Researchers from Context Security have identified a vulnerability in Samsung Galaxy phones: by embedding commands in the obsolete, 17-year-old WAP protocol in an SMS message, attackers can put the phones into endless reboot loops, or encrypt their storage and charge the phones' owners for a decryption key.
The devices known to be vulnerable to this attack are the Samsung Galaxy S4, S4 Mini, S5 and Note 4.
Samsung released a security update for this attack in November 2016.
The complexity of exploiting an Android device in recent years has escalated to the point that more often than not a chain of bugs is required to achieve the desired effect. This case is no different and we have shown here that it took two bugs to produce a viable attack vector, combined with some in-depth knowledge of the bespoke message format.
If you have a rooted device, a fix for this is to simply use adb as the phone is coming up and delete the default_ap.conf file. If your device is not rooted, the only two solutions are to factory reset the phone (losing all your data) or hope that the attacker is kind enough to send you another OMA CP message containing a valid configuration.
Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state) it does not require much imagination to construct a potential ransomware scenario for these bugs. Samsung have now released a security update that addresses these amongst other vulnerabilities and as is our usual advice, it is recommended that users prioritise the installation of these updates.
WAP just happened to my Samsung Galaxy?
SMS-Exploitable Bug in Samsung Galaxy Phones Can Be Used for Ransomware Attacks
[Catalin Cimpanu/Bleeping Computer]