“Find my phone” type apps are numerous – just go to the Google Play Store and have a quick search. But one of the main features of newer Samsung top tier devices is that they have this capability built in with the “Find My Mobile” service. But the National Institute of Standards and Technology (NIST) has just sounded a warning, saying that the feature a real security vulnerability and is very much “hackable”.
The NIST has published this in a report and has shown two proof-of-concept videos that demonstrate the Cross-Site Request Forgery (CSRF) vulnerabilities in the Find My Mobile service. This then allows a “denial of service” attack, which constitutes of the hacked being able to remotely lock, unlock and ring the phone – which are incidentally the main functions of the Find My Mobile feature.
You see, Samsung’s Find My Mobile remote control features include being able to lock a lost device, causing a lost device to ring at maximum volume for a minute even if set on vibrate, device location, and wiping lost device data among others. The hack allows the attacker to do this in reverse. See the videos below.
A small comfort is this – the service is not enabled by default. But please note that it is automatically enabled when you register for a Samsung account. If you have the feature activated, it might be a good idea to turn it off for now. We will be waiting for Samsung’s reply to this vulnerability, which could possibly be in the form of an OTA firmware update.
VIA: Computer World