  #1 Arthur

    Nasty Samsung Galaxy S3 Factory Reset Bug



    Source: Twitter

    the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />
    Security researcher Ravi Borgaonkar demoed a dangerous and nasty bug that allows various devices, including the popular Samsung Galaxy S III, to be factory reset without user permission. Using Unstructured Supplementary Service Data, the researcher was able to exploit a factory reset code through a link. Embedded in an HTML frame/iframe tag, the link can be auto loaded without user permission. The link, which we won’t mention here due to its exploitative and dangerous nature, automatically loads on some Android phones. We’ve confirmed the problem using a Galaxy S III (see update below), and it’s likely that other Samsung TouchWiz phones suffer from this problem. When the link loads, a factory reset is initiated without user permission. This reset wipes all user data and restores the phone to a near-stock state.

    The problem lies with Samsung, in this case, which enabled two things that should never go together: automatic USSD triggering and dangerously capable USSD codes like the factory reset one. If Samsung had disabled automatic triggering or disabled/not added factory reset USSD codes, then the bug would not be a problem. But, the two coexisting proves a dangerous combination.

    Borgaonkar demonstrates the execution of the exploit through a browser link on stage. See the video below.

    Unfortunately, the exploit can be executed from a QR code, NFC swipe, WAP Push SMS, internet link, or embedded frame. Surely Samsung will push an update as soon as possible. We urge users to keep backups of all personal data on hand in the meantime.

    Side note: stock Android phones do not automatically trigger USSD codes. They will not suffer from this problem. The Samsung Galaxy Nexus does not have a USSD factory reset code. (Source)
    Last edited by Arthur; 25th September 2012 at 03:16 PM.


  #2 LosOjos
    I hope they push an update out soon! Still, there's an evil little part of me that's tempted to send the text to a couple of "mates"

  #3 X-13
    Wait... so anyone browsing this via mobile mode on a S3 is going to get a nasty surprise?

  #4 LosOjos
    Quote Originally Posted by X-13:
    Wait... so anyone browsing this via mobile mode on a S3 is going to get a nasty surprise?
    Not this post, but a website with the above HTML embedded in an iframe, yes (as the iframe will act like a link, launching the command to make a "call" to the USSD code, thus triggering a factory reset).

  #5 LosOjos
    Just to be on the safe side, I think I'll disable push messages for the time being!

  #6 X-13
    Quote Originally Posted by LosOjos:
    Not this post, but a website with the above HTML embedded in an iframe, yes (as the iframe will act like a link, launching the command to make a "call" to the USSD code, thus triggering a factory reset).
    Damn, there goes my plan to send a link to this thread to people with an S3...


    TBH, this sounds like one of the things they should have kept quiet about and fixed in the background.

  #7 Arthur
    An OTA update for the S3 should now be available.

    Samsung has fix for Galaxy S III reset vulnerability, asks users to update software
    Yesterday's big bad news for Samsung — that a number of Galaxy Android devices were exposed to being hard-reset when their user clicked a link in the browser — is being quickly rectified by the Korean company, which has just issued a statement saying a fix is "already" in place. While Samsung hasn't specified the particular software version (or given any assurances for devices other than its flagship Galaxy S III), it encourages all affected users to update their phones to the latest software available over-the-air. That should keep you safe from the dangers of inadvertently wiping your GS III, though the fate of the other TouchWiz devices in Samsung's portfolio remains unclear.

    Samsung's Belgian Twitter mouthpiece has promised a firmware patch is currently undergoing testing for the Galaxy S II, so the company is at least working on the issue. We're seeking to get more details from Samsung directly and will update you as soon as we hear more.

    "We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service." (Source)

  #8 Oaktech
    Quote Originally Posted by X-13:
    Damn, there goes my plan to send a link to this thread to people with an S3...


    TBH, this sounds like one of the things they should have kept quiet about and fixed in the background.
    Have you ever tried to keep a security researcher quiet when he thinks he's found a big juicy flaw?

    Le Edit: Without contravening the Geneva convention @X-13
    Last edited by Oaktech; 26th September 2012 at 12:11 PM.

  #9 X-13
    Quote Originally Posted by Oaktech:
    Have you ever tried to keep a security researcher quiet when he thinks he's found a big juicy flaw?
    I'm sure that if I tried, I would be quite successful.

  #10 Oaktech
    Quote Originally Posted by X-13:
    I'm sure that if I tried, I would be quite successful.
    Without contravening the Geneva convention...

  #11 X-13
    Quote Originally Posted by Oaktech:
    Without contravening the Geneva convention...
    As far as I'm aware, duct tape doesn't contravene the Geneva convention.
    Last edited by X-13; 26th September 2012 at 12:16 PM. Reason: Jeebus Chris... I can't spell.


  #12 AngryTechnician
    And what about all the network-locked devices that get their updates from the service provider, not direct from Samsung? On my last O2 phone it would be months before they trickled down, if at all.

    At least Samsung are finally doing OTA now. My wife's S2 can only be updated through her laptop using Samsung Kies, which is an awful POS.

  #13 aerospacemango
    Quote Originally Posted by AngryTechnician:
    And what about all the network-locked devices that get their updates from the service provider, not direct from Samsung? On my last O2 phone it would be months before they trickled down, if at all.

    At least Samsung are finally doing OTA now. My wife's S2 can only be updated through her laptop using Samsung Kies, which is an awful POS.
    Don't get me started on that shocking load of sh*te!

    That's the only downside to Samsung! Having to deal with Kies!*



    *Although if you get the app, it works surprisingly well!!!

  #14 X-13
    Quote Originally Posted by aerospacemango:
    That's the only downside to Samsung! Having to deal with Kies!*
    Just put it in media storage mode and use it like a USB pen drive.

  #15 Arthur
    This bug is worse than first thought.

    Remote USSD Attack - It's not just Samsung
    The remote USSD vulnerability I detailed in my last post (and now covered widely in the tech media) is not just a Samsung problem. The same general vulnerability (executing a USSD code without user intervention from a website, or other delivery vector) affects many phones. I've personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5).

    I've also heard reports of the proof of concept working on a Sony Xperia Active.

    The potential impact of the issue is limited only by whatever USSD codes can be executed on a given phone. It's not clear if all manufacturers have Factory Reset USSDs on but at least some do.

    I have only been testing with the IMEI code and have no intention to test with anything more damaging, but it is possible that in some cases different USSD codes could be handled differently. So while the IMEI code may work, it's possible that other more damaging codes would not. This is, however, very speculative and there's no safe way to know without testing.

    Regardless it is very poor design to allow a passed value to execute as if it were keyed in interactively.

    It would appear that the root of the problem is probably the standard Android dialer - the vulnerability was identified and patched three months ago. For this reason it's likely to affect any phone using the standard dialer (as it existed three months ago) or a dialer based on it.

    It would be fairly trivial to weaponise the vulnerability to detect phone model with browser User Agent and tailor the response to suit.

    As I mentioned in my earlier post - the simplest way to mitigate the risk from this issue is to install another dialer. Either setting one that doesn't exhibit the risky behaviour as default, or simply having more than one installed to force a "Complete action using..." choice. (Source)
    Quote Originally Posted by AngryTechnician:
    And what about all the network-locked devices that get their updates from the service provider, not direct from Samsung?
    Google really need to sort the update situation out. As it stands, 50% of Android smartphones have unpatched vulnerabilities and it's only going to get worse!

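Added example, not code from the thread, the quoted articles or any handset vendor: the dialer-side check that post #15 argues for (a dial string handed in via a tel: URI must not run as if keyed in when it carries USSD/MMI syntax), plus a page scanner that flags the auto-loading tel: frame quoted in the first post so a web filter or proxy can spot it. The confirmation policy, the helper names and the sample HTML are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical dialer policy (not Samsung's or Android's own code): a dial string
# with MMI/USSD syntax ('*' or '#') needs confirmation, never unattended execution.
USSD_CHARS = set("*#")

def classify_tel_uri(uri):
    """Return (kind, decoded dial string); kind is 'ussd', 'number' or 'invalid'.
    Percent-escapes are decoded first: '#' travels as %23 inside an attribute."""
    if not uri.lower().startswith("tel:"):
        return ("invalid", "")
    dial = unquote(uri[4:]).strip()
    if not dial or not re.fullmatch(r"[+*#0-9]+", dial):
        return ("invalid", dial)
    if USSD_CHARS & set(dial):
        return ("ussd", dial)
    return ("number", dial)

def dialer_should_prompt(uri):
    """Dialer-side guard: only a plain number may reach the dial box unprompted."""
    return classify_tel_uri(uri)[0] != "number"

class _TelFrameScanner(HTMLParser):
    """Collect frame/iframe src values carrying a tel: URI, i.e. dial strings
    the page fires without any click from the user."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value and value.lower().startswith("tel:"):
                    self.hits.append(value)

def find_auto_dial_frames(html):
    """Return [(src, kind)] for every frame/iframe that auto-loads a tel: URI."""
    scanner = _TelFrameScanner()
    scanner.feed(html)
    return [(src, classify_tel_uri(src)[0]) for src in scanner.hits]

# Constructed sample page: the frame quoted in the thread next to an ordinary
# http iframe and a click-to-call link, neither of which should be flagged.
SAMPLE_HTML = ('<iframe src="http://example.invalid/ad"></iframe>'
               '<frame src="tel:*2767*3855%23" /><a href="tel:+441234567890">call</a>')

if __name__ == "__main__":
    print(find_auto_dial_frames(SAMPLE_HTML))
```

A click-to-call anchor is left alone because it needs a user action; only the frame/iframe, which the browser fetches on page load, is reported.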


