Find My Phone does just one thing but Samsung's messed it up

Researcher Mohamed Baset has reported a zero-day flaw that allows hackers to lock a host of Samsung phones via the lost-device feature. Baset (@SymbianSyMoh) uploaded a proof-of-concept video to YouTube showing how to lock a Samsung phone using a cross-site request forgery vulnerability in the Find My Mobile feature. Phones …

  1. Anonymous Coward

    Still needs 'help' from the user..

    The YouTube movie starts with the following quote:

    "Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request".

    So it still boils down to "be careful what website(s) you visit". It doesn't make this attack less dangerous, obviously not, but even so the targeted users can still do a lot themselves to prevent any damage as well.

    1. Anonymous Coward

      Re: Still needs 'help' from the user..

      "Be careful what website(s) you visit" isn't terribly helpful advice, since it could be any website that accepts user-generated input and a target site that doesn't check the referrer header carefully - something which the user can hardly be expected to know. Forums that allow images are classic examples.
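The two comments above describe the mechanism (a forged request, often an image tag on a third-party forum, carried to a site that doesn't check where the request came from). The following is an added example, not code from Samsung or from the article, of the server-side check a site like Find My Mobile would need. The site origin, the `Request` shape and the endpoint paths are assumptions made for the illustration; it combines an Origin/Referer check with a synchronizer token and also refuses to run state-changing actions on GET, which is what makes image-tag forgery fail.

```python
# Added example: server-side CSRF defence for a state-changing endpoint.
# Not Samsung's code; SITE_ORIGIN, the Request shape and the paths are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://findmymobile.example"       # assumed origin of the protected site
STATE_CHANGING = {"/lock", "/unlock", "/ring", "/wipe"}  # assumed endpoint paths


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # Origin / Referer as sent by the browser
    form: dict = field(default_factory=dict)      # submitted form fields
    session_token: Optional[str] = None           # anti-CSRF token held in the user's session


def issue_token() -> str:
    """Per-session anti-CSRF token to embed in every form the site renders."""
    return secrets.token_urlsafe(32)


def _same_origin(header_value: str) -> bool:
    """Compare scheme+host of an Origin or Referer header with the site's own origin."""
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Reads of non-sensitive resources pass; anything on a state-changing path
    must be a POST, must carry a same-origin Origin/Referer, and must present a
    token that matches the one stored in the session.
    """
    method = req.method.upper()
    if req.path in STATE_CHANGING and method != "POST":
        # An <img src=...> on a forum can only produce a GET; refusing GET here
        # is what closes the image-tag vector the thread mentions.
        return False, "state-changing endpoint must not accept GET"
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        # Fail closed: a browser omitting both headers is not a form we rendered.
        return False, "missing Origin/Referer on state-changing request"
    if not _same_origin(origin):
        return False, f"cross-site request from {origin}"
    token = req.form.get("csrf_token")
    if not (req.session_token and token and hmac.compare_digest(token, req.session_token)):
        return False, "anti-CSRF token missing or mismatched"
    return True, "ok"


def run_samples():
    """Constructed sample requests: one legitimate, the rest forged or malformed."""
    tok = issue_token()
    samples = {
        "legit lock from own form": Request("POST", "/lock", {"Origin": SITE_ORIGIN},
                                            {"csrf_token": tok}, tok),
        "image tag on a forum": Request("GET", "/lock", {"Referer": "https://forum.example/t/1"},
                                        {}, tok),
        "forged POST from attacker page": Request("POST", "/lock", {"Origin": "https://attacker.example"},
                                                  {"csrf_token": tok}, tok),
        "same-origin but stale token": Request("POST", "/lock", {"Referer": SITE_ORIGIN + "/lock"},
                                               {"csrf_token": "wrong"}, tok),
        "plain status read": Request("GET", "/status", {}, {}, tok),
    }
    return {label: csrf_check(r) for label, r in samples.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

Only the legitimate POST is allowed; the image-tag request is rejected before any other check because the lock endpoint is not reachable by GET, the cross-origin POST is rejected on its Origin header, and the stale-token request is rejected even though it is same-origin. Checking the token with `hmac.compare_digest` avoids a timing side-channel on the comparison.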

  2. Anonymous Coward

    What? Sloppy code from Samsung??

    Say it isn't so!

    1. Intractable Potsherd

      Re: What? Sloppy code from Samsung??

      More accurately: "What? Sloppy code from <insert any manufacturer of anything that uses software>? Say it isn't so?"

  3. Lee D

    There's a reason that I don't automatically sign up to certain things just because I've bought a new phone and they look "cool".

    I think about the consequences if it goes wrong. Not deliberate or malicious attacks, just what could happen if a server somewhere decides to go muppet and link my ID to someone else's or something.

    When I bought myself and my girlfriend an S4 mini each the other month (having given it sufficient time to bed-in as a cheap stable device), I went through all the options, turned off or "skipped" anything that I could see going wrong. I have to say, reliance on outside servers features heavily. There are still half-a-dozen apps that prompt me every time I do an "Update All" because I don't agree with their permissioning and don't even want them anyway.

    Linking in the Samsung Account - never even did it. Find My Phone was pointless against the in-built Google one (and I do have a Google Account, and did see value in putting it on the phone). However, even there I disabled the remote-wipe / remote-lock features while still retaining the phone-tracking (lost my phone the other day - if the battery hadn't been completely dead, it would have been very handy - as it's proved itself when I've lost it in the past).

    The Samsung stuff is just junk. All the Samsung apps I've hidden or just completely uninstalled. About the only one I ever used on a previous phone was the Memo app but that's complete junk and over-complicated now, especially compared to Google Keep.

    There are reasons that I just don't turn on this kind of stuff, and lock down the settings so only I can use the device anyway. This kind of vendor-reliant junk is not only open to attack, but just open to cock-up too. I'm not saying that I'm immune, but these features are really just a problem waiting to happen.

    Internet-activated remote-wipe. God. I can see the use in business, where anything critical is backed up, all the devices are passcoded and encrypted, and when something goes missing you KNOW it's gone missing, can wipe and rebuild in a few moments if it's brought back. But for your own mobile? No. Not nowadays. Just encrypt. Without the encryption key, nobody can do anything with it. Inform your telco and get the IMEI blocked and forget about it unless you want to go and hunt it down.

    1. Vector

      "Internet-activated remote-wipe..."

      And yet, kill switches are now required on all phones sold in many US states and will soon be required across the entire US...

      At least, we can still opt out (for now)

      1. Pitbull Byte

        Re: "Internet-activated remote-wipe..."

        It's for reasons like this there's still an old Nokia handset gathering dust in the drawer.

  4. Anonymous Coward

    "Phones could be remotely locked, unlocked, or made to ring"

    Ring a phone? There's an app for that :)

    1. LaeMing

      But it costs 15 quid to download.

  5. Lallabalalla

    Chance'd be a fine thing

    Both my kids have Samsung handsets and the chances of my finding either of them using Samsung's frankly awful "find my device" webpage/system are about 1,000:1

    It's buggy, slow, unreliable and soul-destroying to use, to the point where I give my eldest my old iPhone4 if I'm really going to need to know where he's at, because the Apple version works immediately, quickly, reliably and without fail. Everything the Samsung system is not.

    I know the apple-haters and Samsung apologists will be downvoting the actual reality of my personal experience but hey. Haters gonna hate, potaters gonna potate.

    Samsung, your "find my device" stuff really really sucks.

    Apple - yours doesn't.
