
Samsung Galaxy S II and S Advance zero-day exploit allow complete phone wipe when tel: link clicked [UPDATE]


Security researchers presented a Samsung Galaxy exploit at the ekoparty security conference (Spanish language) in which they demonstrated an instant hard reset (a factory reset in which all user settings and phone data are erased) of the Galaxy S II and Galaxy S Advance when a simple web page link is clicked. The bug relates to Samsung-specific diagnostic reset codes (USSD codes), which are accessible via the phone dialer, combined with the fact that the Samsung browser automatically dials linked phone numbers. An offending web page can include a diagnostic code, in this case the code that performs a hard reset on the phone, formatted as a link with a tel: URI, to initiate the phone reset. In theory, a single line of code can be placed in an <iframe> and manipulated with JavaScript to perform the phone wipe without the user’s consent.

e.g. <iframe src="tel:*2767*3855#"></iframe> Note: you can test the exploit using *#1234# instead, which displays the phone’s current firmware version.
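As an added example (not code from the original post, nor from Samsung), here is the check a defender would want in a web view or content filter before a page is allowed to auto-dial a tel: link: each tel: target is classified, and any MMI/USSD control code, as opposed to a plain number, blocks auto-dialing. The function names and the sample HTML are constructed for this illustration; the percent-encoded form of # is handled because a literal # would otherwise be read as a URL fragment.

```javascript
// Added example, not code from the original post: a defender-side check a
// web view or content filter could apply before letting a page auto-dial a
// tel: link. MMI/USSD codes are dialer commands, not numbers, so they are refused.

// Classify one tel: URI: "mmi" for USSD/MMI style codes (anything containing
// '*' or '#'), "number" for a plain dialable number, "invalid" otherwise.
function classifyTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(uri.trim());
  if (!m) return "invalid";
  let target;
  try {
    // Payloads percent-encode '#' (as %23) because a literal '#' starts a
    // URL fragment; decode so the encoded form is caught as well.
    target = decodeURIComponent(m[1]);
  } catch (e) {
    return "invalid";
  }
  target = target.replace(/[\s().-]/g, "");
  if (target.length === 0) return "invalid";
  if (/[*#]/.test(target)) return "mmi";
  if (/^\+?\d+$/.test(target)) return "number";
  return "invalid";
}

// Scan an HTML snippet for tel: targets in src= or href= attributes (anchors
// and iframes alike) and report each with its classification. A simple
// attribute regex, not a full HTML parser; enough for a filter heuristic.
function findTelTargets(html) {
  const re = /\b(?:src|href)\s*=\s*["']?\s*(tel:[^"'\s>]*)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ uri: m[1], kind: classifyTelUri(m[1]) });
  }
  return out;
}

// A document may be rendered with auto-dial enabled only if no target is an
// MMI/USSD code.
function shouldBlockAutoDial(html) {
  return findTelTargets(html).some((t) => t.kind === "mmi");
}

// Constructed sample page: one ordinary click-to-call link plus a hidden
// iframe carrying the firmware-version code quoted in the post.
const SAMPLE_HTML = `<a href="tel:+15555550100">Call support</a>
<iframe src="tel:*%231234%23" style="display:none"></iframe>`;

console.log(findTelTargets(SAMPLE_HTML), shouldBlockAutoDial(SAMPLE_HTML));
```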

Given the format of the attack, it appears as if the malicious code could be delivered via NFC or QR codes too and since the attack is related to Samsung USSD codes, it is possible that a SIM card reset could be initiated too (Samsung includes a USSD code for SIM resets in their custom codebase).

Reports indicate that other Galaxy phones may be vulnerable, including the Galaxy Ace and Galaxy Beam. Some have reported that the exploit does not work on the Samsung Galaxy S III (the dialer is brought up instead) or on rooted Samsung phones running the stock Android operating system. Others report that they have successfully utilized the attack vector against an S III. The bug is also not exploitable via the Chrome web browser. Regardless, the nature of the bug points to the exploit being directly related to Samsung’s TouchWiz UI and not the Android OS itself.

To protect yourself, you can disable the “Internet” app through Settings > Apps > All and use the Google Chrome browser instead.

UPDATE (9/26/12): Less than 24 hours after we published this article, Samsung made an OTA update available for customers that patches the problem.
