Boffins break Samsung Galaxies with one SMS carrying WAP crap

A single TXT message is enough to cause Samsung S5 and S4 handsets to return to factory settings, likely wiping users' data along the way. And because the attack exploits Android's innards, other vendors' handsets are at risk. The vulnerabilities, thankfully patched by Samsung, mean attackers can send WAP configuration …

  1. Carl D

    Wonder if my nearly 5 year old still going strong Samsung Galaxy S2 4G which never received a single update after Android 4.0.4 (Ice Cream Sandwich) in late 2012 is vulnerable?

    Lucky I don't have anything important on it and don't let it connect to the Internet.

    Hopefully, Samsung (and others) have finally woken up and started providing timely updates and not abandoning devices after 12 or 18 months like my abovementioned phone and my Galaxy Tab3 10.1 inch tablet which is also still going strong and hasn't seen an update for nearly 3 years.

    1. tiggity Silver badge

      Timely updates from handset manufacturers will sadly never happen unless a few governments get together & make a few regulations to demand it.

      And the whole "root is bad" (including lots of apps testing for root & not running on rooted phones*) makes things worse, as at least with a rooted phone you can take more steps to secure yourself (and as a bonus can remove handset manufacturer / carrier added crud software that is otherwise uninstallable)

      * Yes I know there are various steps to try & hide a rooted phone but it's a PITA.

      Should not need root to do simple, improving security stuff such as android equivalent of setting IPs / domains to block in hosts file.

    2. Timbo

      I have found that the biggest issue is that UK mobile phone companies prefer to sell you a new phone (and a new contract) rather than update any firmware for mobiles that might be more than (say) 18 months old.

      I have a perfectly good Sammy S2, which has proven itself to be a great device...no issues ever with it and apart from having 2 new batteries (since summer 2012 when I got it), it's still in "original" condition.

      And T-Mobile (now EE) only ever offered ONE update over all this time (going from 2.3.6 to 4.1.2 (Kernel dated 31st May 2013)).

      I wonder if the operators are still subsidising new mobile phone contracts, as they used to do (say) 10 years ago...when retailers could earn big money for hitting monthly targets when getting people to sign up for new contracts (and hence getting new phones) and ditching their old mobiles which usually end up in a drawer somewhere.

  2. Anonymous Coward

    Samsung model names?

    What about other older models?

    <rant>

    Samsung naming conventions (?) are terrible. Here is the list of models released in Brazil in 2015:

    Galaxy A3, Galaxy A5, Galaxy A7, Galaxy E5, Galaxy E7, Galaxy Note Edge, Galaxy Win 2, Galaxy J1, Galaxy S6, Galaxy S6 Edge, Galaxy Ace 4 Neo, Galaxy S6 Edge Plus, Galaxy Note 5, Galaxy J5, Galaxy J7, Gran Prime 4G, Galaxy J1 Ace, Galaxy S5 New Edition and Galaxy On7.

    </rant>

  3. Dan 55 Silver badge

    Samsung S4 (March 2013) and S5 (April 2014)

    Are Samsung really still patching these phones? Will any patch they release now be able to jump the operator hurdle?

    1. Tony W

      Re: Samsung S4 (March 2013) and S5 (April 2014)

      I suppose it depends on whether the phone was customised (being polite) by a network and if so which one. My secondhand S5 doesn't seem to have any network specific stuff on it and it is still receiving updates (currently 6.01) and patches (currently Dec 2016).

      Makes me consider rooting the phone though.

    2. John Brown (no body) Silver badge

      Re: Samsung S4 (March 2013) and S5 (April 2014)

      Same here, an S5 with a kernel date of May 6th, 2014.

  4. Anonymous Coward

    Pity EE customers in the UK

    For some reason the EE network in the UK seems to authorise the release of firmware updates 6 months or more after the other major networks (if at all).

    The S5 Neos that EE supplied to my company less than 12 months ago were last updated with the July 2016 SMR, and I suspect are still vulnerable to this attack. Sadly we can't use an alternative firmware without losing vital EE services like wifi calling.

