close
MENU
Hot Topic EARNINGS
How to guide
How to guide
Home
NBR Marketplace
The NBR List
NBR Video

Categories

General Business Investment Economics Te Ao Māori Politics Infrastructure Australia Tech & Innovation Finance Law Professional Services Primary Industries Retail Property Deals Aviation News Comings & Goings

Analysis

All Economy Matters Edwards on Politics Hunter’s Corner Last Word Margin Call On the Money Shoeshine Underarm NBR Focus

Featured

Podcasts Audio Articles Entrepreneurs Your Business Beehive Banter Morning Brew Toil & Trouble NZ Aviation News Back Issues Market Outlook Dollars & Sense Private Bin Opinion (Archive) NBR Radar (Archive) NBR Rich List (Archive)
Hot Topic EARNINGS
2 mins to read
5

Samsung moves to fix Android remote wiping threat highlighted by NZ blogger

Thu, 27 Sep 2012

Click on the wrong web link from your Android phone, and it could factory reset your handset, wiping all your data (for good, if you haven't backed up).

Android phone owners – particularly the Samsung Galaxy S3, but also other phones – are being warned about a malicious threat that could wipe their handset when they use their phone's web browser to visit a website with tel:*2767*3855# in its HTML (the software code used to create web pages).

NZ blogger Dylan Reeve, whose post on a workaround for vulnerability has been picked up by tech sites around the world, including Gizmodo and CNet, explains:

  • Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number [a unique 15 digit number that identifies a mobiel device]) and phone specific ones (including, on some phones, a factory reset code).
  • There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on a tel: URL will initiate the phone's dialer to call that number.
  • In some phones the dialer will automatically process the incoming number. If it's a USSD code then it will be handled exactly as if it had be keyed in manually, requiring no user intervention to execute.
  • A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts, I guess). It may then be loaded and acted upon with no user intervention at all.

Samsung now says it has it has a fix for the vulnerability for the Galaxy S3 and is encouraging owners to update their phone's Android software (click Apps, About Device, then Software Update). Presumably, it's in the pipeline. When I tried, my S3 said no update was available. For those confident with Android, Reeve has suggested an alternative fix: installing a new dialler.

Read Reeve's latest post on the issue here.

Also check out a simple test page Reeve created here: dylanreeve.com/phone.php.

If you click on it using your Android phone's browser but it makes your phone bring up its dialler (virtual keypad) showing an IMEI code (my S3 did) then you know your handset is vulnerable:

ckeall@nbr.co.nz

© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.
Tags
Technology
Samsung moves to fix Android remote wiping threat highlighted by NZ blogger
24154
false
Subscribe Login