Single Line of Code Allows Hackers to Remotely Wipe Samsung Phones

by Steven Blum


Uh-oh. I think Samsung may be facing one of the biggest security loopholes we've ever seen. 

A single line of code has been found to be able to remotely wipe a Samsung Galaxy S3, Galaxy S2 and a number of other Samsung phones, according to security researchers. The USSD code can be sent from a website, pushed to a phone by NFC or triggered by a QR code. Once it's been sent, the phone begins systematically wiping everything on the SD card, and the erasing process cannot be stopped.

While the user can see what's happening to their phone, they cannot stop the process by hitting "back." Moreover, there's no way a user would be able to prevent the wiping from taking place, as a QR reader typically loads whatever website has been stored to each code automatically, as does an NFC reader. On Samsung Touchwiz, the default action is to dial the code automatically.

Even more disturbing, it seems that a separate USSD code could also be used to kill the SIM card, leaving users with a wiped SD card and a broken SIM card to boot.

So far, the security loophole has been found to affect a number of Samsung phones, including the Galaxy Beam, S Advance, Galaxy Ace and the Galaxy S2. The fact that the Galaxy Nexus has stock Android seems to be preventing the phone from being affected.

For now, the advice is to deactivate automatic site-loading in whatever QR and/or NFC reader software you use, and don't click on links you can't explicitly trust. Hopefully, Samsung will come up with a patch for the code quickly, as it has already been shared on social sites like Reddit, which could make your phone even more at risk.
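For readers who build or configure QR/NFC reader software, here is the kind of check that advice implies, as an added example that is not from Samsung or the researchers. It assumes the code reaches the dialer as a `tel:` link (the article does not spell out the mechanism); the function names and the `*000#` sample string are constructed for illustration.

```javascript
// Added example: decide whether a scanned QR/NFC payload or a fetched page
// may be opened automatically. Names and sample inputs are constructed.

// Characters that turn a dial string into a USSD/MMI command, not a number.
const MMI_CHARS = /[*#]/;

// Percent-decode until stable so double-encoded '#' ("%2523") is still seen.
// Returns null when the string cannot be decoded (treated as hostile).
function fullyDecode(s) {
  for (;;) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return null; }
    if (next === s) return s;
    s = next;
  }
}

// Collect the dial string of every tel: reference, whether the payload is a
// bare URI (QR/NFC text) or HTML containing links, frames or redirects.
function extractTelUris(payload) {
  const found = [];
  const re = /\btel:([^"'\s<>]*)/gi;
  let m;
  while ((m = re.exec(payload)) !== null) found.push(m[1]);
  return found;
}

// 'open'  : no phone links, safe to load
// 'ask'   : ordinary phone number, needs an explicit tap from the user
// 'block' : USSD/MMI characters or undecodable input, never hand to the dialer
function classify(payload) {
  let action = 'open';
  const reasons = [];
  for (const raw of extractTelUris(payload)) {
    const dial = fullyDecode(raw);
    if (dial === null || MMI_CHARS.test(dial)) {
      action = 'block';
      reasons.push(`USSD/MMI or undecodable dial string: tel:${raw}`);
    } else if (action !== 'block') {
      action = 'ask';
      reasons.push(`phone link needs user confirmation: tel:${raw}`);
    }
  }
  return { action, reasons };
}
```

The check only covers literal `tel:` text in the payload; a reader should still refuse to follow redirects or load pages without a tap from the user.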

You better believe Samsung is scrambling to create a patch for this truly massive potential breach of security. More on this story as it develops...

UPDATE: We're hearing from a few Twitter users that HTC phones (specifically the HTC One X) are also vulnerable to this security flaw, so this could be a much bigger issue than we previously imagined.


Comments

Link 7 months ago

is there a recommended virus protection app (or other app) available that would thwart this?

Link 7 months ago

I was hoping the single line of code is:
<a href="tel:SteveJobs">Click here to call Steve directly</a>

Link 7 months ago

BTW, please make hyperlinks available in the App Center app comments. I had to open the AndroidPIT website in my browser, copy and paste to get to Jörg's link. Just a suggestion. :)

Link 7 months ago

@Jörg, thank you. You can really count on the Android dev community to solve problems like these while waiting for an official OEM patch. It's nice that no permissions are required by the app. Hopefully it does its job.

@Dvoraak, seriously though, it's at times like these that one would or should appreciate the closed ecosystem of iOS. It may not fully protect you but I guess it makes it harder for the casual hacker.

Link 7 months ago

@Patrick - I love your reasoning. Samsung couldn't stand to be out of the news cycle :D

Link 7 months ago

@Patrick on Galaxy Note even Chrome does trigger the payload. But there's help available.

Check out: https://play.google.com/store/apps/details?id=com.voss.notelurl

I developed this nifty little app quickly to give a little protection against this threat.

Link 7 months ago

I did a little research on this, thanks for the heads up. Apparently only the stock browser is affected. If you use Google Chrome, it will not trigger the bug.

Link 7 months ago

so this can be pushed to my phone by anyone?

good thing there's nothing particularly important on my phone I guess.

Link 7 months ago

Samsung wouldn't allow themselves to be outdone by Apple. After the maps and Siri debacle, Sammy had to beat Apple on the glitch front. LOL.

This is bad though. Would this wipe trigger the eMMC hard brick bug on the S2 and Note? I hope they push out the patch soon. If I get hit by this... 64GB Slate iPhone 5 it is. haha!

Link 7 months ago

thank god for nexus

Link 7 months ago

Good God. Another reason to stay stock :-)