
back to article Samsung slaps swift patch over phone-wiping Galaxy S III vuln

Samsung has whipped out a fix for an embarrassing flaw in its smartphones that allows miscreants to wipe victims' phones with a simple web link. The South Korean electronics giant is pushing out the patch right now. The Galaxy S III has a firmware update available that closes the security hole, and it can be picked up from an …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

hrm

I didn't notice an OTA popping on my stock carrier-free S3, yet it seems not to be vulnerable.. some sort of ninja patch?

2
0
Bronze badge

Not a (just) Touchwiz problem

I have a Galaxy S i9000 running Cyanogenmod 7.2 and it's definitely vulnerable to this.

2
0
Anonymous Coward

Re: Not a (just) Touchwiz problem

Interesting... Best I check my CM7.2 running HTC then! (eeek).

1
0

Re: Not a (just) Touchwiz problem

I've tested a HTC One X, an S2, and a Sony Xperia.

The exploit for running the IMEI code *#06# works on all of them, currently only the Samsung is in danger as none of the others have Factory Reset USSD codes. hopefully.

1
0

Re: Not a (just) Touchwiz problem

"none of the others have Factory Reset USSD codes. hopefully."

You can hope, but in all likelihood this facility exists in all handsets.

Don't know why the reporters keep saying it is down to TouchWiz when the basic vuln has been shown to work on other phones. The only thing missing for other phones is the reset USSD code, security through obscurity is not security.

3
0
Anonymous Coward

Re: Not a (just) Touchwiz problem

Because it is TouchWiz, and possibly Sense that is doing this. Stock behaviour is to show the number before calling it. Which is exactly what is documented in the developer API for the DIAL intent which the browser and other applications use to dial a number.

Why Samsung, HTC and possibly CyanogenMod have decided to go against what is documented and call the number without user confirmation is beyond me. Especially when there is a separate intent for that which *requires* a permission which will warn the user that the application can cost them money.

1
2

Re: Not a (just) Touchwiz problem

>Don't know why the reporters keep saying it is down to TouchWiz when the basic vuln has been shown to work on other phones

It's TouchWiz that shortcuts special USSD codes into other phone functions like Factory Reset.

0
0
Facepalm

Re: Not a (just) Touchwiz problem

The exploit for running the IMEI code *#06#

Ditto for HTC Desire HD. Reading the XDA Dev Forum thread, it's widespread. Samsung GS2 as well.

1
1

Re: Not a (just) Touchwiz problem

It's not just TouchWiz that shortcuts the codes, HTC and Sony phones do too, many people have come to the conclusion it must be an Android problem.

0
0
Thumb Up

Re: Not a (just) Touchwiz problem

Indeed, what people aren't grasping is that Samsung, HTC, Sony and Motorola didn't all make the same screw up, stock Android must have done this.

0
0
Anonymous Coward

@AC 15:23 Re: Not a (just) Touchwiz problem

They are not dialling the number, they don't need to dial the number to run these codes, that is why they are vulnerable. If you type this number into your handset it will display the IMEI without pressing Dial.

Even some old Nokias and other dumbphones would do it.

0
0

Re: Not a (just) Touchwiz problem

Also other phones may need you to click call, as my Xperia Arc S on the *#06# example did.

0
0
Anonymous Coward

Re: Not a (just) Touchwiz problem

"Also other phones may need you to click call, as my Xperia Arc S on the *#06# example did."

This is the stock behaviour that everyone is confusing. The problem with HTC/Samsung etc. is two-fold:

1. Their dialler application is auto-calling the supplied number instead of waiting for user confirmation

2. They have added magic USSD codes that can factory reset the device

Neither of these problems exist on stock Android because:

1. The dialler will want user confirmation when an application supplies a number to dial (not if you enter it yourself in the case of *#06#)

2. Stock Android doesn't have magic USSD codes to factory reset the device or its PIN numbers

0
0
Silver badge

Re: Not a (just) Touchwiz problem

It's not just an HTC/Samsung add-on issue. I just tested on CyanogenMod 7.2, and it brought up my IMEI without me having to press dial.

I'm on the verge of going back to 7.1 anyway (7.2 seems to eat all the memory and bring the phone to a grinding halt within an hour or two of being turned on). This might be just the push I need to revert to my previously saved CM7.1 nandroid image.

0
0
Stu

Re: Not a (just) Touchwiz problem

So you're also at the mercy of the CyanogenMod Developers et al, hope they didn't plant a back door, or contacts / web / email snatching malware or anything like that in CyanogenMod!

I know so many ppl use it, but I wouldn't be so trusting of 3rd party Android images at all.

I've actually been stung before with an XDA Developers provided image for an old Windows Mobile 6 phone. The phone kept chucking up really weird errors suggesting attempts at dialing numbers! With Android apparently this can be done 'more' silently nowadays, so no, wouldn't touch 3rd party firmware with a barge pole.

0
0
FAIL

Er, actually Samsung's patch was a while ago - hence why people aren't getting OTA notifications now.

5
1

That seems to be so.

I have an S3 from Three and have not received an update for a couple of weeks. The IMEI test did not work for me.

0
0
Anonymous Coward

What path?

If they were doing OTA, it would be on www.sammobile.com/firmware/ - it isn't.

It was already patched a while back. Though some carriers haven't pushed the patch, go figure.

Not sure where the source is for this news article.

1
1
Anonymous Coward

1 day response is unheard of.

Microsoft 0 day exploits at best take 14 days, Apple take months.

Congrats to Samsung for jumping on this so promptly. It might also stop the Apple brainwashed idiots that claim that Android doesn't get updated in a timely manner. But I somehow doubt it...

8
5
Anonymous Coward

Re: 1 day response is unheard of.

Samsung have known about this problem for some time (months?) - they didn't just produce this fix overnight.

0
0

Re: 1 day response is unheard of.

Apple don't have security flaws in their products. What you think is a vulnerability is actually a feature, which will be disabled at the next feature enhancement release.

2
1
Stop

Stop skinning Android

Just a suggestion, stop putting these shitty skins on Android phones. It's why I only buy the Nexus range - so I don't get all these stupid skins and un-removable apps.

I've seen HTC Sense regularly crash on a colleague's Desire HD, it's never happened to me on stock firmware.

7
1
Silver badge
Headmaster

Re: Stop skinning Android

The apps aren't unmoveable as such, as they sit in the system partition. All you need is root and they can be removed.

0
1
HMB
Bronze badge

Re: Stop skinning Android

I agree 100%, this is exactly why I do the same and just go for Nexus Devices.

I've never looked at a skin and found it more attractive than Android in the post ICS world.

@ukgnome - I don't think the average user wants to root their phone and as a technical user, I don't fancy running unsigned software not tested by the manufacturer. I have tried Cyanogenmod, but after running into problems with an issue patched in the Galaxy Nexus' official firmware, I switched back to the official stuff.

3
0
Anonymous Coward

Re: Stop skinning Android

It's funny how Android is seen as open source yet OEMs then go and throw this closed source crap over the top of it.

Why don't they all contribute to Android and make it better for everyone?

Can you imagine the state Linux would be in if it wasn't developed by Microsoft, IBM, Oracle and others? They all contribute to Linux.

1
0
FAIL

Facts are all wrong in this story - Samsung fixed this vulnerability ages ago, and in fact most people walking around now with one of these in their pockets are almost certainly already running insusceptible firmware.

So no, Samsung hasn't just "has whipped out a fix" in response to this. Most incorrect article I've seen on El Reg for years...

2
1
Anonymous Coward

They may well have patched it for the S3, but not other devices. My stock Samsung operator-crapware-free S2 running 4.0.4 suffers from this feature (based on the test using a non-reset code).

0
0
Z3d
Happy

OK here

S3 with Orange branded firmware 4.0.4 BVLG1

Interesting that the built-in browser brought up the dialer without the IMEI but Opera suppressed the frame and I had to then manually click on the link to bring the dialer up.

0
0
Facepalm

My galaxy just broke

After falling from 2ft up. I had spent the previous two weeks fixing all of the problems Samsung had created with their awful overlay, such as their awful keyboard, terrible animations and godawful software. I can confidently state that Samsung have the worst overlay I've ever used and I actually miss HTC's Sense.

0
1
Anonymous Coward

Re: My galaxy just broke

That's why you buy a case for a mobile phone.

3
1
Anonymous Coward

Re: fixing all of the problems

If you're having phone problems

I feel bad for you son

I got 99 problems but the S3 ain't one

// so sorry

0
0
Wam

Got Mine Through

I got an update today - just an unsolicited pop-up message saying do I want to download Samsung Update. Took a few seconds. I'd already tested my S3 yesterday and it seemed ok then TBH

0
0
Anonymous Coward

HTC also shows IMEI

Just tried the test on my HTC Wildfire and found that, without any other user interaction, it dialled the IMEI number and showed me the results.

Now I don't know what range of "special" number the HTC phone will respond to, but given its donkey gonad-sucking behaviour elsewhere I am willing to bet it is vulnerable to something.

Did nobody learn the lessons of MS Outlook's "let's run whatever is attached" lesson in stupidity? I mean, how hard would it have been to make sure you are always prompted to dial a number?

1
0
Anonymous Coward

Lots of problems with info in those links

1) These aren't USSD codes. Displaying your IMEI number has nothing to do with USSD.

2) Link says this only affects Touchwiz dialers, and only Samsung phones. This is not true, tested on HTC One X, stock dialer, same issue.

3) Someone said HTC aren't affected because there is no HTC factory reset code. Yes there is. Use Google.

1
0
Thumb Up

Great bug

This bug reminds me of the good old days of sending +++ath0 to people on modems.

Works even better too.

0
0
Mushroom

Count me in...

My Sprint Galaxy S2 running ICS popped up with the IMEI number. So I s'pose I ought to surf carefully... though the Sprint network is so slow, surfing is nearly worthless anyway...

0
0

Weirdly, this seems patched on my Vodafone S3

I say weirdly, as the firmware they're punting is about six iterations behind Samsung's latest. And because it identifies itself as being from Vodafone, I can't download any other version using the official methods.

I'm more concerned by my phone being singularly unable to see 2.4GHz wi-fi connections meaning that if I'm in a building that doesn't get 3G reception but doesn't have a 5GHz wi-fi, I have a phone that can't really be described as "smart" as its only use is for taking phone calls. This is due to the firmware I'm being forced to use by Vodafone no longer giving me the option to turn 2.4GHz back on, and me being stupid enough to have set mine up to use the 5GHz channel I have in my house when I still had the wi-fi option available to me.

0
0

Re: Weirdly, this seems patched on my Vodafone S3

Make sure you have NFC switched on. If it is disabled this test seems to show everything is ok.

0
0
Silver badge
Thumb Up

Faster than a speeding bullet, more powerful than a locomotive ...

How many companies respond that quickly with a patch? Well done, Samsung!

The other alternative is the Ostrich technique where a company denies it has a problem, such as with Antennagate. Less effective, but cheaper.

1
0
Alert

Short term solution

Apparently, as a short term fix, you can install a third party dialler from Google Play, such as Dialer One.

If a dial string is detected on a web page, you will be asked to select which dialler app you wish to use, allowing you to intercept the rogue command.

Haven't tested this myself, but worth a try..

0
0

Re: Short term solution

I can confirm it works.

Orange branded HTC Desire - the androidcentral test was bringing up the IMEI number before - I've installed Dialer One and it now asks which dialler should be used.

0
0

Re: Short term solution

And as a further tweak - you can set the default for when you hit the main 'Phone' button - and this won't affect the fact that the web page with the 'tel' link will still ask for which dialler to use.

0
0
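The interception idea in the "Short term solution" posts above, and the point made earlier in the thread that a dialler should ask before acting on a number handed to it, can be expressed as a check on the tel: URI itself. This is an added example, not part of any post and not code from any dialler app; the function names and the sample markup are hypothetical, and the only code used is the harmless IMEI display code *#06# that commenters tested with.

```javascript
// Added example; classifyTelUri, findTelTargets and SAMPLE_HTML are hypothetical names.
// Constructed sample page: one ordinary phone link, one frame carrying the
// harmless IMEI display code *#06# in percent-encoded form.
const SAMPLE_HTML = `
<a href="tel:+44 20 7946 0000">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<a href="https://example.com/">Home</a>`;

// Decide what a dialler should do with one tel: URI.
function classifyTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(uri.trim());
  if (!m) return { kind: "not-tel", dialString: null };
  let raw = m[1];
  try {
    raw = decodeURIComponent(raw); // "%23" -> "#", "%2A" -> "*"
  } catch (e) {
    // Malformed escape: never dial it silently.
    return { kind: "needs-confirmation", dialString: raw };
  }
  // Drop tel: parameters (";ext=...") and visual separators.
  const dialString = raw.split(";")[0].replace(/[\s().-]/g, "");
  // '*' or '#' means a handset/service code, not a subscriber number.
  if (/[*#]/.test(dialString)) return { kind: "service-code", dialString };
  if (/^\+?\d+$/.test(dialString)) return { kind: "phone-number", dialString };
  return { kind: "needs-confirmation", dialString };
}

// List every href/src attribute in the markup that targets a tel: URI.
function findTelTargets(html) {
  const attr = /<(\w+)\b[^>]*?\b(href|src)\s*=\s*(["'])\s*(tel:[^>]*?)\3/gi;
  const hits = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const attribute = m[2].toLowerCase();
    hits.push({
      tag: m[1].toLowerCase(),
      attribute,
      autoLoaded: attribute === "src", // src loads without a tap; href needs one
      ...classifyTelUri(m[4]),
    });
  }
  return hits;
}

console.log(findTelTargets(SAMPLE_HTML));
```

A dialler or browser filter built on this would pass "phone-number" results to the normal dial screen and hold "service-code" and "needs-confirmation" results for an explicit user decision, with extra suspicion for entries marked autoLoaded.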

hmmm...

I wonder if Orange will release a fix for my two year old HTC Desire? Probably not.

This is one of the reasons I'm switching to a sim-only deal and can then have any phone I want.

0
0