
Samsung moves to fix Android remote wiping threat highlighted by NZ blogger

Click on the wrong web link from your Android phone, and it could factory reset your handset, wiping all your data (for good, if you haven't backed up).

Android phone owners – particularly the Samsung Galaxy S3, but also other phones – are being warned about a malicious threat that could wipe their handset when they use their phone's web browser to visit a website with tel:*2767*3855# in its HTML (the software code used to create web pages).

NZ blogger Dylan Reeve, whose post on a workaround for the vulnerability has been picked up by tech sites around the world, including Gizmodo and CNet, explains:

  • Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number [a unique 15 digit number that identifies a mobile device]) and phone specific ones (including, on some phones, a factory reset code).
  • There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on a tel: URL will initiate the phone's dialer to call that number.
  • In some phones the dialer will automatically process the incoming number. If it's a USSD code then it will be handled exactly as if it had been keyed in manually, requiring no user intervention to execute.
  • A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts, I guess). It may then be loaded and acted upon with no user intervention at all.
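
A defender-side check for the pattern Reeve describes, as an added example (not from this article or Reeve's post): it scans HTML for tel: URIs, flags dial strings containing * or # as service codes, and marks those placed where the browser loads them without a click. The function names, the AUTO_LOAD table and the sample page are assumptions constructed for illustration.

```javascript
// Added example: find tel: URIs in HTML and flag service-code dial strings.
// Elements the article names as loading a URL with no click (assumed table).
const AUTO_LOAD = { iframe: "src", script: "src", link: "href" };

// Undo HTML numeric entities and percent-escapes that can hide '*' and '#'.
function decodeValue(raw) {
  let v = raw
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
  try { v = decodeURIComponent(v); } catch (e) { /* keep malformed escapes */ }
  return v.trim();
}

// '*' or '#' in a dial string means a service code, not a phone number.
function isServiceCode(dial) {
  return /[*#]/.test(dial);
}

function findTelRisks(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = decodeValue(attr[2] ?? attr[3] ?? attr[4] ?? "");
      const m = /^tel:(.*)$/i.exec(value);
      if (!m) continue;
      findings.push({
        tag: name, attr: attrName, dial: m[1],
        serviceCode: isServiceCode(m[1]),
        autoLoaded: AUTO_LOAD[name] === attrName,
      });
    }
  }
  return findings;
}

// Constructed sample page; *#06# is the IMEI-display code the article cites.
const SAMPLE = `<a href="tel:+6491234567">Call us</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
<a href='tel:*#06#'>Show IMEI</a>`;

const risky = findTelRisks(SAMPLE).filter((f) => f.serviceCode);
console.log(risky);
```

A finding with both `serviceCode` and `autoLoaded` set is the case that needs no tap from the user; the same `isServiceCode` test is what a dialler can apply before acting on a number handed to it by the browser.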

Samsung now says it has a fix for the vulnerability for the Galaxy S3 and is encouraging owners to update their phone's Android software (click Apps, About Device, then Software Update). Presumably, it's in the pipeline. When I tried, my S3 said no update was available. For those confident with Android, Reeve has suggested an alternative fix: installing a new dialler.

Read Reeve's latest post on the issue here.

Also check out a simple test page Reeve created here: dylanreeve.com/phone.php.

If you click on it using your Android phone's browser and it makes your phone bring up its dialler (virtual keypad) showing an IMEI code (my S3 did), then you know your handset is vulnerable.

ckeall@nbr.co.nz

Comments and questions

Android 4.04 doesn't parse TEL links in the same way, so is not going to blindly enter service codes into the dialer.

I'm surprised that you've managed to find an SIII not running 4.04, considering the OTA update has been available for several months now... Your carrier not rolling out the update perhaps? Update via KIES.

Let's not forget that even iOS 6 is open to a potentially major security snafu:
http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/
From the article above: "We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out today will be vulnerable to this attack," Pol said. Over the course of the research, Pol and Keuper tested the exploit on the iOS 6 GM (golden master) code and also confirmed that it worked on the iPad, iPhone 4, iPod touch (all previous versions).

The drive-by download attack did not crash the browser so the user was oblivious to the data being uploaded to the attacker's remote server. "If this is an attack in the wild, they could embed the exploit into an ad on a big advertising network and cause some major damage."

Because an unrelated iOS6 problem is relevant to this problem in Android?

I find it pretty interesting timings wise that this has come to light as the iPhone 5 is being launched????

Crumbs! That test even works on my Samsung with cyanogen mod. Not good.