Watch: Samsung Galaxy S III 4G On Android 4.1.1 Still Vulnerable To USSD Reset

We got all excited when the Samsung Galaxy S III 4G was announced for Australia, not just because of the fast speeds, but also because it will ship with Android 4.1.1, also known as Jelly Bean. This morning, a vulnerability was discovered in Samsung's TouchWiz UI that factory resets the phone without any confirmation. Samsung says it was fixed in the Android 4.0.4 release, so why is it working on this 4.1.1 handset?

Here's how it works: A USSD code, or Unstructured Supplementary Service Data code, is a dial string that carriers use to trigger commands on your phone. If you've ever recharged with prepaid phone credit or looked up your IMEI number via your phone app, you've used USSD.

This particular code isn't anything out of the ordinary, either. The problem is that when you type it in to trigger a factory reset, the device is meant to stop before it executes the command and ask if you're sure. That's what's missing here — confirmation. That means that anyone can show their friends a "cool trick" or social engineering can be deployed to lure people into resetting their phones.

Samsung says that the issue was fixed in Android 4.0.4 — a maintenance release for Ice Cream Sandwich. This handset that we did it on is running Android 4.1.1 Jelly Bean, so why is it working?

We've reached out to Samsung for comment, but until then, don't tap on any codes you aren't sure of.
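The article explains that a USSD code is a dial string the handset interprets as a command, and the comments below point out that such a string can also reach the dialer through a tel: URL embedded in a web page or iframe. The following JavaScript is an added example, not code from the article, from Samsung or from any product mentioned here: a check that a site hosting user-submitted HTML (comments, ads) could run before serving it, to flag and neutralise tel: links whose dial string contains `*` or `#`, characters an ordinary phone number never carries. The regular expression, the `data-blocked-tel` attribute name and the sample HTML are assumptions constructed for this example; the `*#06#` string in the sample is the standard IMEI display code (the article only refers to looking up an IMEI), chosen because it is harmless.

```javascript
// Added example: flag and neutralise tel: URLs that carry USSD-style dial
// strings in HTML a site is about to serve. Not code from the article.
// Assumption: a dial string containing '*' or '#' is USSD-like; plain phone
// numbers consist of digits, '+' and separators only.

// Matches href/src/action attributes whose value starts with "tel:".
const TEL_ATTR_RE = /\b(?:href|src|action)\s*=\s*(["'])\s*tel:([^"']*)\1/gi;

function decodeDialString(raw) {
  // tel: bodies are often percent-encoded (%23 for '#', %2A for '*').
  let s = raw.trim();
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Malformed percent-encoding: keep the raw string so it is still inspected.
  }
  return s;
}

function isUssdLike(dialString) {
  // Ordinary phone numbers never contain '*' or '#'.
  return /[*#]/.test(dialString);
}

// Returns every tel: attribute whose decoded dial string looks like USSD.
function findUssdTelLinks(html) {
  const findings = [];
  let m;
  TEL_ATTR_RE.lastIndex = 0;
  while ((m = TEL_ATTR_RE.exec(html)) !== null) {
    const dial = decodeDialString(m[2]);
    if (isUssdLike(dial)) {
      findings.push({ match: m[0], dialString: dial, offset: m.index });
    }
  }
  return findings;
}

// Rewrites only the offending attributes; plain tel: numbers stay clickable.
function neutralizeUssdTelLinks(html) {
  return html.replace(TEL_ATTR_RE, (full, quote, body) =>
    isUssdLike(decodeDialString(body))
      ? `data-blocked-tel=${quote}removed${quote}` // hypothetical attribute name
      : full
  );
}

// Constructed sample input: one benign link, one USSD link disguised as a
// prize link (the pattern described in the comments), one hidden iframe.
const SAMPLE_HTML = [
  '<p>Call us: <a href="tel:+61-2-5550-0000">support</a></p>',
  '<p><a href="tel:*%2306%23">Click here to win a prize!</a></p>',
  '<iframe src="tel:%2A%2312345%23" style="display:none"></iframe>',
].join('\n');

console.log(JSON.stringify(findUssdTelLinks(SAMPLE_HTML), null, 2));
console.log(neutralizeUssdTelLinks(SAMPLE_HTML));
```

The scan reports two findings for the sample (the disguised link and the hidden iframe) and leaves the support number untouched; a comment system would typically run `neutralizeUssdTelLinks` on submission and log `findUssdTelLinks` output for review. This is a server-side mitigation for sites; it does not replace the on-device fix of ignoring USSD codes delivered via intents, which a commenter below describes.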


Comments

    Can anyone comment if this has actually happened to them?

    People are BRUTAL with comments about the smallest things with Apple or Microsoft - this is a HUGE thing and Samsung have lied to the market. This is not just a terrible fault, it's a terrible company that would lie about something like this!

      Typing in a code designed to factory reset the phone... factory resets the phone... OH MY GOD THE HUMANITY!

        Typing in a code designed to factory reset the phone... factory resets the phone without any confirmation prompt. That's the issue.

          But there is absolutely no way someone typed in that code without that exact intent in mind. They didn't just accidentally find it, they went on Google and searched for "how to reset my galaxy s III" and then followed the instructions. No one anywhere ever is going around saying "Oh no, I pocket dialed *2767*3855# and now my phone has been wiped, damn that Samsung!"

            From the other article: Basically, if you access a web page from your phone containing the specific USSD code in the form of a tel: URL, it could trigger a factory data reset that wipes your phone back to factory settings.

            That means I could create a link that resets people's phones:
            Click here to win a prize!

            That is a problem. I think it is a fairly serious problem. Imagine if somebody hacked Gizmodo and put a URL redirect to that number when it detected a Samsung device? That shouldn't be possible.

            (If the above link actually came out in the comment as a link DON'T CLICK IT).

            The problem here is that USSD codes can be initiated via any app on the phone, not just the dialler, including someone embedding it into a website. When someone goes to the site on their phone, bam! Bye-bye data.

              Actually no, they can't after the fix. Any USSD code sent to the dialer via an intent (i.e. any other way than typing it in manually) will be ignored. That's why this article makes no sense.

              Typing it in manually is designed to factory reset the phone. The same code works on pretty much all platforms.

          I think it's more concerning for Galaxy S II users who can be link baited and see their phone wiped WITHOUT dialling a thing.

          This is a serious warning to Galaxy S 2 users.

          http://eftm.com.au/2012/09/video-samsung-galaxy-sii-vulnerable-to-complete-data-loss-by-clicking-one-link-8336

        Yes it is a bit of an issue if you visit a hyperlink called "See Kate Middleton's boobs" and instead your phone gets wiped.

      haha although I agree if it were Apple there would be 3 pages of comments complaining about how outrageous it is, I don't think this makes them a terrible company. Unless I'm a shareholder I never entertain delusions that any corporation is on my side.

        See: http://www.gizmodo.com.au/2012/09/touchwiz-security-bug-could-wipe-your-samsung-galaxy-phone

        2nd paragraph

        Finally, someone who realises that fanboism is only for the needy who see profit-churning companies as their friends. You, sir, win.

      One missing confirmation dialog? This is barely even on the scale, it's certainly not HUGE by any stretch of the imagination. I once forgot to put a confirmation dialog into a command I was coding for an (unnamed but widely-used) enterprise-grade Version Control System (and no, it wasn't VSS - I said "enterprise-grade"). The command was a combined "drop and purge" of the selected product repository, something that REALLY needs a confirmation dialog. At least a dozen companies lost their entire code history for major products and one of those companies was foolish enough to have every single one of their products arranged in sub-projects of the same repository so they literally lost every shred of code across their entire product portfolio. They're bankrupt now unfortunately; but hey, mistakes get made and all good companies know that, which must be why I've been promoted twice since that particular faux-pas.

      Anyway, my point is that a missing confirmation dialog CAN be huge - it can destroy an entire company in a single button press - but this Samsung issue doesn't even register. Worst case scenario: a few e-mails and a handful of cat pictures get lost... forgive my cynicism but I hardly count that as HUGE. It certainly won't be bankrupting anyone and let's not forget that it's only going to affect those foolish enough to visit malicious websites. So unless you're a pirate or a big fan of questionable porn I doubt you have anything to worry about - if you're that concerned, just wait for the next patch before hitting up any torture porn.

      BTW, no brand loyalty here; I use a 5 year old HTC running Windows Mobile 6 (the last version before they moved over to "100%-fondle mode", which I can't stand - I don't know where these fingers have been, I'm not going to smear them all over my phone!). I don't own any Samsung products so I can't really rate them objectively but I hope my anecdote has helped to put things into perspective about this so-called HUGE thing!

    I think the worst thing here is that any website can embed one line of code with an iframe that triggers this code to be dialed. Or that it can be passed over NFC, embedded into a QR code (which directs to a site with it).

    So you can be browsing along and bam, there goes your phone.

      No app has access to the phone's main dialer for USSD codes, it's not possible. I tried to make an NFC chip or website show you your IMEI.

    It is an interesting issue. Yeah, you can't accidentally do it, as you have to type in the code to do it, confirmation or no confirmation, but it's interesting you don't hear too many troubling stories with Samsung. It's always Apple that has problems and in a way I think that kinda drives people to Samsung or other brands because they think they have no problems, when in fact they have just as many problems. Everyone jumps on the Apple hate wagon, as it's so easy to call someone an Apple fanboy or girl or sheep, but don't you dare call someone a Fandroid or say they've got a major problem with their Galaxy S3.

      To think that only 10 years ago being tech-savvy was something to be ashamed of.

    So no reports that this has happened to anyone? Or would Samsung users not admit to it if it did happen?

    It's the auto-execution of this dialer code from a web script that Samsung patched - not the lack of a confirmation after manually entering the code.

    What is the difference between typing that number and using the 'factory reset' setting from your menu?

    This should be obvious to many: As far as development cycles go, 4.1.1 is not necessarily newer than 4.0.4.

    The fix probably hasn't made it into the 4.1 branch yet.

      @Greg you sir seem to be one of the few developers on here. Thank you.


    Install Telstop:

    https://play.google.com/store/apps/details?id=org.mulliner.telstop

    Problem solved.

    Hi there,

    Just wanted to let you know that we (Bitdefender) already released a tool on the Play Store that protects against this vulnerability. Now, once you tap on an exploiting link, Bitdefender will intercept the wipe command and ask you to decide what to do next. You may, if unsure, dismiss the USSD command.

    You can download it from: http://bit.ly/BD_USSD_Wipe_Stopper

    /Alin Vlad
    Global Social Media Coordinator at Bitdefender
