Forgot your password?
typodupeerror
Security Bug Cellphones Handhelds Technology

Samsung Smartphones Vulnerable To Remote Wipe Hack 151

Posted by timothy
from the big-oops-there dept.
DavidGilbert99 writes "Security researchers have discovered a single line of code embedded in websites which could wipe all data from your Samsung Galaxy S3 and other smartphones. Samsung smartphones including the Galaxy S3, Galaxy S2, Galaxy Ace, Galaxy Beam and Galaxy S Advance all appear to be affected by the bug which triggers a factory reset on your phone if your web browser is pointed to a particular website. Smartphones can also be directed to the code through NFC or using a QR code. Once the process has been initiated, users are have no way of stopping it. The hack was unveiled at the Ekoparty 2012 security conference in Argentina by Ravi Borgaonkar, a security researcher at the Security in Communications department at Technical University Berlin. ... Only Samsung smartphones running the company's proprietary TouchWiz user interface appear to be affected. According to telecoms engineer Pau Oliva, the Samsung Galaxy Nexus is not affected, as it runs on stock Android and doesn't use the TouchWiz skin on top." Hit the link above for a video demonstration.
This discussion has been archived. No new comments can be posted.

Samsung Smartphones Vulnerable To Remote Wipe Hack

Comments Filter:
  • by morcego (260031) on Tuesday September 25, 2012 @12:35PM (#41451105)

    People still use the manufacturer's version of Android ? (Any manufacturer, not only Samsung).

    It is bloated, slow, full of useless crap.

    The first thing I do on any new android phone that lands in my hands is to replace the firmware with something less full of )(@#*)(#$.

    • by DCstewieG (824956)

      Some people might not like voiding their warranty the day they buy their phone.

      • by morcego (260031)

        Some people might not like voiding their warranty the day they buy their phone.

        Which is why we all make a nandroid backup before flashing a new firmware.

        • by Miamicanes (730264) on Tuesday September 25, 2012 @04:08PM (#41454807)

          Some people might not like voiding their warranty the day they buy their phone.

          Which is why we all make a nandroid backup before flashing a new firmware.

          > Some people might not like voiding their warranty the day they buy their phone.

          Manufacturers can lie about warranty-invalidation until they're blue in the face. The Magnuson-Moss Warranty Act ( http://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty_Act [wikipedia.org] ) is a potent weapon that no manufacturer, not even Apple in their most arrogant AT&T-exclusive hissy fit, would dare to push back against because the FTC will smack them down and make a total example out of them.

          Under Magnuson-Moss, a manufacturer can only deny warranty coverage if they can demonstrate that whatever the consumer did was literally the cause of the failure... and historically, the FTC hasn't made their job easy. They basically get one chance to make their case to the FTC, and if the FTC thinks the company is harassing the customer and wasting their time on a silly excuse, it will instantly smack them down and hit them with a huge fine.

          If the manufacturer wanted to use "we had to reflash it via JTAG to stock" as an excuse for denying the claim or imposing a service fee, they'd have to testify that they don't routinely JTAG-reflash to stock as a troubleshooting step anyway.

          If they tried to argue that you somehow triggered a condition via software that caused damage (say, setting a pair of directly-connected GPIO pins to outputs, with one high and one low), they'd still be backed up against the wall and told they were idiots for not putting a resistor between them, or at least going out of their way to make it abundantly clear to end users that custom firmware must never, ever do that specific action. In stark contrast to most consumer non-law, the FTC takes consumer rights seriously, and doesn't take crap from companies who try to wave vague disclaimers around and use them as an excuse and blanket license to run roughshod over consumers. The barrier isn't quite insurmountable, but a company that tried to fight it would have an uphill battle, and quickly discover that its usual dirty tricks weren't going to work this time around.

          Companies doing dirty tricks with warranty coverage is nothing new. The same things phone manufacturers try to do today, American automakers did to our parents and grandparents openly and proudly, with a dash of extra salt to rub into consumer wounds ~30 years ago.

          Magnuson-Moss is a rare gem of consumer-protection law passed by an angry congress fed up with the increasingly-bold abuses of the 3 most powerful companies in America at the time. Apple, Samsung, HTC, and Motorola might be powerful... but they're *nothing* compared to the "Big Three" American automakers circa 1975, and they know it.

          Unfortunately, it's NOT against the law for a company to blatantly lie about its legal responsibilities, so companies can say anything and put all the restrictive text they want to put in their warranty descriptions. You just have to know that when push comes to shove, all you have to do is whisper the magic phrase "Magnuson-Moss" to get your complaint *instantly* escalated to the most senior manager on site and get total white-glove treatment and profuse apologies for the "misunderstanding" (inevitably blamed on the tier-1 support staff, who were just doing what the script told them to do).

