Friday, 31 October 2014

samsung-find-my-mobile
Samsung 'Find My Mobile' Leads to Phone Lock


The US National Institute of Standards and Technology (NIST) has discovered a flaw in the Samsung Android Devices which can lead them to get locked by the remote attacker.

About The Flaw:


The zero-day-vulnerability has been submitted by NIST as CVE-2014-8346. They have rated it 7.8 and 10.0 in CVSS Severity and Exploitability subscore scale respectively.

Samsung Find My Mobile: 


The flaw, reported by NIST is in app used by Samsung Devices "Find My Mobile".

The Remote Controls feature on Samsung Mobile Devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic   

How does it work??

By using CSRF (Cross Site Request Forgery) the attacker can perform the followings:
  • Device Lock-with a new code
  • Device unlock
  • Make the Device Ring
 Must Read: Verizon Tightens Its Cyber Security by Adding FireEye Tools

Video 1:



 Video 2:


  
Videos Uploaded by Mohamed A Baset, Information Security Researcher from Egypt

Doubts and Limits

Though the video demonstrates the flaw and its consequences but what if the user is not logged into the Samsung Find My Mobile service. The researcher recommend users to turn of Find My Mobile to be in the Safe side. Does it really require to turn if off when we can simply get rid off this by logging off from Samsung Find My Mobile Website. 

Simply Ransomware ?? 

In other word, it's can be used easily as a ransomware for Samsung Mobile Devices. 

Previous Record of This Kind of Attack 

This looks similar to the incident when bunch of Antipodean Apple users found their phones and tablets locked with a message on their screen "hacked by Oleg Pliss". Though the iPhones were locked by service called "Find My iPhone" but the cause of the attack was not this flaw. Apple as well as security researchers blamed users for setting same credentials for various online accounts. But in this case, it's not user data compromise.
So this kind of simple CSRF flaw in Samsung Devices cause a great concern among people about up to what extent we can rely on our phone when some of us are using it only for business operations.   

0 comments:

Post a Comment