Zero-day in Samsung ‘Find My Mobile’ service allows attacker to remotely lock phone

[Image: Samsung Find My Mobile remote control service. Credit: Samsung]

NIST warned that if an attacker exploits the zero-day vulnerability in Samsung's ‘Find My Mobile’ service, then the hacker can remotely lock, unlock and ring the phone.

There are plenty of “find my phone” type apps, but if your Android is a Samsung and you use Find My Mobile, then you should know that NIST is warning about a zero-day in the service.

Samsung’s Find My Mobile remote control “features” include lock my device, ring my device, locate my device, wipe my device, unlock my screen, call logs, SIM change alert and register a personal guardian. The service is not enabled out of the box; instead it is switched on automatically once you register a Samsung account on the device, so many owners are using it without having deliberately opted in.

According to the National Institute of Standards and Technology (NIST):

The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

With 10 representing maximum severity on the Common Vulnerability Scoring System (CVSS, version 2), NIST rates the base score as High at 7.8, the impact score at 6.9 and the exploitability score at 10. It further classified CVE-2014-8346 as having a network access vector and low access complexity, requiring no authentication to disrupt service; the vector affects only availability (the screen gets locked), not confidentiality or integrity.

[Image: NIST CVSS severity summary for CVE-2014-8346]

As an example, the Find my Mobile how-to for Galaxy S5 suggests that if you lose your phone, then first remotely “lock my device” and display a message such as “This device is lost. Please keep it for a while, and I will contact you.”

[Image: Find My Mobile “lock my device” screen. Credit: Samsung]

Then “locate my device” on the map.

[Image: Find My Mobile “locate my device” map. Credit: Samsung]

When using “ring my device,” the device rings at maximum volume for one minute even if the phone is on vibrate; it can also display a message such as “This is a lost device.” There is also an option for remotely wiping the device.

NIST linked to two proof-of-concept videos posted by Egyptian security researcher Mohamed A. Baset, aka @SymbianSyMoh, that demonstrate exploiting Cross-Site Request Forgery (CSRF) vulnerabilities in the Find My Mobile service to remotely lock, unlock and ring the phone. In a CSRF attack the victim’s own browser, already logged in to the Samsung account, is tricked by a malicious page into submitting the lock request; the attacker never needs the victim’s password, which is why the NIST description stresses that the service does not validate the source of the lock-code data it receives.
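To make the bug class concrete, here is an added example that is not Samsung’s code and not the researcher’s proof of concept: a toy “lock my device” web endpoint written the vulnerable way, accepting any request that carries a valid session cookie, beside a hardened version that also checks the request’s origin and a per-session anti-CSRF token. The Request, Session and Device classes, the session store, the cookie name and the origin https://find.example are all hypothetical stand-ins; the cross-site request it feeds in is constructed for the demonstration.

```python
# Added example (not Samsung's code, not the researcher's PoC): a toy
# "lock my device" endpoint showing the CVE-2014-8346 bug class, a lock
# request whose source is never validated, beside a hardened version.
# Request/Session/Device, the session store and https://find.example are
# hypothetical stand-ins.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SERVICE_ORIGIN = "https://find.example"   # assumed first-party origin


@dataclass
class Request:
    method: str
    headers: dict
    body: str = ""

    @property
    def cookies(self) -> dict:
        out = {}
        for part in self.headers.get("Cookie", "").split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                out[k] = v
        return out

    @property
    def form(self) -> dict:
        return {k: v[0] for k, v in parse_qs(self.body).items()}

    def origin(self) -> str:
        # Browsers send Origin on cross-site POSTs; fall back to Referer.
        value = self.headers.get("Origin") or self.headers.get("Referer", "")
        parts = urlsplit(value)
        return f"{parts.scheme}://{parts.netloc}" if parts.scheme else ""


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Device:
    owner: str
    locked: bool = False
    lock_code: Optional[str] = None


def _apply_lock(req: Request, sess: Session, devices: dict):
    code = req.form.get("lock_code", "")
    if not (code.isdigit() and len(code) == 4):
        return 400, "bad code"
    dev = devices[sess.user]
    dev.locked, dev.lock_code = True, code
    return 200, "locked"


def vulnerable_lock(req: Request, sessions: dict, devices: dict):
    """Vulnerable: the session cookie is the only check. Browsers attach
    cookies to cross-site form posts automatically, so a page on another
    site can lock the phone with a code the attacker chooses."""
    sess = sessions.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 401, "no session"
    return _apply_lock(req, sess, devices)


def hardened_lock(req: Request, sessions: dict, devices: dict):
    """Hardened: same logic plus two source checks a cross-site page cannot
    pass: first-party origin, and the per-session token (constant-time)."""
    sess = sessions.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 401, "no session"
    if req.origin() != SERVICE_ORIGIN:
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return 403, "missing or wrong csrf token"
    return _apply_lock(req, sess, devices)


def simulate() -> dict:
    """Feed a legitimate lock, then a constructed cross-site lock, through
    both handlers; return each (status, message) and the final lock code."""
    sessions = {"sid-alice": Session(user="alice")}
    cookie = "sid=sid-alice"   # victim is logged in; sent on every POST
    legit = Request("POST", {"Cookie": cookie, "Origin": SERVICE_ORIGIN},
                    f"lock_code=2468&csrf_token={sessions['sid-alice'].csrf_token}")
    cross_site = Request("POST", {"Cookie": cookie, "Origin": "https://attacker.example"},
                         "lock_code=1337")   # constructed CSRF post: no token
    results = {}
    for name, handler in (("vulnerable", vulnerable_lock), ("hardened", hardened_lock)):
        devices = {"alice": Device(owner="alice")}
        results[name] = {
            "legit": handler(legit, sessions, devices),
            "cross_site": handler(cross_site, sessions, devices),
            "final_lock_code": devices["alice"].lock_code,
        }
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(name, r)
```

In the vulnerable handler the attacker’s post overwrites the owner’s lock code with one only the attacker knows, which is exactly the “screen locking with an arbitrary code” denial of service NIST describes; the hardened handler rejects it on the Origin check before the token is even consulted. An exact origin comparison is used rather than a prefix match so that a host such as find.example.attacker.example cannot slip past.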

Little FYI: If you don’t use the service and haven’t really poked around on your Samsung Galaxy, then know that merely opening the app labeled “Galaxy Apps” triggers an automatic download of “Samsung In-App purchase” as well as “Samsung Billing.” If you do no more than open the “Samsung Hub” app, then that results in an automatic download of “Samsung Push Service.”

Apple, Android fan boys call for boycott on anti-NFC payment retailers

Elsewhere...Apple and Android fan boys have formed an “unholy alliance” to boycott retailers which disabled NFC for payments via mobile devices. Major pharmacy chain CVS followed Rite Aid in shutting down NFC functionality in payment terminals so that customers can use neither Apple Pay nor Google Wallet at the stores. Conversely, Walgreens reportedly accepts both.

Walmart and Best Buy said “no” immediately to Apple Pay. That’s because some big retail chains are banking on CurrentC as the future of mobile payment; it cuts out the middleman and the fees charged by credit card companies. CurrentC uses QR codes instead of NFC and is backed by merchants such as Walmart, Target, Best Buy, Lowe’s and other companies that together operate over 110,000 brick-and-mortar retail locations.
