A single web link will WIPE Samsung Android smartphones
An enterprising hacker has demonstrated how a simple web page can reset various Samsung phones back to the state they left the factory - enabling a click, bump or text to take out a victim's mobe entirely. The devastating flaw lies in Samsung's dialling software, triggered by the tel protocol in a URL. It isn't applicable to all …
Magic
Just did to a very deserving git at work. Ha ha ha he's mad now!
Thanks el Reg.
Re: Magic
Heh.... wish I could do this to someone where I work, but seeing as I'm on HTC and everyone here is jesusPhone or dumb phone users, I'm out of luck.
Re: Magic
It MUST work on iPhones - Samsungs are a direct copy, aren't they?
Re: Magic
Looks like it's not just Samsungs, reports on XDA include HTC sets too. Only Jelly Bean can save us as this problem is on ICS and Gingerbread. The Apple congregation are going to lap this up :)
Not funny enough. Embed it onto every reg page please ;)
This is why your open source phone should be fully open source, not have some proprietary OEM layer over the top of it.
Tried it (using a safe code instead of the wipe code) and it just opens the dialer with no number entered. That's on an SGS3, Android 4.0.4, using Chrome.
I've tried and it also doesn't give any problem on the stock browser, it was patched on the S3 some time ago. Seems to affect the S2, though.
It's hard to see who *is* affected. No problem on my stock Nexus, nearly a year old.
@ElReg:
and it seems that some operators have tweaked their handsets to prevent that - although probably not deliberately, it's just a side effect of other changes.
No tweaking here - stock ICS 4.1.1, no operator.
It's not a browser issue, despite what others are saying in the comments here - it's the dialler, possibly in conjunction with TouchWiz. Unaffected diallers just display the USSD, and don't execute it anyway if you connect.
Well
It isn't hard to see who is affected, it's very easy, you just test on various phones.
This link on my HTC One X displays my IMEI number, with no input from me:
http://ninpo.qap.la/test/index.html
HTML code is simply:
<!DOCTYPE html>
<html>
<!-- the frame's src is a tel: URI; %23 is a percent-encoded '#', so the
     handset is handed *#06# (the IMEI display code) without any user input -->
<frameset>
<frame src="tel:*%2306%23">
</frameset>
</html>
If that was the factory wipe code for a One X (yes, one exists), my phone reboots and wipes itself.
Stock dialer that ships with the One X, stock browser that ships with the One X.
It has nothing to do with Touch Wiz, which isn't on this phone.
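As an added illustration from the defender's side (this is not the commenter's code, nor anything from Samsung or HTC), the following detector scans HTML for tel: links whose percent-decoded target looks like an MMI/USSD-style code rather than a phone number; the sample page is constructed here and only carries the *#06# IMEI code already quoted above, and the "flag anything containing * or #" rule is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample modelled on the frameset posted in the comments above:
# the frame src is a tel: URI carrying the percent-encoded IMEI code *#06#
# (%23 is '#'). The third link hides the same code behind full encoding.
SAMPLE_HTML = """<html>
<frameset><frame src="tel:*%2306%23"></frameset>
<body>
<a href="tel:+441234567890">Call us</a>
<a href="TEL:%2A%23%30%36%23">hidden</a>
</body></html>"""

# A dialable phone number: optional '+', then digits and common separators.
PHONE_NUMBER = re.compile(r"^\+?[0-9()\-. ]+$")


def is_mmi_code(target: str) -> bool:
    """True if a decoded tel: target looks like an MMI/USSD-style control
    string (contains * or #) rather than a plain phone number. Assumption:
    we flag both kinds, whether the handset acts locally or asks the network."""
    return not PHONE_NUMBER.match(target) and any(c in target for c in "*#")


class TelLinkScanner(HTMLParser):
    """Collect every tel: URI in href/src attributes, percent-decoded so that
    %2A%23 is seen as '*#' and the scheme is matched case-insensitively."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, decoded target, flagged)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                decoded = unquote(value.strip())
                if decoded.lower().startswith("tel:"):
                    target = decoded[4:]
                    self.findings.append((tag, target, is_mmi_code(target)))


def scan_for_mmi_tel_links(html: str):
    """Return (tag, target) for each tel: link that carries an MMI-style code."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    return [(tag, t) for tag, t, flagged in scanner.findings if flagged]
```

Run against SAMPLE_HTML it reports the frame and the fully-encoded anchor but leaves the ordinary phone-number link alone.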
Catch me if you can
iPhone users have to resort to remotely aggravating Samsung Android users. They sure as hell can't find out where we live any more.
Re: Catch me if you can
I'm sure iPhone users would love to reset our S3s with the NFC method except, oh no, no NFC.
Re: Catch me if you can
Yeah, great! My phone can be remotely wiped by a link as well! Still, at least it's not a low-spec iPhone! Ha ha, iPhone users, even if your phone was wiped by a link you'd still have all your contacts in that stupid iCloud thing! Losers!
Android 4 life!
*#06# didn't work on my GSM phone
Just tried *#06# on my GSM HP Pre3, did nothing without hitting the dial button. I guess there's some value in using a platform nobody else uses!
"fandroid"
As a journalist, the use of pejorative terms to refer to users of specific devices implies a bias.
Re: "fandroid"
...unless the journalist uses pejoratives to describe everyone
Re: "fandroid"
Yes, el Reg hates all of us equally!
Long may it continue....
Not Android.
Doesn't affect non-TouchWiz Samsung devices (i.e. pure Android, like the Galaxy Nexus), so it's purely down to Samsung's launcher and the hooks they install with TouchWiz.
Re: Not Android.
Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight.
Re: Not Android.
"Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight."
By "affects", you mean it opens the dialler with the number/tries to call it and fails (as it should) - because your phone is not affected - it's not set up to see those numbers and go "ooh, that means wipe everything". If you lost all your data, then I'll believe you.
I imagine Samsung have put this in to make support easier (resetting pins/devices) but it's still a pretty stupid move.
Re: Not Android.
@AC 19:28
"- it's not setup to see those numbers and go "ooh, that means wipe everything" "
I suspect that there are equivalent codes for most other phones, they'll be different codes but the same mechanism would work for activating them.
Re: Not Android.
There are equivalent codes for HTC phones. Try Google.
I have an LG Optimus on Republic Wireless in the US and I just tested the non-destructive samples using Opera and the default Browser. The default browser displayed the IMEI as soon as the page loaded. This is not just a Samsung problem.
Killer feature
Fandroids were right about NFC being the Galaxy S III killer feature
"but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a web page or snapping a bad QR code, or even bonking up against the wrong wireless NFC tag."
Re: Killer feature
Latest update for it fixes the issue. So unless the reporting is old it sounds like it's been fixed before it's got into the wild.
Re: Killer feature
But will the owners be allowed to upgrade to the fix? We are talking Android, after all.
Mine's the one with the rotary phone hooked to the Hayes modem in the pocket
Re: Killer feature
Good question, I'm not entirely sure. XDA reports that 4.0.4 is ok, but then you could have multiple updates on that one version number. Only way to be sure would be to run the safe tests on your phone.
http://forum.xda-developers.com/showthread.php?p=31994542
"UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom."
"Lennyuk" - "All current S3 firmware should be patched, samsung were informed of this issue some months ago and actively fixed it."
I could do more, but if you're interested, go read the thread! :P
Re: Killer feature
In other words, you've not tried this on a Samsung phone. Come back when you know what you're talking about.
Re: Killer feature
Update fixes it! Great! I'll just hold my breath while I wait for that....
Simple workaround
At least until a proper fix comes out (as the workaround is annoying), install a different dialer, but don't set it as the default (hell, install Skype, it'll have the same effect). The system will then ask which one you want to use, giving you the opportunity to go "ooo shit" before wiping.
Someone did mention removing system/app/keystringxxx.apk files but they didn't exist when I ssh'd into my SG2 so couldn't try that.
Bit of a major fuck up eh?
Ouch.
I feel sorry for Samsung, but seriously, WTF.
TBH, this almost sounds like one of those deliberate backdoors requested by spooks/spies.
I wonder how many more phones have them lurking as-yet undetected.
Mine's the one with the N900 in the pocket.
Re: Ouch.
Most of the codes have already been published on XDA, but this is the first time that I have heard of them being integrated into a URL.
Must admit that it would piss me off. I suppose it's an advantage that at least we know that it can be done.
Vanilla Android FTW
My vanilla Android Jelly Bean Galaxy Nexus isn't affected. I tried the reset code first because I was cocky.
Phew!... lol.
To make things worse, if you have FoxToPhone installed, it automatically forwards tel: links to your phone meaning your desktop Firefox could kill your phone.
If this fits you, you may want to change Chrome to Phone's settings on your device to manually open links.
Apparently, it's a bug in the stock Android dialer...
One of the original reporting folks posted an update:
http://dylanreeve.posterous.com/remote-ussd-attack-its-not-just-samsung
He also states a good workaround if you can't get a patched dialer is to install a different one to force the phone to prompt with an action. :)
"the attacker gains nothing from destroying all the data on a phone"
What? Other than the lulz you mean.
Confirmed not just Samsung
Just tried the URL from a previous post on my HTC Desire HD bog-standard and yes, it shows the IMEI immediately on opening the page.
Not USSD
USSD is a protocol for communicating between the handset and the network. It's used for things like finding out your prepay balance, or what your phone number is - the SIM doesn't know the phone number. An example would be *#100# <dial> on Vodafone, which will give your phone number.
What you're describing is not USSD - it's executed locally by the handset. Granted, it looks similar, but it's not the same thing at all.
