Samsung Fires Back at NIST, Says Find My Mobile Service Safe

Samsung this week fired back at NIST who warned last month that the company’s Find My Mobile service could be exploited.

Samsung this week tried to quell recent reports that its Find My Mobile service is vulnerable to hacking, firing back at NIST (National Institute of Standards and Technology) who warned last month that the feature could be exploited.

In a blog post on the company’s global blog Tuesday, Samsung reiterated that the issue was fixed via an update on Oct. 13 and that no user information was ever compromised through the vulnerability.

“Even before the update, any data from the phone or on the server could not be accessed by the hacker,” the post read.

Late last month US-CERT/NIST warned that the Remote Controls feature on some Samsung devices failed to validate the source of lock code data that was received over a network. This meant that if an attacker wanted to cause a denial of service attack, they could lock the screen of a device by triggering what NIST calls unexpected Find My Mobile traffic.

Mohamed Baset, an Egyptian security researcher posted a pair of proof of concept videos to YouTube at the time confirming the vulnerability.

https://www.youtube.com/watch?v=Q3adkpOEjyI

https://www.youtube.com/watch?v=YufuOYQoDOY

Similar to Apple’s Find My iPhone, Samsung’s Find My Mobile uses GPS to remotely help users track and control tablets and smartphones that run Android 2.3.3 Gingerbread or later. Users can log into Samsung’s site and find their device, lock its screen, or make it ring.

In the post Samsung went on to stress that even before it was patched, an attacker would be able to lock or unlock a user’s device and make it ring, but only if four conditions were true:

1)   The attacker occupies a way to send a link containing malicious code

2)   The Find My Mobile user sets up Find My Mobile Remote control ‘ON’ at his/her device

3)   The user enters his/her ID and password and logs on Find My Mobile website (http://findmymobile.samsung.com) (If the user doesn’t use the website after log-on, it will be automatically logged out)

4)   The user clicks the link in email/instant message/SMS sent by attackers

This is the second time in the last couple of weeks that Samsung has had to come out and publicly rebuke a report critical of the way it handles device security. Two weeks ago a researcher called out the company’s Knox technology arguing that consumer versions of the product, Knox Personal, stored passwords entered in setup in clear text, among other things. Samsung answered those claims last week by insisting the researchers’ conclusions were incorrect for its enterprise version of KNOX and that the way it stores passwords and keys is based on “the best security practices.”

Suggested articles