I’ve never been a huge fan of the TouchWiz UI Samsung throws onto most of its smartphones (for aesthetic reasons, mostly), but now it seems there’s another reason to be wary of the custom Android interface. At a recent security conference in Argentina, Technical University Berlin researcher Ravi Borgaonkar showed off a slightly disturbing vulnerability that could prompt a Samsung phone to wipe itself completely after an unsuspecting user clicks a link.
Here’s the exploit in a nutshell: a simple line of HTML (which we won’t be reproducing for obvious reasons) goads a vulnerable device into dialing a specific USSD code that triggers a full wipe/reset. According to SlashGear and The Next Web, vulnerable devices include the popular Galaxy S II and S III series, as well as the Galaxy S Advance, Galaxy Beam, and Galaxy Ace.
Well damn.
This whole thing boils down to how Samsung’s TouchWiz dialer handles these USSD codes — stock Android devices like the Galaxy Nexus interpret the code properly and loads the key-combination for a reset into the dialer but doesn’t actually pull the trigger on its own. Meanwhile, the TouchWiz dialer takes things a step further by dialing the code automatically, which in South Park parlance means you’re going to have a bad time.
As it turns out, it’s not just the dialer’s fault here — the way the stock browser handles the “tel:” protocol handler seems partially to blame too. Using Chrome and other third-party browsers seems to help mitigate the issue, though some reports on the xda-developers forum claim otherwise.
That said though, the easiest way for an utter asshole to spread a bit of despair would be wrap that offending code in an iframe, run it through a URL shortener (as some have already done purely in the name of science), and spread it around. Oh, but it doesn’t end there — Borgaonkar also noted on-stage that a simple text message could also be used as an attack vector, as well as QR codes (only with some QR code scanners) and link sharing through NFC/Android Beam. Samsung hasn’t yet released an official statement on the matter, but representatives have told The Verge that the company is looking into it.
Curious to see if your Samsung phone is vulnerable? A chap named Dylan Reeve cobbled together a test site that replaces the reset code with one that prompts your device to display its IMEI number. If your phone willingly offers up its identifier number, well, just be careful of what links you follow until Samsung gets something figured out (and switch to a new dialer app while you’re at it).