32 Comments

Summary:

At a security conference a scary demonstration showed that a single line of HTML code can remotely wipe out a Samsung Galaxy S III handset. Worse: It appears to work on many Samsung smartphones that run TouchWiz, which is most of Samsung’s line of handsets.

Be careful what links you click: A single line of HTML code can wipe the data on certain Samsung smartphones running Google’s Android software. The issue is specific to Samsung phones that also use the company’s TouchWiz software, says SlashGear, which actually means most of the current Samsung smartphones. Google’s Galaxy Nexus, also made by Samsung, is not affected by the exploit, which was demonstrated by Ravi Borganokar at the Ekoparty security conference.

Borganokar’s session, titled “Dirty use of USSD Codes in Cellular Network” demonstrated the issue when he tapped a link that causes Samsung’s TouchWiz phone dialer to execute the data wipe. Such codes are commonly used to register a phone on a network or perform other phone-level diagnostics, but this becomes an issue because TouchWiz automatically dials the code when the link is tapped. Here’s a video demonstration and explanation of the issue:

The short line of HTML code, Borganokar says, can also be executed through an embedded QR code or NFC wireless transfer. Even worse than an unintended factory restore or data wipe, this exploit can render the phone’s SIM card useless.

Some will surely condemn Android as a whole for this issue, but since it’s specific to Samsung’s TouchWiz software — likely as a feature to quickly dial phone numbers by way of links, QR codes or NFC data — the problem is limited to Samsung devices. I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.

As a long-time Android user, however, these security — or insecurity issues, rather — are getting old in general. I mainly use Android devices because they fit my mantra of “use the best tool for the task at hand.” As someone embedded deeply in Google’s world of apps and data, Android simply works better. Even my limits are getting tested though: An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.

Update: Samsung is quickly working on a software update to address the issue.

  1. Wow.. Samsung again and again ;)

    Share
  2. Maybe Apple’s ‘evil’ closed system ain’t such a bad idea after all ;0)

    Share
    1. Hey. millions of Apple ID has been stolen right? it can wipe your whole account also. your statement would be hypocritic you think?

      Share
      1. For those stupid Fandroid out there, those UUID meant nothing to Apple. It’s like reference number for identify device (similar to serial numbers). Fake UUID had been exist 2-3 years ago that can generate million of UUID if needed, can easy installed on Jailbreak iPhone.

        Share
  3. Yes, ok… But maps are ok, right? ;)

    Share
  4. I own a GNote (i717) and since the 2nd day I’ve had it I haven’t had TouchWiz on it thanks to custom Roms. On the other hand you should have a data recovery plan for total loss of the phone like cloud back ups of data which is very easy with the plethora of apps on the market that are free. I know Samsung should take the brunt of this but as an end user I protect my data as much as possible.

    Share
  5. There really should better standards in place, sure Android is great because it’s open – but this sort of thing could be a serious issue as more and more vendors join the market and Android is further customized.

    Share
  6. OK, so there is a proof of concept hack out there…not an actual attack, and we will be getting a patch soon that will fix the problem. No one freaks out anymore when Microsoft releases WEEKLY patches to their 1000s of vulnerabilities, why do mobile platforms get treated differently? In the end, its the USER that is responsible for keeping their phone and data safe. Password protect your phone, keep NFC off unless you are using it, don’t pirate apps or go to shady web sites, keep your phone updated. Its not hard people, but if you do those few things, you will eliminate 90% of the vulnerabilities that hackers are exploiting.

    Share
    1. I couldn’t have said it better myself John. Thank you.

      Share
    2. That is a techie-centric way of viewing responsibility. It is not the responsibility of the device user to prevent exploits; the user doesn’t even have that ability.

      Imagine your car breaks down when you turn the radio to a certain station. Would you blame yourself for dialing to a “shady radio station”, or would you blame the car manufacturer for an inherent defect in their product? And imagine taking your car to a know-it-all mechanic who laughs at you: “You didn’t know about the 101.3FM bug? Ha! You really don’t know how to use your car properly.”

      And even in the case of your cell phone, if you clicked a link and your phone was instantly wiped, I doubt you’d blame yourself.

      Share
      1. You really need to educate yourself on the difference between a bug and vulnerability.

        Share
  7. And let’s not forget that Apple itself faced a string of embarrassing hacks last few months. Technology can protect you only so much — the real onus lies on you!

    Share
  8. It’s an Android bug. Not just samsung. Nothing happens with the last OTA updates…
    http://www.androidpolice.com/2012/09/25/new-exploit-could-force-factory-reset-on-many-samsung-phones-running-touchwiz/

    Share
    1. Yes its not. its an old Android bug which has been fixed decade ago(smartphone timeline. ^^)

      Samsung just didn’t updated some of their phones. read the article you gave.

      Share
  9. Yes, the flaw is in Samsung’s code, not Android, but the fact that the Android APIs give you the ability to wipe the phone programmatically is not good.

    Share
    1. It can actually be very useful for remote-wiping stolen phones. Something that is a REAL problem in many countries.

      Share
  10. What would be nice is of somebody explained to us less tech savvy users how to fix the problem.

    Share
    1. Rene, this actually isn’t something a phone owner can fix; it’s the way Samsung has set up TouchWiz and the phone dialer software.

      Share
    2. Until a patch comes out don’t click on shady links. Or at least cross your fingers when you do.

      Share

Comments have been disabled for this post