Samsung Left Millions Vulnerable To Hackers Because It Forgot To Renew a Domain

An anonymous reader writes: Samsung cellphones used to have a stock app called S Suggest. The company apparently discontinued the app recently, and then forgot to renew a domain that was used to control it. This snafu left millions of smartphone users vulnerable to hackers who could've registered the domain and installed malicious apps on the phones.

what happens if a company goes under

[redback]

What would have happened with something like this if a company goes under?

We almost need a charity foundation of some sort to maintain domains like this in that situation.

Re:what happens if a company goes under

[DickBreath]

Maybe there needs to be a mechanism to disable the app. Or updates to the app. Or further downloads. Etc.

Then there needs to be an officer in the company who is responsible to activate this mechanism in the event that the company ceases operations. Prior to that happening, the product manager of the affected product would be responsible to use this mechanism to disable further updates to the app when it is being discontinued.

Re:what happens if a company goes under

[iggymanz]

ah, script kiddies newest target, that mechanism. render massive slice of a market unable to use their internet dependent product.

Re:what happens if a company goes under

[OrangeTide]

You can disable any app in Android. Instead of "uninstall" you'll see a button to uninstall updates, then if you uninstall updates you'll see a button to disable the app.

Re:what happens if a company goes under

[vlad30]

It should also be much more difficult to register a domain especially a domain that has been used before. That registration fee should entail some actual work on the part of the domain registrar to fact check the applicant and potential use and removal if the use is nefarious. imagine how many fewer scam and spam website would exist if they actually did this

Re:what happens if a company goes under

[The+MAZZTer]

The app can use certificate pinning. If someone else puts a new server up on the domain name the certificate will not match the expected one from the old site and the app will refuse to connect to it.

Re:what happens if a company goes under

[phantomfive]

What would have happened with something like this if a company goes under?

For one thing, you should have some kind of authentication. Basing security entirely around domain name is a known security flaw, since at least the 90s. Two to one odds says that they also programmed the app to communicate over HTTP instead of HTTPS.

Re:what happens if a company goes under

[by+(1706743)]

Well it's fine if the end-user (the one who presumably rooted the phone) wants to defeat some certificate checking. And if you're suggesting that a third party rooted the phone, well...you have bigger problems.

Re:what happens if a company goes under

[Obfuscant]

You can disable any app in Android. Instead of "uninstall" you'll see a button to uninstall updates,

Most user loaded apps do not have a "disable" feature. It's either let it run as it wants or uninstall it lock, stock and barrel.

I wish they all had "disable", since there are apps (like Nook with at least 5, FileManager+ with one, Accuweather with 3 or 4) that run multiple services all the time, even when you haven't used the app for a month. And some of them simply won't go away when you kill them (Google Location Services service, I'm pointing at you.) It's a pain to have to uninstall apps and then reinstall them for just the amount of time you want to actually use them.

Those that do have "disable" can hide it behind a "uninstall updates", so if you want to disable it you have to uninstall the update. When you want to run it again, you have to enable and then often reload the update.

It's all designed to make it impossible, or as hard as possible, to stop whatever from gathering information about you and your files.

Re:what happens if a company goes under

[OrangeTide]

You can disable any app in Android. Instead of "uninstall" you'll see a button to uninstall updates,

Most user loaded apps do not have a "disable" feature. It's either let it run as it wants or uninstall it lock, stock and barrel.

Like I said, if you've been paying attention, " Instead of 'uninstall' you'll see a button to uninstall updates".
If a user installed it, you'll just see "uninstall". If it's a factor app you'll get the "uninstall updates" -> "disable".
Of course Android is different with every OEM, but I haven't run into any that totally prevented me from disabling an OEM app. Samsung's definitely gives you scary warnings if you attempt it but it lets you.

Re:what happens if a company goes under

[Obfuscant]

Like I said, if you've been paying attention, " Instead of 'uninstall' you'll see a button to uninstall updates".

And like I said, if you had been paying attention, is that most USER LOADED apps do not have a disable feature. Many system apps do, but user installed do not. It would be a good feature for the user to have to be able to disable instead of uninstall those apps.

If it's a factor app you'll get the "uninstall updates" -> "disable".

Which does not contradict in any way what I said about user-installed apps, so keep your insults to yourself.

Of course Android is different with every OEM, but I haven't run into any that totally prevented me from disabling an OEM app.

For just one example, I have a factory test app that becomes active every time I reboot one of my Samsung tablets. I can kill it and it will stay dead -- until the next boot -- but it cannot be disabled. It is not the only OEM app that behaves that way. I just did a quick survey of the tablet here and it's less than 50% of OEM apps that can be disabled, so I'd have to say many can but most cannot. And if you pay attention, that DOES contradict your experience.

Re:what happens if a company goes under

[Obfuscant]

And one bit more -- you said you can disable "any app". You cannot disable user-loaded apps. You can only uninstall them. Uninstall is not the same as disable.

Re:what happens if a company goes under

[OrangeTide]

And like I said, if you had been paying attention, is that most USER LOADED apps do not have a disable feature. Many system apps do, but user installed do not. It would be a good feature for the user to have to be able to disable instead of uninstall those apps.

Yes, you'd uninstall those, not disable them. Fucking idiots these days.

Re:what happens if a company goes under

[OrangeTide]

Oh you really zinged me. Yes I said "any app". I should have said something like "any app that the article was talking about"

I don't care what you think you want to do. Android lets you disable factor apps, except in the rare cases the vendor hacks that feature out. Users can either have additional apps installed or if they don't want to use them, not have them installed. That's the model, we all understand that you don't like that model, but that's how it works today. The functionality is effectively equivalent, even if you can't wrap your head around it.

Re:what happens if a company goes under

[Obfuscant]

Yes, you'd uninstall those, not disable them. Fucking idiots these days.

You clearly do not understand the difference between disabling an app and uninstalling them. As I said a couple of times now, it would be nice if we could disable any app LIKE YOU SAID WE CAN, but which in truth cannot be done. You are not in a good position to be using insult to make your point.

Re:what happens if a company goes under

[Obfuscant]

I don't care what you think you want to do.

Thanks.

Android lets you disable factor apps, except in the rare cases the vendor hacks that feature out.

As I pointed out already, the survey of "factor" apps I made on my Samsung device showed less than 50% of them could be disabled. It isn't rare if more than 50% of the apps cannot be disabled.

Users can either have additional apps installed or if they don't want to use them, not have them installed.

Of course. But that means that any app that a user needs only occasionally must be reinstalled from scratch before it can be used for a short period of time, and then re-uninstalled. That's a lot more work that simply disabling/enabling/disabling an app. This difference seems to be lost on you. For example, the Nook app that wants to have five services running at all times so it can keep in constant contact with home base and monitor all usage has a huge amount of data installed in the form of content (or it can, depending on the user. Mine has.) To reinstall all that content is quite a bit of work and requires the internet. To disable the app means it won't run, but to get access to the content again requires no internet connection to redownload the content after reenabling it. It's just an on/off switch.

but that's how it works today.

Which is why I said it would be nice if we could do it, unlike those who have said that you can disable any app.

The functionality is effectively equivalent,

Except for the differences, yes, totally equivalent. The difference makes the difference.

even if you can't wrap your head around it.

I don't seem to be the one who cannot "wrap my head around" the differences, so why don't you just stop trying to be insulting? You do it so poorly.

Re:what happens if a company goes under

[LordWabbit2]

And how much more would it cost to register a domain? All that paper work and vetting is going to seriously increase the price of registering a domain. Heard of net neutrality? Same thing applies here. You raise the bar for something as simple as registering a domain and you start cutting out the smaller players, and then only the big boys can play, and we all know what happens then.

Re:what happens if a company goes under

[AmiMoJo]

Neither of those things will help, unfortunately.

Normal people don't install updates unless forced to. If it isn't 100% automatic it isn't happening. And anyway, how would they even know to disable the app? Most don't read security advisory mailing lists.

Giving someone the job of handing over company assets for free to a charity at the precise moment that the company is being broken up for scrap isn't likely to fly either. They would just get blamed for giving away something that the bankruptcy team could have sold to some malware outfit for a few hundred bucks.

Also

[thundercattt]

Left vulnerable by NEVER updating the operating systems on phones other than Flagship. I remember stage fright, they promised a security release. Still waiting on my 4.4.1.

