Samsung clarifies Find My Mobile vulnerability

Samsung has broken its silence regarding a reported security exploit in its Find My Mobile service. That security hole could potentially have let hackers remotely lock, unlock, and ring a targeted device through Samsung's web service. Scary as that may sound, the OEM insists that not only would the hackers be limited to those three actions, but a specific set of circumstances would also be required for the exploit to work, which hopefully leaves the majority of users unaffected and out of harm's way.

First, to calm worried souls, Samsung plugged the hole in an update on October 13, a good week before the National Institute of Standards and Technology (NIST) posted its vulnerability bulletin. And even before then, Samsung claims, no user data was compromised, since no data from either the phone or Samsung's server could be accessed through that particular security hole anyway. All hackers could really do was lock, unlock, and ring a phone.

To be clear, the bug actually lay in the web half of the Find My Mobile service and not in the software found on users' smartphones. That said, a large hole in a security feature is still something to worry about and could lead to questions about the whole system's integrity. For now, however, we'll just focus on the problem at hand. The vulnerability in question allowed miscreants to mount a Denial of Service (DoS) attack on Samsung's Find My Mobile web service in order to remotely control the phone in those three ways.

Samsung, however, says that four conditions must all be met for this to happen. First, the hacker must have a way to send the user a link to the web service carrying the malicious code. Second, the user must have the Find My Mobile remote control feature turned on for his or her mobile device, which, under normal circumstances, is a good idea. Third, the user must currently be logged into Find My Mobile on the web. And finally, the user, for one reason or another, must click on the malicious link sent by the attacker. If even one of these conditions is not met, the reported intrusion will not take effect.

It is good that Samsung was able to address this quickly; otherwise it could potentially have lost more credibility in the enterprise market. The company has been intent on making inroads in that sector, presenting its KNOX security framework as the ideal solution for businesses in place of former favorite BlackBerry. But both KNOX and Find My Mobile have proven rather brittle in some areas, so it might still take a while before Samsung truly becomes a household name in that part of the industry.

SOURCE: Samsung