~~~~THIS INFORMATION I'M SHARING IS FOR EDUCATIONAL PURPOSES ONLY.PLEASE USE IT TO YOUR DISCRETION...~~!
Samsung, currently believed to be the largest smartphone seller in the world, now provides a remote tracking solution in all its smartphones, under the name "Samsung Dive", to track a lost phone.
The service is based on an architecture that primarily acquires the precise location of the smartphone using its GPS and other subsidiary location-acquisition techniques. It is meant to let users track their phone in case of theft or loss.
Security researcher Jiten Jain discovered that this GPS-based location tracking service provided by the manufacturer (Samsung) is itself vulnerable to thieves and malware.
To use this built-in tracking service, the user simply has to create an account with Samsung (www.samsungdive.com). Users then have to enable remote services to track the device and wipe its data remotely. The permission can be disabled or modified only by the Samsung account holder after logging in, and cannot be disabled by anyone else.
When a user wants to track his device, he simply logs on to the Samsung tracking service website "www.samsungdive.com" and presses the "track my device" button. The application then remotely connects to the lost device, switches on its GPS receiver automatically and acquires the precise location of the device. If GPS is unavailable, other subsidiary location-acquisition techniques like Wi-Fi or cell-tower triangulation may be used. The acquired location is then sent to the server and shown on a map to the user.
During his research, Mr. Jain found that this location-based tracking service provided by Samsung in its Android-based smartphones is completely vulnerable to location spoofing attacks. This means that in case of phone theft, the thief can simply broadcast a fake location to the Samsung tracking server and mislead the original owner into believing that the phone is genuinely at the fake location. The location can be faked continuously to random places anywhere in the world. All this happens because Samsung's location APIs can be manipulated simply by installing one of the commonly available GPS location spoofers on the device.
To demonstrate this flaw, a simple, easily available location spoofing app was installed on the targeted device in Delhi, and the spoofed location was set to somewhere in Jordan. The location spoofing application was then activated to override any GPS location request on the device and instead provide the pre-set spoofed coordinates in Jordan. Samsung's device tracking service was then used to track the targeted device. The location shown on the map of Samsung's device tracking web interface showed that the phone was indeed in Jordan.
Pictures of the spoofed location of a Samsung Galaxy Note are shown below.
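As an added example (not part of the original article, and not code from Samsung's service), the following Python check shows how a tracking server could flag the Delhi-to-Jordan jump described above instead of trusting it: consecutive location reports whose implied speed exceeds anything a real device could achieve are marked as suspect. The report structure, the speed ceiling and the coordinates are constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
# Ceiling on plausible device speed (km/h); generous enough that genuine air
# travel is not flagged, while a Delhi-to-Jordan jump in minutes is.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class LocationReport:
    """One fix as a device reports it to the tracking server (constructed shape)."""
    timestamp: float  # seconds since epoch
    lat: float        # degrees
    lon: float        # degrees


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implausible_jumps(reports, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return the indices of reports that imply a faster-than-plausible move
    from the previous report. Such a fix should be shown to the owner as
    unverified rather than accepted as the phone's true position."""
    flagged = []
    for i in range(1, len(reports)):
        prev, cur = reports[i - 1], reports[i]
        hours = (cur.timestamp - prev.timestamp) / 3600.0
        dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # A report whose clock does not advance is treated as suspect too.
        if hours <= 0 or dist_km / hours > max_kmh:
            flagged.append(i)
    return flagged


# Constructed sample: two fixes in Delhi, then the spoofer reports Amman,
# Jordan ten minutes later and keeps reporting from there.
SAMPLE_REPORTS = [
    LocationReport(0.0, 28.6139, 77.2090),     # Delhi
    LocationReport(600.0, 28.6200, 77.2150),   # Delhi, short walk
    LocationReport(1200.0, 31.9539, 35.9106),  # Amman (spoofed)
    LocationReport(1800.0, 31.9600, 35.9150),  # Amman, small move
]

if __name__ == "__main__":
    print("suspect report indices:", implausible_jumps(SAMPLE_REPORTS))
```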
Though other applications such as AVG and the well-known tracking application Lookout, which provide similar services, are also vulnerable to location spoofing, Samsung's own tracking service is far more critical, as Samsung is the device manufacturer, the tracking module comes built into the phone, and it is the most widely used. Since such tracking applications also provide a remote data wipe service, phone owners generally prefer the device manufacturer's solution to a third-party tracking application.
Apart from this location spoofing vulnerability, and to make things worse, the Samsung tracking application also shows a notification that the device is being tracked remotely. This simply alerts the hacker or thief. It defeats the fundamental principle and purpose of a tracking application, which should always work on the principle of hidden remote tracking in case of theft.
This leaves millions of Samsung smartphone owners who rely on Samsung's tracking service vulnerable and helpless in case of phone theft. Since Samsung's location APIs are so vulnerable to location spoofing attacks, this vulnerability may well be used by malware writers to remotely spoof the location of a device, which would make navigation applications like Google Maps show an incorrect current location and wildly wrong routes to destinations, and it may also be used by hackers to write malware that throws the location-based services on the device into complete disarray.