Find My Mobile exploit lets an attacker remotely lock, wipe or ring Samsung smartphones

Shawn Knight

Posts: 15,256   +192
Staff member

exploit samsung smartphone attack vulnerability hack find my mobile

California is leading the way in smartphone kill switch legislation but at least one implementation has already been found to have a fatal flaw. The National Institute of Standards and Technology (NIST) as well as a separate security researcher have uncovered an exploit in Samsung’s Find My Mobile service that could allow an attacker to remotely lock, wipe or even send ring commands to Samsung handsets.

According to NIST, the Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network which makes it easier for remote attackers to cause a denial of service by triggering unexpected Find My Mobile network traffic.

NIST has given the flaw a base score of 7.8, an impact sub-score of 6.9 and an exploitability sub-score of 10.0 (all out of 10).

It’s worth pointing out that Find My Mobile isn’t enabled by default. It is, however, automatically enabled when a user signs up for a Samsung account.

As of writing, Samsung hasn’t publically addressed the matter. The best course of action for now is to simply turn off the Find My Mobile feature (Settings > More > Find My Mobile > Remote Controls) and hope you don’t lose your phone or it gets stolen. With any luck, Sammy will issue a fix as soon as possible.

Permalink to story.

 
I turned that "feature" off right after I purchased by new note 4. I don't need sammy or uncle sam or "you know who" messing with my phone.
 
That's why they need my stolen phone app which hasn't been hacked. Truthfully, it hasn't sold a single one except to friends. My fax app has sold. Gonna start telemarketing it this week. You could all work for me, really google, by downloading it, making $12-14 per sale, explained in the description in the google play store. Don't need a smartphone to get to the google play store.
 
Another minute, another hack or crack. Everything has it's flaws. I use Androids built in 'find & lock' feature instead but it's probably just as vulnerable.
 
Don't expect a update that will resolve this problem any time soon from Samsung, as it requires a full OS rewrite. Past OS updates take on average 4 to 5 months to be released. Samsung rewrote Android to include this "feature" in the OS, so in order to release a repair will require a full rewrite, which also means a full OS download of in excess of 3GB when the update becomes available
 
Do you know why Samsung hasn't address the matter. It's because there isn't really a matter to fix this is useless and can't really be used in a real world example. Yes it doesn't look at the source but does look at the Samsung account details so the "attacker" has to know your samsung username/password before they can then go on to send lock messages etc. More bloody scaremongering getting stupid this now.
 
Of you could use Androids "Device Protection Manager" from the Google Playstore. Which I imagine to be better than Samsungs
 
Back