California is leading the way in smartphone kill switch legislation, but at least one implementation has already been found to have a fatal flaw. The National Institute of Standards and Technology (NIST), as well as a separate security researcher, has uncovered a vulnerability in Samsung’s Find My Mobile service that could allow an attacker to remotely lock, wipe or even send ring commands to Samsung handsets.
According to NIST, the Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service by triggering unexpected Find My Mobile network traffic.
NIST has given the flaw a base score of 7.8, an impact sub-score of 6.9 and an exploitability sub-score of 10.0 (all out of 10).
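The root cause NIST describes is a missing origin check: a remote-control command is acted on without any proof that it came from the legitimate service. The following is an added, generic illustration of that pattern and of its fix; it is not Samsung's code and makes no claim about how Find My Mobile is actually implemented. The device secret, device id, nonce field and the `sign`/`HardenedHandler` names are all constructed for the example. The hardened handler authenticates each command with an HMAC over its canonical fields, binds it to one device, and rejects replays.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical per-device secret provisioned when the device is enrolled with the
# remote-control service (constructed for this example, not a real mechanism).
DEVICE_SECRET = b"constructed-device-secret-for-example"
ALLOWED_COMMANDS = {"lock", "ring", "wipe"}


def vulnerable_handle(message: dict) -> str:
    """The flawed pattern: execute any well-formed command that arrives,
    with no check of who sent it."""
    if message.get("command") in ALLOWED_COMMANDS:
        return f"executed {message['command']}"
    return "ignored"


def canonical_bytes(message: dict) -> bytes:
    """Serialise the authenticated fields deterministically so the service and
    the device compute the tag over identical bytes."""
    body = {k: message[k] for k in ("command", "device_id", "nonce")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict, key: bytes) -> dict:
    """Service side: attach an HMAC-SHA256 tag over the canonical fields."""
    tag = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return {**message, "tag": tag}


class HardenedHandler:
    """Device side: only act on commands that prove they came from the holder
    of this device's secret, and never act on the same command twice."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        # Nonces already consumed; a real device would bound or expire this set.
        self.seen_nonces = set()

    def handle(self, message: dict) -> str:
        required = ("command", "device_id", "nonce", "tag")
        if any(k not in message for k in required):
            return "rejected: malformed"
        if message["device_id"] != self.device_id:
            return "rejected: wrong device"
        if message["command"] not in ALLOWED_COMMANDS:
            return "rejected: unknown command"
        expected = hmac.new(self.key, canonical_bytes(message), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: bad signature"
        if message["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(message["nonce"])
        return f"executed {message['command']}"


def demo() -> tuple:
    """Run a forged command and a genuine one through both handlers."""
    handler = HardenedHandler("device-123", DEVICE_SECRET)
    forged = {"command": "lock", "device_id": "device-123", "nonce": "n1"}
    genuine = sign(
        {"command": "lock", "device_id": "device-123", "nonce": secrets.token_hex(8)},
        DEVICE_SECRET,
    )
    return (
        vulnerable_handle(forged),   # "executed lock": the flaw
        handler.handle(forged),      # "rejected: malformed": no tag at all
        handler.handle(genuine),     # "executed lock"
        handler.handle(genuine),     # "rejected: replay"
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the canonical serialisation is that the tag covers the command, the target device and the nonce together, so a captured genuine message cannot be re-pointed at another device, changed from "ring" to "wipe", or replayed later. In a deployed system this would sit on top of a transport with server authentication (TLS) rather than replace it.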
It’s worth pointing out that Find My Mobile isn’t enabled by default. It is, however, automatically enabled when a user signs up for a Samsung account.
As of writing, Samsung hasn’t publicly addressed the matter. The best course of action for now is to simply turn off the Find My Mobile feature (Settings > More > Find My Mobile > Remote Controls) and hope you don’t lose your phone or have it stolen. With any luck, Sammy will issue a fix as soon as possible.