Friday, October 23, 2015

Firefox Find My Device Service Lets Hackers Wipe or Lock Phones, Change PINs

A variation on an older Samsung Find My Mobile attack

Vulnerabilities in Mozilla's Find My Device service enabled hackers to carry out attacks that locked the screens of smartphones running Firefox OS, changed PINs, made the devices ring, and even wiped all data with only a few clicks.

The Firefox Find My Device service allows users who've lost their Firefox OS phone to lock it or see its location on a map, and then retrieve it or direct law enforcement to the thief's location. The service is extremely usable and is similar to the feature Apple has offered iPhone users for years.

A variation of CVE-2014-8346 that affected the Samsung Find My Mobile service

Egyptian security researcher Mohamed A. Baset is "guilty" of discovering this flaw, which seems to be a variation (but it's not) of CVE-2014-8346, a security vulnerability that affected the Samsung Find My Mobile service.

For that vulnerability, also revealed by Mr. Baset, the National Institute of Standards and Technology gave a CVSS (Common Vulnerability Scoring System) score of 7.8 out of 10, but it got a 10 for exploitability, meaning it was quite easy to carry out and did not require many technical skills from an attacker.

According to Mr. Baset's findings, by loading the Firefox Find My Device website inside a hidden iframe on other sites, via basic clickjacking techniques, a hacker would have been able to carry out attacks that would lock or unlock the phone's screen, set a new PIN only known by the attacker, or make the phone ring at maximum volume for one minute, even if set in vibrate or silent mode.

While these actions seem more like bad pranks, they would allow criminals who stole phones to craft a Web interface through which they could unlock PIN-protected phones with the push of a button.
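The hidden-iframe technique described above only works when the target page agrees to render inside a frame on another origin. As an added example (not from the article, Mr. Baset or Mozilla), the function below classifies a response's anti-framing headers the way browsers apply them; the function name and the sample header values in the comments are constructed, and one policy per Content-Security-Policy header is assumed.

```javascript
// Added example: who may frame a page, judged from its response headers.
// Input: plain object of header name -> value.
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced CSP frame-ancestors directive replaces X-Frame-Options.
  // Content-Security-Policy-Report-Only is deliberately not read: it never blocks.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const src = rest.map((s) => s.toLowerCase());
    // '*' or a bare scheme lets any site (of that scheme) embed the page.
    if (src.some((s) => s === '*' || s === 'http:' || s === 'https:'))
      return { framable: 'anyone', via: 'csp' };
    // An empty source list matches no origin, same as 'none'.
    if (src.length === 0 || src.every((s) => s === "'none'"))
      return { framable: 'nobody', via: 'csp' };
    if (src.every((s) => s === "'self'"))
      return { framable: 'same-origin', via: 'csp' };
    return { framable: 'allowlist', via: 'csp', sources: src };
  }

  // X-Frame-Options may carry several comma-separated values.
  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map((s) => s.trim().toLowerCase()).filter(Boolean));
  const valid = ['deny', 'sameorigin'].filter((v) => xfo.has(v));
  // Differing values with a valid one among them: the frame is blocked.
  if (xfo.size > 1 && valid.length > 0) return { framable: 'nobody', via: 'xfo' };
  if (xfo.size === 1 && valid.length === 1)
    return { framable: valid[0] === 'deny' ? 'nobody' : 'same-origin', via: 'xfo' };
  // Header missing, or only unrecognised values such as the obsolete ALLOW-FROM.
  return { framable: 'anyone', via: 'none' };
}

// Constructed samples:
//   framingProtection({ 'X-Frame-Options': 'DENY' })
//   framingProtection({ 'Content-Security-Policy': "frame-ancestors 'self'" })
```

A result of `anyone` on a page that performs state-changing actions for a logged-in user is the condition the attack depends on.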

Some differences exist: attackers can wipe phones clean of their data

As Mr. Baset told Softpedia, despite having similar outcomes, "the two vulnerabilities are not related. Even the vulnerabilities themselves are different, Samsung's was vulnerable to a CSRF attack but Mozilla's is vulnerable to a ClickJacking attack."

Unlike the Samsung Find My Mobile vulnerability, the one affecting Firefox's service also allowed attackers to wipe the phones clean, which poses more risk since valuable data can be lost if not properly backed up.

The good news is that this attack needs users to be logged in on the service with their Firefox account, which very few people use. Additionally, more clicks are needed to perform the attacks, ranging from 2 to 4, based on the desired malicious action.

The vulnerability was reported to Mozilla back in March, and it was patched yesterday.

Below is a YouTube video of the Samsung Find My Mobile hack. The Mozilla Find My Device attack should work in a similar fashion.


UPDATE: The article was updated with Mr. Baset's statement, which clarified how the two attacks were different.
