NIST warns on Zero-Day flaw in Samsung FindMyMobile

Monday, October 27, 2014

Pierluigi Paganini


The National Institute of Standards and Technology is warning of the presence of a Zero-Day flaw in the Samsung FindMyMobile service.

The US-CERT/NIST is warning of a zero-day flaw that affects the Samsung FindMyMobile web service (CVE-2014-8346). Samsung FindMyMobile implements several features that allow users to locate a lost device, play an alert on a remote device, or remotely lock the mobile phone.

“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” states the security advisory issued by the NIST.

According to the NIST, the Remote Controls feature implemented by Samsung FindMyMobile fails to validate the sender of lock-code data received over a network. An attacker could remotely cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.
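An added illustration (not from the advisory and not Samsung's code) of the flaw class NIST describes: a handler that acts on lock-code data without validating its source, next to one that checks an HMAC tag and a command counter before locking. The message format, field names and key are assumptions made for this sketch; the actual Find My Mobile protocol is not described on this page.

```python
import hashlib
import hmac
import json

# Assumption: a per-device secret shared with the service at enrolment (constructed value).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

def sign_command(cmd: dict, key: bytes) -> dict:
    """Service side: attach an HMAC-SHA256 tag over the canonical command body."""
    body = json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": cmd, "tag": tag}

class Device:
    def __init__(self, key: bytes):
        self.key = key
        self.lock_code = None
        self.last_counter = 0  # highest command counter accepted so far

    def handle_unvalidated(self, msg: dict) -> bool:
        """Flawed pattern: applies any lock command, whoever sent it."""
        body = msg.get("body", {})
        if body.get("action") == "lock":
            self.lock_code = body.get("code")
            return True
        return False

    def handle_validated(self, msg: dict) -> bool:
        """Hardened pattern: verify origin and freshness before locking."""
        body, tag = msg.get("body"), msg.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return False
        expected = sign_command(body, self.key)["tag"]
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False  # sender does not hold the device key
        counter = body.get("counter")
        if not isinstance(counter, int) or counter <= self.last_counter:
            return False  # replayed or stale command
        if body.get("action") != "lock" or not isinstance(body.get("code"), str):
            return False
        self.last_counter, self.lock_code = counter, body["code"]
        return True

def demo():
    # Constructed sample messages: one unsigned, one signed by the key holder.
    forged = {"body": {"action": "lock", "code": "0000", "counter": 1}, "tag": ""}
    genuine = sign_command({"action": "lock", "code": "4821", "counter": 1}, DEVICE_KEY)
    weak, strong = Device(DEVICE_KEY), Device(DEVICE_KEY)
    return (weak.handle_unvalidated(forged), strong.handle_validated(forged),
            strong.handle_validated(genuine), strong.handle_validated(genuine))
```

The unvalidated handler accepts the unsigned message, while the validated handler rejects it, accepts the signed command once, and rejects its replay.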

The NIST rated the severity of the flaw in Samsung FindMyMobile as HIGH, and the exploitability subscore is 10.0, an index of the likelihood of exploitation.

Below are a couple of video PoCs:

https://www.youtube.com/watch?feature=player_embedded&v=YufuOYQoDOY

https://www.youtube.com/watch?feature=player_embedded&v=Q3adkpOEjyI

More information is available in the CVE Standard Vulnerability Entry for the CVE-2014-8346 flaw.

This was cross-posted from the Security Affairs blog.

Terry Juan: I agree with this article. It's all true what you said. I really appreciate your blog. It's really interesting and true, thanks for sharing. Keep updates like this amazon.com

John Smith: Great article! This highlights the danger of DDS attacks. I run my own business and it would be very detrimental if my phone suddenly stopped working. For more on my business see my website Antonio HairStyle.