
Tag: Samsung Galaxy S6

Boffins break Samsung Galaxies with one SMS carrying WAP crap

S4 and S5: A single TXT message is enough to cause Samsung S5 and S4 handsets to return to factory settings, likely wiping users' data along the way.

And because the attack exploits Android's innards, other vendors' handsets are at risk. The vulnerabilities, thankfully patched by Samsung, mean attackers can send WAP configuration messages that will be blindly applied by the affected devices once received, without the need to click on links.

Attacks that send affected devices into boot loops can also be reversed and set to stable by a good configuration SMS, opening avenues for ransomware attacks, Contextis hackers Tom Court (@tomcourt_uk) and Neil Biggs say. Newer Samsung Galaxy S6 and S7 models will not blindly accept the messages sent over the 17-year-old protocol.

The pair of researchers have penned a three-part series explaining the attack surface of Android SMS and the WAP suite. Court and Biggs combined two bugs to produce the denial of service attack that forces unpatched and non-rooted phones to factory reset. Users of rooted Samsung devices can enter the adb settings to delete the malicious configuration file default_ap.conf.

"The complexity of exploiting an Android device in recent years has escalated to the point that more often than not a chain of bugs is required to achieve the desired effect," Court and Biggs say. "This case is no different and we have shown here that it took two bugs to produce a viable attack vector, combined with some in-depth knowledge of the bespoke message format."

The pair explain the attack in detail, finding that no authentication is used to protect OMA CP text messages.
They also found a remote code execution vulnerability on Samsung devices, on the S5 and below, detailed in the following CVEs:

CVE-2016-7988 – No Permissions on SET_WIFI Broadcast receiver
CVE-2016-7989 – Unhandled ArrayIndexOutOfBounds exception in Android Runtime
CVE-2016-7990 – Integer overflow in libomacp.so
CVE-2016-7991 – omacp app ignores security fields in OMA CP message

"Given the reversible nature of this attack, it does not require much imagination to construct a potential ransomware scenario for these bugs," the pair say. "Samsung have now released a security update that addresses these among other vulnerabilities and, as is our usual advice, it is recommended that users prioritise the installation of these updates."

They left discovery of how the bugs apply to other phones as an exercise for other hackers. Vulnerabilities were reported to Samsung in June, fixed in August, and patched on 7 November with disclosure made overnight.

Professor Uses Enhanced 2D Fingerprints to Unlock Smartphone

An MSU professor and his team used enhanced 2D fingerprints to unlock a Samsung Galaxy phone, offering a reminder of the now-quiet encryption debate.

Back in February, as Apple and the FBI legally and politically wrangled over the locked iPhone of San Bernardino, Calif., terrorist Syed Farook, more than one online commenter suggested using the finger of the deceased Farook to unlock the phone. That wouldn't have worked because the skin of living people is conductive, and that's part of what biometric phone locks respond to.

So explained Anil Jain, a distinguished professor of computer science and engineering at Michigan State University, who, with doctoral student Sunpreet Arora and postdoctoral student Kai Cao, figured out how to unlock the Samsung Galaxy S6 of a different dead man, using his inky fingerprints from a previous arrest. The man had been murdered, and Michigan State University Police Department Detective Andrew Rathburn hoped that his phone contained clues as to who had done it.

According to MSU Today, Rathburn Googled "spoof fingerprint" and was shocked and delighted to come across the fingerprint-related work of Jain and his team, right at MSU.

"The fingerprints they provided us were just ink on paper, which doesn't have a conductive property," Jain told NPR, in a July 27 report. "So the first thing we tried was to print the fingerprints on a special conductive paper, just like a photographic paper."

That didn't work the first time, so Jain and his team turned to more expensive 3D alternatives: a $250,000 machine that took 40 minutes per finger to reproduce each fingertip, and a $600,000 machine that added a conductive, metallic coating. That plan—still less expensive than the reported $1.3 million the FBI ultimately paid a group of hackers to unlock Farook's phone—didn't work either, which sent Jain and his team back to Plan A.

This time, they turned to an image-enhancing algorithm, which filled in light or missing spots to create a more precise print. The team called Rathburn to bring back the smartphone, and this time it worked.

"Lucky for us, this phone did not require a passcode after a fixed number of failed attempts with fingerprints," Jain told MSU Today. "This allowed us to try different digitally enhanced fingerprints."

"My team is not in the business of hacking phones, but in the research side of the fingerprint technology," he said. "Hopefully, our ability to unlock this phone will motivate phone developers to create advanced security measures for fingerprint liveness detection."

The Encryption Issue

The FBI filed a court order Feb. 16, insisting that Apple assist law enforcement agents in unlocking Farook's iPhone 5C. Apple CEO Tim Cook pushed back, saying the FBI was asking Apple engineers to write new code, which he said violated their civil rights, set a dangerous precedent and would essentially create a key that could, terrifyingly, unlock any door.

"The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers—including tens of millions of American citizens—from sophisticated hackers and cyber-criminals," Cook said in a statement. "The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe."

After the hackers successfully unlocked the iPhone, the FBI dropped the case, saying in a March 28 status report with the court that it "no longer requires the assistance from Apple."

FBI Director James Comey, in a speech at Kenyon College April 6, called litigation a "terrible place" to have the important security, privacy and civil rights conversations that need to take place.

"It is a good thing that the litigation is over. But it is a bad thing if the conversation ended," said Comey.

Lawmakers agreed, insisting that ongoing conversations are necessary to address an issue that, far from going away, will only be exacerbated. On March 21, House of Representatives Judiciary Committee Chairman Bob Goodlatte, R-Va., announced a bipartisan Encryption Working Group.

And on June 22, the group offered an update on their progress. Key takeaways from their meetings to date, they announced, are that encryption is a good thing; there are "technical obstacles" to legislative mandates that "require special access to law enforcement"; there are opportunities for companies to enhance their training and support for law enforcement; and increased cooperation between law enforcement and the private sector could help break down "adversarial walls."

"We continue to meet with a variety of federal, state and local government entities, former government officials, private industry and trade associations, civil society organizations, consultants and legal experts, academia, and cryptographers," the group added in a statement. "These meetings have produced critical information that has helped inform the working group as we seek solutions to this issue."