Following a demonstration at the Ekoparty security conference in Buenos Aires, Argentina, last Friday, reports have sprung up across the web about a USSD exploit on Samsung smartphones that can wipe a user’s phone with just one tap.
During his Ekoparty talk, ‘Dirty Use of USSD Codes in Cellular Network’, Ravi Borgaonkar, a researcher from the Security in Telecommunications department at Technical University Berlin, showed how a single line of code could be used to restore factory settings and even lock the SIM card of a Samsung smartphone.
USSD codes are special dialled codes that execute a command when input into a phone. Some networks use these to let users check their credit balance, while many users will be familiar with the code *#06# to discover their device’s IMEI number.
Borgaonkar explained that Samsung devices recognise a USSD code that executes the ‘Factory data reset’ command and wipes all data on the phone. In the wrong hands, this USSD code could be included in a line of code triggered by users when clicking a malicious link, unbeknownst to them.
The code could also be executed by a QR code or NFC tag, as demonstrated by Borgaonkar nine minutes into the video below. Here, contact with the NFC tag triggers a link to automatically open in the default browser of a Samsung Galaxy S III smartphone, without asking the user’s permission first. This link then executes the code which brings up the phone’s Dialler application, dialling the USSD code without any input from the user.
The security risks of NFC tags that don’t ask for permission to execute commands have been highlighted at security conferences before. Borgaonkar also points out the risk of using popular QR scanner QR Droid, which is guilty of loading links automatically without first asking permission.
Flaw widespread on Samsung devices
While Borgaonkar’s demo showed this exploit could be executed on Samsung Galaxy S II and S III devices, further investigations into this issue shared by users across the web show that the flaw exists on various models of Samsung devices. It appears the fault lies with Samsung’s TouchWiz user interface (which is used on most of its smartphones including the Galaxy S II, S III, Beam and Ace) and how it handles a ‘tel:’ prefix in hyperlinks to initiate the phone’s dialler.
Reports from Pocket-lint suggest that users running Android Gingerbread or newer are at risk, while investigations by The Next Web indicate that users with Android 4.1 Jelly Bean may be impervious to the automatic execution of the code, and others have suggested that users with a third-party browser as their default may also be safe.
Very helpful TV editor Dylan Reeve found a workaround to the issue by installing an alternative dialler. This prompts the phone first to ask which application to use on clicking the link containing the ‘tel:’ prefix, and using the alternative dialler meant the USSD code was not dialled automatically. To help allay confusion over what devices are affected by the flaw, Reeve also created a website that uses the standard IMEI USSD code. If users see their IMEI code on clicking this link, it’s likely their device is at risk. (As a Samsung Galaxy S II user, I have tried this link myself in the stock Android browser, Opera and Firefox for Android and my IMEI popped up on all three tries.)
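The flaw described above comes down to a ‘tel:’ link being handed to the dialler, and the workaround comes down to putting a prompt in between. The following is an added example, not code from the article, from Samsung or from Dylan Reeve’s site, of the check a browser, QR scanner or NFC reader could apply before auto-opening a ‘tel:’ link: it decodes the URI, strips RFC 3966 parameters, and treats anything containing ‘*’ or ‘#’ as a USSD/MMI string that needs explicit confirmation rather than a plain number that may be dialled. All function names are assumptions, and the sample links (including the page’s *#06# IMEI code) are constructed for the test.

```javascript
// Added example (not from the article): classify a tel: URI before passing it to a dialler.
// A number part containing '*' or '#' is an MMI/USSD string, not an ordinary phone number,
// so an app that auto-opens links should stop and ask the user first for those.
const USSD_CHARS = /[*#]/;

// Returns the decoded number part of a tel: URI, or null if the input is not a tel: URI
// or carries malformed percent-encoding.
function decodeTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(String(uri).trim());
  if (!m) return null;
  let number;
  try {
    // '#' and '*' are commonly percent-encoded inside links ("%23", "%2A"), partly because a
    // raw '#' would start a URL fragment; decode before inspecting.
    number = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // e.g. "%ZZ": URIError from decodeURIComponent
  }
  // Drop RFC 3966 parameters such as ";phone-context=..." so they cannot hide characters.
  const semi = number.indexOf(';');
  if (semi !== -1) number = number.slice(0, semi);
  return number;
}

// 'not-tel' | 'ussd' | 'plain' | 'unknown'
function classifyTelLink(uri) {
  const number = decodeTelUri(uri);
  if (number === null) return 'not-tel';
  if (USSD_CHARS.test(number)) return 'ussd';
  if (/^\+?[0-9().\-\s]+$/.test(number)) return 'plain';
  return 'unknown';
}

// Decision a link-opening component (browser, QR reader, NFC handler) could make:
// 'open' only for ordinary numbers, 'prompt' for USSD/MMI strings, 'block' for anything else.
function autoOpenDecision(uri) {
  switch (classifyTelLink(uri)) {
    case 'plain': return 'open';
    case 'ussd': return 'prompt';
    case 'not-tel': return 'open'; // not a dialler link; leave it to the normal URL handler
    default: return 'block';
  }
}

// Constructed sample links; the IMEI code *#06# is the one the article mentions.
const SAMPLE_LINKS = [
  'tel:+4930123456',          // plain number -> open
  'tel:*%2306%23',            // percent-encoded *#06# -> prompt
  'tel:*#06#',                // raw form -> prompt
  'tel:1234;phone-context=example.com', // parameter stripped -> open
  'tel:%ZZ',                  // malformed -> treated as not a tel: link
];

for (const link of SAMPLE_LINKS) {
  console.log(link, '->', classifyTelLink(link), '/', autoOpenDecision(link));
}
```

The point of the `prompt` branch is the same as the alternative-dialler workaround: the USSD string is still allowed, but never without a user action between the link and the dialler.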
SlashGear reports that this flaw has been patched in certain S III devices for some time, but it’s clear that vulnerabilities remain elsewhere as various contradicting experiments on the XDA Developers forums indicate.
Samsung has not yet officially commented on the matter but is reportedly investigating the issue. It is hoped that a security patch will be released for all devices soon.