Researchers from Context Security have identified a vulnerability in Samsung Galaxy phones: by embedding commands in the obsolete, 17-year-old WAP proptocol in an SMS message, attackers can put them into endless reboot loops, or encrypt their storage and charge the phone's owners for a decryption key.
The devices known to be vulnerable to this attack are the Samsung Galaxy S4, S4 Mini, S5 and Note 4.
Samsung released a security update for this attack in November 2016.
The complexity of exploiting an Android device in recent years has escalated to the point that more often than not a chain of bugs is required to achieve the desired effect. This case is no different and we have shown here that it took two bugs to produce a viable attack vector, combined with some in-depth knowledge of the bespoke message format.
If you have a rooted device, a fix for this is to simply use adb as the phone is coming up and delete the default_ap.conf file. If your device is not rooted, the only two solutions are to factory reset the phone (losing all your data) or hope that the attacker is kind enough to send you another OMA CP message containing a valid configuration.
Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state) it does not require much imagination to construct a potential ransomware scenario for these bugs. Samsung have now released a security update that addresses these amongst other vulnerabilities and as is our usual advice, it is recommended that users prioritise the installation of these updates.
WAP just happened to my Samsung Galaxy?
SMS-Exploitable Bug in Samsung Galaxy Phones Can Be Used for Ransomware Attacks
[Catalin Cimpanu/Bleeping Computer]
Competition scholar Tim Wu (previously) is one of the most cogent, accessible voices in the antitrust debate; his recent book on the subject is a must-read; this week, he debated George Mason University scholar Tyler Cowen, proprietor of Marginal Revolution and one of the leading voices for the expansion of unfettered, unregulated capitalism -- he's […]
Juice Media's Honest Government Adverts are some of the best, most biting political satire being produced today -- they're so good at afflicting the comfortable that Australia basically banned their style of humour -- and now, on the eve of (yet another) critical Australian election, they've produced a "season finale" that recaps the parade of […]
Software developer Chris Harris is experimenting with machine learning to remove cars from video footage; while the software isn't quite seamless, the results are pure, glorious glitch aesthetic.
If you can build a cloud infrastructure, you can build a business. Companies are overwhelmingly turning to cloud computing to set up or bolster their network, and it’s easy to see why. It allows on-demand access to processing power, a la carte services, and nearly unlimited storage, all without adding extra systems and the maintenance […]
Does your gaming setup need an upgrade? No need to wait for Christmas. We’ve rounded up the latest tech accessories for your favorite video game platforms. All of them are already sale priced, but you can knock an additional 15% off the final price for Memorial Day by using the online code WEEKEND15. Audeze Mobius […]
Raspberry Pi is one of the world’s most versatile open-source computers. Alexa is a home automation hub with limitless potential. Together, they’re a dream team for ambitious makers, opening the door to everything from automatic lights to voice-controlled robots. Learning Raspberry Pi is meant to be relatively easy for newbies, but its applications with Alexa […]