    • I disagree that, at least in samsung's case, touchwiz runs like crap.

      I rooted it and replaced it with non-touchwiz ICS after a few months. It was not really that different to me.

      Seems to me that slashdotters and mobile enthusiasts get upset about touchwiz at least on principle, not on any real disadvantages on it. Well... aside from the current vulnerability, so maybe they have a point. Anyway, yes, it comes with Need for speed and some other crap you didn't ask for, and yes some of it can't be
      • by pmontra (738736)
        I also quite like Touchwiz. A friend of mine has a Nexus with ICS and I don't see any gain or loss of functionality and speed. The look and feel is different, but that's a matter of personal tastes. Touchwiz on the SG2 is fast, don't know on older phones. Furthermore what I'm using most are the apps (browser, email, ebook reader, etc) and they are exactly the same whatever Android "skin" one is using.
        This bug is nasty, I installed exDialer as a workaround as explained in the XDA thread about the bug. I hope
    • The second thing I do is install Cyanogenmod. The first thing I do is make sure the device works (sucks having a new cellphone that doesn't work).

    • by Samalie (1016193) on Tuesday September 25, 2012 @01:18PM (#41451755)

      Because this is what the average person does when they buy a driod?

      You have to realize...the greatest strength of Andriod is also its greatest failing. Sure, you CAN load a custom firmware...but outside of the tech circles, who the fuck actually DOES it?

      • by Cinder6 (894572)

        I wish there was a more streamlined process for loading custom firmware on an Android phone. I know this is pretty unrealistic, given the number of models out there, but I can still dream, right? I loaded CM on my niece's Galaxy S, and the amount of work it took surprised me (won't list it all here, as I'm sure most people know the process better than I). Once I had it "primed", loading different firmwares was a snap, but getting it to that point was less than fun, and that's probably what stops most peo

        • by morcego (260031)

          I wish there was a more streamlined process for loading custom firmware on an Android phone. I know this is pretty unrealistic, given the number of models out there, but I can still dream, right?

          Wasn't Ericsson doing something like this ? I remember some talks about them opening a support line and all that to make it easy for people to replace their firmware.

      • by ceoyoyo (59147)

        You mean not everyone likes buying a product and then having to spend time fixing it before they can use it? Say it isn't so!

    • by fearlezz (594718)

      Yes, they do. About 95% of people out there would answer "yes" when internet explorer asks "Are you sure you want to install this virus?". And you expect those people to install custom firmware?

    • by wonkey_monkey (2592601) on Tuesday September 25, 2012 @01:25PM (#41451877) Homepage

      People still use the manufacturer's version of Android ? The first thing I do on any new android phone that lands in my hands is to replace the firmware with something less full of )(@#*)(#$.

      I hate to break it to you, but you are not representative of "people" when it comes to this sort of thing. Most people a) are perfectly happy with everything their phone does when it comes out of the box, b) don't even know they can reflash their phone and c) wouldn't have the first clue how to go about it if they did.

      • by morcego (260031)

        People still use the manufacturer's version of Android ? The first thing I do on any new android phone that lands in my hands is to replace the firmware with something less full of )(@#*)(#$.

        I hate to break it to you, but you are not representative of "people" when it comes to this sort of thing. Most people a) are perfectly happy with everything their phone does when it comes out of the box, b) don't even know they can reflash their phone and c) wouldn't have the first clue how to go about it if they did.

        Then they should be buying an iPhone.

        Seriously. I'm not an apple fan boy or anything but, out-of-the-box, I find the iPhone to be better(*). The reason I own 3 Android phones and not a single iPhone is because, after I tweak it, they become faster, better and exactly how I want them to be.

        * - Of course, I'm disregarding price and different hardware functions, like a qwerty keyboard. Take this as a comparison between the iPhone and an equivalent android device.

      • by bensode (203634)

        I disagree. Watercooler talk at my office I often hear complaints about forced bloat. There are many luddites I work with that go out of their way to root their Android phones without asking the IT department to do it for them and then hold it high and proudly announce that they've done so without bricking. And these are the types of users that have a difficult time docking/undocking a laptop ...

    • by rickb928 (945187)

      If you stick to buying a phone that has an unlocked bootloader, or one that has been cracked, then you are golden. If not, you either wait or never get the option.

      And there are some phones that are never unlocked.

      Good advice that ya just can't always take.

      • by morcego (260031)

        If you stick to buying a phone that has an unlocked bootloader, or one that has been cracked, then you are golden. If not, you either wait or never get the option.

        And there are some phones that are never unlocked.

        Good advice that ya just can't always take.

        That is one of the things I check before buying. Turns out most phone are either unlocked or cracked. But you are correct, not all of them are, and people should be careful.

