Watch: Samsung Galaxy S III 4G On Android 4.1.1 Still Vulnerable To USSD Reset


We got all excited when the Samsung Galaxy S III 4G was announced for Australia, not just because of the fast speeds, but also because of the fact that it will ship with Android 4.1.1, also known as Jelly Bean. This morning, a vulnerability was discovered in Samsung’s TouchWiz UI that factory resets the phone sans-confirmation. Samsung says it was fixed in the Android 4.0.4 release, so why is it working on this 4.1.1 handset?

Here’s how it works:
A USSD code, or Unstructured Supplementary Service Data code, is used by carriers to trigger commands on your phone. If you’ve ever recharged with prepaid phone credit or gone and found your IMEI number via your phone app, you’ve used USSD.

This particular code isn’t anything out of the ordinary, either. The problem is that when you type it in to trigger a factory reset, the device is meant to stop before it executes the command and ask if you’re sure. That’s what’s missing here — confirmation. That means that anyone can show their friends a “cool trick” or social engineering can be deployed to lure people into resetting their phones.

Samsung says that the issue was fixed in Android 4.0.4 — a maintenance release for Ice Cream Sandwich. This handset that we did it on is running Android 4.1.1 Jelly Bean, so why is it working?

We’ve reached out to Samsung for comment, but until then, don’t on any codes you aren’t sure of.


The Cheapest NBN 50 Plans

It’s the most popular NBN speed in Australia for a reason. Here are the cheapest plans available.

At Gizmodo, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.