A single line of code can apparently trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones. The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference: a simple USSD code, which could be sent from a website, pushed to the handset by NFC or triggered by a QR code, can reset the Galaxy S III or indeed other Samsung handsets.
Although the phone user is able to see the process taking place, hitting back on the device will not stop the reset. For QR code readers that automatically load whatever website has been stored to each code, or indeed NFC readers that do the same with NFC tags, the user would have no warning that their handset was about to run the malicious code, and no hope of stopping it.
Only Samsung devices running TouchWiz appear to be affected, with basic Android only showing the code in the dialer screen but not running it automatically, Pau Oliva reports. Samsung’s default, though, is to dial the code automatically.
Perhaps most concerning, it’s reportedly possible to double up on the attack, Borgaonkar says, by including a USSD code that also kills the SIM card currently in the handset. That way, a single message could be used to wipe a Samsung phone and leave the user with a broken SIM too.
It’s also possible to push Samsung handsets straight to a website running the bad code using a WAP-push SMS message. For the moment, the advice is to deactivate automatic site-loading in whatever QR and/or NFC reader software you use, and be careful about clicking links that you don’t implicitly trust.
Update 2: Other Samsung device owners are claiming that the hack does not work on their device. We’re running our own tests and will update when we know more.
Update 3: Tweakers’ Arnoud Wokke has filmed a demo of the hack in action on a Galaxy S II.
Update 4: “The USSD code issue in the SGS3 is patched, and has been for some time,” TeamAndIRC claims. “Current i747 [AT&T Galaxy S III] and i9300 [European Galaxy S III] firmware are not vulnerable.” An update pushed out to the AT&T Galaxy S III last week apparently patched the loophole, with the i9300 being updated beforehand. We have yet to hear from Samsung with an official comment.
We’ve reached out to Samsung for comment.
[via Steve Troughton-Smith]