Stan Jez
- Forum posts: 51
Sep 25, 2012, 4:04:30 PM via Website
Sep 25, 2012 4:04:30 PM via Website
I came across this piece of info today. If it's correct then I would imagine Samsung would be looking at a fix ASAP.
If it's also a general Android issue it could be a problem.
Presumably a single line of code can trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones.
The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, with a simple USSD code – that could be sent from a website, or pushed to the handset by NFC or triggered by a QR code – that can reset the Galaxy S III or indeed other Samsung handsets.
The phone user is able to see the process taking place but hitting back on the device is no cure. For QR code readers that automatically load whatever website has been stored to each code, or indeed NFC readers that do the same with NFC tags, the user would have no warning – and no hope of stopping – their handset from running the malicious code.
It seems that Samsung devices running TouchWiz appear to be affected, with basic Android only showing the code in the dialer screen but not running it automatically, But its Samsung’s default to dial the code automatically.
Perhaps most concerning, it’s reportedly possible to double up on the attack, Borgaonkar says, including a USSD code that also kills the SIM card currently in the handset. That way, a single message could be used to wipe a Samsung phone and leave the user with a broken SIM too.
It’s also possible to push Samsung handsets straight to a website running the bad code using a WAP-push SMS message.
For the moment, the advice is to deactivate automatic site-loading in whatever QR and/or NFC reader software you use, and be careful about clicking links that you don’t implicitly trust.
Update: The same code has been found to work on the Galaxy Beam, S Advance, Galaxy Ace, and Galaxy S II.
However, the Samsung-made Galaxy Nexus, which runs stock Android, is not susceptible.
Update 2: Other Samsung device owners are claiming that the hack does not work on their device.
Update 3: Tweakers’ Arnoud Wokke has filmed a demo of the hack in action on a Galaxy S II.
Here is the link
http://www.youtube.com/watch?feature=player_embedded&v=Q2-0B04HPhs
If it's also a general Android issue it could be a problem.
Presumably a single line of code can trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones.
The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, with a simple USSD code – that could be sent from a website, or pushed to the handset by NFC or triggered by a QR code – that can reset the Galaxy S III or indeed other Samsung handsets.
The phone user is able to see the process taking place but hitting back on the device is no cure. For QR code readers that automatically load whatever website has been stored to each code, or indeed NFC readers that do the same with NFC tags, the user would have no warning – and no hope of stopping – their handset from running the malicious code.
It seems that Samsung devices running TouchWiz appear to be affected, with basic Android only showing the code in the dialer screen but not running it automatically, But its Samsung’s default to dial the code automatically.
Perhaps most concerning, it’s reportedly possible to double up on the attack, Borgaonkar says, including a USSD code that also kills the SIM card currently in the handset. That way, a single message could be used to wipe a Samsung phone and leave the user with a broken SIM too.
It’s also possible to push Samsung handsets straight to a website running the bad code using a WAP-push SMS message.
For the moment, the advice is to deactivate automatic site-loading in whatever QR and/or NFC reader software you use, and be careful about clicking links that you don’t implicitly trust.
Update: The same code has been found to work on the Galaxy Beam, S Advance, Galaxy Ace, and Galaxy S II.
However, the Samsung-made Galaxy Nexus, which runs stock Android, is not susceptible.
Update 2: Other Samsung device owners are claiming that the hack does not work on their device.
Update 3: Tweakers’ Arnoud Wokke has filmed a demo of the hack in action on a Galaxy S II.
Here is the link
http://www.youtube.com/watch?feature=player_embedded&v=Q2-0B04HPhs
Recommended editorial content
With your consent, external content is loaded here.
By clicking on the button above, you agree that external content may be displayed to you. Personal data may be transmitted to third-party providers in the process. You can find more information about this in our Privacy Policy.