        • Almost, but not quite. There are plenty of Android phones with bootloaders that are unlocked (officially or otherwise), but are still stuck with old kernels because they depend upon binary loadable kernel modules that are not themselves open-source. Remember, Linux doesn't have a stable ABI, so loadable kernel modules ("drivers", in Windows parlance) are specific to a kernel version.

          This is probably the #1 source of recurring grief at xda-developers.com. Every new version of Android ships with a new kernel

      • I had to reflash my ancient V3i today. I just love the phone, and figured I might as well give it a go since the bootloader was crapped out already, there was little to lose. So I grabbed an image (took some finding), ran the flash update software, and I've gone from Vodafone-locked and branded to completely unlocked and no branding.

        If I'd thought to do that five years ago, I'd've been even happier with it than I already am.

    • by RMingin (985478)

      Good timing, I switched my T-Mo Galaxy S2 over from a customized version of their stock rom to Cyanogenmod this morning, since I have my VoIP/Wifi calling solution tested to my satisfaction. The integrated/zero setup Wifi calling that T-Mobile offers was the one compelling feature of Touchwiz for me.

      I seriously think that T-Mo should investigate moving Wifi calling back out into a standalone APK like it used to be. There are lots of folks like me who like the idea but prefer to have a non-T-Mo handset to us

      • by morcego (260031)

        Good timing, I switched my T-Mo Galaxy S2 over from a customized version of their stock rom to Cyanogenmod this morning, since I have my VoIP/Wifi calling solution tested to my satisfaction. The integrated/zero setup Wifi calling that T-Mobile offers was the one compelling feature of Touchwiz for me.

        I seriously think that T-Mo should investigate moving Wifi calling back out into a standalone APK like it used to be. There are lots of folks like me who like the idea but prefer to have a non-T-Mo handset to use it with, but still on T-Mobile's network, which AFAICT should be the primary product.

        If you are careful, you can migrate most of the native apps to the new firmware. I did it with Motorola's MotoID. Make a backup with Titanium Backup, and restore it after flashing.

    • But at least there is an offer of exclusive free content [imgur.com]! Yay!
    • Root your android! It will never truely be yours until you do! You can never trust it until you're certain it doesn't call home to your provider.

      I have a Samsung Galaxy S2. I'm running a modified ICS spin I downloaded from xda-developers.com with GO Launcher. Touchwiz sucks.

    • "People still use the manufacturer's version of Android ?"

      Of course not. One of the requirements for buying an android phone is proving that you have the ability to put a custom version of the OS on it. Are you even seriously asking that? Whomever modded you up should be brought into the corporate offices at Digg and promptly shot.

    • by Swampash (1131503)

      People still use the manufacturer's version of Android ? (Any manufacturer, not only Samsung)

      The exploit has been tested and shown to wipe a phone running Cyanogen Mod.

      https://dylanreeve.posterous.com/remote-ussd-attack-its-not-just-samsung [posterous.com]

    • People still use the manufacturer's version of Android ? (Any manufacturer, not only Samsung).
      It is bloated, slow, full of useless crap.

      So Android phones as shipped are not fit for purpose? Doesn't surprise me.

    • question is, do you visit the website and let them wipe it for you? Or do you do *everything* the hard way.?
      Seriously, How come nobody has come up with this for IOS. Do you realize how many apple droids spend money having somebody reset their phone?
  • Just initiate a faster local wipe before the remote wipe finishes.

    An strong, nearby EMP should do the trick. If that doesn't work, a nuclear explosion close enough to vaporize the phone will.

    • Or a strong physical shock also fixes the problem. If you notice it happening, you must immediately throw the phone against another surface hard enough to physically disconnect the CPU from memory, preventing the wipe from completing. Make sure you do it hard enough the first time, because the wipe will be completed before you can pick it up and throw it again.

  • by Anonymous Coward

    Until I read the description, I thought they had slavishly copied Apple again [wired.com].

    • by Cormacus (976625)
      Thats what I was thinking. But then I decided it would be impressive enough to risk it... since I was browsing on my desktop machine.
      • by Cinder6 (894572)

        If that's what the link did, it would probably be the most impressive troll I've personally seen.

  • by na1led (1030470) on Tuesday September 25, 2012 @12:44PM (#41451223)
    You're more likely to drop the phone in the toilet then getting hacked. Besides, I'm sure Samsung will release a patch soon, so no need to run to the Apple store!
    • by Mordaximus (566304) on Tuesday September 25, 2012 @01:04PM (#41451527)

      You're more likely to drop the phone in the toilet then getting hacked.

