Last week there was news of exploits being beamed between Samsung Galaxy SIIIs using Near Field Communication (NFC). This week it would seem that hackers may be able to remotely trigger a factory reset of the S3 via concealed code on an infected web page. This reset will wipe all contacts, photos and installed applications. Having said that, some S3 testers have not been able to trigger a factory reset with the code, so it may be handset and/or carrier dependent.
The code required to achieve this feat is only 11 digits long and can now easily be found in various locations on the net. The issue also affects the Galaxy S2 as well as other Android devices produced by the company. It appears that no other manufacturers’ devices are affected.
The issue was discovered by a security researcher, Ravi Borgaonkar, from the Berlin university, who demonstrated the vulnerability at a security conference in Argentina last week. He claims that Samsung’s particular implementation of Unstructured Supplementary Service Data (USSD) could be the issue, as it allows the devices to be exploited with the malicious code.
Borgaonkar said that the code can be embedded in a web page’s HTML, an NFC tag or even a QR code (anyone still use those?). Once the phone visits the web page, scans the code, etc., the factory reset process starts and cannot be stopped. Within just a few seconds all of the owner’s personal data will be wiped (you have a backup of your phone book, pictures, etc., right?).
According to The Daily Telegraph, Borgaonkar said that the vulnerability can be mitigated by switching off Samsung’s ‘Service Loading’ feature. He also tweeted a link that you can use to discover if your own handset is vulnerable or not -
— Ravishankar (@raviborgaonkar) September 25, 2012
In the meantime one would assume that Samsung themselves are taking this issue very seriously indeed and are looking for a swift and more appropriate fix.
According to V3, Samsung have now released an over-the-air update to fix this USSD vulnerability.
Also, Paul Ducklin from Sophos suggests this issue may affect a wider range of Android handsets.