Slashdot Mirror


Remote Attackers Can Force Samsung Galaxy Devices Into Never-Ending Reboot Loop (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: A single SMS can force Samsung Galaxy devices into a crash and reboot loop, and leave the owner with no other option than to reset it to factory settings and lose all data stored on it. This is because there are certain bugs in older Samsung Galaxy phones and tablets that can be triggered via SMS, and used by attackers to force maliciously crafted configuration messages onto the users' device. The bugs allow these types of messages to be executed without user interaction. As the ContextIS researchers who discovered the vulnerabilities explained, this avenue of attack can be abused by crooks to hold users' devices for ransom. "First a ransom note is sent, if ignored then the malicious configuration message can be sent," they noted. If the victim pays up, a configuration message can later be sent to stop the rebooting. The vulnerabilities in question, CVE-2016-7988 and CVE-2016-7989, can be triggered through SMS on the S4, S4 Mini, S5 and Note 4, but not on newer Samsung devices. "It's worth noting that although newer phones such as the S6 and S7 aren't affected over the air, [a similar result] could be accomplished by a malicious app abusing CVE-2016-7988," they added. These specific issues are related to modifications Samsung made to the Android telephony framework and are found in a Samsung-specific application for handling carrier messages. They've since been patched (November 2016).

38 of 71 comments

  1. Posted without comment by NigelTheFrog · · Score: 1
  2. Post the solution then? by Beamer145 · · Score: 4, Interesting

    "leave the owner with no other option than to reset it to factory settings" vs "configuration message can later be sent to stop the rebooting" -> Why not just publish the config message then so the attack becomes useless?

    1. Re: Post the solution then? by Anonymous Coward · · Score: 1

      Do you need a hint... that was slashdot posting a warning to all galaxy devices to be prepared. Next post will explain the unlock procedure to those who paid.

    2. Re: Post the solution then? by Anonymous Coward · · Score: 1

      If the victim pays up, a configuration message can later be sent to stop the rebooting.

      So why can't you just call Samsung and have them send the "configuration message" that fixes the problem? Sounds like Samsung is hoping people will just give up and buy a new phone.

  3. Fitness for purpose? by DeplorableCodeMonkey · · Score: 5, Insightful

    When a product can be literally rendered unusable through this level of epic fail, it stands to reason that the product was so defective that the customer could not rely on it. Warranty period or not, this is the sort of thing that the government should say "it should never have been built this way, fix it" since we're not talking about the S1 here.

    1. Re:Fitness for purpose? by SeaFox · · Score: 2

      Warranty period or not, this is the sort of thing that the government should say "it should never have been built this way, fix it" since we're not talking about the S1 here.

      A way of changing device configuration that cannot be stopped by the user... sounds like what the government wanted from Apple so they could brute-force the passcode for locked devices.

    2. Re:Fitness for purpose? by AmiMoJo · · Score: 2

      It's been patched. Maybe they could offer free recovery but it seems like no one has actually been affected.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Fitness for purpose? by Imrik · · Score: 1

      I cite the summary...

    4. Re:Fitness for purpose? by sheramil · · Score: 1

      Oh, right! So.. this article warns us.. that a vulnerability.. that has been patched.. er... existed. And someone's discovered it.

      All I can say is, thank god for .. uh.. right.

    5. Re:Fitness for purpose? by AmiMoJo · · Score: 1

      It's the summary...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Fitness for purpose? by thegarbz · · Score: 1

      Warranty period or not, this is the sort of thing that the government should say "it should never have been built this way, fix it" since we're not talking about the S1 here.

      Yes we need the government to tell a company to fix a problem that they have fixed before the bug was even published, that'll teach them for being ... errr on reasonable time ... next time. ... Wait what?

    7. Re:Fitness for purpose? by wisebabo · · Score: 1

      Considering that most (all except Google's?) devices are not allowed to receive updates except once they've been vetted by their cell phone carrier, how can this have been patched? I thought a lot of the carriers stopped offering updates on devices more than one or two generations old.

      Anyway, why don't we test it? Post THE ATTACK and see if any devices are still affected :)

    8. Re:Fitness for purpose? by AmiMoJo · · Score: 1

      Every Google phone I've ever owned has been unlocked and pure Google. Updates over the air, immediately upon release. I switch carrier regularly too to get the best deal, they never complained or even asked what phone I had.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Fitness for purpose? by Anonymous Coward · · Score: 1

      I think that's primarily a USA problem; at least here in the Netherlands (or even the rest of the world? yeah, citation needed), carrier-enslaved phones are much less common.

