The US-CERT/NIST is warning of a zero-day flaw affecting the Samsung FindMyMobile web service (CVE-2014-8346). Samsung FindMyMobile implements several features that allow users to locate a lost device, play an alert on a remote device, or lock the mobile phone remotely.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” states the security advisory issued by the NIST.
According to the NIST, the Remote Controls feature implemented by Samsung FindMyMobile fails to validate the sender of lock-code data received over the network. Because the origin of a lock command is not checked, an attacker could remotely cause a denial of service (locking the screen with an arbitrary code) by triggering unexpected Find My Mobile network traffic.
The NIST rated the severity of the flaw in Samsung FindMyMobile as HIGH, and the exploitability subscore is 10.0, the maximum value for that index of the likelihood of exploitation.
Below are a couple of video PoCs:
More information is available in the CVE Standard Vulnerability Entry for the CVE-2014-8346 flaw.
Security Affairs – (samsung findmymobile, CVE-2014-8346)