A zero-day vulnerability in Samsung’s Find My Mobile service allows an attacker to remotely lock a user’s smartphone.

By exploiting the zero-day vulnerability in Samsung’s ‘Find My Mobile’ service, an attacker can remotely lock, unlock and ring the phone.

The vulnerability affects all Samsung smartphones that support the Find My Mobile web service.

A dangerous zero-day vulnerability has been found in Samsung’s Find My Mobile service. According to Computerworld, a hacker can use it to remotely lock a user’s smartphone. Samsung’s Find My Mobile service lets a user remotely control a lost smartphone: lock the device, make it ring, view the call log, wipe all data from the device, register a personal assistant (a trusted contact who can help recover the device), or turn on a notification when the SIM card is changed.

The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (locking the screen with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

The vulnerability affects all Samsung smartphones whose users are signed in to a Samsung account and have activated Find My Mobile. Simply opening the Galaxy Apps or Samsung Hub application preinstalled on the Korean manufacturer’s devices can be enough to expose the smartphone to this attack.

NIST’s National Vulnerability Database (NVD) links to two proof-of-concept videos made by Egyptian researcher Mohamed Baset. They show how the CSRF (cross-site request forgery) vulnerability lets an attacker remotely lock or unlock a smartphone and make it ring.

CVE-2014-8346: Zero-day vulnerability

Severity: High (zero-day vulnerability)

Fix available: No

Number of vulnerabilities: 1

CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE ID: CVE-2014-8346

Exploitation vector: Remote

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows disruption of service

Product: Samsung mobile devices

Description:

[CVE-2014-8346] The vulnerability allows a remote attacker to cause a denial of service (locking the screen with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

The vulnerability exists because the Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network: a request that carries the user’s session is accepted regardless of which site caused the browser to send it.
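To show the mechanism behind the CSRF proof-of-concept videos and the description above, the following is an added example (not code from Samsung or from the researcher) that models a remote-lock endpoint in Python. The vulnerable handler, like the Remote Controls feature, accepts a lock code from any origin as long as the victim’s session cookie is present; the hardened handler additionally requires a matching Origin header and a session-bound anti-CSRF token that an attacker’s page cannot read. The endpoint, cookie and header names, the origins, and the request objects are constructed for this example and are not the real Find My Mobile protocol.

```python
"""Model of a CSRF-vulnerable "remote lock" endpoint and its hardened form.

Constructed example: the origins, cookie name, parameters and Request/Device
objects below are hypothetical and do not describe Samsung's real service.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVICE_ORIGIN = "https://findmymobile.example"   # hypothetical service origin
ATTACKER_ORIGIN = "https://evil.example"          # hypothetical attacker site

# Server-side secret used to derive per-session anti-CSRF tokens.
SECRET = secrets.token_bytes(32)
# Session cookie value -> the device that session controls.
SESSIONS: Dict[str, "Device"] = {}


@dataclass
class Request:
    cookies: Dict[str, str]
    headers: Dict[str, str]
    params: Dict[str, str]


@dataclass
class Device:
    locked: bool = False
    lock_code: Optional[str] = None


def create_session(device: Device) -> str:
    """Log a user in and return the session cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = device
    return sid


def csrf_token_for(sid: str) -> str:
    """Token bound to the session: only pages served from SERVICE_ORIGIN can
    embed it, so a cross-site form cannot supply a valid one."""
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()


def lock_vulnerable(req: Request) -> Tuple[int, str]:
    """Root cause modelled on CVE-2014-8346: the caller is identified only by
    the session cookie, which the browser attaches to cross-site requests
    too, and the lock code is taken from whoever sent the request."""
    device = SESSIONS.get(req.cookies.get("sid", ""))
    if device is None:
        return 401, "no session"
    device.locked = True
    device.lock_code = req.params["code"]
    return 200, "locked"


def lock_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint with source validation: reject requests whose Origin is
    not the service itself (fail closed if absent) and require a valid
    session-bound anti-CSRF token before applying the lock code."""
    sid = req.cookies.get("sid", "")
    device = SESSIONS.get(sid)
    if device is None:
        return 401, "no session"
    if req.headers.get("Origin") != SERVICE_ORIGIN:
        return 403, "bad origin"
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return 403, "bad csrf token"
    device.locked = True
    device.lock_code = req.params["code"]
    return 200, "locked"


def forged_request(sid: str) -> Request:
    """What the victim's browser sends when an attacker page auto-submits a
    form to the service: the session cookie rides along, Origin names the
    attacker's site, and no anti-CSRF token is known."""
    return Request(cookies={"sid": sid},
                   headers={"Origin": ATTACKER_ORIGIN},
                   params={"code": "1337"})


def legitimate_request(sid: str, code: str) -> Request:
    """A request from the service's own page, carrying the embedded token."""
    return Request(cookies={"sid": sid},
                   headers={"Origin": SERVICE_ORIGIN},
                   params={"code": code, "csrf": csrf_token_for(sid)})


def demo() -> Dict[str, tuple]:
    """Run the forged request against both handlers and a legitimate request
    against the hardened one; return the outcomes for inspection."""
    results = {}
    dev = Device()
    sid = create_session(dev)
    status, _ = lock_vulnerable(forged_request(sid))
    results["vulnerable_forged"] = (status, dev.locked, dev.lock_code)

    dev2 = Device()
    sid2 = create_session(dev2)
    status2, _ = lock_hardened(forged_request(sid2))
    results["hardened_forged"] = (status2, dev2.locked)
    status3, _ = lock_hardened(legitimate_request(sid2, "4242"))
    results["hardened_legit"] = (status3, dev2.locked, dev2.lock_code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Against the vulnerable handler the forged request locks the device with the attacker’s code (1337) even though the victim never visited the service; against the hardened handler it is refused, while the user’s own request still succeeds. Marking the session cookie `SameSite=Lax` or `Strict` is a further browser-side layer, but the server-side token and origin checks are what close the hole regardless of client.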

Solution: We recommend that all users temporarily disable Find My Mobile, since continuing to use it is a security risk until a fix is released. Open the smartphone’s settings menu, select “More” – “Find my phone” and turn it off.