Samsung S3 - Partial Screen Lock Bypass

Started by Newbie ukpentestinfo , 0 Seed Feb 21, 2013 12:25 Posts : 4 View : 12360 Likes : 0

Usually Vulnerability Disclosures are made privately to a vendor before being posted to public forums; however, when asked for a method to inform Samsung about a security vulnerability found in one of their devices, their guidance to us was:

*******************************************************************************************************************

Thank you for contacting Samsung Customer Support.
Please note if the issue is not specific to Samsung devices please see the links below for information on reporting Android security issues:

http://developer.android.com/guide/faq/security.html
http://code.google.com/p/android/issues/list

If you have information regarding the security specific to Samsung devices you may post it on our developer forum at the link below:
http://developer.samsung.com/forum/android/general-board

If there is anything else we can help with, please let us know.

Our Customer Support Team love feedback! Share your thoughts on this response by completing the survey at the bottom of this page.



As no method of response was provided within the email other than a link to the main Contact Us page (where a reference number can't be entered), and it was sent from a no-reply account, no additional clarification was sought.

*************************************************************************************************

MTI Technology – Vulnerability Research Team

www.mti.com

ukpentestinfo"at"mti.com

Samsung Galaxy S3 – partial screen-lock bypass



Date found: 17th Feb 2012

Vendor Notified: 20th Feb 2012

Vendor Affected: Samsung

Device: Galaxy S3

Model: GT-19300

OS: Android 4.1.2

Kernel Version: 3.0.31-742798


Affects:

Only tested on Samsung S3 kernel version 3.0.31-742798.



I. Background

MTI Technology recently conducted a 45-day internal research program aimed at locating new attacks and vulnerabilities in Android devices. Specifically, the Samsung S3 and LG Nexus 4 were tested. Several new issues were located and many of them have been or will be reported to the relevant vendors.

MTI will be releasing new advisories in cooperation with the relevant vendors.

II. Overview


Partial device functionality is available to a user from a locked S3, which permits certain activities to be carried out.


III. Problem Description

It is possible to access any functionality available from the S-Voice utility on a Samsung S3 when the phone is locked and a PIN (or other locking method) is set. Any command that can be issued via S-Voice can be issued when the phone is locked; however, only the actual phone / keypad becomes available to a user. Any other applications launched will still open and execute commands but are not visible to a user, and the device will revert back to the lock screen.

To access S-Voice the following steps are followed (assuming the phone is locked with a PIN number):

1. Press the power / home button to turn the phone on.

2. Swipe the screen to access the PIN entry screen.

3. Select Emergency Call.

4. Select Emergency Contacts (bottom left icon).

5. On the Emergency Contact screen, press the Home button twice in quick succession (to activate S-Voice).

6. As soon as the Home button is pressed twice, tap the bottom centre of the screen (the S-Voice Microphone button).

7. Issue any S-Voice command.

Commands such as the following can be issued:

Call 12345 – will activate the phone, dial the number and display it to a user. The command can be used to call any user, or contact (if the name is known) or even Voicemail if Voicemail has been saved as a contact.

What is number / address – will cause S-Voice to say the number or address associated with a contact

Message

Turn Wi-Fi On / off

Turn Bluetooth on / off

What is on my calendar

The S-Voice help screen can be used to obtain a listing of supported / documented commands. MTI were not able to locate any commands not listed in this help page.

A crude method to enumerate contact names is to press the home button from the Emergency Contacts screen and quickly press the message / SMS icon (if stored on the main page); this will briefly display the user's SMS inbox, which will reveal contact names.


IV. Impact

Low to Medium depending on the information stored on a phone. A malicious user who has access to a locked S3 would be able to obtain information from the schedule / calendar, make phone calls to any phone number (such as a premium rate number), message contacts, update a user’s Facebook / Twitter status (if S-Voice is configured to do so), enumerate contact addresses and phone numbers, and activate Bluetooth and Wi-Fi.


V. Workaround

In S-Voice settings, disable the ‘Open S-Voice by double pressing the Home Key’ setting.


VI. Solution

Awaiting vendor response.
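
The missing control described in the advisory above, modelled as an added example (not part of the original post and not S-Voice's code): an assistant that checks lock state before acting and holds every non-emergency command until the user authenticates. The class, the command names and the choice to discard held commands on a failed unlock are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Command kinds follow the advisory's list; "emergency_call" is the one
# action a lock screen is expected to allow. All names are hypothetical.
LOCK_SAFE = {"emergency_call"}
KNOWN = {"emergency_call", "call", "contact_lookup", "message",
         "wifi", "bluetooth", "calendar"}

@dataclass
class VoiceCommandGate:
    """Decides what a voice assistant may do, based on keyguard state."""
    secure_lock_set: bool            # a PIN / pattern / password is configured
    locked: bool = True
    pending: list = field(default_factory=list)

    def submit(self, kind: str, arg: str = "") -> str:
        if kind not in KNOWN:
            return "rejected"        # default deny for unrecognised intents
        if self.locked and self.secure_lock_set and kind not in LOCK_SAFE:
            # Never run the action behind the lock screen: hold it until
            # the user has authenticated.
            self.pending.append((kind, arg))
            return "deferred"
        return "executed"

    def unlock(self, authenticated: bool) -> list:
        """Release held commands only after a successful unlock."""
        if not authenticated:
            self.pending.clear()     # failed unlock discards queued actions
            return []
        self.locked = False
        released, self.pending = self.pending, []
        return released

def demo():
    # Constructed sample input: commands named in the advisory, issued
    # while the device is locked with a PIN set.
    gate = VoiceCommandGate(secure_lock_set=True)
    results = [gate.submit(k, a) for k, a in [
        ("call", "12345"), ("calendar", ""), ("wifi", "on"),
        ("emergency_call", ""), ("open_app", "")]]
    return results, gate.unlock(authenticated=True)
```
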

Newbie a.panasiuk , 380 Seed Feb 21, 2013 14:46 Post #1 0
Hi,

Thanks for reporting this, we will transfer this information to the right people.

Regards,
Adam Panasiuk
Samsung Developers

Newbie ukpentestinfo , 0 Seed Feb 21, 2013 15:31 Post #2 0
Thanks, if you do have an internal email address you would like us to use please let us know.
Newbie subs , 0 Seed Feb 26, 2013 08:31 Post #3 0
 

This content has been quoted from ukpentestinfo@’s thought.

IV. Impact

Low to Medium depending on the information stored on a phone. A malicious user who has access to a locked S3 would be able to obtain information from the schedule / calendar, make phone calls to any phone number (such as a premium rate number), message contacts, update a user’s Facebook / Twitter status (if S-Voice is configured to do so), enumerate contact addresses and phone numbers, and activate Bluetooth and Wi-Fi.


Can you copy stuff in clipboard by the voice command?
Because it is accessible in the lock mode: http://developer.samsung.com/forum/board/thread/view.do?boardName=GeneralB&messageId=210142 (apparently Samsung is happy with this feature and wants to keep it)
Newbie secincedentmanager , 0 Seed Mar 08, 2013 14:06 Post #4 0

Dear ukpentestinfo@

Your input has already reached the right engineers and has been analyzed for a fix. We'd like to show our appreciation for your informing Samsung of the symptom with detailed information. As one of the manufacturers who consider user privacy and the security of user data its top priority, we will do our best to release the fix at the earliest possibility. We hope you will report next time to m.security@samsung.com, where security issues can be received by and reach the engineers in the fastest way.

Best regards,

Incident Response Manager

