If this is your first visit, be sure to check out the FAQ by clicking the link above.
You may have to register before you can post: click the register link above to proceed.
To start viewing messages, select the forum that you want to visit from the selection below.
A flaw in Samsung's equivalent to Siri, S-Voice, allows for a very limited workaround of most of Samsung's Android 4.1.1 and 4.1.2 device security. Enthusiast Terence Eden discovered that given a very specific set of circumstances, the devices will allow an unauthorized user or thief to run apps and dial numbers, even when the device is locked. Five days after insuring that the Samsung security team was aware of the issue, Eden reports that he has not heard back from the Korean manufacturer about the flaw.
The procedure relies on nimble fingers to implement properly. Following a press of the "emergency call" button, if the user depresses the "ICE" button and holds down the physical home key for a few seconds, then the phone's home screen will be briefly displayed, allowing for a user to click an app or widget and allow it to execute. If the widget is a "direct dial," then the phone will dial the number, and start ringing.
The discoverer does admit the attack as it stands is of "limited value." Other than non-standard revisions of the OS being installed by the user, there is no protection against the procedure. Eden mentioned in his blog post that he "spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung." He also claims Samsung has a "really poor record on Android security" and has yet to hear back from the security response team.
Superficially, the bug is similar to one found in Apple's iOS 6.1. The Apple bug requires a much more complex sequence to initiate, but allows greater access.
Last edited by NewsPoster; Mar 5, 2013 at 03:44 AM.