How to brick all Samsung phones

Image for post
Image for post

Few months ago, I bought a Samsung phone in order to analyse it. After few hours I found an unprotected receiver in the ContainerAgent application.

Analyse

The ContainerAgent application, version 2.7.05001015, contained a broadcast receiver called SwitcherBroadcastReceiver.

Image for post
Image for post
SwitcherBroadcastReceiver

As you can see, this receiver is enabled and exported by default. Let’s check the implementation in order to understand how to trigger this receiver.

Image for post
Image for post
onReceive method of SwitcherBroadcastReceiver

By looking the onReceive method of the SwitcherBroadcastReceiver, we are able to deduce that:
- This receiver expect com.samsung.android.knox.containeragent.LocalCommandReceiver.ACTION_COMMAND as an action.
- It check the value of an integer extra called com.samsung.android.knox.containeragent.LocalCommandReceiver.EXTRA_COMMAND_ID. This extra can have 2 values: 1001 and 1002.
- It check the value of an integer extra called android.intent.extra.user_handle.

It’s time to construct the intents and understand what are their effects. If the extra ACTION_COMMAND is equal to 1001, the immediateLock method is called with the value of the extra user_handle as a parameter.

Image for post
Image for post
immediateLock method

That’s interesting! So, if I set the value of user_handle to 150, the user id of the “Knox user”, it will lock immediately the Knox container. The final intent to lock the Knox container is:

In the same way, if the extra ACTION_COMMAND is equal to 1002, the switchToProfile method is called with the value of the extra user_handle as a parameter.

Image for post
Image for post
switchToProfile method

So, if I set the value of user_handle to 0, the user id of the first user, it will switch automatically to the first page of the launcher. The final intent to switch to the first page of the launcher is:

Exploitation

The next question is: How can we weaponize this vulnerability? Simple, we will create a “Locker application”.

In this Proof Of Concept (POC), I send these 2 intents every second. Moreover, after opening this app the 1st time, the app icon will disappear.

As a consequence, the device will be inoperable due to this local DoS. Every time the victim will open the SecureFolder app, the container will be locked and every time he will try to use his phone, the phone will come back directly to the first page of the launcher.

Timeline

  • 04/02/19: Initial finding by Elliot Alderson
  • 11/03/19: Responsible disclosure to the Samsung Security Team
  • 18/03/19: The Samsung Security Team considered this issue as no/little security impact

Contact

Follow me on Twitter! You can also find a small part of my work at https://fs0c131y.com

Written by

🇫🇷 Hacker. Fight disinformation at Predicta Lab. Not completely schizophrenic. Not related to USANetwork.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store