An enterprising hacker has demonstrated how a simple web page can reset various Samsung phones back to the state they left the factory - enabling a click, bump or text to take out a victim's mobe entirely. The devastating flaw lies in Samsung's dialling software, triggered by the tel protocol in a URL. It isn't applicable to all …
Just did to a very deserving git at work. Ha ha ha he's mad now!
Thanks el Reg.
Heh... wish I could do this to someone where I work but seeing as I'm on HTC and everyone here is jesusPhone or dumb phone users I'm out of luck.
It MUST work on iPhones- Samsungs are a direct copy, aren't they?
Looks like it's not just Samsungs, reports on XDA include HTC sets too. Only Jelly Bean can save us as this problem is on ICS and Gingerbread. The Apple congregation are going to lap this up :)
Not funny enough. Embed it onto every reg page please ;)
This is why your open source phone should be fully open source, not have some proprietary OEM layer over the top of it.
Tried it (using a safe code instead of the wipe code) and it just opens the dialler with no number entered. That's on an SGS3, Android 4.0.4, using Chrome.
Chrome isn't affected as it doesn't handle the tel: protocol.
I've tried and it also doesn't give any problem on the stock browser, it was patched on the S3 some time ago. Seems to affect the S2, though.
It's hard to see who *is* affected. No problem on my stock Nexus, nearly a year old.
and it seems that some operators have tweaked their handsets to prevent that - although probably not deliberately, it's just a side effect of other changes.
No tweaking here - stock ICS 4.1.1, no operator.
It's not a browser issue, despite what others are saying in the comments here - it's the dialler, possibly in conjunction with TouchWiz. Unaffected diallers just display the USSD, and don't execute it anyway if you connect.
It isn't hard to see who is affected, it's very easy, you just test on various phones.
This link on my HTC One X displays my IMEI number, with no input from me
HTML code is simply:
If that was the factory wipe code for a One X (yes, one exists), my phone reboots and wipes itself.
Stock dialer that ships with the One X, stock browser that ships with the One X.
It has nothing to do with Touch Wiz, which isn't on this phone.
iPhone users have to resort to remotely aggravating Samsung Android users. They sure as hell can't find out where we live any more.
I'm sure iPhone users would love to reset our S3s with the NFC method except, oh no, no NFC.
Yeah, great! My phone can be remotely wiped by a link as well! Still, at least it's not a low-spec iPhone! Ha ha iPhone users, even if your phone was wiped by a link you'd still have all your contacts in that stupid iCloud thing! Losers!
Android 4 life!
just tried *#06# on my GSM HP Pre3, did nothing without hitting the dial button. I guess there's some value in using a platform nobody else uses!
As a journalist, the use of pejorative terms to refer to users of specific devices implies a bias.
...unless the journalist uses pejoratives to describe everyone
Yes, el Reg hates all of us equally!
Long may it continue....
Doesn't affect non-TouchWiz Samsung devices (ie. pure Android, like the Galaxy Nexus), so it's purely down to Samsung's launcher and the hooks they install with TouchWiz.
Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight.
"Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight."
By "affects", you mean it opens the dialler with the number/tries to call it and fails (as it should) - because your phone is not affected - it's not setup to see those numbers and go "ooh, that means wipe everything". If you lost all your data, then I'll believe you.
I imagine Samsung have put this in to make support easier (resetting pins/devices) but it's still a pretty stupid move.
"- it's not setup to see those numbers and go "ooh, that means wipe everything" "
I suspect that there are equivalent codes for most other phones, they'll be different codes but the same mechanism would work for activating them.
There are equivalent codes for HTC phones. Try Google.
I have an LG Optimus on Republic Wireless in the US and I just tested the non-destructive samples using Opera and the default Browser. The default browser displayed the IMEI as soon as the page loaded. This is not just a Samsung problem.
Fandroids were right about NFC being the Galaxy S III killer feature
"but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a web page or snapping a bad QR code, or even bonking up against the wrong wireless NFC tag."
Latest update for it fixes the issue. So unless the reporting is old it sounds like it's been fixed before it's got into the wild.
@HMB: Which fix, please?
But will the owners be allowed to upgrade to the fix? We are talking Android, after all.
Mine's the one with the rotary phone hooked to the Hayes modem in the pocket
Good question, I'm not entirely sure. XDA reports that 4.0.4 is ok, but then you could have multiple updates on that one version number. Only way to be sure would be to run the safe tests on your phone.
"UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom."
"Lennyuk" - "All current S3 firmware should be patched, samsung were informed of this issue some months ago and actively fixed it."
I could do more, but if you're interested, go read the thread! :P
In other words, you've not tried this on a Samsung phone. Come back when you know what you're talking about.
Update fixes it! Great! I'll just hold my breath while I wait for that....
At least until a proper fix comes out (as the workaround is annoying), install a different dialer, but don't set it as the default (hell, install Skype, it'll have the same effect). The system will then ask which one you want to use, giving you the opportunity to go "ooo shit" before wiping.
Someone did mention removing system/app/keystringxxx.apk files but they didn't exist when I ssh'd into my SG2 so couldn't try that.
Bit of a major fuck up eh?
I feel sorry for Samsung, but seriously, WTF.
TBH, this almost sounds like one of those deliberate backdoors requested by spooks/spies.
I wonder how many more phones have them lurking as-yet undetected.
Mine's the one with the N900 in the pocket.
Most of the codes have already been published on XDA but this is the first time that I have heard of them being integrated into a URL.
Must admit that it would piss me off. I suppose it's an advantage that at least we know that it can be done.
My vanilla android Jelly Bean Galaxy Nexus isn't affected. I tried the reset code first because I was cocky.
Wahoo, my first Facebook post has been decided!
To make things worse, if you have FoxToPhone installed, it automatically forwards tel: links to your phone meaning your desktop Firefox could kill your phone.
If this fits you, you may want to change Chrome to Phone's settings on your device to manually open links.
One of the original reporting folks posted an update:
He also states a good work around if you can't get a patched dialer is to install a different one to force the phone to prompt with an action. :)
What? Other than the lulz you mean.
Just tried the URL from a previous post on my HTC Desire HD bog-standard and yes, it shows the IMEI immediately on opening the page.
USSD is a protocol for communicating between the handset and the network. It's used for things like finding out your prepay balance, or what your phone number is - the SIM doesn't know the phone number. An example would be *#100# <dial> on Vodafone, which will give your phone number.
What you're describing is not USSD - it's executed locally by the handset. Granted, it looks similar, but it's not the same thing at all.
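The thread keeps circling one point: an unaffected dialler shows the string and waits for a human, an affected one executes it on load. As an added example (mine, not code from the thread, The Register or any handset vendor), here is the guard a dialler or WebView intent handler could apply before acting on a tel: URI. It does not try to tell network USSD (the *#100# balance/number lookups above) apart from handset-local MMI codes such as *#06#, because the dial string alone does not reliably say which is which; anything containing "*" or "#" is simply never pre-dialled without an explicit confirmation step. The function names and the sample URIs are my own constructions; the UK number used is a fictional one.

```javascript
// Added example, not from the page: classify a tel: URI before a dialler acts on it.
// RFC 3966 permits "*" and "#" inside a local number, and browsers may deliver them
// percent-encoded (%2A, %23), so the check decodes first and then looks for the
// characters that turn a plain number into an MMI/USSD string.

const MMI_CHARS = /[*#]/;
const VISUAL_SEPARATORS = /[-.()\s]/g;   // separators RFC 3966 allows in a number

// Returns { kind: "number" | "mmi" | "invalid", dialString, reason? }.
function classifyTelUri(uri) {
  const s = String(uri).trim();
  if (!/^tel:/i.test(s)) {
    return { kind: "invalid", dialString: "", reason: "not a tel: URI" };
  }
  // Drop the scheme and any ";param=value" tail (e.g. ;phone-context=...).
  let body = s.slice(4).split(";")[0];
  try {
    body = decodeURIComponent(body);     // "%2A%2306%23" -> "*#06#"
  } catch (e) {
    return { kind: "invalid", dialString: "", reason: "bad percent-encoding" };
  }
  const dialString = body.replace(VISUAL_SEPARATORS, "");
  if (dialString === "") {
    return { kind: "invalid", dialString: "", reason: "empty number" };
  }
  if (MMI_CHARS.test(dialString)) {
    // Star/hash strings are MMI or USSD codes: the handset or the network may
    // execute them on connect, so they are never a plain "number".
    return { kind: "mmi", dialString };
  }
  if (!/^\+?[0-9]+$/.test(dialString)) {
    return { kind: "invalid", dialString: "", reason: "not a dialable number" };
  }
  return { kind: "number", dialString };
}

// Policy layer: what a dialler handed a tel: link should do.
//   prefill  - show the number in the dialler, user presses Dial
//   confirm  - show the raw code and require an explicit "run this code?" answer
//   reject   - drop the link
// Nothing is ever auto-dialled, which is the behaviour the affected handsets lacked.
function dialerAction(uri) {
  const c = classifyTelUri(uri);
  switch (c.kind) {
    case "number": return { action: "prefill", dialString: c.dialString };
    case "mmi":    return { action: "confirm", dialString: c.dialString };
    default:       return { action: "reject",  dialString: "" };
  }
}

// Constructed sample links of the kind a web page could carry.
const SAMPLE_LINKS = [
  "tel:+44-20-7946-0958",   // fictional UK number: prefill only
  "tel:*#06#",              // IMEI display code from the thread: confirm
  "tel:%2A%23100%23",       // percent-encoded *#100#: still recognised: confirm
  "mailto:someone@example.invalid", // not a tel: link at all: reject
];

for (const link of SAMPLE_LINKS) {
  const r = dialerAction(link);
  console.log(`${link.padEnd(34)} -> ${r.action}${r.dialString ? " " + r.dialString : ""}`);
}
```

The decode-before-inspect order matters: a check that only looks for a literal `#` in the URL misses `%23`, and a check that treats `#` as a URL fragment and strips it would turn `*#06#` into `*` and wave it through as garbage rather than flagging it.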