A security researcher has discovered a vulnerability in Samsung’s “Find My Mobile” feature that could let hackers interfere with phones over the internet.
The Find My Mobile service lets Samsung customers track their devices, and lock or erase them if they get stolen. However, The Register reports that Mohamed Baset discovered that Samsung doesn’t properly check where requests to Find My Mobile come from. This means that hackers can impersonate the device owners and interfere with the account.
So what can hackers do with this security flaw? They can display a customised message on the phone screen, or find the phone’s most recent location on a map. A hacker who attacked someone through the service could also force phones to ring on full volume for a minute, or even erase all data on the phone.
Baset uploaded a video to YouTube showing just how easy it is to hack into Samsung phones using Find My Mobile.
The National Institute of Standards and Technology examined the hack, and issued this statement:
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.
Computer World reports that the “Find My Mobile” vulnerability was given a 7.8 score in the Institute’s seriousness scale, indicating that it could be harmful to a wide number of Samsung phone users.