Security Protection – Harry Waldron MVP

Samsung Phones – Wiped clean by USSD factory reset hack on unpatched carriers

A new mobile phone vulnerability is circulating. When a user visits a malicious web site, some Samsung models can be completely reset, because they support advanced dialer automation. All internal data and customized user settings would be lost. OEMs and phone service carriers need to patch these vulnerabilities. PC Magazine highlights this as follows:

QUOTE: If you own a Samsung smartphone from a U.S. cell phone operator, you may want to avoid using the Internet until your carrier patches a pretty simple flaw that would let an attacker reset your phone.

On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD code for a factory reset. The problem appears to lie within both the Samsung dialer and Touchwiz’s stock Android browser. Unlike most dialers, Samsung’s automatically makes the call while others still require the user to hit “send.” Borgaonkar noted that the code can be sent from a website or pushed to the handset by a Charlie Miller-like NFC attack, or through a malicious QR code, in which case absolutely no user interaction is necessary. 

But here’s the kicker. Borgaonkar told Security Watch that he’d disclosed the vulnerability to manufacturers and carriers in June, and a patch for the firmware was quickly released. But to date, only Google and certain European carriers have sent an over-the-air update to device owners. Hardware manufacturers, including Samsung, have applied the update to their phones as well. So if you buy an unlocked Samsung Galaxy S III from a Samsung store today, you’re safe.  “I decided to go public because everyone has the patch now, they’ve just been sitting on it for months,” he said. “It’s the duty of carriers to make sure everyone’s devices are safe.” 

Check If Your Phone’s Safe — We’ve reached out to all the U.S. carriers and will update the article once they respond. Meanwhile, Borgaonkar also created a test that lets you check if your Android device is vulnerable. Click here from your phone. If you can see your IMEI (like on the Verizon GSIII pictured above), Borgaonkar advises, tongue in cheek, to disconnect from the Internet.
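The quoted article describes a web page whose call link carries a USSD code in place of a telephone number. As an added example (not from PC Magazine or the researcher), the following Node.js scanner lists every `tel:` target in a piece of markup and flags those containing the `*` or `#` control characters, including percent-encoded and HTML-entity-encoded forms. The function names and the sample markup, with its `NNNN` placeholder codes, are assumptions made for illustration.

```javascript
// Added example: flag tel: URIs in HTML that carry USSD/MMI control characters.
// SAMPLE_HTML is constructed; NNNN stands in for the digits of a real code.
const SAMPLE_HTML = `
<a href="tel:+1-555-0100">Call support</a>
<iframe src="tel:*NNNN%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:&#42;&#35;NNNN&#35;">
<a href="TEL:%2ANNNN%23">offer</a>
`;

// Convert a numeric character reference; out-of-range values become U+FFFD.
function codePoint(n) {
  return n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD';
}

// Decode numeric entities plus the named forms of '#' and '*'.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/&num;/gi, '#')
    .replace(/&ast;/gi, '*');
}

// Percent-decode a URI part; malformed escapes are kept as written.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Return every tel: target found in the markup, whatever tag or attribute
// holds it, with a flag set when the target is not a plain phone number.
function scanTelUris(html) {
  const findings = [];
  const text = decodeEntities(html);
  for (const m of text.matchAll(/tel:([^"'\s<>]*)/gi)) {
    const target = percentDecode(m[1]);
    findings.push({ target, ussdLike: /[*#]/.test(target) });
  }
  return findings;
}

// Convenience wrapper: only the targets that look like USSD/MMI codes.
function ussdLikeTargets(html) {
  return scanTelUris(html).filter(f => f.ussdLike).map(f => f.target);
}

console.log(scanTelUris(SAMPLE_HTML));
```

A proxy, mail filter or page-review job can run the same check over fetched markup and block or rewrite the flagged links before they reach a handset.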
