A security researcher has discovered a flaw that could potentially allow hackers to force a factory reset of Samsung Galaxy S III smartphones with a single line of code.
Ravi Borgaonkar announced his findings at the Ekoparty security conference.
The flaw reportedly affects Galaxy S IIIs with Samsung’s TouchWiz interface.
The vulnerability apparently also exists in other Samsung mobile devices — the Galaxy Beam, the S Advance, the Galaxy Ace, and the Galaxy S II, SlashGear reports.
More on the Flaw
The flaw in TouchWiz is really a vulnerability of the Unstructured Supplementary Service Data (USSD) protocol.
Owners of devices hit with this attack apparently cannot stop the reset although they can watch the attack in progress. The attack can be launched through an USSD message, QR code or near field communications connection.
QR code readers automatically load the websites that have been tagged with the codes, and NFC readers do the same thing with NFC tags. This means users have no warning and can’t stop their devices from running the code.
Another mode of attack might be to use a push SMS message to push vulnerable handsets to a poisoned website.
The attack also kills the handset’s SIM card, Borgaonkar reportedly said.
About USSD
USSD is a protocol used by GSM cell phones to communicate with the service provider’s computers. It can be used for Wireless Application Protocol browsing, prepaid callback services, mobile payment and location-based services, and as part of configuring a mobile phone on a network.
USSD messages are up to 182 alphanumeric characters long. Unlike SMS messages, they create a real-time connection during a session that allows a two-way data exchange. This makes USSD transmissions faster than SMS transmissions.
Several critical threats for USSD-based mobile payment applications are listed in a white paper from Aujas Security Lab.
An Android Problem
The USSD flaw affects every vendor as it is a generic Android issue, and “HTC, Pantech, ZTE and other vendors are affected just as badly as, if not worse than, Samsung,” security researcher Justin Case told TechNewsWorld.
Samsung was probably “the first to take action and fix this vulnerability,” Case remarked.
The flaw is technically a service code, and is not new. “I attempted to draw attention to [it] more than eight months ago with little to no luck,” Case said.
Are TouchWiz Users in Danger?
The UDDS flaw may not be as much of a threat as it seems.
“It’s been patched in i9300 and i747, as I have both phones and was able to test [them],” Case stated. Other Samsung devices may have had their firmware updated and so may not be vulnerable to this flaw.
The i747 is the version of the Galaxy S III running on AT&T’s network, and the i9300 the European version of the device.
However, “US carriers are notoriously slow on updates … so I can’t comment on the Sprint/T-Mobile and Verizon models [of the Galaxy SIII],” Case remarked. “I just don’t have them to verify.”
The vulnerability “is more of a potential problem than a real one,” Carl Howe, a vice president of research at the Yankee Group, told TechNewsWorld. “AT&T pushed out an update last week that eliminates the vulnerability, so this is a problem that can be fixed by a software update.”
There are no precautions mobile device users can take except to refrain from visiting strange websites, Howe said.