The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to brick all Samsung mobile phones.
French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to brick all Samsung mobile phones.
Baptiste bought a Samsung mobile phone a few months ago and decided to analyze it. After a few hours of tests, he discovered an unprotected receiver in the ContainerAgent application.
The researcher noticed the presence of a broadcast receiver called
SwitcherBroadcastReceiver into the ContainerAgent application version 2.7.05001015.
The receiver is enabled and exported by default, Baptiste focused its analysis on the implementation to understand how to trigger the receiver.
Below some considerations made by the expert in a blog post published on Medium:
By looking the onReceive method of the SwitcherBroadcastReceiver, we are able to deduce that This receiver:
- expect com.samsung.android.knox.containeragent.LocalCommandReceiver.ACTION_COMMANDas an action.
- It check the value of an integer extra called com.samsung.android.knox.containeragent.LocalCommandReceiver.EXTRA_COMMAND_ID. This extra can have 2 values: 1001 and 1002.
- It check the value of an integer extra called android.intent.extra.user_handle.
The expert started working to the creation of the intents when noticed that if the extra ACTION_COMMAND is set to 1001, the immediateLock method is invoked using the value of the extra user_handle as a parameter.
This means that using setting the value of user_handle to 150, the user id associated with the “Knox user”, it is possible to lock immediately the Knox container. Baptiste was able to create the final intent to lock the Knox container.
He also discovered that setting the extra ACTION_COMMAND to 1002 it is possible to call ‘switchToProfile‘ method with the value of the extra user_handle as a parameter.
“So, if I set the value of user_handle to 0, the user id of the first user, it will switch automatically to the first page of the launcher.” continues the expert.
The expert was able to create the final intent to switch to the first page of the launcher.
In order to exploit this flaw, the white hat hacker created a specially crafted “Locker application:”
The Proof Of Concept (POC) developed by Baptiste sends the 2 intents developed by the expert every second, he also noticed that once opened the app for the 1st time, the app icon will disappear.
This will cause the device will be inoperable due to this local DoS attack.
Every time the victim will open the SecureFolder app, the container will be locked and every time he will try to use his phone, the phone will come back directly to the first page of the launcher. concludes the expert.
Below the timeline of the attack:
- 04/02/19: Initial finding by Elliot Alderson
- 11/03/19: Responsible disclosure to the Samsung Security Team
- 18/03/19: The Samsung Security Team considered this issue as no/little security impact
If you are interested in the “intents” created by Elliot give a look at his post: