Millions of Samsung phones may be remotely locked by hackers
An Egyptian security researcher first detected the flaw when he was able to hack into the service and remotely unlock handsets from a PC. Once in, hackers can change the PIN code, making the handset useless to its owner.
In a proof-of-concept video posted as part of the research, Mohamad Baset is shown hacking a device, unlocking it, changing the greeting message, and remotely calling the device. Samsung was told about the flaw.
“The reported issue occurred in web user interface, and it was fixed through a patch update on 13 October,” Samsung told the MailOnline.
But Baset’s proof-of-concept was posted on October 27, after the date on which Samsung says the patch was issued. It is not clear whether the phone used in the study had the latest patch installed, or, if it had not, what percentage of devices are in reality kept up to date by their owners.
The flaw affects any Samsung device that has enabled the Find My Mobile service. The service is supposed to be a security system for users to protect their mobile phone in case of theft, loss or being misplaced. The service is automatically enabled when a user registers for a Samsung account. If the mobile phone is lost or stolen, a user can either remotely lock the device, or wipe it clean. The feature also has a “Ring my device” tool to alert people to its location. The service provides users with a list of recent calls, and if a SIM card was changed, the owner is notified.
The flaw has been reported by the National Institute of Standards and Technology (NIST) in the US on its National Vulnerability Database (NVD).
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network,” NIST’s vulnerability report stated. “[This] makes it easier for remote attackers to cause a denial of service – screen lock with an arbitrary code – by triggering unexpected Find My Mobile network traffic.”
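The NVD wording above describes a device that acts on lock-code data without checking where it came from. The following is an added example, not Samsung's code or protocol (the article describes neither): it contrasts that pattern with a handler that authenticates and replay-protects the message, assuming a hypothetical per-device key shared with the service and a message counter; every name in it is invented for illustration.

```python
import hashlib
import hmac
import struct


def sign_lock_command(key: bytes, counter: int, lock_code: str) -> bytes:
    """Service side (hypothetical): tag a lock command with HMAC-SHA256."""
    # Fixed prefix + fixed-width counter keeps the encoding unambiguous.
    msg = b"lock-v1" + struct.pack(">Q", counter) + lock_code.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


class LockCommandReceiver:
    """Device-side handler for a remote-lock message (hypothetical design)."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key  # assumption: provisioned at registration
        self.last_counter = 0         # highest counter accepted so far
        self.lock_code = None         # currently applied remote lock code

    def handle_unvalidated(self, lock_code: str) -> bool:
        # The flawed pattern: whatever arrives over the network is applied,
        # so any sender can lock the screen with a code the owner never set.
        self.lock_code = lock_code
        return True

    def handle_validated(self, counter: int, lock_code: str, tag: bytes) -> bool:
        expected = sign_lock_command(self.device_key, counter, lock_code)
        if not hmac.compare_digest(expected, tag):
            return False              # sender does not hold the device key
        if counter <= self.last_counter:
            return False              # replay of an earlier, genuine command
        self.last_counter = counter
        self.lock_code = lock_code
        return True


if __name__ == "__main__":
    key = b"\x01" * 32                # constructed sample key
    device = LockCommandReceiver(key)
    tag = sign_lock_command(key, 1, "4821")
    print("forged  :", device.handle_validated(1, "0000", b"\x00" * 32))
    print("genuine :", device.handle_validated(1, "4821", tag))
    print("replayed:", device.handle_validated(1, "4821", tag))
```

A rejected message leaves `lock_code` unchanged, which is the property the unvalidated handler lacks.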