Yesterday we reported about a flaw in Samsung’s Touchwiz UI that allowed for data wiping, among other nasties. The good news is that the flaw has already been patched. The bad news is that self-described general geek Dylan Reevesays it’s not just limited to Samsung devices.
Reeve explains how the remote Unstructured Supplementary Service Data (USSD) vulnerability affects many phones, and he has personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5). Reports suggest the Sony Xperia Active and the Sony Xperia Arc S are also affected, our very own Nick Summers confirms his HTC Desire running Android 2.2 is vulnerable, and the list likely doesn’t stop there. As such, Reeve quickly put together a Web page you can use to check if your Android device is vulnerable to being remotely wiped by hackers: dylanreeve.com/phone.php.
So, how is the vulnerability exploited? Reeve explains the root of the problem is the standard Android dialer, the vulnerability for which was identified and patched three months ago:
- Phones support special dialing codes called USSDs that can display certain information or perform specific functions. Among these are common ones (*#06# to display IMEI number) and phone specific ones (including, on some phones, a factory reset code).
- There is a URL scheme prefix called tel: which can be used to hyperlink phone numbers. Clicking on a tel: URL will initiate the phone’s dialer to call that number.
- In some phones the dialer will automatically process the incoming number, thus requiring no user interaction. If it’s a USSD code then it will be handled exactly as if it had be keyed in manually, meaning it will be executed automatically.
- A tel: URL can be used by a hostile website as the source for an iframe (and potentially other resources like stylesheets or scripts). It may then be loaded and acted upon with no user intervention at all.
- The potential impact of this issue is thus limited to whatever USSD codes can be executed on a given phone (for example, if the Factory Reset one isn’t present, then that’s out of the question), as well as how tel: works on a given phone.
Although this security hole has been plugged, not every manufacturer has patched it, not every carrier has pushed out a fix, and of course not every consumer has installed all available updates. It is possible that any Android phone using the standard dialer from three months ago, or a dialer based on it, can be hacked.
So, what can you do about it? Aside from installing the latest patches for your Android device, Reeve has a suggestion: install another dialer. You can either set one that doesn’t exhibit the risky behaviour by default, or just have a second one installed so that a “Complete action using” prompt shows up whenever a website tries to hack your device, at which point you can just cancel or use the alternative dialer.
This workaround is only possible because Android allows you to install third-party dialers. The one above can be found on the official Google Play store. Since it does not take action on the incoming USSD code, Dialer One lets you avoid having your device hacked. If you prefer a different dialer, test it with Reeve’s site to make sure it doesn’t handle tel: URLs without direct user interaction.
Image credit: stock.xchng