Slashdot Mirror


Remote Attackers Can Force Samsung Galaxy Devices Into Never-Ending Reboot Loop (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: A single SMS can force Samsung Galaxy devices into a crash and reboot loop, and leave the owner with no other option than to reset it to factory settings and lose all data stored on it. This is because there are certain bugs in older Samsung Galaxy phones and tablets that can be triggered via SMS, and used by attackers to force maliciously crafted configuration messages onto the users' device. The bugs allow these types of messages to be executed without user interaction. As the ContextIS researchers who discovered the vulnerabilities explained, this avenue of attack can be abused by crooks to hold users' devices for ransom. "First a ransom note is sent, if ignored then the malicious configuration message can be sent," they noted. If the victim pays up, a configuration message can later be sent to stop the rebooting. The vulnerabilities in question, CVE-2016-7988 and CVE-2016-7989, can be triggered through SMS on the S4, S4 Mini, S5 and Note 4, but not on newer Samsung devices. "It's worth noting that although newer phones such as the S6 and S7 aren't affected over the air, [a similar result] could be accomplished by a malicious app abusing CVE-2016-7988," they added. These specific issues are related to modifications Samsung made to the Android telephony framework and are found in a Samsung-specific application for handling carrier messages. They've since been patched (November 2016).

71 comments

  1. Posted without comment by NigelTheFrog · · Score: 1
    1. Re:Posted without comment by NotInHere · · Score: 0

      Now someone just has to get near the White House and erect a cell with excellent reception quality that exposes some baseband bug of that phone...

      Extra points if you manage to provoke a nuclear strike with solely one tweet.

    2. Re: Posted without comment by Anonymous Coward · · Score: 0

      Sounds like somebody spent some time with Sandusky over on D street. Abe took care of things, so Kait is happy again.

  2. "It's worth noting that..." by Anonymous Coward · · Score: 0

    Writing that is stupid. Anandtech has a few freshman kids posing as tech writers who can't stop themselves from writing that every other paragraph.

  3. Post the solution then ? by Beamer145 · · Score: 4, Interesting

    "leave the owner with no other option than to reset it to factory settings" vs "configuration message can later be sent to stop the rebooting" -> Why not just publish the config message then so the attack becomes useless?

    1. Re: Post the solution then ? by Anonymous Coward · · Score: 1

      Do you need a hint... that was slashdot posting a warning to all galaxy devices to be prepared. Next post will explain the unlock procedure to those who paid.

    2. Re:Post the solution then ? by K.+S.+Kyosuke · · Score: 0

      Or, alternatively, upgrade from your Android Hedgehog.

      --
      Ezekiel 23:20
    3. Re:Post the solution then ? by Anonymous Coward · · Score: 1

      If the victim pays up, a configuration message can later be sent to stop the rebooting.

      So why can't you just call Samsung and have them send the "configuration message" that fixes the problem? Sounds like Samsung is hoping people will just give up and buy a new phone.

    4. Re:Post the solution then ? by Anonymous Coward · · Score: 0

      The solution would be, carriers providing timely Android updates to all of their customers, free of charge. But that doesn't happen in America because it's bad for corporate profits to support devices more than 6 months old.

    5. Re: Post the solution then ? by Anonymous Coward · · Score: 0

      Both Verizon and AT&T already patched this out a while back at least on the S4 and S5.

  4. Fitness for purpose? by DeplorableCodeMonkey · · Score: 5, Insightful

    When a product can be literally rendered unusable through this level of epic fail, it stands to reason that the product was so defective that the customer could not rely on it. Warranty period or not, this is the sort of thing that the government should say "it should never have been built this way, fix it" since we're not talking about the S1 here.

    1. Re:Fitness for purpose? by SeaFox · · Score: 2

      Warranty period or not, this is the sort of thing that the government should say "it should never have been built this way, fix it" since we're not talking about the S1 here.

      A way of changing device configuration that cannot be stopped by the user... sounds like what the government wanted from Apple so they could brute-force the passcode for locked devices.

    2. Re:Fitness for purpose? by AmiMoJo · · Score: 2

      It's been patched. Maybe they could offer free recovery but it seems like no one has actually been affected.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Fitness for purpose? by sheramil · · Score: 0

      It's been patched.

      [Citation needed]

    4. Re:Fitness for purpose? by Imrik · · Score: 1

      I cite the summary...

    5. Re:Fitness for purpose? by Anonymous Coward · · Score: 0

      It's in the fucking summary dipshit.

    6. Re:Fitness for purpose? by sheramil · · Score: 1
      Oh, right! So.. this article warns us.. that a vulnerability.. that has been patched.. er... existed. And someone's discovered it.

      All I can say is, thank god for .. uh.. right.

    7. Re:Fitness for purpose? by AmiMoJo · · Score: 1

      It's the summary...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Fitness for purpose? by Anonymous Coward · · Score: 0

      Spending a little too much time in The Donald's world? It's right in the fucking summary.

    9. Re: Fitness for purpose? by Anonymous Coward · · Score: 0

      What isn't really clear is that what it's been patched for - all devices with the vulnerability, or a subset of them, and for what OS, etc.

      If Samsung fixed it for all deployed devices, good on them. If they only fixed it for devices shipped in the last year or so, they still suck and need to get to work.

    10. Re:Fitness for purpose? by thegarbz · · Score: 1

      Warranty period or not, this is the sort of thing that the government should say "it should never have been built this way, fix it" since we're not talking about the S1 here.

      Yes we need the government to tell a company to fix a problem that they have fixed before the bug was even published, that'll teach them for being ... errr on reasonable time ... next time. ... Wait what?

    11. Re:Fitness for purpose? by wisebabo · · Score: 1

      Considering that most (all except Google's?) devices are not allowed to receive updates except once they've been vetted by their cell phone carrier, how can this have been patched? I thought a lot of the carriers stopped offering updates on devices more than one or two generations old.

      Anyway, why don't we test it? Post THE ATTACK and see if any devices are still affected :)

    12. Re:Fitness for purpose? by Anonymous Coward · · Score: 0

      A way of changing device configuration that cannot be stopped by the user... sounds like what the government wanted from Apple so they could brute-force the passcode for locked devices.

      More like a way of changing the device configuration that's been known by the government for a long time now and they're cursing out whoever discovered it independently.

      What? You think these vulnerabilities just show up because of stupid coding?

    13. Re:Fitness for purpose? by AmiMoJo · · Score: 1

      Every Google phone I've ever owned has been unlocked and pure Google. Updates over the air, immediately upon release. I switch carrier regularly too to get the best deal, they never complained or even asked what phone I had.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re: Fitness for purpose? by Anonymous Coward · · Score: 0

      Yes, and rainwater should be beer.

    15. Re:Fitness for purpose? by Anonymous Coward · · Score: 1

      I think that's primarily a USA problem; at least here in the Netherlands (or even the rest of the world? yeah, citation needed), carrier-enslaved phones are much less common.

    16. Re:Fitness for purpose? by Anonymous Coward · · Score: 0

      Government? Android is Teh Op3n Sor3sssss!!!!!11111!!! Fix it your fucking self, shitburger.

      Only a faggot needs the government to come and hold his dick for him. A bitch ass faggot, at that.

  5. Clouds by thegarbz · · Score: 1

    In this day of clouds who actually loses data in a factory reset?

    Seriously if you tick yes to all the default options when setting up the phone you'll end up with something that synchronises all your pictures and videos to dropbox, all your contacts to google, all your app settings and health stats to Samsung, and anyone else who wants to manage data for you. WhatsApp messages are stored on the servers, Facebook doesn't store anything locally, and the vast majority of the other apps just access shit online. Even games save your state to your Google Play account.

    The idea of factory reset used to scare me, but Android smartphones are the reason I do it every few months unprovoked anyway and it is a complete non-issue. ...

    Till I get in my car and my phone doesn't auto connect to bluetooth anymore. WiFi access is synced with Google so why aren't bluetooth settings?

    1. Re:Clouds by Alumoi · · Score: 1

      In this day of clouds who actually loses data in a factory reset?

      Anybody who values his/her privacy and who doesn't bother with local backup?

    2. Re: Clouds by Anonymous Coward · · Score: 0

      Um... Just in case you missed the news, there's this thing called privacy now. It's pretty big and getting bigger. Just search for the term, you'll find a lot of stuff to read. Also, Dropbox... yeesh!

    3. Re:Clouds by thegarbz · · Score: 1

      So no one then? At least not smartphone users.

    4. Re:Clouds by Antique+Geekmeister · · Score: 1

      I certainly have. A day's data with calendared applications, or newly stored passphrases, can be an expensive loss.

    5. Re:Clouds by drinkypoo · · Score: 1

      Android is fairly crap at bluetooth. They still don't even support pinless pairing! I followed a bug report filed during GINGERBREAD about this. It's still active. People are still posting to it, complaining that this basic functionality is not supported.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re: Clouds by Anonymous Coward · · Score: 0

      In case you missed the news, when it comes to privacy and security, 99% of people using computers/phones/tablets are morons who do not care and do not want to know. Maybe *YOU* care, but you are part of a very tiny minority of users.

    7. Re:Clouds by Ol+Olsoc · · Score: 1

      In this day of clouds who actually loses data in a factory reset?

      Seriously if you tick yes to all the default options when setting up the phone you'll end up with something that synchronises all your pictures and videos to dropbox, all your contacts to google, all your app settings and health stats to Samsung, and anyone else who wants to manage data for you.

      No thanks. I have a good local backup that can restore the entire system, including the OS and programs, and complete control over what gets backed up or synced. Any time you allow someone else to "manage" your data, you put it at risk. Anyhow, if a person is okay with that, fine. But I go through a lot of temporary data that I just don't want backed up at all, so I need to exclude it from the hourly backups. So admittedly my needs might be a little different than the average schmoo, but even if I didn't have that need, I'd control my own backups, and not rely on somebody that I am just another customer of.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:Clouds by Ol+Olsoc · · Score: 1

      So no one then? At least not smartphone users.

      Can you imagine the porn on those cloud backup servers? At least it gives the IT guy at HQ some stuff to look through during breaks.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:Clouds by Anonymous Coward · · Score: 0

      Oh? Did Apple finally join this millennium? Last time I tried to send a pic taken from my mom's phone to mine via bluetooth, it required downloading an appity app from the app store. Which required a password which scared her from doing it. I never did get the pic.

    10. Re:Clouds by Zontar+The+Mindless · · Score: 1

      Last time I tried to send a pic taken from my mom's phone to mine via bluetooth, it required downloading an appity app from the app store. Which required a password which scared her from doing it. I never did get the pic.

      Back in my day--when we walked to school uphill in both directions, and LIKED it--there was this thing... I think we called it "email"...

      --
      Il n'y a pas de Planet B.
    11. Re:Clouds by thegarbz · · Score: 1

      Any time you allow someone else to "manage" your data, you put it at risk.

      Risk is a metric that takes into account the consequence of a data breach. I'm not some CIA spy. I'll happily tell you any phone number in my phone book and show you any picture I've taken on my phone. My most recent message in WhatsApp is from Rebecca asking me to bring some onions and some tomato concentrate, and the one before that is that the running club was cancelled last Wednesday. My heart rate averaged 65bpm resting and I clocked an average of 9000 steps. I also took a photo of a windmill today and one of a funny street sign yesterday.

      How much at risk am I?

    12. Re:Clouds by thegarbz · · Score: 1

      They still don't even support pinless pairing!

      That's because pinless pairing doesn't exist in the spec. It was a quirk of people who abused the Bluetooth 2 spec which *required* a pin code. Any device which supports Bluetooth 2.1 or later can pair via SSP and not need a pin code, this works just fine in Android. Any device with Bluetooth 2 or earlier which doesn't specify a pin code is effectively in breach of the spec. Many devices got around this by hard coding 0000 or 1234 into the device itself.

      In short, not an Android bug, it's a shit vendor made a shit product bug, and you'll find forums full of the same garbage about people trying to pair with mac, linux and windows too, interestingly most of them often pointing to the same device as the problem.

    13. Re:Clouds by angel'o'sphere · · Score: 1

      You have the Risk that you don't get your phone numbers back, lose the photos you mentioned and never will know your heart beat at that time again ...

      That was pretty obvious, why did you ask?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    14. Re:Clouds by Ol+Olsoc · · Score: 1

      Risk is a metric that takes into account the consequence of a data breach. I'm not some CIA spy. I'll happily tell you any phone number in my phone book and show you any picture I've taken on my phone. My most recent message in WhatsApp is from Rebecca asking me to bring some onions and some tomato concentrate, and the one before that is that the running club was cancelled last Wednesday. My heart rate averaged 65bpm resting and I clocked an average of 9000 steps. I also took a photo of a windmill today and one of a funny street sign yesterday.

      How much at risk am I?

      Ahhh, good citizen, it looks like you half nussing to hide! Veddy good, veddy good indeed, Ve need mur citizens like you.

      All joking aside, if a person who doesn't do anything but surf Facebook, collect doggo pix, play Candy Crush, maybe catch the wife taking a shower now and again and get pix when he's feeling frisky - yeah, there isn't a big need to have multi TByte drives sitting around backing up their data, no need for imaging.

      And that's great.

      I deal in a lot of communications, hundreds of emails every day, a lot of spreadsheets, and CSV files, and multiple relational databases. And if I lose any of it, I am as they say, well and truly screwed. So I might be forgiven if I find multiple dated and saved backups to be an integral part of what I am doing, and having them under my personal control.

      As for anything private, well it isn't like a data breach exposing a hellavalota people has never happened.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    15. Re:Clouds by thegarbz · · Score: 1

      it looks like you half nussing to hide

      No I have plenty to hide. I'm just not stupid enough to hide it on my phone.

    16. Re:Clouds by Anonymous Coward · · Score: 0

      Last time I tried to send a pic taken from my mom's phone to mine via bluetooth, it required downloading an appity app from the app store. Which required a password which scared her from doing it. I never did get the pic.

      Back in my day--when we walked to school uphill in both directions, and LIKED it--there was this thing... I think we called it "email"...

      But then he'd have to give his email address to his mom. Besides pictures, he'd be getting funny cat picture collections and scary story forward messages all day long, plus be put on every SPAM list ever. And then she could just email him instead of yelling downstairs for him to come to dinner.

      His life in no way resembles my own. Uh oh, mom's home early! Better submit this now.

    17. Re:Clouds by drinkypoo · · Score: 1

      In short, not an Android bug, it's a shit vendor made a shit product bug, and you'll find forums full of the same garbage about people trying to pair with mac, linux and windows too, interestingly most of them often pointing to the same device as the problem.

      It works fine when implemented, there's no reason not to allow it, the users clearly want to see it a lot more than they want to see things that Google has actually implemented. Why should I throw away a perfectly good bluetooth GPS just because Google doesn't want to support some reasonable functionality?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    18. Re:Clouds by thegarbz · · Score: 1

      Yeah I guess I could make two devices pair by having one send out a random shout of "boo" and the other one replying "aaah". That would work fine too, and is equally not part of the Bluetooth spec.

      The users should tell the companies to go fuck themselves and stick with the established standards rather than complaining that Google doesn't support something that isn't part of the spec.

      You should throw away your bluetooth GPS because it clearly got its bluetooth certification in a cereal box. Note I omitted the words "perfectly good" because those words should never be associated with something that can't follow a very simple spec. Either SSP, pin, or hardcode the pin. There is no such thing as pinless and you should not expect it to work.

  6. Never Samsung again by Anonymous Coward · · Score: 0, Funny

    That is what you get when a microwave and washing machine company crawls out of its niche.

    1. Re:Never Samsung again by thegarbz · · Score: 1

      Err, white goods are one of the last divisions that Samsung added to its electronic devices lineup.

    2. Re: Never Samsung again by Anonymous Coward · · Score: 0

      What!? How racist can they get? They have a division making goods only for white people?

      I thought they are Koreans (yellow) , but obviously they are white worshipping their colonial masters!

  7. Android Fragmentation by Anonymous Coward · · Score: 0

    ..and vendor apathy.

    I know the industry can pull together the smartest people in the world and come up with an underlying automatic update method for just the most egregious security vulnerabilities. Wake up people, something has to be done before SkyNet comes online.

  8. This is obviously a cunning plan by Anonymous Coward · · Score: 0

    by Apple to make even more money or at least sell enough iPhones so that their stock does not crash by 30% as it may well do after their latest dismal results get posted.

    1. Re: This is obviously a cunning plan by Anonymous Coward · · Score: 0

      Your dream that you just posted can quickly turn into everyone's nightmare. You know that a healthy Apple keeps your beloved Android from becoming a monopolistically stagnant shit show, right?

      Let's not re-live the 1990s where one company sat on a decade of laurels because there was no competition to speak of.

  9. Is the Galaxy SIII (S3) Vulnerable? by BigBlockMopar · · Score: 1

    Is either main version of the Galaxy SIII vulnerable? I'm still running one of the old girls...

    --
    Fire and Meat. Yummy.
  10. Endless reboot, eh? by Provocateur · · Score: 4, Funny

    At least it's not going to explo

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  11. SMS whitelist fn required by Anonymous Coward · · Score: 0

    Would help manage spam too

  12. Citation? by Anonymous Coward · · Score: 0

    I'm your ducking citation.

  13. Exaggeration by OneHundredAndTen · · Score: 0

    It is not infinite - it gets interrupted when the phone explodes - this is a Samsung phone that we are talking about.

  14. Please oh please publish exact SMS vulnerability! by Anonymous Coward · · Score: 0

    I own Apple stock. If a large proportion of Samsung devices become unusable (even if there's a patch, how long will it be until the telcos get off their ***s and allow it through) then many people won't trust Samsung devices again. Maybe they'll even realize that the slowness/inability to receive patches is a major vulnerability in the Android ecosystem and will shy away from all Android devices. Hence, the stock price will go up! (Also there are some particularly annoying Samsung users I might want to target :)

    Of course posting this isn't in the best interests of a lot of people. But just because it is, doesn't mean it isn't correct. Fortunately even if it isn't posted on Slashdot, hopefully with a little time and digging (hacking the researchers account?) someone will put it out there

    Ever since the Republicans/Trump have taken over I've realized that being an asshole to the rest of humanity is the new norm, so why not embrace it? The fact that the majority of Republicans use Androids (and Democrats use iPhones) only makes it more fitting. The fact that the Russkies and Chinese also are (probably) heavy Android users is just triple fudge icing on the cake :)

  15. They're not bugs... by Visarga · · Score: 1

    They're features. For their blackhat user base.

  16. Post the attack by wisebabo · · Score: 2

    I'm curious. Does this attack really work? Does the defense really work?

    If the researchers have an effective attack AND an effective defense why not release both so that we can try it? Aren't there some Samsung users out there (okay all of them) that you'd like to annoy?

    (Sorry, but with the way things are going, being sociopathic is now in vogue)

  17. haha by Anonymous Coward · · Score: 0

    I'm still rocking out my Samsung Galaxy S7, so it's completely immune to this attack. I'm using it right now, and there haven't been any p

  18. Great by Anonymous Coward · · Score: 0

    Watching all the Android/Samsung apologists in this thread is hilarious. If this was an iPhone issue this would be literally the worst thing since the Third Reich.

  19. How's that workin for ya? by drew_kime · · Score: 1

    These specific issues are related to modifications Samsung made to the Android telephony framework and are found in a Samsung-specific application for handling carrier messages.

    Good thing they didn't use the stock Android functionality. Almost makes me agree with the conspiracy guys saying this was the government mandated backdoor.

    --
    Nope, no sig
  20. Burning question ... by SumterLiving · · Score: 1

    Is that a feature or a bug?

    1. Re:Burning question ... by Anonymous Coward · · Score: 0

      'Buring question'

      lel

      I'd give +1 funny

  21. Best description of the actual attack so far by Anonymous Coward · · Score: 0

    Use your service of choice to translate this article and enjoy learning about WBXML encoded WAP Push messages that include the xcpInstallWifiSetting and how you can call it w/o any user authentication thanks to lazy programmers:

    https://www.version2.dk/artikel/fejlhaandtering-gammel-protokol-faar-samsung-telefoner-at-genstarte-via-sms-1072725

    Bonus points if anyone has a working example that I can test against!

    1. Re:Best description of the actual attack so far by pope1 · · Score: 2

      https://www.contextis.com/resources/blog/wap-just-happened-my-samsung-galaxy/

      --
      /* * pope1 */
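
Editor's added example (not code from the thread, from Samsung, or from the ContextIS write-up linked above): the comment above describes the attack as a WBXML-encoded WAP Push carrying a configuration message that the handset acts on without asking the user. The Python below shows what such a message looks like on the wire at the WSP layer and how a receiving stack could classify it before handing it to a provisioning handler: it parses the WSP Push PDU (TID, PDU type, HeadersLen, Content-Type with parameters) and reports whether a provisioning push carries a SEC parameter binding it to a user or network PIN, or arrives with no authentication at all. The Samsung bug itself (how the device then applied the configuration) is not reproduced here. Assumptions: the well-known content type and SEC/MAC parameter codes are taken from the WAP-230-WSP assigned-number tables as the editor recalls them and should be checked against the spec before production use; the three sample PDUs and the WBXML body bytes are constructed, not captured traffic.

```python
"""Classify a WAP Push (WSP Push PDU) extracted from SMS user data. Added example.

Layout of the PDU once the SMS UDH / WDP port header has been stripped:
  TID (1) | PDU type (1, 0x06 = Push) | HeadersLen (uintvar) |
  Content-Type (+ optional parameters) | other headers | body
OMA Client Provisioning (CP) pushes use application/vnd.wap.connectivity-wbxml
and may carry SEC/MAC parameters; a CP push with no SEC parameter is one the
handset can only accept on trust.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

WSP_PDU_PUSH = 0x06

# Well-known WSP content types (WAP-230-WSP assigned numbers, low 7 bits).
# Assumption: codes recalled from the spec table; verify before relying on them.
CONTENT_TYPES = {
    0x03: "text/plain",
    0x2E: "application/vnd.wap.sic",
    0x30: "application/vnd.wap.slc",
    0x36: "application/vnd.wap.connectivity-wbxml",  # OMA Client Provisioning
}
OMA_CP = CONTENT_TYPES[0x36]
# Content-Type parameters used by OMA CP, sent as short-integers (high bit set).
PARAM_SEC = 0x80 | 0x11
PARAM_MAC = 0x80 | 0x12
SEC_VALUES = {0x80: "NETWPIN", 0x81: "USERPIN", 0x82: "USERNETWPIN", 0x83: "USERPINMAC"}


@dataclass
class PushInfo:
    tid: int
    content_type: str
    sec: Optional[str]      # None when a CP message carries no SEC parameter
    mac: Optional[bytes]
    raw_headers: bytes      # remaining WSP headers, left undecoded here
    body: bytes


def read_uintvar(data: bytes, pos: int) -> Tuple[int, int]:
    """WSP uintvar: 7 bits per byte, MSB first, 0x80 marks continuation."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def _read_text(data: bytes, pos: int) -> Tuple[str, int]:
    """Null-terminated WSP Text-string."""
    nul = data.index(0, pos)
    return data[pos:nul].decode("ascii"), nul + 1


def _media(data: bytes, pos: int) -> Tuple[str, int]:
    """Well-known-media (short-integer) or Extension-media (text-string)."""
    b = data[pos]
    if b >= 0x80:
        return CONTENT_TYPES.get(b & 0x7F, f"well-known/0x{b & 0x7F:02x}"), pos + 1
    return _read_text(data, pos)


def parse_content_type(data: bytes, pos: int) -> Tuple[str, Optional[str], Optional[bytes], int]:
    """Content-type-value = Constrained-media | Value-length Media-type *Parameter."""
    b = data[pos]
    if b >= 0x80 or b > 31:                 # Constrained-media: no parameters follow
        ctype, pos = _media(data, pos)
        return ctype, None, None, pos
    if b == 31:                             # Length-quote, then uintvar length
        vlen, pos = read_uintvar(data, pos + 1)
    else:                                   # Short-length (0..30)
        vlen, pos = b, pos + 1
    end = pos + vlen
    ctype, pos = _media(data, pos)
    sec = mac = None
    while pos < end:                        # typed parameters up to the value length
        token = data[pos]
        pos += 1
        if token == PARAM_SEC:              # Typed-value: short-integer
            sec = SEC_VALUES.get(data[pos], f"0x{data[pos]:02x}")
            pos += 1
        elif token == PARAM_MAC:            # Typed-value: text-string
            raw, pos = _read_text(data, pos)
            mac = raw.encode("ascii")
        else:
            raise ValueError(f"unsupported Content-Type parameter 0x{token:02x}")
    return ctype, sec, mac, end


def parse_push(pdu: bytes) -> PushInfo:
    tid, pdu_type = pdu[0], pdu[1]
    if pdu_type != WSP_PDU_PUSH:
        raise ValueError(f"not a WSP Push PDU (type 0x{pdu_type:02x})")
    headers_len, pos = read_uintvar(pdu, 2)
    hdr_end = pos + headers_len
    ctype, sec, mac, pos = parse_content_type(pdu, pos)
    if pos > hdr_end:
        raise ValueError("Content-Type overruns HeadersLen")
    return PushInfo(tid, ctype, sec, mac, bytes(pdu[pos:hdr_end]), bytes(pdu[hdr_end:]))


def classify(pdu: bytes) -> str:
    """'oma-cp-unauthenticated' is the case a handset must never apply silently."""
    info = parse_push(pdu)
    if info.content_type != OMA_CP:
        return "other"
    return "oma-cp-authenticated" if info.sec else "oma-cp-unauthenticated"


# Constructed samples (not captured traffic). Body = placeholder WBXML header
# (version 1.3, a public id, UTF-8, empty string table); it is not decoded here.
PLACEHOLDER_BODY = bytes([0x03, 0x0B, 0x6A, 0x00])
# CP push, Content-Type value-length 8: type 0xB6; SEC=USERPIN; MAC="abc"
SAMPLE_CP_USERPIN = bytes([0x01, WSP_PDU_PUSH, 0x09, 0x08, 0xB6,
                           PARAM_SEC, 0x81, PARAM_MAC]) + b"abc\x00" + PLACEHOLDER_BODY
# CP push with a bare content type: no SEC, no MAC
SAMPLE_CP_UNAUTH = bytes([0x02, WSP_PDU_PUSH, 0x01, 0xB6]) + PLACEHOLDER_BODY
# Ordinary text/plain push
SAMPLE_TEXT = bytes([0x03, WSP_PDU_PUSH, 0x01, 0x83]) + b"hello"
```

Running `classify()` over the three samples gives `oma-cp-authenticated`, `oma-cp-unauthenticated` and `other`. The point for a receiving stack is the second label: a provisioning push that carries neither SEC nor MAC has nothing tying it to the subscriber, so the only safe default is to require explicit user confirmation (or drop it) rather than install the settings.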
  22. They've since been patched (November 2016). by Anonymous Coward · · Score: 0

    So, if you don't ignore updates, you aren't vulnerable.

  23. Hot news, now only 3 month old by Anonymous Coward · · Score: 0

    "They've since been patched (November 2016)."

    So why is that news now?

  24. Cyanogen by LienRag · · Score: 1

    Does this attack work on Cyanogen too?