While being able to remotely manage a smartphone is often said to be a security feature, it is exactly that feature that hackers are now able to exploit in Samsung phones.
Security researchers found that the feature, called Find My Mobile, has a flaw that allows hackers to remotely lock, call, or even completely wipe a user's phone.
"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," said the National Institute of Standards and Technology.
Using the Common Vulnerability Scoring System, with 10 representing maximum severity, NIST ranked the base score of the issue at 7.8, with the impact score at 6.9 and the exploitability score at 10.
Find My Mobile automatically enables when users sign up for a Samsung account, so it would be appropriate for users to check if their device has it turned on. The feature is not enabled by default when users purchase a device and do not sign up for a Samsung account.
While Samsung did not have too much to say about the issue, it did say it was looking into it. It is recommending users disable the feature for now and take extra precautions to not lose their device. It is likely that Samsung will release a patch for the flaw in the near future.
"Samsung takes the security of our products very seriously and we are currently investigating this matter," said a Samsung spokesperson.
The Find My Mobile feature on Samsung's phones includes three options. The first is called "Locate my device," which allows users to see where their device is on a map. The next is called "Lock my device," which allows users to remotely disable the device's features and display a message on it that tells whoever has the device what to do, assuming they found it and did not steal it. The last feature is called "Ring my device," which calls the device at full volume, even if it's on silent.
The flaw highlights a growing concern when it comes to mobile security. Both the newest version of Apple's iOS and Google's Android include data encryption by default, meaning that both hackers and authorities alike will be unable to access user data without permission and access codes from the user. While many users have applauded the move, federal law enforcement officials and other security agencies have condemned the move, suggesting they should have access to a user's phone for matters of national security.
Find-my-phone features have become commonplace in most smartphones, with other examples including Google's Android Device Manager and Find My Phone on Apple's devices.
