Four critical-severity flaws were recently disclosed in the Find My Mobile feature of Samsung Galaxy smartphones, which if exploited could allow attackers to force a factory reset on the phones or spy on users.
Researchers have disclosed a slew of critical-severity flaws, since patched, in flagship Samsung smartphones, including the Galaxy S7, S8 and S9 models.
Find My Mobile
The vulnerabilities originate in Samsung's "Find My Mobile" service, a feature built into the smartphones that lets users locate their devices if they lose them.
Researchers with Char49, who discovered the four flaws, said that if a bad actor convinced a target to download a malicious application onto their device, the flaws could have been chained together to launch various insidious attacks.
Complete Data Loss
These could ultimately have resulted in complete data loss for the smartphone user (via a factory reset). Attackers could also track users’ real-time locations, spy on phone calls and messages, lock users out of their phones, or unlock phones.
In a real-life attack, that could mean that "when attacked, the device can be spied on or, in the worst-case scenario, wiped clean of all its data, without the victim even perceiving what was happening, exposing the victim to situations of blackmail and extortion," commented researchers with Char49 in an analysis of the flaws [PDF].
Researchers explained that the vulnerabilities were first reported to Samsung on Feb. 21, 2019, and quietly fixed by the company on April 7, 2019. However, the flaws were not revealed until last Friday, when Char49 researchers presented them during a DEF CON session.
Researchers also observed that no CVEs have been assigned to the flaws, as Samsung opted not to disclose the issues publicly on its website. However, Samsung did assign the bugs an internal SVE identifier (SVE-2019-14025), Samsung's own tracking mechanism for security issues, and classified the flaws as "critical."
Researchers found four vulnerabilities in total in Find My Mobile.
The first issue is that a malicious app installed on the smartphone can change the URL endpoints that Find My Mobile uses to communicate with the backend servers. In an attack situation, this means that when the Find My Mobile app makes a call to the backend servers, it "allows an attacker to create a man-in-the-middle (MiTM) scenario, monitoring Find My Mobile calls to the backend and, as we will see, to manipulate them," observed researchers.
The second issue comes from three "exported broadcast receivers" (com.sec.pcw.device.receiver.PCWReceiver) in the service that are not protected by permissions. Broadcast receivers enable applications to receive intents that are broadcast by the system or by other applications, even when other components of the application are not running. Researchers noted that sending a broadcast (com.samsung.account.REGISTRATION_COMPLETED) can cause the backend server URL endpoints to be updated to an attacker-controlled value. That means attackers can now monitor and control traffic from Find My Mobile to the backend servers.
"So now, at server side, the attacker has lots of sensitive information," revealed researchers. "To start, the victim's coarse location via the IP address of the request, but also several PIIs (personally identifiable information), both the registration ID (from the two requests) and the victim's IMEI.
This by itself allows for user tracking. The attacker also gets, among other things, device brand and other information not important for this attack scenario."
The third flaw relates to another unprotected broadcast receiver (com.sec.pcw.device.receiver.SPPReceiver). Researchers found that an attacker could trigger this flaw by sending a broadcast with a particular action to the receiver.
This results in Find My Mobile contacting the Device Management (DM) server for updates: "When Find My Mobile contacts the DM server, the DM can reply just with an equivalent to an OK or, most importantly, the accumulated actions requested by the user and missed by Find My Mobile while the smartphone was offline.
If an attacker can modify a server response to include an action of his choosing, he can tell the smartphone which action to take,” outlined researchers.
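The second and third flaws share one root cause: broadcast receivers reachable from any app on the device with no permission guarding them. Below is an added example (not Char49's or Samsung's code) of a manifest audit that flags such receivers; the sample manifest is constructed from the receiver and action names quoted above, and every PLACEHOLDER_* value is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(el, name):
    """Read an android:-namespaced attribute (android:name, android:exported, ...)."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_receivers(manifest_xml, target_sdk=30):
    """Return [(receiver_name, reason)] for receivers any other app can broadcast to.

    Reachable: android:exported="true", or android:exported absent together with an
    <intent-filter> (the implicit default before targetSdk 31).
    Unprotected: reachable and no android:permission guarding the receiver.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for rcv in root.iter("receiver"):
        exported = _attr(rcv, "exported")
        has_filter = rcv.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter and target_sdk < 31:
            reason = "implicitly exported (intent-filter, no android:exported)"
        else:
            continue  # private to the app, nothing to flag
        if _attr(rcv, "permission"):
            continue  # guarded: senders must hold the declared permission
        findings.append((_attr(rcv, "name"), reason))
    return findings


# Constructed sample manifest using the receiver and action names from the write-up;
# the PLACEHOLDER_* values are made up, and this is not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name="com.sec.pcw.device.receiver.PCWReceiver" android:exported="true">
      <intent-filter><action android:name="com.samsung.account.REGISTRATION_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.sec.pcw.device.receiver.SPPReceiver">
      <intent-filter><action android:name="PLACEHOLDER_DM_SYNC_ACTION"/></intent-filter>
    </receiver>
    <!-- hardened form: only senders holding a signature-level permission get through -->
    <receiver android:name="PLACEHOLDER_HARDENED_RECEIVER" android:exported="true"
              android:permission="PLACEHOLDER_SIGNATURE_PERMISSION"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, reason in find_unprotected_receivers(SAMPLE_MANIFEST):
        print(f"UNPROTECTED {name}: {reason}")
```

Pass `target_sdk=31` or higher to see the implicit-export case drop out, since Android 12 requires an explicit android:exported on any component with an intent filter.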
The last flaw discovered is a problem in ncml:auth-md5, a base64-encoded string that authenticates the message from the server. Researchers discovered that a problem in the authentication method lets all server replies be accepted.
“We’re pretty sure it was not supposed to be implemented like this,” commented researchers. “There is no message signing or any mechanism that prevents message modification, which is great for an attacker.”
Researchers produced an attack that chains these four flaws together. After convincing a target to install a malicious app on their device (via spear phishing or by other means), an attacker can use the flaws to carry out any action that Find My Mobile can perform.
"This attack was tested successfully on different devices (Samsung Galaxy S7, S8 and S9+). The Proof of Concept involves an APK [Android Application Package] and the server-side code that implements the logic needed to inject actions in the server responses," observed researchers.
Galaxy S10 and Note10
Samsung smartphones have been found to have various security issues over the past 12 months. In 2019, Samsung rolled out a software patch for the Galaxy S10 and Note10, addressing a flaw in both phone models that allowed their built-in fingerprint authentication sensors to be bypassed.
Also in 2019, a new way to listen in on people's mobile phone calls was uncovered after researchers discovered an attack that uses Android devices' on-board accelerometers (motion sensors) to infer speech from the devices' speakers.