  4. Clouds by thegarbz · · Score: 1

    In this day of clouds who actually loses data in a factory reset?

    Seriously if you tick yes to all the default options when setting up the phone you'll end up with something that synchronises all your pictures and videos to dropbox, all your contacts to google, all your app settings and health stats to Samsung, and anyone else who wants to manage data for you. WhatsApp are stored on the servers, Facebook doesn't store anything locally, and the vast majority of the other apps just access shit online. Even games save your state to your Google Play account.

    The idea of factory reset used to scare me, but Android smartphones are the reason I do it every few months unprovoked anyway and it is a complete non-issue. ...

    Till I get in my car and my phone doesn't auto connect to bluetooth anymore. WiFi access is synced with Google so why aren't bluetooth settings?

    1. Re:Clouds by Alumoi · · Score: 1

      In this day of clouds who actually loses data in a factory reset?

      Anybody who values his/her privacy and who doesn't bother with local backup?

    2. Re:Clouds by thegarbz · · Score: 1

      So no one then? At least not smartphone users.

    3. Re:Clouds by Antique+Geekmeister · · Score: 1

      I certainly have. A day's data with calendared applications, or newly stored passphrases, can be an expensive loss.

    4. Re:Clouds by drinkypoo · · Score: 1

      Android is fairly crap at bluetooth. They still don't even support pinless pairing! I followed a bug report filed during GINGERBREAD about this. It's still active. People are still posting to it, complaining that this basic functionality is not supported.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Clouds by Ol+Olsoc · · Score: 1

      In this day of clouds who actually loses data in a factory reset?

      Seriously if you tick yes to all the default options when setting up the phone you'll end up with something that synchronises all your pictures and videos to dropbox, all your contacts to google, all your app settings and health stats to Samsung, and anyone else who wants to manage data for you.

      No thanks. I have a good local backup that can restore the entire system, including the OS and programs, and complete control over what gets backed up or synced. Any time you allow someone else to "manage" your data, you put it at risk. Anyhow, if a person is okay with that, fine. But I go through a lot of temporary data that I just don't want backed up at all, so I need to exclude it from the hourly backups. So admittedly my needs might be a little different than the average schmoo, but even if I didn't have that need, I'd control my own backups, and not rely on somebody that I am just another customer of.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Clouds by Ol+Olsoc · · Score: 1

      So no one then? At least not smartphone users.

      Can you imagine the porn on those cloud backup servers? At least it gives the IT guy at HQ some stuff to look through during breaks.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Clouds by Zontar+The+Mindless · · Score: 1

      Last time I tried to send a pic taken from my mom's phone to mine via bluetooth, it required downloading an appity app from the appstore. Which required a password which scared her from doing it. I never did get the pic.

      Back in my day--when we walked to school uphill in both directions, and LIKED it--there was this thing... I think we called it "email"...

      --
      Il n'y a pas de Planet B.
    8. Re:Clouds by thegarbz · · Score: 1

      Any time you allow someone else to "manage" your data, you put it at risk.

      Risk is a metric that takes into account the consequence of a data breach. I'm not some CIA spy. I'll happily tell you any phone number in my phone book and show you any picture I've taken on my phone. My most recent message in WhatsApp is from Rebecca asking me to bring some onions and some tomato concentrate, and the one before that is that the running club was cancelled last Wednesday. My heart rate averaged 65bpm resting and I clocked an average of 9000 steps. I also took a photo of a windmill today and one of a funny street sign yesterday.

      How much at risk am I?

    9. Re:Clouds by thegarbz · · Score: 1

      They still don't even support pinless pairing!

      That's because pinless pairing doesn't exist in the spec. It was a quirk of people who abused the Bluetooth 2 spec which *required* a pin code. Any device which supports Bluetooth 2.1 or later can pair via SSP and not need a pin code, this works just fine in Android. Any device with Bluetooth 2 or earlier which doesn't specify a pin code is effectively in breach of the spec. Many devices got around this by hard coding 0000 or 1234 into the device itself.

      In short, not an Android bug, it's a shit vendor made a shit product bug, and you'll find forums full of the same garbage about people trying to pair with mac, linux and windows too, interestingly most of them often pointing to the same device as the problem.

    10. Re:Clouds by angel'o'sphere · · Score: 1

      You have the Risk that you don't get your phone numbers back, lose the photos you mentioned and never will know your heart beat at that time again ...

