Android Security News

Samsung Left Millions Vulnerable To Hackers Because It Forgot To Renew a Domain (vice.com)

An anonymous reader writes: Samsung cellphones used to have a stock app called S Suggest. The company apparently discontinued the app recently, and then forgot to renew a domain that was used to control it. This snafu left millions of smartphone users vulnerable to hackers who could've registered the domain and installed malicious apps on the phones.
  • by redback ( 15527 ) on Wednesday June 14, 2017 @04:43PM (#54621633)

    What would have happened with something like this if a company goes under?

    We almost need a charity foundation of some sort to maintain domains like this in that situation.

    • Maybe there needs to be a mechanism to disable the app. Or updates to the app. Or further downloads. Etc.

      Then there needs to be an officer in the company who is responsible to activate this mechanism in the event that the company ceases operations. Prior to that happening, the product manager of the affected product would be responsible to use this mechanism to disable further updates to the app when it is being discontinued.
      • Ah, script kiddies' newest target: that mechanism. Render a massive slice of a market unable to use their internet-dependent product.

      • You can disable any app in Android. Instead of "uninstall" you'll see a button to uninstall updates, then if you uninstall updates you'll see a button to disable the app.

        • You can disable any app in Android. Instead of "uninstall" you'll see a button to uninstall updates,

          Most user loaded apps do not have a "disable" feature. It's either let it run as it wants or uninstall it lock, stock and barrel.

          I wish they all had "disable", since there are apps (like Nook with at least 5, FileManager+ with one, Accuweather with 3 or 4) that run multiple services all the time, even when you haven't used the app for a month. And some of them simply won't go away when you kill them (Google Location Services service, I'm pointing at you.) It's a pain to have to uninstall apps and then rei

          • You can disable any app in Android. Instead of "uninstall" you'll see a button to uninstall updates,

            Most user loaded apps do not have a "disable" feature. It's either let it run as it wants or uninstall it lock, stock and barrel.

            Like I said, if you've been paying attention, " Instead of 'uninstall' you'll see a button to uninstall updates".
            If a user installed it, you'll just see "uninstall". If it's a factor app you'll get the "uninstall updates" -> "disable".
            Of course Android is different with every OEM, but I haven't run into any that totally prevented me from disabling an OEM app. Samsung's definitely gives you scary warnings if you attempt it but it lets you.

            • Like I said, if you've been paying attention, " Instead of 'uninstall' you'll see a button to uninstall updates".

              And like I said, if you had been paying attention, is that most USER LOADED apps do not have a disable feature. Many system apps do, but user installed do not. It would be a good feature for the user to have to be able to disable instead of uninstall those apps.

              If it's a factor app you'll get the "uninstall updates" -> "disable".

              Which does not contradict in any way what I said about user-installed apps, so keep your insults to yourself.

              Of course Android is different with every OEM, but I haven't run into any that totally prevented me from disabling an OEM app.

              For just one example, I have a factory test app that becomes active every time I reboot one of my Samsung tablets. I can kill it and it will

              • And one bit more -- you said you can disable "any app". You cannot disable user-loaded apps. You can only uninstall them. Uninstall is not the same as disable.
                • Oh you really zinged me. Yes I said "any app". I should have said something like "any app that the article was talking about"

                  I don't care what you think you want to do. Android lets you disable factor apps, except in the rare cases the vendor hacks that feature out. Users can either have additional apps installed or if they don't want to use them, not have them installed. That's the model, we all understand that you don't like that model, but that's how it works today. The functionality is effectively equiv

                  • I don't care what you think you want to do.

                    Thanks.

                    Android lets you disable factor apps, except in the rare cases the vendor hacks that feature out.

                    As I pointed out already, the survey of "factor" apps I made on my Samsung device showed less than 50% of them could be disabled. It isn't rare if more than 50% of the apps cannot be disabled.

                    Users can either have additional apps installed or if they don't want to use them, not have them installed.

                    Of course. But that means that any app that a user needs only occasionally must be reinstalled from scratch before it can be used for a short period of time, and then re-uninstalled. That's a lot more work than simply disabling/enabling/disabling an app. This difference seems to be lost on you. For example, the

              • And like I said, if you had been paying attention, is that most USER LOADED apps do not have a disable feature. Many system apps do, but user installed do not. It would be a good feature for the user to have to be able to disable instead of uninstall those apps.

                Yes, you'd uninstall those, not disable them. Fucking idiots these days.

                • Yes, you'd uninstall those, not disable them. Fucking idiots these days.

                  You clearly do not understand the difference between disabling an app and uninstalling them. As I said a couple of times now, it would be nice if we could disable any app LIKE YOU SAID WE CAN, but which in truth cannot be done. You are not in a good position to be using insult to make your point.

      • by vlad30 ( 44644 )
        It should also be much more difficult to register a domain, especially a domain that has been used before. That registration fee should entail some actual work on the part of the domain registrar to fact-check the applicant and potential use, and removal if the use is nefarious. Imagine how many fewer scam and spam websites would exist if they actually did this.
        • And how much more would it cost to register a domain? All that paper work and vetting is going to seriously increase the price of registering a domain. Heard of net neutrality? Same thing applies here. You raise the bar for something as simple as registering a domain and you start cutting out the smaller players, and then only the big boys can play, and we all know what happens then.
      • by AmiMoJo ( 196126 )

        Neither of those things will help, unfortunately.

        Normal people don't install updates unless forced to. If it isn't 100% automatic it isn't happening. And anyway, how would they even know to disable the app? Most don't read security advisory mailing lists.

        Giving someone the job of handing over company assets for free to a charity at the precise moment that the company is being broken up for scrap isn't likely to fly either. They would just get blamed for giving away something that the bankruptcy team could h

    • The app can use certificate pinning. If someone else puts a new server up on the domain name the certificate will not match the expected one from the old site and the app will refuse to connect to it.
    • What would have happened with something like this if a company goes under?

      For one thing, you should have some kind of authentication. Basing security entirely around domain name is a known security flaw, since at least the 90s. Two to one odds says that they also programmed the app to communicate over HTTP instead of HTTPS.

    • What users need is software freedom (the freedom to run, edit, and share the complete corresponding source code to the software) so they can alter the software as they wish, point the device to whatever site they want for updates, and genuinely own their computers. There's no good reason to keep a domain going and address this in a monopoly-sustaining surface level way. Keeping a domain going is not really the issue nor is that a thorough solution to the underlying problem.

      • by Gr8Apes ( 679165 )

        What users need is software freedom (the freedom to run, edit, and share the complete corresponding source code to the software) so they can alter the software as they wish, point the device to whatever site they want for updates, and genuinely own their computers.

        You already can. Just buy the appropriate hardware for whatever software you have rights to and want to install on it. Enjoy.

  • Left vulnerable by NEVER updating the operating systems on phones other than flagships. I remember Stagefright; they promised a security release. Still waiting on my 4.4.1.
  • by OrangeTide ( 124937 ) on Wednesday June 14, 2017 @05:01PM (#54621767) Homepage Journal

    It doesn't matter who controls or hijacks your domain because DNS is not an authoritative source of information. You go through numerous unsigned caches before you get queries through.
    If you write software without your head up your ass you'd use a certificate on the app to check every interaction with the server before you trust it.
     
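The certificate-pinning comment above, the "don't base security on the domain name" comment, and this one all describe the same defence: the app carries something (a pin, a key) that whoever later registers the domain cannot reproduce. The following is an added illustration written for this page, not code from Samsung or from any commenter, and it assumes a hypothetical hostname `ssuggest.example` with two freshly generated self-signed certificates standing in for the original server and a server set up on the lapsed domain. It contrasts a name-only check with an SPKI-pinned check:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Pinset is the set of hex SHA-256 SubjectPublicKeyInfo hashes an app ships
// with. In a real app these are compile-time constants baked into the binary.
type Pinset map[string]bool

// spkiPin hashes the certificate's SubjectPublicKeyInfo, the same input that
// HPKP-style and OkHttp CertificatePinner pins are computed over.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// trustByNameOnly is the weak model the thread criticises: any certificate
// whose name matches the expected host is accepted, so whoever currently
// controls the domain (and can obtain a certificate for it) is trusted.
func trustByNameOnly(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// trustPinned also requires the presented public key to be in the pinset, so a
// new server on a re-registered domain is rejected even with a valid name.
func trustPinned(cert *x509.Certificate, host string, pins Pinset) bool {
	if cert.VerifyHostname(host) != nil {
		return false
	}
	got := []byte(spkiPin(cert))
	for want := range pins {
		if subtle.ConstantTimeCompare(got, []byte(want)) == 1 {
			return true
		}
	}
	return false
}

// selfSignedFor mints a fresh self-signed certificate for host with a brand new
// key. Constructed test data: it stands in for both the original server and a
// server put up by whoever registers the lapsed domain.
func selfSignedFor(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario plays out the lapsed-domain case. It returns whether the name-only
// check accepts the impostor, whether the pinned check accepts the original
// server, and whether the pinned check accepts the impostor.
func Scenario() (nameOnlyAcceptsImpostor, pinnedAcceptsOriginal, pinnedAcceptsImpostor bool, err error) {
	const host = "ssuggest.example" // hypothetical hostname, not Samsung's
	original, err := selfSignedFor(host)
	if err != nil {
		return
	}
	impostor, err := selfSignedFor(host) // same name, different key
	if err != nil {
		return
	}
	pins := Pinset{spkiPin(original): true} // what the app shipped with
	nameOnlyAcceptsImpostor = trustByNameOnly(impostor, host)
	pinnedAcceptsOriginal = trustPinned(original, host, pins)
	pinnedAcceptsImpostor = trustPinned(impostor, host, pins)
	return
}

func main() {
	a, b, c, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("name-only check accepts impostor: %v\n", a)
	fmt.Printf("pinned check accepts original:    %v\n", b)
	fmt.Printf("pinned check accepts impostor:    %v\n", c)
}
```

Pinning the SPKI hash rather than the whole certificate lets the operator renew the certificate with the same key without breaking deployed apps; shipping a backup pin for a second, offline key covers the case where the primary key must be rotated. A plain HTTP channel, which one commenter suspects the app used, has no certificate to pin at all, so the same property would have to come from signing each downloaded payload with a key whose public half is embedded in the app.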

  • by Anonymous Coward

    I hope our goatse guy gets his domain renewed soon. I'd hate to see him fall victim to the same problem!

  • by ZorinLynx ( 31751 ) on Wednesday June 14, 2017 @05:04PM (#54621793) Homepage

    You'd think they could have instead used "ssuggest.samsung.com" or similar, rather than registering an entirely separate domain for what is essentially a minor feature on a phone.

    The nice thing about DNS is that it was designed PRECISELY TO BE USED THIS WAY, being able to establish a hierarchy so that an entity can organize all their hostnames/services in one hierarchy.

    • by mccalli ( 323026 )
      It's almost certainly an internal corporate division problem. I'll bet internal processes and/or corporate divisions meant that it was easier for one department to create an entirely new website with their own servers etc. than it was to get Samsung's corporate website, or more accurately the DNS for such, altered by the other project team.
  • Plus all of those Samsung crap apps.

    That's why I use stock Android on my Nexus, and my next phone will be a Pixel. It's a shame because the Samsung hardware is really nice (except the Galaxy S7 of course).

    • Or just get a knock off Chinese phone, the only problem with those is that what you get on the phone will be all you get on the phone. No updates. You will have to manage that yourself.
  • at fucking you over. ;)

  • Bought two Samsung TVs with all these networked smart features... Over six months, I see on the screen announcements of discontinued features.... I unplugged my TVs from the wifi connection and only watched TV on them.
  • Yeah, but they saved $9.99 by not renewing the domain so it was a huge win for Samsung.

  • It self destroys by design, hackers don't have enough time to compromise the phone.
