If I do my job badly, a couple people are normally kind enough to come along in the comments and let me know. If a Samsung developer does his job badly, it turns out that millions of devices are left completely vulnerable to easy attack.
Motherboard talked to a security researcher who managed to snap up a former Samsung domain name that Samsung forgot to renew. Unfortunately, the domain name wasn’t a microsite for a Samsung ad campaign, but rather ssugest.com — the domain name for a server that controlled one of the stock apps that used to ship on Galaxy devices, S Suggest.
João Gouveia, the chief technology officer at Anubis Labs, noticed the lapse and decided to register it for himself. In a phone call with Motherboard, he told the site that “in just 24 hours, he saw 620 million “check ins,” or connections, from around 2.1 million unique devices. S Suggests has a bunch of permissions, including rebooting the phone remotely and installing apps or packages. Someone with bad intentions could have grabbed that domain and to nasty things to the phones,” he said.
Samsung disputes the claim, saying that although it let the domain lapse, control over the domain “does not allow you to install malicious apps, it does not allow you to take control of users’ phones.”
Even if Samsung is correct — that control of the domain doesn’t automatically grant those privileges — it’s still a major security risk. A malicious hacker could quite possibly use the domain to get control over the S Suggest app itself, and then abuse the permissions of the app to make it work in ways Samsung never imagined.
Luckily, all of this should remain strictly hypothetical, as Gouveia has agreed to had the domain back over to Samsung. But more than anything, it’s a reminder that security is a long-term game. After all, the bulk of the computers caught up in the recent ransomware storm were running old versions of Windows XP.
