Researchers from Context Security have identified a vulnerability in Samsung Galaxy phones: by embedding commands in the obsolete, 17-year-old WAP protocol in an SMS message, attackers can put the phones into endless reboot loops, or encrypt their storage and charge the phones' owners for a decryption key.
The devices known to be vulnerable to this attack are the Samsung Galaxy S4, S4 Mini, S5 and Note 4.
Samsung released a security update for this attack in November 2016.
The complexity of exploiting an Android device in recent years has escalated to the point that more often than not a chain of bugs is required to achieve the desired effect. This case is no different and we have shown here that it took two bugs to produce a viable attack vector, combined with some in-depth knowledge of the bespoke message format.
If you have a rooted device, a fix for this is to simply use adb as the phone is coming up and delete the default_ap.conf file. If your device is not rooted, the only two solutions are to factory reset the phone (losing all your data) or hope that the attacker is kind enough to send you another OMA CP message containing a valid configuration.
Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state) it does not require much imagination to construct a potential ransomware scenario for these bugs. Samsung have now released a security update that addresses these amongst other vulnerabilities and as is our usual advice, it is recommended that users prioritise the installation of these updates.
WAP just happened to my Samsung Galaxy?
SMS-Exploitable Bug in Samsung Galaxy Phones Can Be Used for Ransomware Attacks
[Catalin Cimpanu/Bleeping Computer]