smartphones. The discovery came from developers on the XDA forums, who urged a patch as soon as possible. Samsung said recently that they plant to deliver on those requests.

“The flaw is a ‘Privilege Escalation’ vulnerability that exists in the drivers used by the camera and multimedia devices,” Ohad Bobrov, CTO and co-founder of Lacoon Security told SecurityWeek via email on Monday, after our initial story went to press.

“By exploiting this vulnerability, the attacker can bypass the [device’s] permission model and ultimately access various files and sensitive information…”

According to the developer notes, the issue has been confirmed “on any Exynos4-based device” including the Samsung Galaxy S2 (GT-I9100) and Galaxy S3 (GT-I9300 & LTE GT-I9305), the Galaxy Note (GT-N7000), Galaxy Note 2 (GT-N7100), Verizon’s Galaxy Note 2 (SCH-I605) with locked bootloaders, the Galaxy Note 10.1 GT-N8000, and the Galaxy Note 10.1 GT-N8010.

“The good news is we can easily obtain root on these devices and the bad is there is no control over it,” the developer who discovered the flaw explained.

Unfortunately, he added, the downside also means that attackers can download data from the system’s RAM, “kernel code injection and [other types of code injection] could be possible via app installation from Play Store.”

Another developer chimed in on the security risks and noted that any application “can use [the vulnerability] to gain root without asking and without any permissions on a vulnerable device…” adding that a fix was needed ASAP.

In a statement sent to the media, Samsung has acknowledged the issue and promises a fix.

Advertisement. Scroll to continue reading.

“Samsung is aware of the potential security issue related to the Exynos processor and plans to provide a software update to address it as quickly as possible,” the company said.

“The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications. Samsung will continue to closely monitor the situation until the software fix has been made available to all affected mobile devices.”

The problem however, will then fall to the carriers once the update is delivered. Over the air (OTA) updates are the responsibility of the mobile operator, and they are notoriously slow on delivering them.

In the meantime, Samsung recommends that users avoid downloading from third-party app stores, and stick to stock device settings (i.e. don’t root them).

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.