If you own a Samsung smartphone from a U.S. cell phone operator, you may want to avoid using the Internet until your carrier patches a pretty simple flaw that would let an attacker reset your phone.
On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD code for a factory reset. USSD codes are commands that are executed by entering them in your keypad—for instance if you dial #*#INFO”*” you can access certain menu settings. For every Samsung phone running Touchwiz, there’s a unique set of USSD codes that performs various commands.
The problem appears to lie within both the Samsung dialer and Touchwiz’s stock Android browser. Most dialers require the user to hit “send” before a call is placed; Samsung’s makes the call automatically. Borgaonkar noted that the code can be sent from a website or pushed to the handset by a Charlie Miller-like NFC attack, or through a malicious QR code, in which case absolutely no user interaction is necessary.
Proof Of Concept
The USSD code to factory-reset a Galaxy S3 is *2767*3855#, and it can be triggered from a browser like this:
<frame src="tel:*2767*3855%23" />
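A defensive check for the pattern above, as an added example that is not from the original article or from Borgaonkar's test page: it scans HTML for tel: URIs whose dial string contains * or # and reports whether the tag loads without a click. The tag list, the function names and the sample page (which uses *#06#, the IMEI display code) are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# (tag, attribute) pairs a browser loads with no tap or click (assumed, not exhaustive).
AUTOLOAD = {("frame", "src"), ("iframe", "src"),
            ("embed", "src"), ("object", "data")}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)

def ussd_payload(url):
    """Return the decoded dial string if url is a tel: URI carrying * or #, else None."""
    url = (url or "").strip()
    if not url.lower().startswith("tel:"):
        return None
    number = unquote(url[4:])  # %23 -> '#', %2A -> '*'
    return number if re.search(r"[*#]", number) else None

class TelScanner(HTMLParser):
    """Collects (tag, dial string, trigger) for each tel: URI holding a USSD/MMI code."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            self._check(tag, m.group(1) if m else None, True)
        for name, value in attrs:
            if name in ("src", "href", "data"):
                self._check(tag, value, (tag, name) in AUTOLOAD)

    def _check(self, tag, url, auto):
        code = ussd_payload(url)
        if code:
            self.findings.append((tag, code, "auto-load" if auto else "needs click"))

def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; *#06# is the harmless "show IMEI" code.
SAMPLE = """<html><frameset><frame src="tel:*%2306%23" /></frameset>
<a href="tel:+1-555-0100">Call us</a>
<a href="tel:*%2306%23">IMEI</a>
<meta http-equiv="refresh" content="0; url=tel:*%2306%23"></html>"""

print(scan(SAMPLE))
```

Findings marked "auto-load" are the ones worth blocking or alerting on at a proxy or in a page review; an ordinary phone-number link produces no finding.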
CAUTION: The following QR codes may cause unwanted behavior on your device. DO NOT SCAN THEM WITH YOUR FRIENDS’ MOBILE DEVICES!!!
Full factory reset (don’t dial it unless you have a problem; it does not ask you to confirm)
Factory Default QR Code (scan to restore factory default 😦 ):
Check software version of phone:
Factory data reset
Check If Your Phone’s Safe
We’ve reached out to all the U.S. carriers and will update the article once they respond. Meanwhile, Borgaonkar also created a test that lets you check if your Android device is vulnerable. Click here from your phone. If you can see your IMEI (like on the Verizon GSIII pictured above), Borgaonkar advises, tongue in cheek, to disconnect from the Internet.
CREDIT: securitywatch, Frogteam|Security