Samsung Android Phones in Remote Lock Shock

The US National Institute of Standards and Technology (NIST) has warned of a major new zero-day vulnerability in Samsung Android smartphones which could allow a remote attacker to lock the handset.

NIST has given the CVE-2014-8346 flaw a CVSS severity rating of 7.8 and an exploitability subscore of 10.0 as it doesn’t require authentication to exploit.

It relates to an issue with the Find My Phone service, as explained by NIST here:

“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.”

The note links to two YouTube videos here and here posted by a Mohamed A Baset (@SymbianSyMoh) which purport to show the hack in action.

In the first, he demonstrates how, by exploiting a Cross-Site Request Forgery (CSRF) vulnerability, an attacker could remotely lock a device with a new code, as well as unlock it and make it ring.

In the wild, such an attack could theoretically be used to hold a user to ransom.

Samsung had not responded to Infosecurity’s request for comment at the time of writing but it is presumed to be looking into the situation. In the meantime it would probably be wise for users to turn off the Find My Phone feature.

The flaw calls to mind a problem Apple had with its iOS devices in May when scores of Antipodean users awoke one morning to find their handsets and tablets locked with a message on the screen that noted they had been “hacked by Oleg Pliss.”

However, that particular plot didn’t net the attackers the ransom they coveted as users were advised to simply erase their device using Recovery Mode and restore from a backup by connecting to iTunes.

The discovery of such an apparently basic CSRF flaw in Samsung devices once again raises important questions about how much we rely on our handsets, especially in the corporate world.

The effect of a mass remote-lock campaign against BYOD handsets could cause serious productivity problems for many workers.

Thomas Labarte, European managing director of mobile security firm Lookout, argued that the incident shows there will never be one silver bullet to stop all smartphone crime.

"Ultimately, the most significant progress in phone crime will only come through a multi-pronged approach involving widespread industry collaboration, technology innovation, and broad consumer and business adoption of these new features," he told Infosecurity.

"A robust, holistic approach such as this would represent a direct attack against the economy of smartphone theft and crime."

What’s Hot on Infosecurity Magazine?