
SoylentNews is people

posted by Fnord666 on Friday June 16 2017, @02:16AM
from the another-day-another-attack-surface dept.

Samsung computer phones used to have a stock app called S Suggest. Then Samsung didn't renew the domain that controls it, making it possible for villains to register the domain and infest millions of computer phone users with malware... had they spotted the opportunity.

Samsung, the most popular smartphone maker in the world, left millions of customers vulnerable to hackers after it let expire a domain that was used to control a stock app installed on older devices, security researchers say.

If you own an older Samsung smartphone, chances are you have a stock app designed to recommend other popular apps named S Suggest installed on it. The company says it discontinued S Suggest in 2014, and it recently let one of the domains used to control the app—ssuggest.com—expire, according to a security researcher who took over the domain.

By letting the domain expire, Samsung effectively gave anyone willing to register it a foothold inside millions of smartphones, and the power to push malicious apps on them, according to João Gouveia, the chief technology officer at Anubis Labs. Gouveia says he took over the domain Monday.

[...] Gouveia said that in just 24 hours, he saw 620 million "check ins," or connections, from around 2.1 million unique devices. S Suggest has a bunch of permissions, including rebooting the phone remotely and installing apps or packages.

This is on a par in severity with CVE-2015-2865 from 2015-06-17, when updates were not authenticated properly.

That is unless the phone goes into mission impossible flight mode and self-destructs as in 2016-09-08.



  • (Score: 0) by Anonymous Coward on Friday June 16 2017, @02:25AM (3 children)

    by Anonymous Coward on Friday June 16 2017, @02:25AM (#526297)

    They let the domain lapse but a researcher snapped it up (and is even offering it back to Samsung). Something bad could have happened but nothing bad did happen.

    This doesn't let Samsung off the hook for stupidity and poor security practices, but TFA is clickbait.

    • (Score: 0) by Anonymous Coward on Friday June 16 2017, @02:38AM (1 child)

      by Anonymous Coward on Friday June 16 2017, @02:38AM (#526301)

      At least the domain didn't explode.

      • (Score: 0) by Anonymous Coward on Friday June 16 2017, @02:41AM

        by Anonymous Coward on Friday June 16 2017, @02:41AM (#526302)

        Trump should have bought it for the public good.

    • (Score: 2) by bob_super on Friday June 16 2017, @04:26PM

      by bob_super (1357) on Friday June 16 2017, @04:26PM (#526496)

      So, when do we pass a law that says that any manufacturer app fetching data from a fixed domain has to be removed, or at least become removable once the service is discontinued?

      Abandonware isn't a problem per se, people not being allowed to remove apps is the security hole.

  • (Score: 0) by Anonymous Coward on Friday June 16 2017, @03:56AM (1 child)

    by Anonymous Coward on Friday June 16 2017, @03:56AM (#526306)

    That is unless the phone goes into mission impossible flight mode and self-destructs as in 2016-09-08.

    They'll put this into phones sooner or later, so you have to buy a new one, considering every company is working it out so that all software, even operating systems, is "subscription-based" and so you don't control any computer involved without their permission anymore.

    • (Score: 2) by c0lo on Friday June 16 2017, @06:28AM

      by c0lo (156) Subscriber Badge on Friday June 16 2017, @06:28AM (#526335) Journal

      That is unless the phone goes into mission impossible flight mode and self-destructs as in 2016-09-08.

      They'll put this into phones sooner or later, so you have to buy a new one, considering every company is working it out so that all software, even operating systems, is "subscription-based" and so you don't control any computer involved without their permission anymore.

      Samsung already tried it, the cheapest version of self-destruct.
      They'll need to try some more, the cheapest approach (the wonder battery) was waaayy too effective.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by KGIII on Friday June 16 2017, @04:34AM (2 children)

    by KGIII (5261) on Friday June 16 2017, @04:34AM (#526312) Journal

    This seems pretty much like a solved problem. Why did they need a TLD? Making subdomains is pretty trivial. You don't even have to point them at the same IP address as the FQDN. I am not even sure why they'd do it this way.

    ssuggest.samsung.tld

    They can still have a TLD, even. They would only need to use the subdomain in the code itself. I have to be missing something, 'cause this seems pretty silly.

    --
    "So long and thanks for all the fish."
    • (Score: 3, Interesting) by Lagg on Friday June 16 2017, @06:37AM

      by Lagg (105) on Friday June 16 2017, @06:37AM (#526342) Homepage Journal

      Cookieless assets, Chrome has a cap of 6 asynchronous connections to the same origin. Easier to isolate rules from depending on server. Etc.

      Or maybe I'm just giving them too much credit and they don't know you can do that. idunno

      --
      http://lagg.me [lagg.me] 🗿
    • (Score: 4, Insightful) by kaszz on Friday June 16 2017, @07:16AM

      by kaszz (4211) on Friday June 16 2017, @07:16AM (#526353) Journal

      When you need to get shit done and don't have time for ivory tower bureaucrats. It's a lot more efficient to create something in parallel and get on with your project.

      What they should have done is to make the phone software demand a signed message to act on anything at all. That would make owning the domain or MITM pointless.
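The signed-message requirement kaszz describes, and the weakness at the heart of the story (a device that acts on whatever the domain serves), as an added example that is not part of the story, of any comment, or of Samsung's own code: a Go program in which the device holds only the vendor's Ed25519 public key and acts on a message only if the signature verifies, the message is addressed to this device, and it has not expired. The `Payload` fields, the action and package names, the device identifiers and the fixed clock are all constructed for the example, and the scenarios show that controlling the domain (or sitting in the middle) yields bytes the device will not act on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Reasons the device refuses to act on a received message.
var ErrBadSignature = errors.New("signature does not verify against the vendor key")
var ErrWrongDevice = errors.New("message is addressed to a different device")
var ErrExpired = errors.New("message has expired")

// Payload is the only part of a message the device acts on: DeviceID binds it to one handset,
// Expires bounds how long a captured copy stays usable. Names here are constructed for the example.
type Payload struct {
	Action   string `json:"action"`
	Package  string `json:"package,omitempty"`
	DeviceID string `json:"device_id"`
	Expires  int64  `json:"expires"` // Unix seconds
}

// Command is the wire format: the encoded payload plus an Ed25519 signature over those bytes.
type Command struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"sig"`
}

// VendorSign is the server side: sign exactly the bytes that will be sent. The private
// key lives only in the vendor's release system; firmware ships the public key.
func VendorSign(priv ed25519.PrivateKey, p Payload) (Command, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return Command{}, err
	}
	return Command{Payload: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyCommand is the device side. The signature is checked before the payload is parsed,
// so bytes served by whoever controls the domain are ignored unless the vendor key signed them.
func VerifyCommand(pub ed25519.PublicKey, c Command, deviceID string, now time.Time) (*Payload, error) {
	if !ed25519.Verify(pub, c.Payload, c.Signature) {
		return nil, ErrBadSignature
	}
	var p Payload
	if err := json.Unmarshal(c.Payload, &p); err != nil {
		return nil, err
	}
	if p.DeviceID != deviceID {
		return nil, ErrWrongDevice
	}
	if now.Unix() > p.Expires {
		return nil, ErrExpired
	}
	return &p, nil
}

// Outcome records whether each constructed scenario behaved as a hardened device should.
type Outcome struct {
	GenuineAccepted, ImpostorRejected, TamperedRejected, ReplayRejected, WrongDeviceRejected bool
}

// RunScenarios: genuine message, message signed by an untrusted key, tampered payload,
// stale replay, and a message addressed to another device.
func RunScenarios() (Outcome, error) {
	var o Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key the firmware does not trust
	now := time.Unix(1700000000, 0)                    // fixed clock keeps scenarios deterministic
	const device = "device-0001"
	genuine := Payload{Action: "install", Package: "com.example.app", DeviceID: device,
		Expires: now.Add(10 * time.Minute).Unix()}
	cmd, _ := VendorSign(priv, genuine)
	_, err = VerifyCommand(pub, cmd, device, now)
	o.GenuineAccepted = err == nil
	forged, _ := VendorSign(otherPriv, genuine)
	_, err = VerifyCommand(pub, forged, device, now)
	o.ImpostorRejected = errors.Is(err, ErrBadSignature)
	tampered := Command{Payload: append([]byte(nil), cmd.Payload...), Signature: cmd.Signature}
	tampered.Payload[len(tampered.Payload)-2] ^= 1 // flip one bit in the signed expiry digits
	_, err = VerifyCommand(pub, tampered, device, now)
	o.TamperedRejected = errors.Is(err, ErrBadSignature)
	_, err = VerifyCommand(pub, cmd, device, now.Add(time.Hour))
	o.ReplayRejected = errors.Is(err, ErrExpired)
	_, err = VerifyCommand(pub, cmd, "device-0002", now)
	o.WrongDeviceRejected = errors.Is(err, ErrWrongDevice)
	return o, nil
}

func main() {
	o, err := RunScenarios()
	fmt.Printf("%+v %v\n", o, err)
}
```

The order of checks matters: the signature is verified over the raw bytes before anything is decoded, so a malformed or hostile payload is never parsed, and the expiry and device binding turn a captured genuine message into something that cannot be replayed later or against a different handset.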

  • (Score: 3, Informative) by stormwyrm on Friday June 16 2017, @08:38AM (1 child)

    by stormwyrm (717) on Friday June 16 2017, @08:38AM (#526370) Journal

    I remember once upon a time Microsoft did something similar back in 1999, when they forgot to renew the Passport.com domain, which was vital to the proper operation of Hotmail and many of their other online properties (e.g. MSN Messenger, Outlook Express) at the time. Some bloke over on the other site paid Network Solutions $35 to renew the domain [slashdot.org], and gave it back to Microsoft, receiving $500 as a gesture of thanks from MS. And well, they did it again in 2003, allowing hotmail.co.uk to lapse.

    Samsung really should have just kept ssuggest.com rather than letting it lapse. If the service was discontinued they should have just removed all records from it, so nothing would resolve. The company that ranks 13th in the Fortune Global 500 [fortune.com] with $16 billion in profits last year is really pinching $11 a year [dynadot.com] for a domain name?

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 2) by nobu_the_bard on Friday June 16 2017, @12:56PM

      by nobu_the_bard (6373) on Friday June 16 2017, @12:56PM (#526407)

      It's more likely the guys that were maintaining it left the company or assumed new unrelated duties after the service was discontinued, and everyone just sort of forgot about it. They probably don't have management of their domains centralized in such a way that its importance was made obvious.
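One way to keep a name that shipped software still depends on from quietly lapsing after its team has moved on, following the centralised-management point above; this is an added example, not from the story or any commenter: a Go check over a registrar export that flags every domain already expired or expiring inside a warning window, with the software that still contacts it listed beside each. The `Inventory` data, the domain names, the dates and the CSV layout are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Finding is one domain from the inventory that needs attention.
type Finding struct {
	Domain  string
	UsedBy  string
	Expires time.Time
	Expired bool
}

// Inventory is a constructed export from a hypothetical registrar account:
// domain, expiry date (YYYY-MM-DD), and the software that still contacts the name.
const Inventory = `domain,expires,used_by
example-suggest.test,2017-05-30,legacy app recommendation service (discontinued 2014)
example-update.test,2017-07-01,firmware update client
example-www.test,2019-01-15,corporate website
example-telemetry.test,2017-12-31,telemetry collector
`

// FlagDomains returns every inventory entry that has already expired or will expire
// within warn of now, soonest first. "Discontinued" is not a reason to skip a name: as
// long as shipped software still resolves it, it must stay registered (or the app removed).
func FlagDomains(inventory string, now time.Time, warn time.Duration) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(inventory))
	header := true
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if header {
			header = false
			continue
		}
		parts := strings.SplitN(line, ",", 3) // used_by may itself contain commas
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed inventory line: %q", line)
		}
		exp, err := time.Parse("2006-01-02", parts[1])
		if err != nil {
			return nil, fmt.Errorf("bad expiry in %q: %w", line, err)
		}
		if exp.Before(now) || exp.Sub(now) <= warn {
			out = append(out, Finding{Domain: parts[0], UsedBy: parts[2], Expires: exp, Expired: exp.Before(now)})
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Expires.Before(out[j].Expires) })
	return out, nil
}

func main() {
	now := time.Date(2017, 6, 12, 0, 0, 0, 0, time.UTC) // constructed "today"
	findings, err := FlagDomains(Inventory, now, 60*24*time.Hour)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		state := "expires " + f.Expires.Format("2006-01-02")
		if f.Expired {
			state = "EXPIRED " + f.Expires.Format("2006-01-02")
		}
		fmt.Printf("%-24s %-20s still used by: %s\n", f.Domain, state, f.UsedBy)
	}
}
```

A malformed line is an error rather than a silent skip, since an entry that drops out of the report is exactly the kind of forgotten name the check exists to catch.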

  • (Score: 0) by Anonymous Coward on Friday June 16 2017, @12:58PM

    by Anonymous Coward on Friday June 16 2017, @12:58PM (#526408)

    It's as if all this "software" is written by interns.
