It’s not been a good week for Samsung… first there was the news that Samsung’s KNOX was storing relatively easily decryptable passwords, and over this weekend it’s that the Find My Mobile application doesn’t bother to validate whether the person requesting access is really someone who should have it.
Among other things the vulnerability allows attackers to lock your phone, ring the device, unlock the phone, change the PIN, read your call logs, register a personal guardian (I do not know what that means), or receive information when a SIM is changed.
This means an attacker can see everyone you called; if they find your phone, all it takes is faking a Find My Mobile (FMM) request to the device to change the code and give themselves complete access; they can also, if so inclined, remotely hijack your phone for ransom (although that seems a bit unlikely).
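The core problem described above is a remote-management endpoint that executes commands without establishing who sent them. The toy below is an added illustration, not Samsung’s code or anything derived from the FMM protocol: it puts the weak pattern (execute any well-formed command) next to a hardened handler that only acts on commands carrying a valid HMAC from a per-device key, a fresh timestamp, and an unused nonce. The key, command names, and field layout are all constructed for the example.

```python
"""Toy remote-management handler: the unauthenticated pattern beside a hardened one."""
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical per-device secret shared between the phone and the owner's account.
# Constructed sample value for this example only.
DEVICE_KEY = b"constructed-sample-device-key"

# Command names are our own; they mirror the capabilities listed in the post.
ALLOWED_COMMANDS = {"lock", "unlock", "ring", "change_pin", "read_call_log"}

FRESHNESS_WINDOW = 300  # seconds a signed command remains acceptable


class Device:
    """Minimal device state so the handlers have something observable to change."""

    def __init__(self):
        self.locked = False
        self.pin = "0000"
        self.audit = []  # (command, accepted, reason) for detection/review

    def execute(self, command, arg=None):
        if command == "lock":
            self.locked = True
        elif command == "unlock":
            self.locked = False
        elif command == "change_pin":
            self.pin = arg
        # "ring" and "read_call_log" change no state in this toy
        self.audit.append((command, True, "executed"))


def handle_unauthenticated(device, request):
    """Weak pattern: any request naming a known command is executed.
    Nothing here proves the request came from the account holder."""
    command = request.get("command")
    if command not in ALLOWED_COMMANDS:
        device.audit.append((command, False, "unknown command"))
        return False
    device.execute(command, request.get("arg"))
    return True


def _canonical(command, arg, nonce, timestamp):
    # Fixed field order so signer and verifier hash identical bytes.
    return json.dumps(
        {"command": command, "arg": arg, "nonce": nonce, "ts": timestamp},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_command(key, command, arg=None, now=None):
    """What a legitimate account backend would send: the command plus a nonce,
    a timestamp, and an HMAC-SHA256 over all of those fields."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, _canonical(command, arg, nonce, now), hashlib.sha256).hexdigest()
    return {"command": command, "arg": arg, "nonce": nonce, "ts": now, "mac": mac}


def handle_authenticated(device, request, key, seen_nonces, now=None):
    """Hardened handler: reject anything not signed by the key holder, not fresh,
    or already seen. Each rejection reason is logged for detection."""
    now = int(time.time()) if now is None else now
    command = request.get("command")
    if command not in ALLOWED_COMMANDS:
        device.audit.append((command, False, "unknown command"))
        return False
    try:
        expected = hmac.new(
            key, _canonical(command, request.get("arg"), request["nonce"], request["ts"]),
            hashlib.sha256,
        ).hexdigest()
    except KeyError:
        device.audit.append((command, False, "missing auth fields"))
        return False
    # Constant-time comparison; any tampered field changes the canonical bytes.
    if not hmac.compare_digest(expected, request.get("mac", "")):
        device.audit.append((command, False, "bad signature"))
        return False
    if abs(now - request["ts"]) > FRESHNESS_WINDOW:
        device.audit.append((command, False, "stale"))
        return False
    if request["nonce"] in seen_nonces:
        device.audit.append((command, False, "replay"))
        return False
    seen_nonces.add(request["nonce"])
    device.execute(command, request.get("arg"))
    return True


if __name__ == "__main__":
    weak = Device()
    print("unauthenticated unlock accepted:", handle_unauthenticated(weak, {"command": "unlock"}))
    hard, seen = Device(), set()
    print("unsigned unlock accepted:", handle_authenticated(hard, {"command": "unlock"}, DEVICE_KEY, seen))
    print("signed lock accepted:", handle_authenticated(hard, sign_command(DEVICE_KEY, "lock"), DEVICE_KEY, seen))
```

The audit list is the part a defender cares about most: a burst of "bad signature" or "replay" rejections against one device is exactly the signal the unauthenticated version could never produce, because it never distinguished an owner’s request from anyone else’s.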
It seems like if you’re expecting security in a phone these days, Samsung is not where to look for it, as neither this nor the KNOX password storage issue was a crazy out-there hack.
You can find the Find My Mobile service by going to Settings, Security, Find My Mobile. I don’t have a Sammy in front of me at the moment, so I can’t tell you the next steps to deactivate it. Evidently the service is installed and operating by default if you’ve registered for a Samsung account, but if you haven’t, it probably is not active.
While Samsung beat Apple to the punch by nearly two years when it came to hardware, it seems they’re doing their very best right now to convince even non-Apple fanboys that Apple is the way to go for mobile security.
Meanwhile Android Device Manager sits back and snickers. [computerworld]