The security researcher Pedro Umbelino from Portugal-based cybersecurity services provider Char49 discovered multiple vulnerabilities in Samsung’s Find My Mobile that could have been chained to perform various malicious activities on Samsung Galaxy Phones.
“There are several vulnerabilities in the Find My Mobile package that can ultimately result in complete data loss for the smartphone user (factory reseting), as well as real time location tracking, phone call and message retrieving, phone lockout, phone unlock, etc. Every action that is possible for the user to perform using the web application that is passed to the device can be abused by a malicious application.” reads the report published by the security firm. “The code path to execute these actions involves several vulnerabilities being chained.”
The experts shared his findings at the DEF CON conference last week.
The “Find My Mobile” feature allows owners of Samsung devices to find their lost phones, it also allow to remotely lock a device, block access to Samsung Pay, and completely wipe the content of the device.
Char49 researcher found four vulnerabilities in Find My Mobile components that could have been exploited by a rogue app installed on the device that only requires access to the device’s SD card.
The access to the device’s SD card allows the app to trigger the first vulnerability in the attack chain, then create a file used by the attacker to intercept communications with backend servers.
Below the speech made by the experts last week at DEF CON 28SM hacking virtual conference.
The successful exploitation of the flaw would have allowed a malicious app to perform the same actions allowed by the Find My Mobile app, including force a factory reset, wipe data, locate the device, access to phone calls and messages, and lock and unlock the phone.
Char49 discovered the flaws more than a year ago, but Samsung addressed them in October 2019.
The expert explained that the exploit chain works on unpatched Samsung Galaxy S7, S8, and S9+ devices.
“This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (sdcard included), serious privacy implication via IMEI and location tracking as well as call and SMS log access,” concludes the report.
“The [Find My Mobile] application should not have arbitrary components publicly available and in an exported state. If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated.”
(SecurityAffairs – hacking, Samsung Find My Mobile)