A single web link will WIPE Samsung Android smartphones

An enterprising hacker has demonstrated how a simple web page can reset various Samsung phones back to the state they left the factory - enabling a click, bump or text to take out a victim's mobe entirely. The devastating flaw lies in Samsung's dialling software, triggered by the tel protocol in a URL. It isn't applicable to all …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Magic

Just did to a very deserving git at work. Ha ha ha he's mad now!

Thanks el Reg.

14
7
Unhappy

Re: Magic

Heh....wish I could do this to someone where I work but seeing as I'm on HTC and everyone here is jesusPhone or dumb phone users I'm out of luck.

1
0
Silver badge
Devil

Re: Magic

It MUST work on iPhones- Samsungs are a direct copy, aren't they?

22
1
Facepalm

Re: Magic

Looks like it's not just Samsungs, reports on XDA include HTC sets too. Only Jelly Bean can save us as this problem is on ICS and Gingerbread. The Apple congregation are going to lap this up :)

0
0
Anonymous Coward

Not funny enough. Embed it onto every reg page please ;)

5
3
Anonymous Coward

This is why your open source phone should be fully open source, not have some proprietary OEM layer over the top of it.

13
2

Tried it (using a safe code instead of the wipe code) and it just opens the dialer with no number entered. That's on an SGS3, Android 4.0.4, using Chrome.

3
0

Chrome isn't affected as it doesn't handle the tel.

0
0

I've tried and it also doesn't give any problem on the stock browser, it was patched on the S3 some time ago. Seems to affect the S2, though.

0
0

It's hard to see who *is* affected. No problem on my stock Nexus, nearly a year old.

@ElReg:

and it seems that some operators have tweaked their handsets to prevent that - although probably not deliberately, it's just a side effect of other changes.

No tweaking here - stock ICS 4.1.1, no operator.

It's not a browser issue, despite what others are saying in the comments here - it's the dialler, possibly in conjunction with TouchWiz. Unaffected diallers just display the USSD, and don't execute it anyway if you connect.

1
0
Anonymous Coward

Well

It isn't hard to see who is affected, it's very easy, you just test on various phones.

This link on my HTC One X displays my IMEI number, with no input from me

http://ninpo.qap.la/test/index.html

HTML code is simply;

    <!DOCTYPE html>
    <html>
    <frameset>
    <frame src="tel:*%2306%23">
    </frameset>
    </html>

If that was the factory wipe code for a One X (yes, one exists), my phone reboots and wipes itself.

Stock dialer that ships with the One X, stock browser that ships with the One X.

It has nothing to do with Touch Wiz, which isn't on this phone.

0
0
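
A defensive check for the pattern in the comment above, as an added example that is not part of the original thread: it scans HTML for tel: URIs, percent-decodes them, and flags those containing * or # that sit in an attribute the browser loads without a tap (such as a frame src). The AUTO_LOAD list, the function names and the SAMPLE input are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# Attributes a browser fetches without a user tap (assumed list, not exhaustive).
AUTO_LOAD = {("frame", "src"), ("iframe", "src"), ("img", "src"),
             ("script", "src"), ("embed", "src"), ("object", "data")}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)


def classify_tel(uri):
    """None for non-tel URIs; 'code' if the decoded string contains * or #
    (a handset/network code rather than a plain number); else 'number'."""
    if not uri.strip().lower().startswith("tel:"):
        return None
    dialled = unquote(uri.strip()[4:])
    return "code" if ("*" in dialled or "#" in dialled) else "number"


class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, decoded tel string, auto_loaded, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [(attrs[n], (tag, n) in AUTO_LOAD)
                      for n in ("src", "href", "data") if attrs.get(n)]
        # <meta http-equiv="refresh" content="0; url=..."> also navigates unprompted.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(attrs.get("content") or "")
            if m:
                candidates.append((m.group(1), True))
        for uri, auto in candidates:
            kind = classify_tel(uri)
            if kind:
                self.findings.append((tag, unquote(uri.strip()[4:]), auto, kind))


def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: the frameset quoted in the comment plus an ordinary call link.
SAMPLE = ('<html><frameset><frame src="tel:*%2306%23"></frameset>'
          '<a href="tel:+15550100">call us</a></html>')
```

A finding with auto_loaded set and kind "code" is the combination worth blocking or alerting on at a proxy or mail gateway; a plain number behind a tapped link is normal.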

Catch me if you can

IPhone users have to resort to remotely aggravating Samsung Android users. They sure as hell can't find out where we live any more.

31
2

Re: Catch me if you can

I'm sure iPhone users would love to reset our S3s with the NFC method except, oh no, no NFC.

4
1
Silver badge
Facepalm

Re: Catch me if you can

Yeah Great! My phone can be remotely wiped by a link as well! Still at least it's not a low spec iPhone! Ha Ha iPhone users, even if your phone was wiped by a link you'd still have all your contacts in that stupid iCloud thing! Losers!

Android 4 life!

0
1
Bronze badge

*#06# didn't work on my GSM phone

just tried *#06# on my GSM HP Pre3, did nothing without hitting the dial button. I guess there's some value in using a platform nobody else uses!

1
0
Anonymous Coward

"fandroid"

As a journalist, the use of pejorative terms to refer to users of specific devices implies a bias.

2
15

Re: "fandroid"

...unless the journalist uses pejoratives to describe everyone

21
1
Bronze badge
Mushroom

Re: "fandroid"

Yes, el Reg hates all of us equally!

Long may it continue....

16
0
Anonymous Coward

Not Android.

Doesn't affect non-TouchWiz Samsung devices (ie. Pure Android, like the Galaxy Nexus), so it's purely down to Samsung's launcher and hooks they install with TouchWiz.

3
0

Re: Not Android.

Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight.

0
0
Anonymous Coward

Re: Not Android.

"Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight."

By "affects", you mean it opens the dialler with the number/tries to call it and fails (as it should) - because your phone is not affected - it's not setup to see those numbers and go "ooh, that means wipe everything". If you lost all your data, then I'll believe you.

I imagine Samsung have put this in to make support easier (resetting pins/devices) but it's still a pretty stupid move.

1
0

Re: Not Android.

@AC 19:28

"- it's not setup to see those numbers and go "ooh, that means wipe everything" "

I suspect that there are equivalent codes for most other phones, they'll be different codes but the same mechanism would work for activating them.

0
0
Anonymous Coward

Re: Not Android.

There are equivalent codes for HTC phones. Try Google.

0
0
Anonymous Coward

I have an LG Optimus on Republic Wireless in the US and I just tested the non-destructive samples using Opera and the default Browser. The default browser displayed the IMEI as soon as the page loaded. This is not just a Samsung problem.

1
0
Anonymous Coward

Killer feature

Fandroids were right about NFC being the Galaxy S III killer feature

"but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a web page or snapping a bad QR code, or even bonking up against the wrong wireless NFC tag."

2
2
HMB

Re: Killer feature

Latest update for it fixes the issue. So unless the reporting is old it sounds like it's been fixed before it's got into the wild.

2
0

Re: Killer feature

@HMB: Which fix, please?

1
0
Coat

Re: Killer feature

But will the owners be allowed to upgrade the fix? We are talking Android, after all.

Mine's the one with the rotary phone hooked to the Hayes modem in the pocket

0
2
HMB

Re: Killer feature

Good question, I'm not entirely sure. XDA reports that 4.0.4 is ok, but then you could have multiple updates on that one version number. Only way to be sure would be to run the safe tests on your phone.

http://forum.xda-developers.com/showthread.php?p=31994542

"UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom."

"Lennyuk" - "All current S3 firmware should be patched, samsung were informed of this issue some months ago and actively fixed it."

I could do more, but if you're interested, go read the thread! :P

3
1
Anonymous Coward

Re: Killer feature

In other words, you've not tried this on a Samsung phone. Come back when you know what you're talking about.

0
0
Anonymous Coward

Re: Killer feature

Update fixes it! Great! I'll just hold my breath while I wait for that....

0
0

Simple workaround

At least until a proper fix comes out (as the workaround is annoying) is install a different dialer, but don't set the default (hell install Skype it'll have the same effect). System will then ask which one you want to use, giving you opportunity to go "ooo shit" before wiping.

Someone did mention removing system/app/keystringxxx.apk files but they didn't exist when I ssh'd into my SG2 so couldn't try that.

Bit of a major fuck up eh?

2
0
Coat

Ouch.

I feel sorry for Samsung, but seriously, WTF.

TBH, this almost sounds like one of those deliberate backdoors requested by spooks/spies.

I wonder how many more phones have them lurking as-yet undetected.

Mine's the one with the N900 in the pocket.

3
0
Silver badge

Re: Ouch.

Most of the codes have already been published on XDA but this is the first time that I have heard of them being integrated into a URL.

Must admit that it would piss me off. I suppose it's an advantage that at least we know that it can be done.

0
0
HMB

Vanilla Android FTW

My vanilla android Jelly Bean Galaxy Nexus isn't affected. I tried the reset code first because I was cocky.

Phew!... lol.

3
0
Anonymous Coward

Wahoo, my first Facebook post has been decided!

3
0
Anonymous Coward

To make things worse, if you have FoxToPhone installed, it automatically forwards tel: links to your phone meaning your desktop Firefox could kill your phone.

If this fits you, you may want to change Chrome to Phone's settings on your device to manually open links.

0
0
Boffin

Apparently, it's a bug in the stock Android dialer...

One of the original reporting folks posted an update:

http://dylanreeve.posterous.com/remote-ussd-attack-its-not-just-samsung

He also states a good workaround if you can't get a patched dialer is to install a different one to force the phone to prompt with an action. :)

1
0
Silver badge
FAIL

"the attacker gains nothing from destroying all the data on a phone"

What? Other than the lulz you mean.

1
0

Confirmed not just Samsung

Just tried the URL from a previous post on my HTC Desire HD bog-standard and yes, it shows the IMEI immediately on opening the page.

0
0
Anonymous Coward

Not USSD

USSD is a protocol for communicating between the handset and the network. It's used for things like finding out your prepay balance, or what your phone number is - the SIM doesn't know the phone number. An example would be *#100# <dial> on Vodafone, which will give your phone number.

What you're describing is not USSD - it's executed locally by the handset. Granted, it looks similar, but it's not the same thing at all.

1
0