A bug in the way Samsung’s TouchWiz UI interacts with USSD codes on Android smartphones may allow an attacker to perform a factory reset on susceptible devices, simply by embedding a link on a website or sending an SMS.
Update: Samsung has issued a response on the matter; scroll down to view updates.
The flaw was discovered by Ravi Borgaonkar, who demonstrated at the Ekoparty security conference that a simple piece of code with the correct dialer instructions could be pushed to a vulnerable handset.
An attacker could deliver the code via a website, an SMS, an NFC Android Beam connection or a QR code. Once the user visits the link or clicks it on their smartphone, the device can be completely wiped without warning and without giving the user the chance to stop it.
It can also be used to lock a SIM card, ensuring that the device’s owner cannot operate the device fully.
Borgaonkar shows how the data-wiping flaw works on a Galaxy S III in the video below (from around the 9:30 mark):
In our tests, we were unable to wipe our Samsung Galaxy S III, which is running Google’s new Jelly Bean (Android 4.1) software. The code loads the dialer, but it is not automatically executed like in the above video.
Some users have reported that Google’s Chrome browser doesn’t allow the code to be executed, which may suggest it is limited to the stock browser on affected devices. The test handset in the video also appears to be running Ice Cream Sandwich (Android 4.0), suggesting the flaw may have been fixed in Samsung’s new update.
So far, the following devices have reportedly been confirmed to be affected:
- Galaxy S Advance
- Galaxy S II (video)
- Galaxy S III
- Galaxy Ace
- Galaxy Beam
That means if you have a Galaxy Nexus or are using stock Android on your Samsung device, you should be unaffected.
We have purposefully not shared the code, ensuring that you don’t perform a factory reset on your Samsung smartphone. We have contacted Samsung and will update the article should we receive a response.
Update: Samsung has issued a response on the matter. The good news is the issue has been patched in newer releases of the Android software. This means you should update your device if you haven’t already:
“We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update.
We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.”