CVE-2014-8346: Zero-day vulnerability in Samsung’s Find My Mobile service

Posted: October 29, 2014 in Vulnerabilities

A zero-day vulnerability in Samsung’s Find My Mobile service allows an attacker to remotely lock a user’s smartphone.

If an attacker exploits the zero-day vulnerability in Samsung’s ‘Find My Mobile’ service, they can remotely lock, unlock and ring the phone.

The vulnerability affects all Samsung smartphones that support the Find My Phone web service.

A dangerous zero-day vulnerability has been found in Samsung’s Find My Mobile service. According to Computerworld, a hacker can use it to remotely lock the user’s smartphone. Samsung’s Find My Phone service lets a user remotely control a lost smartphone: lock the device, ring it, view the call list, erase all data on the device, register a personal assistant, or enable a notification when the SIM card is changed.

The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service by triggering unexpected Find My Mobile network traffic.


The vulnerability affects all Samsung smartphones whose users are signed in to a Samsung account and have activated Find My Mobile. Simply opening the Galaxy Apps or Samsung Hub application preinstalled on the Korean manufacturer’s devices may be enough to expose the smartphone to this attack.

NIST (National Institute of Standards and Technology) has provided two proof-of-concept videos created by the Egyptian researcher Mohamed Baset. They demonstrate how exploiting the CSRF (cross-site request forgery) vulnerability allows an attacker to remotely lock or unlock a smartphone, as well as ring it.

CVE-2014-8346: Zero-day vulnerability

Danger level: High (Zero-day vulnerability)
Fix available: No
Number of vulnerabilities: 1

CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE ID: CVE-2014-8346

Exploitation vector: Remote
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows disruption of service
Product: Samsung mobile

Description:

[CVE-2014-3954] The vulnerability allows remote attackers to cause a denial of service by triggering unexpected Find My Mobile network traffic.

The vulnerability is due to the fact that the Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network.
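To make the root cause concrete, here is an added illustration (not code from this page or from Samsung) of a remote "lock device" handler that trusts the session cookie alone, beside a hardened version that validates the source of the request with an Origin/Referer check and a per-session synchronizer token. The endpoint shape, session store, trusted origin and field names are assumptions for illustration only.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed model of a "lock device" endpoint: the session store, trusted
# origin and field names are assumptions for illustration, not Samsung's API.
TRUSTED_ORIGIN = "https://findmymobile.example"
SESSIONS = {"sess-abc": {"user": "alice", "csrf_token": secrets.token_hex(16)}}

def request_origin(headers):
    """Site the browser says the request came from (Origin, else Referer)."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None

def lock_vulnerable(req):
    """Trusts the session cookie alone. The browser attaches that cookie to any
    request, so a form on an unrelated site can lock the victim's device."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "not signed in"
    return 200, f"{session['user']}'s device locked with {req['form']['lock_code']}"

def lock_hardened(req):
    """Same action, but the source of the lock command is validated first."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "not signed in"
    if request_origin(req["headers"]) != TRUSTED_ORIGIN:
        return 403, "cross-site request rejected"
    # Synchronizer token: only a page served by the real site knows it.
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']}'s device locked with {req['form']['lock_code']}"

def forged_request():
    """Constructed sample: form auto-submitted from another site, cookie riding along."""
    return {"cookies": {"session": "sess-abc"},
            "headers": {"Origin": "https://unrelated.example"},
            "form": {"lock_code": "0000"}}

def legitimate_request():
    """Constructed sample: form submitted from the service's own page, with token."""
    return {"cookies": {"session": "sess-abc"},
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"lock_code": "4821", "csrf_token": SESSIONS["sess-abc"]["csrf_token"]}}
```

The vulnerable handler accepts the forged request because nothing distinguishes it from a genuine one; the hardened handler rejects it on origin and, even with a matching origin, still requires the token.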

Solution: We recommend that all users temporarily disable Find My Phone, as its continued use is a security risk. Go to the smartphone’s settings menu, select “More” – “Find my phone” and turn it off.
