NIST advisory is latest clue to suggest remote administration features in consumer smartphones are a foolish feature

Samsung Electronics Comp., Ltd. (KRX:005930)(KRX:005935) customers were rocked this week to discover that a popular security feature on Samsung's Galaxy Android smartphone line was vulnerable to a zero-day exploit that could allow malicious hackers to hijack people's phones and hold them ransom.
I.  From Feature to Exploit

The warning came from the National Institute of Standards and Technology (NIST), a U.S. government agency under the U.S. Department of Commerce umbrella.  The vulnerability pertains to the "Find My Mobile" feature, which was introduced this year with the launch of the Galaxy S5.

The feature -- like the "Find My iPhone" functionality Apple, Inc. (AAPL) has provided for the past five years -- offers services such as remote locking of your smartphone, a remote wipe of its data, and even the ability to call it, overriding any vibration settings and forcing the phone to ring at maximum volume.  
Of course, as one might guess, putting strong administrative remote controls on millions of devices creates a serious security headache.  Any flaw in such a system could endanger not just one user, but thousands or even millions of customers.

And security researchers will remind you that virtually any digital system has security flaws that can be found and exploited.  In this case the only good news is that the good guys -- government security researchers -- found the flaw first.  
According to the NIST security advisory on the bug (CVE-2014-8346):

The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

The NIST advisory rates the zero-day bug using the Common Vulnerability Scoring System (CVSS).  It assigns the bug a base score of 7.8/10, with 6.9/10 for impact and 10/10 for exploitability.  
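The advisory's "does not validate the source of lock-code data" is the whole bug: the handset acts on a lock command without establishing who sent it.  As an added illustration (not Samsung's code or protocol; the message format, field names and per-device key are assumptions), here is a toy lock-command receiver in Python in the unvalidated form the advisory describes, beside a hardened version that requires an HMAC tag under a per-device key plus freshness and replay checks before applying any lock code.

```python
import hashlib, hmac, json, secrets, time

# Constructed per-device secret, provisioned at enrolment (hypothetical service).
DEVICE_KEY = b"example-per-device-secret-do-not-reuse"
SEEN_NONCES = set()      # nonces already accepted, for replay protection
MAX_SKEW_SECONDS = 300   # reject commands too far from the receiver's clock

def make_command(lock_code, ts, nonce=None):
    """Constructed lock command in an assumed message format."""
    return {"device_id": "GALAXY-EXAMPLE-001", "command": "lock",
            "lock_code": lock_code, "ts": ts, "nonce": nonce or secrets.token_hex(8)}

def _canonical(msg):
    """Stable byte encoding of the authenticated fields."""
    fields = {k: msg[k] for k in ("device_id", "command", "lock_code", "ts", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_command(msg, key=DEVICE_KEY):
    """Service side: attach an HMAC-SHA256 tag under the device key."""
    signed = dict(msg)
    signed["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return signed

def handle_lock_unvalidated(msg):
    """The advisory's failure mode: the lock code is applied no matter who sent it."""
    return "LOCKED:" + str(msg["lock_code"])

def handle_lock_validated(msg, key=DEVICE_KEY, now=None):
    """Hardened receiver: tag, freshness and replay checks before acting."""
    now = time.time() if now is None else now
    try:
        expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    except KeyError:
        return "REJECTED:malformed"
    # Constant-time comparison; a forged or tampered message fails here.
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return "REJECTED:bad-signature"
    if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
        return "REJECTED:stale"
    if msg["nonce"] in SEEN_NONCES:
        return "REJECTED:replay"
    SEEN_NONCES.add(msg["nonce"])
    return "LOCKED:" + str(msg["lock_code"])

if __name__ == "__main__":
    ts = time.time()
    forged = make_command("9999", ts)          # no tag: code chosen by the sender
    print(handle_lock_unvalidated(forged))     # LOCKED:9999
    print(handle_lock_validated(forged))       # REJECTED:bad-signature
    print(handle_lock_validated(sign_command(make_command("1234", ts))))  # LOCKED:1234
```

The unvalidated handler is the denial-of-service path the advisory scores; the validated one turns an unauthenticated network message into a rejected one without any change to the lock feature itself.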


The good news is that customers who hear news of the bug can easily disable the feature to prevent the exploits that will inevitably soon be popping up in the wild.  To disable the feature just go to:

Settings > More > Find My Mobile > Remote controls

Several independent security researchers have taken to YouTube, verifying the exploitability of the NIST-revealed flaw:

Surely, there will be a fix from Samsung in the works, but customers might be wise to rethink that whole trading liberty for convenience equation.  After all, this is hardly the first such exploit.  It turns out that these kinds of remote administration features -- long used by enterprises on a far smaller, less attention-grabbing scale -- have increasingly been shown to be very dangerous when deployed in such a highly visible fashion to such a large number of end users.
Again, it was fortunate the good guys found this bug first.
Apple users weren't so lucky.  In May a hacker going by the name "Oleg Pliss" locked a small number of iPhones in Australia using iCloud's location-aware "Find My iPhone" feature, which was first introduced in 2009 with iOS 3.0.  It was later rolled into Apple's monolithic cloud services portal, iCloud, where it currently resides.  
It's unclear whether the hacker found a true vulnerability in iCloud or simply breezed into user accounts by more clever and difficult-to-defeat means, such as phishing or local network surveillance.  The hacker then proceeded to ask users to wire large sums of money to certain accounts, threatening to wipe their devices otherwise.  
Unfortunately, some customers caved to the demands.

Sources: NIST [CVE-2014-8346], YouTube [1], [2]
