UPDATE: The vulnerability has been fixed, claims Samsung employee. [See below]
Find My Mobile by Samsung lets users track their phone and, in case of theft, remotely lock it, wipe it or make it ring. Although a nifty service, it has a serious vulnerability that could let an attacker use the same mechanism to remotely lock your device and set a passcode of their choice.
The underlying flaw is that the Remote Controls feature on Samsung mobile devices “does not validate the source of lock-code data received over a network”, so lock-code data from an arbitrary sender is accepted as if it came from Samsung’s own service. The National Vulnerability Database (NVD), run by the US National Institute of Standards and Technology (NIST), rates the vulnerability (CVSS v2) with a base score of 7.8, an impact score of 6.9 and an exploitability score of 10, all out of 10. An exploitability score of 10 is the maximum the metric allows and corresponds to a flaw reachable over the network, with low access complexity and no authentication required.
There’s no word from Samsung yet but I assume they’ll release a statement soon. For now, the best bet seems to be to deactivate the Remote controls feature of Find My Mobile, which can be found under Settings > More > Find My Mobile > Remote controls.
Folks reporting on the 'Find My Mobile' issue: Our teams confirmed this was patched and fixed on October 13.
— Philip (@philipberne) October 29, 2014