Although Samsung has yet to issue patches for most of the phones affected by a recently discovered remote-wipe vulnerability, a German security researcher has released an app that he says can block the exploit. As El Reg reported on Tuesday, a flaw in Samsung's dialing software causes its phones to execute some tel protocol URIs …
>> As El Reg reported on Tuesday, a flaw in Samsung's dialing software causes its phones to execute some tel protocol URIs (universal resource identifiers) without the user even pressing the Dial button. At worst, this allows a remote attacker to send the Unstructured Supplementary Service Data (USSD) code that resets the phone to its factory state, wiping all the data in the process.
URI, that is the bit that you felt needed further explanation?
Also what's with the 'without pressing the dial button', isn't that the usual practice - you enter the code into the dialler and it performs the associated command, I don't recall ever pressing the dial button. The flaw is that it is taking the code from outside of the dialler and processing it as though it had been entered in the dialer - then again with smart phones, you'd have thought there would be a better way to do this than the *#.... codes
There are two ways for an application to start a call - ACTION_CALL - which requires the application ask permission which is shown during install and ACTION_DIAL which *should* launch the dialler with the requested number and wait for the user to confirm the call (even for USSD codes - on stock the *#06# shows up in the dialler if it is sent from an application). This ACTION_DIAL mode is what the browser and other applications use with the tel: URI.
The problem is that Samsung and HTC decided they would override the ACTION_DIAL's documented behaviour and have it immediately make the call. That means essentially applications have ACTION_CALL functionality without needing permission on these devices (another issue being overlooked here).
To add to the problem, these manufacturers then decided to add in special USSD codes for wiping the device and resetting pin codes. This, combined with the previous design flaw, creates this vulnerability.
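An added example, not part of the comment above and not the code of any blocker app: a sketch of the check a tel: URI handler can apply before passing a number on to the dialler, holding back anything that contains `*` or `#` for explicit user confirmation. The function names and sample URIs are constructed for illustration; `*#06#` is the harmless code mentioned in the comment.

```python
import re
from urllib.parse import unquote

# Visual separators that may appear inside a phone number in a tel: URI.
_SEPARATORS = re.compile(r"[\s\-.()]")
# A plain subscriber number: optional leading '+', then ASCII digits only.
_PLAIN_NUMBER = re.compile(r"\+?[0-9]+")


def classify_tel_uri(uri: str) -> str:
    """Return 'not-tel', 'plain-number', 'service-code' or 'malformed'."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-tel"
    # Drop URI parameters such as ;ext= or ;phone-context= before decoding.
    number = rest.split(";", 1)[0]
    # '#' usually arrives percent-encoded as %23, so decode exactly once.
    # Anything still carrying '%' afterwards (double encoding) fails closed.
    number = _SEPARATORS.sub("", unquote(number))
    if not number:
        return "malformed"
    if "*" in number or "#" in number:
        # MMI/USSD-style code: never dial this without the user confirming.
        return "service-code"
    if _PLAIN_NUMBER.fullmatch(number):
        return "plain-number"
    return "malformed"


def should_hand_to_dialler(uri: str) -> bool:
    """Only plain numbers pass straight through; everything else is held."""
    return classify_tel_uri(uri) == "plain-number"


if __name__ == "__main__":
    # Constructed sample URIs, as they might appear in a link or frame src.
    for sample in ("tel:+49-30-1234567", "tel:*%2306%23", "TEL:*#06#",
                   "tel:%252306", "tel:0800 123 456;ext=1", "https://example.com"):
        print(f"{sample!r:32} -> {classify_tel_uri(sample)}")
```
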
Dial without warning
Surely the biggest threat is unknown calls to premium-rate numbers, which nets a small fortune for the miscreants behind the scam. Follow the money...
Well, it seems like the bug was already largely patched OTA before today, anyway- at least on my sim-free retail S3 it was.
More like a gaping great chasm of a security hole.
"On Wednesday, Samsung issued a firmware fix that resolved the issue in the Galaxy S III, its flagship Android handset."
FFS El Reg, you claimed that in the last article too, and were informed by many people in the comments that the fix was actually in an OTA update that was sent out earlier in the year. There has been no firmware fix on Wednesday, only an announcement that the latest OTA update has the fix so if users don't have it yet they should really go get it.
Granted, Samsung still need to sort it out for some of their other handsets, but crap as they have been at doing that it seems a little unfair to claim they're slower to react to patch their flagship handset than they really are.
A slightly more user-friendly option: