One line of HTML can wipe or reset Samsung smartphones


Be careful what links you click: A single line of HTML code can wipe the data on certain Samsung smartphones running Google’s Android software. The issue is specific to Samsung phones that also use the company’s TouchWiz software, says SlashGear, which actually means most of the current Samsung smartphones. Google’s Galaxy Nexus, also made by Samsung, is not affected by the exploit, which was demonstrated by Ravi Borgaonkar at the Ekoparty security conference.

Borgaonkar’s session, titled “Dirty use of USSD Codes in Cellular Network,” demonstrated the issue: he tapped a link that caused Samsung’s TouchWiz phone dialer to execute the data wipe. Such USSD codes are commonly used to register a phone on a network or perform other phone-level diagnostics, but they become a problem here because TouchWiz automatically dials the code when the link is tapped. Here’s a video demonstration and explanation of the issue:

Video: http://youtu.be/Q2-0B04HPhs

The short line of HTML code, Borgaonkar says, can also be executed through an embedded QR code or NFC wireless transfer. Even worse than an unintended factory restore or data wipe, this exploit can render the phone’s SIM card useless.
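
The mitigation side of the behaviour described above, as an added example that is not from the article, Samsung or the researcher: a check that keeps a dialer from acting on service codes delivered by untrusted content. It assumes the dial string arrives as a `tel:` URI (RFC 3966); the function names and the blocking policy are hypothetical, and the sample page is constructed.

```javascript
// Added example. Assumption: the dial string reaches the handset as a
// tel: URI (RFC 3966) taken from a link, a QR code or an NFC record.
const SERVICE_CHARS = /[*#]/; // '*' or '#' marks a USSD/MMI service code

function classifyDialTarget(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return "not-tel";
  let dial;
  try { dial = decodeURIComponent(m[1]); } // '#' usually arrives as %23
  catch (e) { return "malformed"; }        // broken escape: refuse, don't guess
  // Drop RFC 3966 parameters (";ext=...") and visual separators.
  dial = dial.split(";")[0].replace(/[\s().-]/g, "");
  if (SERVICE_CHARS.test(dial)) return "service-code";
  return /^\+?\d+$/.test(dial) ? "plain-number" : "malformed";
}

// Hypothetical policy for targets that did not come from the keypad.
function dialerAction(uri) {
  const verdict = classifyDialTarget(uri);
  if (verdict === "plain-number") return "prefill-and-wait-for-call-button";
  if (verdict === "not-tel") return "ignore";
  return "block"; // never run service codes from untrusted content
}

// Decode numeric HTML entities so "&#35;" is seen as '#'.
function decodeEntities(s) {
  return s.replace(/&#(x[0-9a-f]{1,5}|\d{1,6});/gi, (_, n) =>
    String.fromCodePoint(/^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// Triage scan of page source: list href/src values a dialer must not run.
function findRiskyTelTargets(html) {
  const attr = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  for (const m of html.matchAll(attr)) {
    const value = decodeEntities(m[1] || m[2] || m[3] || "");
    if (dialerAction(value) === "block") hits.push(value);
  }
  return hits;
}

// Constructed sample page; *#06# only displays the handset's IMEI.
const SAMPLE_HTML = `<a href="tel:+1-555-0100">Call us</a>
<a href="tel:*%2306%23">support</a>
<a href='tel:&#42;&#35;06&#35;'>info</a>`;
```

The same `dialerAction` check applies to a string decoded from a QR code or read from an NFC tag, since only the delivery channel differs.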

Some will surely condemn Android as a whole for this issue, but since it’s specific to Samsung’s TouchWiz software — likely as a feature to quickly dial phone numbers by way of links, QR codes or NFC data — the problem is limited to Samsung devices. I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.

As a long-time Android user, however, these security — or insecurity issues, rather — are getting old in general. I mainly use Android devices because they fit my mantra of “use the best tool for the task at hand.” As someone embedded deeply in Google’s world of apps and data, Android simply works better. Even my limits are getting tested though: An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.

Update: Samsung is quickly working on a software update to address the issue.

32 Comments

jalal

Hello Samsung Android users,
the code is *2767*3855#
Type the above code in your phone dialler
and see that it will wipe out and reset the mobile.

Federico Garcia

Update: Samsung is quickly working on a software update to address the issue.
Good to hear that they acted fast and are now resolving it.

Samy

It’s not a flaw, it was a convenient way to factory hard reset Samsung phones, and it’s not a security issue, but people should stay away from dangerous sites like that. I called Samsung and they said it’s not a security flaw and it’s not even heard of as of yet, but in my opinion people are trying to make Samsung look bad, and myself owning a Samsung Galaxy S3 phone, it’s the best phone out there and fun to use. Thank you Samsung, love it.

Giancarlo

Using Chrome or Firefox instead of the stock browser should prevent this. I have my data backed up on the cloud, especially the Nexus. I’ve wiped out my data manually and flawlessly restored.

s3ntrax

Uninstall TouchWiz, and install a 3rd party launcher, Go Launcher (Free) for example.
Problem solved.

Dave

This speaks to the need for a quick and easy ability to upgrade the OS. Gotta have it to deal with unforeseen issues like this. Last week’s articles about 15% of iOS users upgrading to iOS6 in 24 hours versus 1.5% of JellyBean users in 2 months is crazy and speaks clearly to the update issue. If Samsung users could easily update their OS, this latest issue could quickly become a forgotten non-issue.

android user

“I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.” “An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.”

The platform may be open, but the device is not. If the device were open, there would already be a patch or a safe workaround. Users of Zirco Browser (Open source) won’t have the html activate the phone. (NFC, qc still vulnerable.) Users of Dialer2 (Open source) MAY have to push “dial” before the exploit works, unlike Touchwiz’s autodial.

But the wipe code itself is a “feature” of a closed ROM. Users who have rooted their phone to make it truly an open system are immune to the wipe code, but not the dialer exploit yet. At least they’re not at the mercy of Samsung to fix it.

Why pretend this has anything to do with Android being “open?” The iPhone has similar exploits (otherwise, how would you jailbreak it?) and they are found and used while the system is entirely “closed” up. Make Android open and this sort of thing is trivial to fix, just as secure as the open source nginx servers that Gigaom runs on. (Or would you trust those to proprietary ROMs instead?)

eideard

Sounds like all the reasons why the most experienced geeks in my family walked away from Linux. You can only waste so much time on diminishing returns.

EddieT

No. This is a good thing. What’s important is that Samsung & Google continuously test the security of Android, so that these loopholes can be found and fixed. No system is impervious, and to boast that it is, is ludicrous.

Rene

What would be nice is if somebody explained to us less tech savvy users how to fix the problem.

Matt

Until a patch comes out don’t click on shady links. Or at least cross your fingers when you do.

Mike Meyer

Yes, the flaw is in Samsung’s code, not Android, but the fact that the Android APIs give you the ability to wipe the phone programmatically is not good.

DarwinSurvivor

It can actually be very useful for remote-wiping stolen phones. Something that is a REAL problem in many countries.

Papapau

Yes, it’s not. It’s an old Android bug which was fixed a decade ago (smartphone timeline. ^^)

Samsung just didn’t update some of their phones. Read the article you gave.

Ankush Thakur

And let’s not forget that Apple itself faced a string of embarrassing hacks last few months. Technology can protect you only so much — the real onus lies on you!

John Nemesh

OK, so there is a proof of concept hack out there…not an actual attack, and we will be getting a patch soon that will fix the problem. No one freaks out anymore when Microsoft releases WEEKLY patches to their 1000s of vulnerabilities, why do mobile platforms get treated differently? In the end, it’s the USER that is responsible for keeping their phone and data safe. Password protect your phone, keep NFC off unless you are using it, don’t pirate apps or go to shady web sites, keep your phone updated. It’s not hard, people, but if you do those few things, you will eliminate 90% of the vulnerabilities that hackers are exploiting.

Alex

That is a techie-centric way of viewing responsibility. It is not the responsibility of the device user to prevent exploits; the user doesn’t even have that ability.

Imagine your car breaks down when you turn the radio to a certain station. Would you blame yourself for dialing to a “shady radio station”, or would you blame the car manufacturer for an inherent defect in their product? And imagine taking your car to a know-it-all mechanic who laughs at you: “You didn’t know about the 101.3FM bug? Ha! You really don’t know how to use your car properly.”

And even in the case of your cell phone, if you clicked a link and your phone was instantly wiped, I doubt you’d blame yourself.

C L

You really need to educate yourself on the difference between a bug and vulnerability.

Jerry

There really should be better standards in place. Sure, Android is great because it’s open – but this sort of thing could be a serious issue as more and more vendors join the market and Android is further customized.

Maddroxx

I own a GNote (i717) and since the 2nd day I’ve had it I haven’t had TouchWiz on it thanks to custom ROMs. On the other hand you should have a data recovery plan for total loss of the phone, like cloud backups of data, which is very easy with the plethora of apps on the market that are free. I know Samsung should take the brunt of this but as an end user I protect my data as much as possible.

Papapau

Hey, millions of Apple IDs have been stolen, right? It can wipe your whole account also. Your statement would be hypocritical, you think?

ConAime

For those stupid Fandroids out there, those UUIDs meant nothing to Apple. It’s like a reference number to identify a device (similar to serial numbers). Fake UUIDs existed 2-3 years ago that can generate millions of UUIDs if needed, and can easily be installed on a jailbroken iPhone.
