Samsung's Find My Mobile Service exploit allows hackers to remotely lock your smartphone

Menchie Mendoza, Tech Times 29 October 2014, 08:10 am

The Find My Mobile remote control service of Samsung has a wide range of useful features.

These include registering a personal guardian, SIM change alert, call logs, and the "wipe my device," "unlock my screen," "locate my device," "ring my device," and "lock my device" functions. These service features do not launch by default. They are automatically enabled only after the user registers for a Samsung account.

In other words, Find My Mobile allows users to track their mobile device. In the case of theft, the user can remotely lock, wipe, or ring the phone.

However, a serious vulnerability was found in the Samsung feature, which allows hackers to use the same tool in locking the device remotely and setting a chosen pass code.

The vulnerability issue revolves around the remote control system of Samsung mobile devices.

"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," said the National Institute of Standards and Technology (NIST).

With 10 as the highest severity score on the Common Vulnerability Scoring System, the NIST rates the vulnerability base score at 7.8, exploitability score at 10 and impact score at 6.9. Furthermore, it classifies the CVE (Common Vulnerabilities and Exposures) Standard Vulnerability Entry as having the so-called "network exploitable access vector."

The vulnerability is not too difficult to exploit. The most disturbing aspect is that the service can be disrupted easily since it doesn't require any process of authentication.

Mohamed Baset, a security researcher from Egypt, also warns users of the exploit on the service, which allows evildoers to remotely ring, lock or wipe their Samsung mobile device.

It should be remembered that by merely accessing the app called "Galaxy App," an automatic download of "Samsung Billing" and "Samsung In-App purchase" is triggered. If the user merely opens the "Samsung Hub" app, it leads the "Samsung Push Service" to download automatically.

There's no word yet from Samsung on how to fix the vulnerability. At present, the only way for one to deal with the issue is to turn off the Find My Mobile feature.