The National Institute of Standards and Technology is warning of the presence of a Zero-Day flaw in the Samsung FindMyMobile service.
The US-CERT/NIST is warning of the presence of a zero-day flaw that affects the Samsung FindMyMobile web service (CVE-2014-8346). The Samsung FindMyMobile implements several features that allow users to locate the lost device, to play an alert on a remote device or to lock remotely the mobile phone.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.” states the security advisory issues by the NIST.
According to the NIST the Remote Controls feature implemented by the Samsung FindMyMobile fails to validate the sender of a lock-code data received over a network, an attacker could cause a denial of service remotely (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.
The NIST rated the severity of the flaw in the Samsung FindMyMobile as HIGH, but the the exploitability subscore is 10.0, that is an index of the likelihood of exploitation.
Below a couple of video POCs:
More info are available on the CVE Standard Vulnerability Entry for the CVE-2014-8346 flaw.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.