US National Institute of Standard and Technology (NIST) reported a Zero-day vulnerability in Samsung’s FindMyMobile web service. The Vulnerability codenamed (CVE-2014-8346) allows a hacker to remotely control a Samsung smartphone by triggering unexpected FindMyMobile traffic.
The Popular FindMyMobile web service enables Samsung users to track their lost devices. Users can remotely execute commands such as ringing their lost phones, making messages appear on the screen, setting up new passcodes or remotely erasing all data on the lost device where it impossible to retrieve it.
According to the security advisory issued by NIST, security features on the service fail to authenticate the sender of a lock-code command. This implies a hacker can easily log into FindMyMobile web service and remotely control your device. By doing so, the hacker can wipe out all data on the devices, change the passcode or completely lock the phones causing a denial of service attack.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.” states the security advisory issued by the NIST.
The vulnerability has been ranked as a high security threat with a CVSS (Common Vulnerability Scoring System) count of 7.8 and an impact sub-score of 6.9 but with a low exploitability index of 10.1. Samsung is yet to release a patch nor comment on the vulnerability affecting it web service.
Technically, Zero day Vulnerabilities are design and implementation flaws in operating systems or computer App that developers had no time to address or Patch. They are known as “Zero-day” vulnerabilities because the developer never had no time (Zero-days) to fix the flaw. They are common in the Tech world because cybercriminals are always on the look-out, trying to find new ways to infiltrated computer systems.
Last week Microsoft reported a Zero-day vulnerability in a majority of its Windows operating systems including its latest Windows 8.1. The security flaw residing in the operating system code for handling OLE (Object Linking and Embedding) allowed a hacker to take full control of a compromised machine.
“The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said the Tech giant. Microsoft a released a temporary patch in addition to other available mitigation factors on its security advisory.