      That was pretty obvious, why did you ask?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    11. Re:Clouds by Ol+Olsoc · · Score: 1

      Risk is a metric that takes into account the consequence of a data breach. I'm not some CIA spy. I'll happily tell you any phone number in my phone book and show you any picture I've taken on my phone. My most recent message in WhatsApp is from Rebecca asking me to bring some onions and some tomato concentrate, and the one before that is that the running club was cancelled last Wednesday. My heart rate averaged 65bpm resting and I clocked an average of 9000 steps. I also took a photo of a windmill today and one of a funny street sign yesterday.

      How much at risk am I?

      Ahhh, good citizen, it looks like you half nussing to hide! Veddy good, veddy good indeed, Ve need mur citizens like you.

      All joking aside, if a person who doesn't do anything but surf Facebook, collect doggo pix, play Candy Crush, maybe catch the wife taking a shower now and again and get pix when he's feeling frisky - yeah, there isn't a big need to have multi TByte drives sitting around backing up their data, no need for imaging.

      And that's great.

      I deal in a lot of communications, hundreds of emails every day, a lot of spreadsheets, and CSV files, and multiple relational databases. And if I lose any of it, I am as they say, well and truly screwed. So I might be forgiven if I find multiple dated and saved backups to be an integral part of what I am doing, and having them under my personal control.

      As for anything private, well it isn't like a data breach exposing a hellavalota people has never happened.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    12. Re:Clouds by thegarbz · · Score: 1

      it looks like you half nussing to hide

      No I have plenty to hide. I'm just not stupid enough to hide it on my phone.

    13. Re:Clouds by drinkypoo · · Score: 1

      In short, not an Android bug, it's a shit vendor made a shit product bug, and you'll find forums full of the same garbage about people trying to pair with mac, linux and windows too, interestingly most of them often pointing to the same device as the problem.

      It works fine when implemented, there's no reason not to allow it, the users clearly want to see it a lot more than they want to see things that Google has actually implemented. Why should I throw away a perfectly good bluetooth GPS just because Google doesn't want to support some reasonable functionality?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:Clouds by thegarbz · · Score: 1

      Yeah I guess I could make two devices pair by having one send out a random shout of "boo" and the other one replying "aaah". That would work fine too, and is equally not part of the Bluetooth spec.

      The users should tell the companies to go fuck themselves and stick with the established standards rather than complaining that Google doesn't support something that isn't part of the spec.

      You should throw away your bluetooth GPS because it clearly got its bluetooth certification in a cereal box. Note I omitted the word "perfectly good" because those words should never be associated with something that can't follow a very simple spec. Either SSP, pin, or hardcode the pin. There is no such thing as pinless and you should not expect it to work.

  5. Is the Galaxy SIII (S3) Vulnerable? by BigBlockMopar · · Score: 1

    Is either main version of the Galaxy SIII vulnerable? I'm still running one of the old girls...

    --
    Fire and Meat. Yummy.
  6. Endless reboot, eh? by Provocateur · · Score: 4, Funny

    At least it's not going to explo

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  7. They're not bugs... by Visarga · · Score: 1

    They're features. For their blackhat user base.

  8. Re:Never Samsung again by thegarbz · · Score: 1

    Err white goods are one of the last divisions that Samsung added to its electronic devices lineup.

  9. Post the attack by wisebabo · · Score: 2

    I'm curious. Does this attack really work? Does the defense really work?

    If the researchers have an effective attack AND an effective defense why not release both so that we can try it? Aren't there some Samsung users out there (okay all of them) that you'd like to annoy?

    (Sorry, but with the way things are going, being sociopathic is now in vogue)

  10. How's that workin for ya? by drew_kime · · Score: 1

    These specific issues are related to modifications Samsung made to the Android telephony framework and are found in a Samsung-specific application for handling carrier messages.

    Good thing they didn't use the stock Android functionality. Almost makes me agree with the conspiracy guys saying this was the government mandated backdoor.

    --
    Nope, no sig
  11. Burning question ... by SumterLiving · · Score: 1

    Is that a feature or a bug?

  12. Re:Best description of the actual attack so far by pope1 · · Score: 2

    https://www.contextis.com/resources/blog/wap-just-happened-my-samsung-galaxy/

    --
    /* * pope1 */
  13. Cyanogen by LienRag · · Score: 1

    Does this attack work on Cyanogen too?