posted by Fnord666 on Friday June 16 2017, @02:16AM   Printer-friendly
from the another-day-another-attack-surface dept.

Samsung computer phones used to have a stock app called S Suggest. Then Samsung didn't renew the domain that controls it, having made it possible for villains to register the domain and malware-infest millions of computer phone users... had they spotted the opportunity.

Samsung, the most popular smartphone maker in the world, left millions of customers vulnerable to hackers after it let expire a domain that was used to control a stock app installed on older devices, security researchers say.

If you own an older Samsung smartphone, chances are you have a stock app designed to recommend other popular apps named S Suggest installed on it. The company says it discontinued S Suggest in 2014, and it recently let one of the domains used to control the app—ssuggest.com—expire, according to a security researcher who took over the domain.

By letting the domain expire, Samsung effectively gave anyone willing to register it a foothold inside millions of smartphones, and the power to push malicious apps on them, according to João Gouveia, the chief technology officer at Anubis Labs. Gouveia says he took over the domain Monday.

[...] Gouveia said that in just 24 hours, he saw 620 million "check ins," or connections, from around 2.1 million unique devices. S Suggest has a bunch of permissions, including rebooting the phone remotely and installing apps or packages.

This is on a par in severity with CVE-2015-2865 from 2015-06-17, when updates were not authenticated properly.

That is, unless the phone goes into Mission Impossible flight mode and self-destructs, as on 2016-09-08.


Original Submission

  • (Score: 2) by KGIII on Friday June 16 2017, @04:34AM (2 children)

    by KGIII (5261) on Friday June 16 2017, @04:34AM (#526312) Journal

    This seems pretty much like a solved problem. Why did they need a TLD? Making subdomains is pretty trivial. You don't even have to point them at the same IP address as the FQDN. I am not even sure why they'd do it this way.

    ssuggest.samsung.tld

    They can still have a TLD, even. They would only need to use the subdomain in the code itself. I have to be missing something, 'cause this seems pretty silly.

    --
    "So long and thanks for all the fish."
  • (Score: 3, Interesting) by Lagg on Friday June 16 2017, @06:37AM

    by Lagg (105) on Friday June 16 2017, @06:37AM (#526342) Homepage Journal

    Cookieless assets, Chrome has a cap of 6 asynchronous connections to same origin. Easier to isolate rules from depending on server. Etc.

    Or maybe I'm just giving them too much credit and they don't know you can do that. idunno

    --
    http://lagg.me [lagg.me] 🗿
  • (Score: 4, Insightful) by kaszz on Friday June 16 2017, @07:16AM

    by kaszz (4211) on Friday June 16 2017, @07:16AM (#526353) Journal

    When you need to get shit done and don't have time for ivory tower bureaucrats. It's a lot more efficient to create something in parallel and get on with your project.

    What they should have done is to make the phone software demand a signed message to act on anything at all. That would make owning the domain or MITM pointless.
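The control the submitter and kaszz are both pointing at (the unauthenticated updates behind CVE-2015-2865, and "demand a signed message to act on anything at all") looks like the following. This is an added illustration, not S Suggest's code or protocol and not anything from the thread: a Go sketch of a client that only acts on commands carrying a valid Ed25519 signature from a key pinned in the app, using the standard-library `crypto/ed25519`. The `Command` fields, the package names, the fixed clock and the 10-minute freshness window are all assumptions for the example; a real Android client would do the same in Java or Kotlin with the vendor's public key compiled in rather than generated at runtime.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Command is the kind of instruction a suggestion/update server pushes. The field
// names are assumptions for this example, not S Suggest's real wire format.
type Command struct {
	Action  string `json:"action"`  // "install", "reboot", ...
	Package string `json:"package"` // package to install, if any
	Issued  int64  `json:"issued"`  // unix seconds; bounds how long a capture can be replayed
}

// Envelope is what travels over the wire: serialized command plus detached signature.
type Envelope struct {
	Payload   []byte
	Signature []byte
}

// MaxAge is the clock skew / replay window the client tolerates.
const MaxAge = 10 * time.Minute

var ErrBadSignature = errors.New("signature does not verify against the pinned vendor key")
var ErrStale = errors.New("command timestamp outside the accepted window")

// Sign runs on the vendor's signing infrastructure. The private key never lives on the
// host behind the domain, so whoever controls the domain later cannot mint signatures.
func Sign(priv ed25519.PrivateKey, cmd Command) (Envelope, error) {
	payload, err := json.Marshal(cmd)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs on the phone before anything is acted on. pinnedPub ships inside the app,
// so the decision does not depend on who answers DNS for the domain or who sits in the path.
func Verify(pinnedPub ed25519.PublicKey, env Envelope, now time.Time) (Command, error) {
	if !ed25519.Verify(pinnedPub, env.Payload, env.Signature) {
		return Command{}, ErrBadSignature
	}
	var cmd Command
	if err := json.Unmarshal(env.Payload, &cmd); err != nil {
		return Command{}, err
	}
	// A valid signature does not stop replay of a genuine old command, so bound its age.
	// A production client would also remember which commands it has already executed.
	if age := now.Sub(time.Unix(cmd.Issued, 0)); age > MaxAge || age < -MaxAge {
		return Command{}, ErrStale
	}
	return cmd, nil
}

// DemoResult records how the client behaved in each scenario from the thread.
type DemoResult struct {
	VendorAccepted   bool // genuine, fresh command
	SquatterRejected bool // new domain owner signs with their own key
	TamperRejected   bool // genuine envelope with the package name swapped in transit
	ReplayRejected   bool // genuine envelope presented an hour after it was issued
}

// Demo plays the domain-takeover scenario against the verifying client.
func Demo() (DemoResult, error) {
	var res DemoResult
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	_, squatterPriv, err := ed25519.GenerateKey(rand.Reader) // the squatter's own key
	if err != nil {
		return res, err
	}
	now := time.Unix(1497600000, 0) // fixed clock (constructed) so the run is reproducible

	genuine, err := Sign(vendorPriv, Command{Action: "install", Package: "com.example.suggested", Issued: now.Unix()})
	if err != nil {
		return res, err
	}
	forged, err := Sign(squatterPriv, Command{Action: "install", Package: "com.example.malware", Issued: now.Unix()})
	if err != nil {
		return res, err
	}
	tampered := genuine // MITM keeps the vendor signature but edits the payload
	tampered.Payload = bytes.ReplaceAll(genuine.Payload, []byte("com.example.suggested"), []byte("com.example.malware"))

	_, err = Verify(vendorPub, genuine, now)
	res.VendorAccepted = err == nil
	_, err = Verify(vendorPub, forged, now)
	res.SquatterRejected = errors.Is(err, ErrBadSignature)
	_, err = Verify(vendorPub, tampered, now)
	res.TamperRejected = errors.Is(err, ErrBadSignature)
	_, err = Verify(vendorPub, genuine, now.Add(time.Hour))
	res.ReplayRejected = errors.Is(err, ErrStale)
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Printf("%+v %v\n", res, err) // all four fields true, err nil
}
```

The point of the pinned key is that the domain becomes just a delivery channel: a squatter who registers it, or anyone on the path, can serve bytes but cannot produce a signature the client accepts, and editing a genuine message breaks its signature. The timestamp check is there because signing alone does not stop an attacker from re-serving an old, genuinely signed command for a package that has since been found malicious; TLS with certificate pinning would address the transport, but it does not survive the vendor losing control of the name the way a signed payload does.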