An Egyptian security researcher has allegedly found a vulnerability in Samsung's Find My Mobile service that enables unauthorised individuals to send remote lock, unlock, and ring commands to Samsung devices that support the service.
Also reported by the National Institute of Standards and Technology (NIST) in the US on its National Vulnerability Database (NVD), the Find My Mobile vulnerability has been given a high-severity rating at 7.8, with an exploitability sub-score of 10.0, due to its network exploitable nature, low access complexity, no authentication requirement, and disruption potential.
The NIST vulnerability summary states, "The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic."
Samsung has not yet responded to the reports of the Find My Mobile vulnerability, and is expected to issue an update to its Galaxy Apps suite to fix the problem.
Two proof-of-concept videos have been uploaded to YouTube by Egyptian security researcher Mohamed A. Baset (@SymbianSyMoh) that show the vulnerability being exploited with cross-site request forgery (CSRF) attacks, where he is able to insert scripts into Find My Mobile fields via the Web interface to force the service to lock, unlock, and ring a linked Samsung smartphone.
Notably, the CSRF attack used by Baset is able to lock a Samsung smartphone with a "specific device lock code" set by the attacker, essentially causing a denial of service to the smartphone owner. Baset was also able to set a custom message in each case (locking, unlocking, ringing).
For now, it is being recommended that Samsung smartphone users turn off the Find My Mobile service, which as Computerworld notes is automatically enabled once a user registers for a Samsung account, or opens Galaxy Apps or Samsung Hub.Samsung