    When the contract is due for review next month, I'm going to be switching to an operator that releases security updates promptly!

    1. Anonymous Coward Silver badge
      Paris Hilton

      Re: Pity EE customers in the UK

      "without losing vital EE services like"

      ...does not correlate with...

      "I'm going to be switching to an operator"

      Either the EE services are vital, or you can switch. You can't have both.

      1. Anonymous Coward

        Re: Pity EE customers in the UK

        Except other operators provide near identical services.

        The point is that to use EE Wifi calling you have to use an EE supplied firmware. I can't simply patch my phone by flashing with a BTU firmware as EE wouldn't allow it to access the wifi calling service.

        If I switched to a different operator (e.g. O2 or Vodafone) I would have to comply with their rules, and likely have to use a firmware they have approved. BUT Vodafone, for example, tend to release firmware updates within a few weeks or less of the manufacturer's.

    2. John Brown (no body) Silver badge

      Re: Pity EE customers in the UK

      "When the contract is due for review next month, I'm going to be switching to an operator that releases security updates promptly!"

      Can you let us all know who it is if you find one?

  5. John Smith 19 Gold badge
    WTF?

    " that no authentication is used to protect OMA CP "

    Can it be sent to a phone? Yes.

    Can it alter a device's configuration up to and including bricking it? Yes.

    Should we authenticate any such message before acting on it? No.

    If this is a part of the core Android build then that would suggest it's Google's fault. If not then it's Samsung's.

    I'd like to think that this is a learning process and companies will tighten up over time.

    Trouble is they never seem to learn from their mistakes.

    1. Nick Ryan Silver badge

      Re: " that no authentication is used to protect OMA CP "

      This seems to be an extension of the carrier inflicted ass-hattery where you got a perfectly good phone and then were sent "carrier settings" to it by text/sms which murdered the performance of the device and removed all the useful stuff that the carrier thought they could charge you for instead.

      No excuse for not range checking and treating the entire message and payload as untrustworthy though.

    2. asdf

      Re: " that no authentication is used to protect OMA CP "

      >If this is a part of the core Android build

      Pretty obvious Android was not built with security in mind and now they are having to bolt it on. Unsolicited SMS and MMS (Stagefright) owning a device or flashing is just beyond the pale.

  6. 45RPM Silver badge
    Devil

    Further details please so that we can (ahem) verify this for ourselves!

  7. Anonymous Coward

    Why would Android even support WAP?

    It has always included a proper browser; supporting WAP in a modern smartphone OS would be like including parallel port drivers in case someone wanted to plug in a dot matrix printer.

    1. JCitizen
      Coffee/keyboard

      Re: Why would Android even support WAP?

      Precisely! How long have we known WAP was crap?!

  8. southen bastard
    Happy

    stupid

    can we get this patch and install manually?

    if so where?

  9. Anonymous Coward

    My data point

    The S4 sent to a guy in the Netherlands mysteriously broke around mid December, the symptoms he reported included a sudden reset to defaults and loss of the data stored on the handset.

    Also affected the headphone port, speakers stopped working and other strange problems.

    He couldn't use it after that on 3/4G probably because all the settings were wiped out, but WiFi still worked fine.

  10. Anonymous Coward
    FAIL

    WAP configuration messages applied without authorization

    "The pair explain the attack in detail here finding that no authentication is used to protect OMA CP text messages."

    Did no one at Samsung test the devices for such basic vulnerabilities? These kinds of incidents are occurring too frequently, which makes me suspect that rather than an accidental oversight, most/all connected devices are being deliberately compromised with secret backdoors.

  11. David Roberts

    S4 and S5

    S4 on 3 - no updates for ages.

    S5 (SIM only) currently on Tesco still getting regular updates.

    Is there anyone with an S4 still getting updates?

    If so, which carrier?

    Possibly worth getting a PAYG SIM just to get the updates.