Re:Also

[Ksevio]

See if you can update it yourself: https://www.lineageos.org/

Re: Also

[thundercattt]

Thanks for the link. It's not on there, wasn't a hugely popular model being a rugged phone.

Zero risk if done right

[OrangeTide]

It doesn't matter who controls or hijacks your domain because DNS is not an authoritative source of information. You go through numerous unsigned caches before you get queries through.
If you write software without your head up your ass you'd use a certificate on the app to check every interaction with the server before you trust it.
 

Re:Zero risk if done right

[CanadianMacFan]

Yes but these are the same type of programmers that think that doing the error checking in Javascript is good enough.

You Fail It

I hope our goatse guy gets his domain renewed soon. I'd hate to see him fall victim to the same problem!

Why did they even need a separate domain for this?

[ZorinLynx]

You'd think they could have instead used "ssuggest.samsung.com" or similar, rather than registering an entirely separate domain for what is essentially a minor feature on a phone.

The nice thing about DNS is that it was designed PRECISELY TO BE USED THIS WAY, being able to establish a hierarchy so that an entity can organize all their hostnames/services in one hierarchy.

But "Touchwiz isn't so bad..."

[surfdaddy]

Plus all of those Samsung crap apps.

That's why I use stock Android on my Nexus, and my next phone will be a Pixel. It's a shame because the Samsung hardware is really nice (except the Galaxy S7 of course).

Re:But "Touchwiz isn't so bad..."

[LordWabbit2]

Or just get a knock off Chinese phone, the only problem with those is that what you get on the phone will be all you get on the phone. No updates. You will have to manage that yourself.

Re:Why did they even need a separate domain for th

[mccalli]

It's almost certainly an internal corporate division problem. I'll bet internal processes and/or corporate divisions meant that it was easier for one department to create an entirely new website with their own servers etc. than it was to get Samsung's corporate website, or more accurately the DNS for such, altered by the other project team.

The cloud is great...

[Gravis+Zero]

at fucking you over. ;)

Proprietary SW is the bug. SW freedom is the fix.

[jbn-o]

What users need is software freedom (the freedom to run, edit, and share the complete corresponding source code to the software) so they can alter the software as they wish, point the device to whatever site they want for updates, and genuinely own their computers. There's no good reason to keep a domain going and address this in a monopoly-sustaining surface level way. Keeping a domain going is not really the issue nor is that a thorough solution to the underlying problem.

I quit using the "smart" features

[sentiblue]

Bought two Samsung TVs with all these networked smart features... Over six months, I see on the screen announcements of discontinued features.... I unplugged my TVs from the wifi connection and only watched TV on them.

Yeah, BUT....

[JustAnotherOldGuy]

Yeah, but they saved $9.99 by not renewing the domain so it was a huge win for Samsung.

It couldn't happen: it's a Samsung phone.

[ctrl-alt-canc]

It self destroys by design, hackers don't have enough time to compromise the phone.

Re:Proprietary SW is the bug. SW freedom is the fi

[Gr8Apes]

What users need is software freedom (the freedom to run, edit, and share the complete corresponding source code to the software) so they can alter the software as they wish, point the device to whatever site they want for updates, and genuinely own their computers.

You already can. Just buy the appropriate hardware for whatever software you have rights to and want to install on it. Enjoy.

Re:My bet: "didn't even try"

[Gr8Apes]

Your bitterness is misplaced in this case. The proper response is "Of course we can handle 'yourdomain.com'. You filled out this form and had the company (me) add the domain to our list of supported names (and added the appropriate SMTP clauses to our DNS servers) so we register correctly with the blacklisting services?" as a start. Putting the situation into a "we have these processes and abilities to support you, let's confirm you followed the steps" scenario without being defensive from the start, if done correctly, will put you on a road to being seen as hero instead of the BOFH. And you still get to snicker to yourself, because your status with those present will increase because you were helpful and used an external 3rd party, the blacklisting services which is something most will understand as a negative just from the name, as the target of why this had to happen to bear the negativity of your position.

Knowing your job is one thing, being able to properly communicate to non-technical people in terms they understand is a job requirement for those that wish to not be the admin that's ignored because they're never seen or worse, worked around because they're perceived as being too painful to work with.