If you happen to be the owner of a Samsung smartphone, and you use their Find My Phone service, stop immediately. A zero-day exploit has been discovered that can lead to attackers ringing, locking, and even wiping your device.
The NIST is ranking the base score of this exploit a 7.8, with the impact score as 6.9, and the exploitability score at 10 (10 being the highest). So, this is not something you want to ignore.
The problem is that the Find My Mobile service doesn’t bother to validate the lock code information it receives, so an attacker need only flood the device with network traffic to gain control.
But here’s the kicker… since the Find My Phone usually turns on when you sign up for a Samsung account, there’s a high probability your phone is vulnerable. To that end, what can you do? First and foremost, if you have been using Find My Phone, turn it off. If you haven’t registered for a Samsung account, chances are that this service is not turned on and you’re safe. If you haven’t signed up for an account, but you’ve tapped the launcher for Galaxy Apps, then Find My Mobile is most likely on your device.
If you’re unsure, do this:
- On your Samsung device, open up Settings
- Tap the Accounts tab
- Look for a Samsung account listed under My accounts (Figure A)
An enabled Samsung account on a Verizon-branded Samsung Galaxy S4.
If you do have a Samsung account listed, remove it. To do this, tap on the account, tap on the associated email address, and then tap the Remove account button. Once you’ve done this, your device should be safe.
Next, open up the Application Manager (from within Settings) and search for Find My Mobile. If you see it, tap it, and then tap the Uninstall button.
If you still need this type of service, I recommend using the default Android Device Manager, which I’ve covered in a previous post, “Ring, lock, or erase your lost or stolen Android device.” If a Google service isn’t up to snuff for you, you can try out these device locators:
If you want to see the proof of concept that brought this exploit to light, watch the video below, created by Egyptian security researcher Mohamed A. Baset, that demonstrates exploiting Cross-Site Request Forgery (CSRF) vulnerabilities in the Find My Mobile service. It’s this exploit that allows an attacker to lock, unlock, and ring your device.
My guess it that it won’t take Samsung long to patch this rather serious bug. In the meantime, however, your best bet is to avoid the issue at all costs by removing the app and account from your device.
Should OEM’s include their own security on devices? Do you think Google should even allow the inclusion of redundant services, such as Find My Mobile — or is the Android Device Manager enough? What are your thoughts on the state of Android security? Let us know in the discussion thread below.