[Android] Nasty Samsung Galaxy S3 Factory Reset Bug

[Arthur]

Source: Twitter

the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />

Security researcher Ravi Borgaonkar demoed a dangerous and nasty bug that allows various devices, including the popular Samsung Galaxy S III, to be factory reset without user permission. Using Unstructured Supplementary Service Data, the researcher was able to exploit a factory reset code through a link. Embedded in an HTML frame/iframe tag, the link can be auto loaded without user permission. The link, which we won’t mention here due to its exploitative and dangerous nature, automatically loads on some Android phones. We’ve confirmed the problem using a Galaxy S III (see update below), and it’s likely that other Samsung TouchWiz phones suffer from this problem. When the link loads, a factory reset is initiated without user permission. This reset wipes all user data and restores the phone to a near-stock state.

The problem lies with Samsung, in this case, which enabled two things that should never go together: automatic USSD triggering and dangerously capable USSD codes like the factory reset one. If Samsung had disabled automatic triggering or disabled/not added factory reset USSD codes, then the bug would not be a problem. But, the two coexisting proves a dangerous combination.

Borgaonkar demonstrates the execution of the exploit through a browser link on stage. See the video below.

Unfortunately, the exploit can be executed from a QR code, NFC swipe, WAP Push SMS, internet link, or embedded frame. Surely Samsung will push an update as soon as possible. We urge users to keep backups of all personal data on hand in the meantime.

Side note: stock Android phones do not automatically trigger USSD codes. They will not suffer from this problem. The Samsung Galaxy Nexus does not have a USSD factory reset code. (Source)

[LosOjos]

I hope they push an update out soon! Still, there's an evil little part of me that's tempted to send the text to a couple of "mates"

[X-13]

wait... so anyone browsing this via mobile mode on a S3 is going to get a nasty surprise?

[LosOjos]

wait... so anyone browsing this via mobile mode on a S3 is going to get a nasty surprise?

not this post, but a website with the above HTML embedded in an iframe, yes (as the iframe will act like a link, launching the command to make a "call" to the USSD code, thus triggering a factory reset).

[LosOjos]

just to be on the safe side, I think I'll disable push messages for the time being!

[X-13]

not this post, but a website with the above HTML embedded in an iframe, yes (as the iframe will act like a link, launching the command to make a "call" to the USSD code, thus triggering a factory reset).

Damn, there goes my plan to send a link to this thread to people with an S3...


TBH, this sounds like one of the things they should have kept quiet about and fixed in the background.

[Arthur]

An OTA update for the S3 should now be available.

Samsung has fix for Galaxy S III reset vulnerability, asks users to update software
Yesterday's big bad news for Samsung — that a number of Galaxy Android devices were exposed to being hard-reset when their user clicked a link in the browser — is being quickly rectified by the Korean company, which has just issued a statement saying a fix is "already" in place. While Samsung hasn't specified the particular software version (or given any assurances for devices other than its flagship Galaxy S III), it encourages all affected users to update their phones to the latest software available over-the-air. That should keep you safe from the dangers of inadvertently wiping your GS III, though the fate of the other TouchWiz devices in Samsung's portfolio remains unclear.

Samsung's Belgian Twitter mouthpiece has promised a firmware patch is currently undergoing testing for the Galaxy S II, so the company is at least working on the issue. We're seeking to get more details from Samsung directly and will update you as soon as we hear more.

"We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service." (Source)

[Oaktech]

Damn, there goes my plan to send a link to this thread to people with an S3...


TBH, this sounds like one of the things they should have kept quiet about and fixed in the background.

Have you ever tried to keep a security researcher quiet when he thinks he's found a big juicy flaw?

Le Edit: Without contravening the Geneva convention @X-13

[X-13]

Have you ever tried to keep a security researcher quiet when he thinks he's found a big juicy flaw?

I'm sure that if I tried, I would be quite successful.

[Oaktech]

I'm sure that if I tried, I would be quite successful.

Without contravening the Geneva convention...

[X-13]

Without contravening the Geneva convention...

As far as I'm aware, Duct tape doesn't contravene the Geneva convention.

[AngryTechnician]

And what about all the network-locked devices that get their updates from the service provider, not direct from Samsung? On my last O2 phone it would be months before they trickled down, if at all.

At least Samsung are finally doing OTA now. My wife's S2 can only be updated through her laptop using Samsung Keis, which is an awful POS.

[aerospacemango]

And what about all the network-locked devices that get their updates from the service provider, not direct from Samsung? On my last O2 phone it would be months before they trickled down, if at all.

At least Samsung are finally doing OTA now. My wife's S2 can only be updated through her laptop using Samsung Keis, which is an awful POS.

Don't get me started on that shocking load of sh*te!

That's the only downside to Samsung! Having to deal with Kies!*



*Although if you get the app, it works surprisingly well!!!

[X-13]

That's the only downside to Samsung! Having to deal with Kies!*

Just put it in media storage mode and use it like a USB pen drive.

[Arthur]

This bug is worse than first thought.

Remote USSD Attack - It's not just Samsung
The remote USSD vulnerability I detailed in my last post (and now covered widely in the tech media) is not just a Samsung problem. The same general vulnerability (executing a USSD code without user intervention from a website, or other delivery vector) affects many phones. I've personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5).

I've also heard reports of the proof of concept working on a Sony Xperia Active.

The potential impact of the issue is limited only by whatever USSD codes can be executed on a given phone. It's not clear if all manufacturers have Factory Reset USSDs on but at least some do.

I have only been testing with the IMEI code and have no intention to test with anything more damaging, but it is possible that in some cases different USSD codes could be handled differently. So while the IMEI code may work, it's possible that other more damaging codes would not. This is, however, very speculative and there's no safe way to know without testing.

Regardless it is very poor design to allow a passed value to execute as if it were keyed in interactively.

It would appear that the root of the problem is probably the standard Android dialer - the vulnerability was identified and patched three months ago. For this reason it's likely to affect any phone using the standard dialer (as it existed three months ago) or a dialer based on it.

It would be fairly trivial to weaponise the vulnerability to detect phone model with browser User Agent and tailor the response to suit.

As I mentioned in my earlier post - the simplist to mitigate the risk from this issue is to install another dialer. Either setting one that exhibit the risky behaviour as default, or simply having more than one installed to force a "Complete action using.." choice. (Source)

And what about all the network-locked devices that get their updates from the service provider, not direct from Samsung?

Google really need to sort the update situation out. As it stands, 50% of Android smartphones have unpatched vulnerabilities and it's only going to get worse!