Researchers have disclosed a slew of critical-severity, patched flaws in flagship Samsung smartphones – including the Galaxy S7, S8 and S9 models. The vulnerabilities specifically stem from Samsung’s “Find My Mobile” service, a feature built into the smartphones allowing users to locate their devices if they lose them.
Researchers with Char49, who discovered the four glitches, said that if a bad actor convinced a target to download a malicious application onto their device, the flaws could have been chained together to launch various, insidious attacks. These could ultimately have resulted in complete data loss for the smartphone user (via a factory reset). Attackers could also track users’ real-time locations, spy on phone calls and messages, lock users out of their phones, or unlock phones.
In a real-life attack, that could mean that “when attacked, the device can be spied on or, in the worst-case scenario, wiped clean of all its data, without the victim even perceiving what was happening, exposing the victim to situations of blackmail and extortion,” said researchers with Char49 in an analysis of the flaws [PDF].
Researchers told Threatpost that the vulnerabilities were first reported to Samsung Feb. 21, 2019, and quietly fixed by the smartphone company on April 7, 2019. However, the flaws were not disclosed until this past Friday, when Char49 researchers presented them during a DEFCON session.
Researchers also told Threatpost that there are no CVEs assigned to the flaws, as Samsung opted to not disclose the issues publicly in their website. However, Samsung did issue an internal SVE to the bugs (SVE-2019-14025), which is Samsung’s identification mechanism for security issues, and classified the flaws as “critical.”
The Flaws
Researchers found four vulnerabilities in total in Find My Mobile. The first issue is that it’s possible for a malicious app (installed on the smartphone) to change the URL endpoints that Find My Mobile uses to communicate with the backend servers. In an attack scenario, this means that when the Find My Mobile app makes a call to the backend servers, it “allows an attacker to create a man-in-the middle (MiTM) scenario, monitoring Find My Mobile call to the backend and, as we will see, to manipulate them,” said researchers.
The second issue stems from three “exported broadcast receivers” (com.sec.pcw.device.receiver.PCWReceiver ) in the service that are not protected by permissions. Broadcast receivers enable applications to receive intents that are broadcast by the system or by other applications, even when other components of the application are not running. Researchers said, sending a broadcast with a certain action (com.samsung.account.REGISTRATION_COMPLETED) can enable the backend server URL endpoints to be updated to an attacker controlled value. That means attackers can now monitor and control traffic from Find My Mobile to the backend servers.
“So now, at server side, the attacker has lots of sensitive information,” said researchers. “To start, the victim coarse location via the IP address of the request, but also several PIIs [personal identifiable information], both registrationId (from the 2 requests) and the victim’s IMEI. This alone allows for user tracking. The attacker also gets, among other things, device brand… and other information not important for this attack scenario. ”
The third flaw stems from another unprotected broadcast receiver (com.sec.pcw.device.receiver.SPPReceiver). Researchers found that an attacker could leverage this flaw by sending a broadcast with a certain action to the broadcast receiver. This results in Find My Mobile contacting the Device Management (DM) server for updates: “When Find My Mobile contacts the DM server, the DM can reply just with an equivalent to an OK or, most importantly, the accumulated actions requested by the user and missed by Find My Mobile while the smartphone was offline. And this is where an attacker can step in. If an attacker can modify a server response to include an action of his choosing, he can tell the smartphone which action to take,” said researchers.
The final flaw discovered is a glitch in ncml:auth-md5, a base64 coded string that authenticates the message from the server. Researchers found that an issue in the authentication method allows the server to accept all server replies.
“We’re pretty sure it was not supposed to be implemented like this,” said researchers. “There is no message signing or any mechanism that prevents message modification, which is great for an attacker.”
Researchers formed an attack that could chain these four flaws together. By convincing a target to install a malicious app on their device (via spear phishing or by other means), these flaws can allow an attacker to carry out any action that Find My Mobile can perform.
“This attack was tested successfully on different devices (Samsung Galaxy S7, S8 and S9+). The [Proof of Concept] involves an APK [Android Application Package] and the server-side code that implements the logic needed to inject actions in the server responses,” said researchers.
Samsung smartphones have been found to have various security issues over the past year. Last year, Samsung rolled out a software patch for the Galaxy S10 and Note10, addressing glitches in both phone models that allow the bypass of their built-in fingerprint authentication sensors. Also in 2019, a new way to eavesdrop on people’s mobile phone calls was uncovered after researchers unveiled an attack making use of Android devices’ on-board accelerometers (motion sensors) to infer speech from the devices’ speakers.
Threatpost has reached out to Samsung for commented on the patched flaws.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.