Security researcher Ravi Borgaonkar demoed a dangerous and nasty bug that allows various devices, including the popular Samsung Galaxy S III, to be factory reset without user permission. Using Unstructured Supplementary Service Data (USSD), the researcher was able to trigger a factory-reset USSD code through a link. Embedded in an HTML frame/iframe tag, the link is auto-loaded without user permission, and on affected phones the dialer executes the code the moment the page renders. We won’t reproduce the link here due to its exploitative and dangerous nature. We’ve confirmed the problem using a Galaxy S III (see update below), and it’s likely that other Samsung TouchWiz phones suffer from this problem. When the link loads, a factory reset is initiated without user permission. This reset wipes all user data and restores the phone to a near-stock state.
The problem lies with Samsung, in this case, which enabled two things that should never go together: automatic USSD triggering and dangerously capable USSD codes like the factory reset one. If Samsung had disabled automatic triggering, or had disabled or never added factory reset USSD codes, the bug would not be a problem. Either change on its own would have closed the hole; it is the two coexisting that makes a dangerous combination.
Borgaonkar demonstrates the execution of the exploit through a browser link on stage. See the video below.
Unfortunately, the exploit can be delivered through a QR code, NFC swipe, WAP Push SMS, internet link, or embedded frame. Surely Samsung will push an update as soon as possible. We urge users to keep backups of all personal data on hand in the meantime.
Side note: stock Android phones do not automatically trigger USSD codes, so they will not suffer from this problem. The Samsung Galaxy Nexus does not have a USSD factory reset code. (Source
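Every delivery vector listed above ends the same way: a dial string reaches the phone app and is executed without a tap. The one thing a filter, proxy or app can check, whatever the vector, is whether a link carries a USSD/MMI-style code at all. The following is an added example, not code from the article or from Borgaonkar’s demo. It assumes the link uses the `tel:` URI scheme (the scheme a web page uses to hand a number to the dialer; the article does not name it), and it uses the harmless IMEI query `*#06#` as constructed sample input rather than the reset code the article withholds. The classifier is deliberately broad: any string that starts with `*` or `#` and ends with `#` is treated as something that must never be dialed automatically.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# USSD/MMI dial strings start with * or #, contain only digits, * and #,
# and end with #.  Broad on purpose: nothing of this shape should ever be
# dialed without the user pressing "call".
USSD_RE = re.compile(r"^[*#][0-9*#]*#$")


def is_ussd_like(uri):
    """True if a tel: URI carries a USSD/MMI-style code.

    Percent-encoding is undone first: a real page has to write '#' as
    '%23' (and may write '*' as '%2A') because a bare '#' would be read
    as a URL fragment.  Scheme matching is case-insensitive.
    """
    if not uri.lower().startswith("tel:"):
        return False
    number = unquote(uri[len("tel:"):]).strip()
    return bool(USSD_RE.match(number))


class _TelLinkCollector(HTMLParser):
    """Collects tel: links, noting whether the browser loads them unprompted."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # frame/iframe src is fetched as the page renders: no user action.
        if tag in ("iframe", "frame") and attrs.get("src"):
            self._check(tag, attrs["src"], auto_loaded=True)
        # an anchor still needs a tap, but is worth reporting too.
        elif tag == "a" and attrs.get("href"):
            self._check(tag, attrs["href"], auto_loaded=False)

    def _check(self, tag, uri, auto_loaded):
        if is_ussd_like(uri):
            self.findings.append(
                {"tag": tag, "uri": uri, "auto_loaded": auto_loaded}
            )


def scan_html(html):
    """Return every tel: link in `html` that carries a USSD-style code."""
    parser = _TelLinkCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (hypothetical): one auto-loaded frame, one
# ordinary phone number, and one percent-encoded code behind a click.
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
<a href="tel:+15551234567">call support</a>
<a href="tel:%2A%2306%23">show IMEI</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        kind = "AUTO-LOADED" if f["auto_loaded"] else "on click"
        print(f"{kind:12} <{f['tag']}> {f['uri']}")
```

On the constructed page the scanner reports the zero-size iframe as auto-loaded and the second anchor as click-only; the plain `+1…` number is ignored. The same `is_ussd_like` check applies to a string scanned from a QR code, read from an NFC tag or received by WAP Push before it is handed to the dialer, which is the single choke point the article’s list of vectors all pass through.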