Samsung Find My Mobile bug lets hackers remotely lock devices


Millions of Samsung devices are at risk of attack due to a vulnerability in the firm's Find My Mobile service.

An Egyptian security researcher has discovered a way to hack into the service and remotely unlock handsets from a PC.

Once a hacker has access to a device, they can also change the PIN code, rendering it useless to the owner.

Samsung devices are at risk of attack due to a vulnerability in its Find My Mobile service (pictured). Security experts have discovered a way to hack into the service and remotely unlock handsets from a PC. Once a hacker has access to a device, they can also change the PIN code, rendering it useless to the owner

WHAT IS FIND MY MOBILE?

Find My Mobile is automatically enabled when a user registers for a Samsung Account.

It lets users remotely lock and wipe their devices if they're lost or stolen, and is also used to help locate a missing device.

The 'Ring my device' feature sounds the default ringtone at its maximum volume for one minute, regardless of any sound or vibration settings.

By sounding the ringtone, it can alert people to the lost device, increasing the chances of it being found.

Its Call logs feature additionally lets users see a list of recent calls, and if the SIM card is changed, the owner is informed.

Uses beyond this are not known, and it is unclear whether hackers will be able to exploit it further to access personal information on the device.

Mohamad Baset has posted a proof-of-concept video that shows him hacking a device, unlocking it, changing the greeting message and remotely calling it. 

His hack is carried out through a web browser on a PC.

There are three modes of attack seen in the video: remote mobile device lock, remote mobile device unlock, and remote mobile device ring.

The flaw has also been reported by the National Institute of Standards and Technology (NIST) in the US on its National Vulnerability Database (NVD).

The security researchers have given it a high-severity rating of 7.8, with an 'exploitability sub-score' of 10.0. 

This means it is a relatively easy hack and doesn't require authentication.

NIST's vulnerability report explained: 'The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network.

'[This] makes it easier for remote attackers to cause a denial of service - screen locking with an arbitrary code - by triggering unexpected Find My Mobile network traffic.' 

Egyptian researcher Mohamad Baset has posted a proof-of-concept video (screengrab pictured) that shows him hacking a device, unlocking it, changing the greeting message and remotely calling it. The flaw has also been reported by the National Institute of Standards and Technology (NIST)

The flaw affects any Samsung device with Find My Mobile enabled (Galaxy S5 pictured)

Samsung has not yet responded to MailOnline's request for information.

The flaw affects any Samsung device that has enabled the Find My Mobile service.  

To protect themselves, users can check the service's access settings by opening Menu, then Settings, Location and security, and Find My Mobile.