Security Researcher Jiten Jain has found that the tracking system implemented by Samsung to allow owners to track down their stolen or lost phones contains a flaw that allows anyone with the proper knowhow to spoof the device's location.
According to experts, 113 devices are lost or stolen every minute in the Unites States. Because of the large number of incidents, many phone owners deploy some sort of anti-theft/anti-loss solutions to protect their data or to track down their smartphones in case they get lost.
In the case of Samsung smartphones, the service is called Samsung Dive. The system allows the phone’s owner to pinpoint the whereabouts of the device via GPS and other location acquisition techniques.
However, Jain explains that a thief can use an application to spoof the location of the device.
“In case of Phone theft the Thief can simply broadcast a fake location on Samsung tracking server and mislead Original Phone User/Owner to believe that the phone is genuinely at fake location. The locations can be faked continuously to random places anywhere in the world,” the expert explained.
“All this happens because Samsung’s Location API's are completely vulnerable to be manipulated by installing commonly available simple GPS location spoofer on the device.”
In order to demonstrate his findings, Jain installed a spoofing application which could override any GPS locations request in the device and provide the phone owner with an arbitrary location.
Another noteworthy thing is that Samsung’s tracking application shows notifications when the device is being remotely monitored.
“This simply alerts the hacker or thief. This defeats the very fundamental principal and purpose of a tracking application, which should always work on the principal of hidden remote tracking in case of theft,” he said.
The researcher claims that other similar solutions, including the ones provided by AVG and Lookout, are vulnerable to location spoofing.
We’ve contacted Samsung to find out if they’re aware of this issue and if they plan on doing anything to address it. We’ll return with more details once they become available.