A French man named Robert Baptiste, a white hat hacker also known as “@fs0c131y”, recently discovered a way to hack into every single Samsung smartphone available on the market.
He published his findings on Twitter on May 12th, with a link to a Medium article detailing the procedure:
I just published “How to brick all Samsung phones” on @Medium https://t.co/B0uibgZRr5
— Elliot Alderson (@fs0c131y) May 12, 2019
Robert acquired a Samsung smartphone a few months ago and decided to take a crack at analyzing it. After a few hours of testing, he found an unprotected receiver in the device's ContainerAgent application.
Robert also noted the presence of a broadcast receiver named as follows:
“SwitcherBroadcastReceiver”, located in “ContainerAgent” version 2.7.05001015.
The receiver is enabled and exported by default, which means any application installed on the device can send it a broadcast. The white hat hacker also used his analysis to work out how to trigger the receiver.
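One defensive check a practitioner would want for this class of flaw, as an added example that is neither from the article nor from Samsung: a small audit that reads an AndroidManifest.xml and reports receivers that any installed app can fire. The manifest below is constructed, with a placeholder package and permission name; only the action string comes from the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_receivers(manifest_xml):
    """Return [(receiver_name, actions)] for receivers any installed app can fire.

    A <receiver> is exported when android:exported="true", or when it declares an
    <intent-filter> and does not set android:exported="false". An exported receiver
    with no android:permission accepts broadcasts from every app on the device.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for rcv in root.iter("receiver"):
        if _attr(rcv, "enabled") == "false":
            continue  # disabled receivers are not reachable
        exported = _attr(rcv, "exported")
        has_filter = rcv.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            if _attr(rcv, "permission") is None:
                actions = [_attr(a, "name") for a in rcv.iter("action")]
                findings.append((_attr(rcv, "name"), actions))
    return findings


# Constructed sample manifest (placeholder package); the first receiver mirrors
# the enabled, exported, unprotected receiver described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.containeragent">
  <permission android:name="com.example.permission.LOCAL_COMMAND"
              android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".SwitcherBroadcastReceiver" android:enabled="true">
      <intent-filter>
        <action android:name="com.samsung.android.knox.containeragent.LocalCommandReceiver.ACTION_COMMAND"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".HardenedReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.INTERNAL"/></intent-filter>
    </receiver>
    <receiver android:name=".SignedReceiver" android:exported="true"
              android:permission="com.example.permission.LOCAL_COMMAND"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, actions in audit_receivers(SAMPLE_MANIFEST):
        print("exported and unprotected:", name, actions)
```

Only the first receiver is reported: the second opts out of export and the third is gated by a signature-level permission.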
A Brief Summary of @fs0c131y's Findings on Medium
Although you can follow the link in his tweet for the full write-up, here is a brief compilation of the things that stood out in his findings:
- Looking at the onReceive method of SwitcherBroadcastReceiver, we can tell that this receiver handles the following:
- It expects com.samsung.android.knox.containeragent.LocalCommandReceiver.ACTION_COMMAND as the action.
- It checks the value of an integer extra named samsung.android.knox.containeragent.LocalCommandReceiver.EXTRA_COMMAND_ID. This extra can take two values: 1001 and 1002.
- It checks the value of an integer extra named android.intent.extra.user_handle.
More Findings on the Samsung Galaxy S10
- Robert started by crafting intents, and noticed that if the EXTRA_COMMAND_ID extra is set to 1001, the immediateLock method is called with the value of the user_handle extra as its parameter.
- With user_handle set to 150, the user id corresponds to the “Knox user”, so it is possible to lock the Knox container. Robert was able to build the final intent to lock the Knox container.
- The white hat hacker also found that setting the EXTRA_COMMAND_ID extra to 1002 calls the “switchToProfile” method, again using the value of the user_handle extra as its parameter.
- He claimed that setting user_handle to 0, the user id of the first user, automatically switches the device to the first page of the launcher.
- Robert was also able to craft the final intent and switch to the first page of the launcher.
- To exploit this flaw, the white hat hacker created a “Locker application”, published as follows:
- Samsung ContainerAgent Vulnerability – Local DoS for Samsung smartphone – fs0c131y/SamsungLocker on github.com
- The Proof of Concept (PoC) code written by Baptiste sends the two intents he developed every second. He noticed that opening the app for the first time makes its icon disappear.
- The outcome is an unusable device, the result of a denial-of-service (DoS) attack.
He stated that every time the victim opens the SecureFolder app, the container remains locked, and if the user tries to make it work, the phone goes back to the first page of the launcher.