Millions of Samsung devices may be at risk of attack due to
a vulnerability in the firm's Find My Mobile service. An Egyptian security researcher has discovered a way to hack
into the service and remotely unlock handsets from a PC. Once a hacker has access to a device, they can also change
the PIN code rendering it useless to the owner.
WHAT IS FIND MY MOBILE?
Find My Mobile is automatically enabled when a user
registers for a Samsung Account.It lets users remotely lock and wipe their devices if
they're lost or stolen. The 'Ring my device' sounds the default ringtone at its
maximum volume for one minute, regardless of any sound or vibration settings. By sounding the ringtone, it can alert people to the lost
device, increasing the chances of it being found. Its Call logs feature additionally lets users check to see a
list of recent calls, and if the SIM card is changed, the owner is informed. Uses beyond this are not known, and it is unclear whether
hackers will be able to exploit it further to access personal information on
the device.
Mohamad Baset posted a proof-of-concept video at
the weekend that shows him hacking a device, unlocking it, changing the
greeting message and remotely calling it. His hack is controlled using the web on a PC.There are three modes of attack seen in the video: Remote
mobile device lock, remote mobile device unlock, and remote device mobile ring. The flaw has also been reported by the National Institute of
Standards and Technology (NIST) in the US on its National Vulnerability
Database (NVD).The security researchers have given it a high-severity
rating of 7.8, with an ‘exploitability sub-score’ of 10.0. This means it is a relatively easy hack and doesn't require
authentication.NIST’s vulnerability report explained: ‘The Remote Controls feature
on Samsung mobile devices does not validate the source of lock-code data
received over a network.This makes it easier for remote attackers to cause a
denial of service - screen locking with an arbitrary code - by triggering
unexpected Find My Mobile network traffic.’
Egyptian researcher Mohamad Baset has posted a
proof-of-concept video (screengrab pictured) that shows him hacking a device,
unlocking it, changing the greeting message and remotely calling it. The
flaw has also been reported by the National Institute of Standards and
Technology (NIST)
The flaw affects any Samsung device with Find My Mobile
enabled (Galaxy S5 pictured) Samsung told MailOnline: 'The reported issue occurred in web
user interface, and it was fixed through a patch update on 13 October.' But Mr Baset's proof-of-concept was posted on 27 October,
after this patch date. MailOnline has contacted Mr Baset to discover when the video
was filmed, and if the flaw is still being exploited
News Courtesy : Daily Mail
No comments:
Post a Comment