A zero-day flaw in Samsung’s Find My Mobile system that can be exploited with very little effort to remotely lock a target’s phone has been uncovered by programmer and researcher Mohamed Abdelbaset.
The cross-site request forgery (CSRF) vulnerability exists because the Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network.
This allows remote attackers to lock the device’s screen, effectively causing a denial of service. They can also make the phone ring.
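The missing source check described above, sketched as an added example (not Samsung's code and not part of the original article): a server-side gate that refuses a remote-lock request unless it demonstrably came from the service's own console. The origin `https://console.example`, the field names `lock_code` and `csrf_token`, and all function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the legitimate web console (placeholder, not a real host).
ALLOWED_ORIGINS = {"https://console.example"}


def new_csrf_token():
    """Per-session random token that the console embeds in its own forms."""
    return secrets.token_urlsafe(32)


def request_origin(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def validate_lock_request(method, headers, form, session):
    """Return (allowed, reason) for a remote-lock request.

    A session cookie alone proves nothing about intent, because the browser
    attaches it to requests that a third-party page triggers as well.
    """
    if method != "POST":
        return False, "state-changing action must use POST"
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False, "request did not originate from the console"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one from the console's own form, one cross-site.
    session = {"csrf_token": new_csrf_token()}
    own = {"lock_code": "1234", "csrf_token": session["csrf_token"]}
    print(validate_lock_request("POST", {"Origin": "https://console.example"}, own, session))
    print(validate_lock_request("POST", {"Origin": "https://other.example"}, {"lock_code": "1234"}, session))
```

Either check on its own would stop a forged cross-site request; applying both keeps the lock action protected if one of them is bypassed or misconfigured.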
Abdelbaset demonstrated the attack in a video.
The vulnerability has received a 7.8 risk score (out of 10) from US-CERT/NIST due to its impact and easy exploitability. Samsung has been notified of its existence and is currently investigating the matter.
Users who are worried about it can simply disable the Find My Mobile feature until the flaw is patched.
While it’s difficult to see this type of attack being leveraged against a great number of users, there is always the possibility that someone will start locking devices and asking for ransom. In fact, a very similar episode happened earlier this year to Australian Apple device users.