Category: Samsung

Apr 15 2014

Fingerprint lock in Samsung Galaxy 5 easily defeated by whitehat hackers

The heavily marketed fingerprint sensor in Samsung's new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.

The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.

"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."


Jan 24 2014

Samsung patches store site for account takeover bug

Samsung has fixed a vulnerability on at least one of its sites that allowed attackers to take over the account of a target by creating a lookalike user name. The vulnerability, reported by security researcher Matthew Bryant (who goes by the hacker name "mandatory"), made it possible for someone to create a username using an intended victim’s e-mail address with added trailing spaces. While this created a separate account, the attacker would then be authenticated as the targeted user when going to other subdomains within

The bug, caused by the way Samsung’s Web applications pruned (or “scrubbed”) extra trailing characters off of account e-mail addresses, affected all of’s subdomains. But according to Bryant, Samsung has now fixed the problem on its e-commerce site—the one with the most sensitive user data.

“If your username was originally ‘<SPACE><SPACE>,’” Bryant wrote in a blog post today, “after visiting it would be scrubbed to ‘’.”  While the webpage for creating new accounts prevents adding trailing spaces to user names through form validation, the spaces can be added using an HTTP intercept tool such as the Tamper Data Firefox add-on.
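The mismatch described above, as an added Python model that is not Samsung's or Bryant's code: one component checks uniqueness on the raw username while another scrubs trailing whitespace before resolving the account, shown beside a version that canonicalizes before the uniqueness check. All class and function names are hypothetical, and the `example.com` address is a constructed placeholder.

```python
from collections import defaultdict

def scrub(name: str) -> str:
    """Canonical form: trailing whitespace pruned, as the article describes."""
    return name.rstrip()

class SplitNormalization:
    """Vulnerable model: registration keys on the raw string, while another
    subdomain scrubs the name before resolving the account."""
    def __init__(self):
        self.accounts = {}                      # stored username -> owner

    def register(self, name: str, owner: str) -> bool:
        if name in self.accounts:               # raw comparison only
            return False
        self.accounts[name] = owner
        return True

    def resolve_on_subdomain(self, session_name: str):
        return self.accounts.get(scrub(session_name))

class SingleCanonicalForm(SplitNormalization):
    """Hardened model: the server canonicalizes before the uniqueness check,
    so every component agrees on which account a name refers to."""
    def register(self, name: str, owner: str) -> bool:
        return super().register(scrub(name), owner)

def audit_collisions(usernames):
    """Group stored usernames that collapse to the same canonical form."""
    groups = defaultdict(list)
    for raw in usernames:
        groups[scrub(raw)].append(raw)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample data.
VICTIM = "victim@example.com"
LOOKALIKE = VICTIM + "  "

def demo():
    results = {}
    for label, store in (("weak", SplitNormalization()),
                         ("strong", SingleCanonicalForm())):
        store.register(VICTIM, "victim")
        accepted = store.register(LOOKALIKE, "second-registrant")
        # A session only exists if the second registration was accepted.
        owner = store.resolve_on_subdomain(LOOKALIKE) if accepted else None
        results[label] = (accepted, owner)
        if label == "weak":
            results["audit"] = audit_collisions(store.accounts)
    return results

if __name__ == "__main__":
    print(demo())
```

`audit_collisions` can be run over an existing user table to find accounts that were already created as lookalikes before the canonicalization was unified.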



Dec 19 2012

Developer’s Root Exploit Opens Door to Some Samsung Phones

In the past few days, developers on the XDA-Developers forum have discovered a new root exploit for recent Samsung phones. Normally a root exploit is a good thing for advanced users; they can modify their OS to improve performance, install new and rare apps, or even patch bugs. On the other hand, novice and uninformed users can have their phones targeted by attackers looking to reduce security and steal money or personal data. Malware writers have previously taken exploits written by the legitimate rooting community and repackaged them along with their malware to gain absolute control of a victim’s device.

XDA-Developers member alephzain discovered the vulnerability and created an exploit. A second forum member, Chainfire, packaged the exploit into an app that installed the exploit and rooted vulnerable phones. The app was later modified to disable the vulnerability to prevent an attacker from entering your phone.

Chainfire’s app makes rooting a Samsung phone easier for users.

How the exploit works
The vulnerability involves how the Exynos processor is used on certain Samsung phones (for example, the Galaxy S2). It is possible to access the entirety of physical memory through the OS. Usually this is limited to the root user, but in this case that memory is accessible by any user program.

The exploit uses this physical memory access to patch a system function in memory, bypassing the security and user controls in place. This lets the exploit gain root access on the phone. Once an attacker has root access, the entire phone is open.

Already exploited? Not maliciously
With such an open vulnerability in the wild, one might think that malware authors would be rushing to weaponize the exploit. Fortunately only Chainfire has done so, with this mobile rooting app. Currently knowledgeable phone “modders” can download and install this app to root their phones. And so can attackers, intent on stealing your personal data or money.

To protect against the latter situation, we detect the most recent versions of Chainfire’s tool as Android/ExynosToor.A-B, and alephzain’s exploit as Exploit/ExymemBrk.A.

Jul 05 2012

NFC Payment Test at Olympics Will Inspire Mobile Attackers to Go for the Gold

Visa is testing out its PayWave contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near-field communication (NFC) along with Visa’s payment app. Contactless payments aren’t new, and similar payments by mobile phone have been tested by Google with its Wallet app and other NFC smartphones.


A Samsung Galaxy SIII will be given to every athlete competing at the 2012 Summer Olympics in London.

When we last looked at NFC phones and similar apps, there were questions of whether an attacker could go after the apps or the phone hardware and the Android OS. Since then we have seen a PIN-reset vulnerability that allowed an attacker to use the free prepaid card and the ability to crack PINs on the phone. Google updated the Wallet app to fix those vulnerabilities and make attacks much harder. Now attackers would need to go after the hardware itself, though this does not necessarily involve going after the Secure Element portion. One can get excellent results by targeting the OS and its NFC-handling libraries.

Fuzzing the hardware, which involves feeding corrupt or damaged data to an app to discover vulnerabilities, is a good first step. Researchers Charlie Miller and Collin Mulliner fuzzed SMS messages to great effect to discover exploitable vulnerabilities on Android and iOS phones a few years back. Mulliner has also looked at fuzzing NFC tags, going as far as developing a Python library and framework for testing older devices. Recently he updated his software to measure Android devices, allowing him to inject crafted NFC tags to a phone and then monitor the results. He can programmatically feed crafted or damaged NFC tags to Android’s library and then capture any crashes or code-execution opportunities.

Collin Mulliner’s NFC library can be used in fuzzing Android phones. This is very useful for discovering new vulnerabilities.

The Samsung Galaxy SIII goes on sale in North America and worldwide within the first two weeks of July. An attacker wishing to target the device can purchase one easily and use Mulliner’s research to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases. The Olympics will also provide a concentrated pool of targets (people and phones) to pilfer from, especially if everyone is busy watching who wins the medals and not worrying about where his or her phone is.