Researchers from Context Security have identified a vulnerability in Samsung Galaxy phones: by embedding commands in the obsolete, 17-year-old WAP protocol in an SMS message, attackers can put the phones into endless reboot loops, or encrypt their storage and charge the phones' owners for a decryption key.
The devices known to be vulnerable to this attack are the Samsung Galaxy S4, S4 Mini, S5 and Note 4.
Samsung released a security update for this attack in November 2016.
The complexity of exploiting an Android device in recent years has escalated to the point that more often than not a chain of bugs is required to achieve the desired effect. This case is no different and we have shown here that it took two bugs to produce a viable attack vector, combined with some in-depth knowledge of the bespoke message format.
If you have a rooted device, a fix for this is to simply use adb as the phone is coming up and delete the default_ap.conf file. If your device is not rooted, the only two solutions are to factory reset the phone (losing all your data) or hope that the attacker is kind enough to send you another OMA CP message containing a valid configuration.
Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state) it does not require much imagination to construct a potential ransomware scenario for these bugs. Samsung have now released a security update that addresses these amongst other vulnerabilities and as is our usual advice, it is recommended that users prioritise the installation of these updates.
WAP just happened to my Samsung Galaxy?
SMS-Exploitable Bug in Samsung Galaxy Phones Can Be Used for Ransomware Attacks
[Catalin Cimpanu/Bleeping Computer]