Be careful what links you click: A single line of HTML code can wipe the data on certain Samsung smartphones running Google’s Android software. The issue is specific to Samsung phones that also use the company’s TouchWiz software, says SlashGear, which actually means most of the current Samsung smartphones. Google’s Galaxy Nexus, also made by Samsung, is not affected by the exploit, which was demonstrated by Ravi Borgaonkar at the Ekoparty security conference.
Borgaonkar’s session, titled “Dirty use of USSD Codes in Cellular Network,” demonstrated the issue when he tapped a link that caused Samsung’s TouchWiz phone dialer to execute the data wipe. Such codes are commonly used to register a phone on a network or perform other phone-level diagnostics, but this becomes an issue because TouchWiz automatically dials the code when the link is tapped.
The short line of HTML code, Borgaonkar says, can also be executed through an embedded QR code or NFC wireless transfer. Even worse than an unintended factory restore or data wipe, this exploit can render the phone’s SIM card useless.
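To show what "disable the automatic dialing" looks like in practice, here is an added example (not from the original article or from Samsung) of a check a link, QR or NFC handler could run before passing a target to the dialer. It assumes the link uses the tel: URI scheme, which the article does not spell out; the function names are hypothetical, and the sample markup is constructed and uses the harmless IMEI display code *#06#.

```javascript
// Added example: decide what a handler may do with a tel: target.
// Function names are hypothetical; the sample markup is constructed.

// tel: targets in href/src attributes (links and frames).
const TEL_ATTR = /\b(?:href|src)\s*=\s*(["'])\s*(tel:[^"']*)\1/gi;

function percentDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Classify one tel: URI taken from a link, a QR code or an NFC record.
function classifyTel(uri) {
  const m = /^tel:([^;]*)/i.exec(uri.trim());
  if (!m) return { kind: "not-tel", action: "ignore" };
  // '#' is often sent as %23, so decode before inspecting the digits.
  const dial = percentDecode(m[1]).replace(/[\s\-().]/g, "");
  // '*' or '#' means a USSD/MMI code, not a phone number: never dial it.
  if (/[*#]/.test(dial)) {
    return { kind: "ussd-or-mmi", dial, action: "block" };
  }
  // Ordinary numbers are only placed in the dialer; the user presses call.
  if (/^\+?\d+$/.test(dial)) {
    return { kind: "phone-number", dial, action: "prefill-only" };
  }
  return { kind: "malformed", dial, action: "block" };
}

// Run the classifier over every tel: target found in a page.
function scanHtml(html) {
  return [...html.matchAll(TEL_ATTR)].map((m) => classifyTel(m[2]));
}

// Constructed sample: one ordinary number, one framed USSD-style code.
const sample =
  '<a href="tel:+1-555-0100">Call us</a>' +
  '<iframe src="tel:*%2306%23"></iframe>';

console.log(scanHtml(sample));
```

The same `classifyTel` call applies to a string decoded from a QR code or read from an NFC tag, since all three paths end at the dialer.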
Some will surely condemn Android as a whole for this issue, but since it’s specific to Samsung’s TouchWiz software — likely as a feature to quickly dial phone numbers by way of links, QR codes or NFC data — the problem is limited to Samsung devices. I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.
As a long-time Android user, however, these security — or insecurity issues, rather — are getting old in general. I mainly use Android devices because they fit my mantra of “use the best tool for the task at hand.” As someone embedded deeply in Google’s world of apps and data, Android simply works better. Even my limits are getting tested though: An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.