A variation on an older Samsung Find My Mobile attack
Vulnerabilities in
Mozilla's Find My Device service enabled hackers to carry out attacks
that locked the screens of smartphones running Firefox OS, change PINs,
make the devices ring, and even wipe all data with only a few clicks.
The Firefox Find My Device service allows users
who've lost their Firefox OS phone to lock it or see its location on a
map and retrieve it or direct law enforcement to the thief's location.
The service is extremely usable and is a similar feature to what Apple
has been offering for years for iPhone users.
A variation of CVE-2014-8346 that affected the Samsung Find My Mobile service
Egyptian security researcher Mohamed A. Baset is
"guilty" of discovering this flaw, which seems to be a variation (but
it's not) of CVE-2014-8346, a security vulnerability that affected the Samsung Find My Mobile service.
For that vulnerability, also revealed by Mr. Baset,
the National Institute of Standards and Technology gave a CSVV (Common
Vulnerability Scoring System) score of 7.8 out of 10, but got a 10 for
exploitability, meaning it was quite easy to carry out, without too many
technical skills being needed by an attacker.
According to Mr. Baset's findings, by loading the
Firefox Find My Device website inside a hidden iframe on other sites,
via basic clickjacking techniques, a hacker would have been able to
carry out attacks that would lock or unlock the phone's screen, set a
new PIN only known by the attacker, or make the phone ring at maximum
volume for one minute, even if set in vibrate or silent mode.
While these actions seem more like bad pranks, they
would allow criminals who stole phones to craft a Web interface through
which they could unlock PIN-protected phones with the push of a button.
Some differences exist, attackers can wipe phones clean of their data
As Mr. Basat told Softpedia, despite having similar
outcomes, "the two vulnerabilities are not related. Even the
vulnerabilities themselves are different, Samsung's was vulnerable to a
CSRF attack but Mozilla's is vulnerable to a ClickJacking attack."
Unlike the Samsung Find My Mobile vulnerability, the
one affecting Firefox's service also allowed attackers to wipe the
phones clean, which poses more risk since valuable data can be lost if
not properly backed up.
The good news is that this attack needs users to be
logged in on the service with their Firefox account, which very few
people use. Additionally, more clicks are needed to perform the attacks,
ranging from 2 to 4, based on the desired malicious action.
The vulnerability was reported to Mozilla back in March, and it was patched yesterday.
Below is a YouTube video of the Samsung Find My Mobile hack. The Mozilla Find My Device attack should work in a similar fashion.
UPDATE: The article was updated with Mr. Basat statement, which clarified how the two attacks were different.
No comments:
Post a Comment
Spammers, stay out. Only political and video game discussion here.