      I doubt you'll get hacked after having dropped it in the toilet, and if you do you have some rather unfortunate luck.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Release the patch soon!? Obviously, you've never tried updating an android phone :D

      • by ThatsMyNick (2004126) on Tuesday September 25, 2012 @01:18PM (#41451749)

        Mod Up! Carriers have no motivation to send ROM upgrades. Even if samsung makes them available, I am pretty sure the carriers would never find it worth the airtime to send you the upgrade.

        • by Anonymous Coward

          Guess what, you're exactly right. [pcmag.com]

          Shankar told Security Watch that he'd disclosed the vulnerability to manufacturers and carriers in June, and a patch for the firmware was quickly released. But to date, only Google and certain European carriers have sent an over-the-air update to device owners. Hardware manufacturers, including Samsung, have applied the update to their phones as well. So if you buy an unlocked Samsung Galaxy S III from a Samsung store today, you're safe.

          "I decided to go public because everyone has the patch now, they've just been sitting on it for months," Shankar said. "It's the duty of carriers to make sure everyone's devices are safe."

          • by Algae_94 (2017070)
            Why did the guy go public with it at all. If everyone has the patch, he's just harming people that can't or didn't update. The vulnerability was identified and patched because of him. No need to go public with it.
      • by dudpixel (1429789)

        Huh? Samsung have already released the patch for most galaxy S3s. It was several weeks ago in my case.

        http://www.androidpolice.com/2012/09/25/video-most-galaxy-s-iii-devices-are-not-vulnerable-to-ussd-wiping-exploit-it-was-already-fixed-in-an-update/ [androidpolice.com]

        The patch came over the air and installed with the touch of an on-screen button.

        Oh so difficult.

        It was a pretty nasty vulnerability, but I'm glad to see it is fixed (for me anyway).

    • You're more likely to drop the phone in the toilet then getting hacked. Besides, I'm sure Samsung will release a patch soon, so no need to run to the Apple store!

      If someone want's to subject themselves to apple's restrictions, I usually encourage them - it will likely be an educational experience. Moreover, they'll probably be on a long and expensive contract that they won't soon forget.

      • by Cinder6 (894572)

        Educational? I would imagine that the typical usage pattern of most Android users is the same as most Apple users. That is to say, they browse the web, check email, watch the occasional video, and download apps from their respective stores. Most people could use either platform interchangeably without issue. It's those folks who like to tweak and customize that are left in the cold on Apple's devices.

        I could be wrong, though. I'm not exactly researching the topic, just going by my personal observations

        • Educational? I would imagine that the typical usage pattern of most Android users is the same as most Apple users. That is to say, they browse the web, check email, watch the occasional video, and download apps from their respective stores. Most people could use either platform interchangeably without issue. It's those folks who like to tweak and customize that are left in the cold on Apple's devices.

          I could be wrong, though. I'm not exactly researching the topic, just going by my personal observations.

          Here's an example. I have a friend who doesn't know anything about computers.. She bought a "now that's what I call music" cd at walmart and wanted me to put it on her iphone 4s. Ripped it to mp3's and... discovered the iphone won't mount as a drive, AND if we were to install itunes on my pc and connect it, apparently it would erase all her other music from her phone. No SD card slot, so that's not an option either. It seems you have to do everything from one pc. There are more examples, but that was

          • by Cinder6 (894572)

            That's a good point. I ran into the same issue when I was helping my mom with putting an audiobook on her iPhone (she had been using a nano, but left it at a hotel). The iPhone had been synced with another computer, so iTunes wanted to erase the phone. There is a solution to the problem, but it's a bit involved. Basically, you have to use a 3rd-party program to transfer the phone's (or iPod's) library to the second iTunes install, and it will let you do it. It's definitely an area Apple ought to look i

          • by berj (754323)

            She has itunes.. she's already copied music from her computer to her phone so she knows how to do that. Why would you not just tell her to rip the CD in itunes:

            insert CD
            select tracks
            click on "Import CD" button
            wait..
            Eject CD

            It's just about as simple a process as it can get. In fact I think all the modern versions of iTunes just ask you if you want to import the CD as soon as you put one in so the above becomes:

            insert CD
            click OK
            wait...
            Eject CD

            After that it's just copying the music to her phone which she alr

      • Wouldn't I be subjected to the same long and expensive contract if I bought an S3, or does Samsung provide free data plans? (You can purchase both the iPhone and the S3 no commitment)

        • Wouldn't I be subjected to the same long and expensive contract if I bought an S3, or does Samsung provide free data plans? (You can purchase both the iPhone and the S3 no commitment)

          Sure, but most people go with the contract and $200 out of pocket (and usually higher corresponding airtime rates for prepaid service if I remember right) rather than laying out $600 bucks up front.
          My point is that although Apple's got a reputation for being extremely easy to use, a good portion of that is not well earned. A lot of it is on account of the severe restrictions they place on paying customers. I've got several non techie friends who switched from android or blackberry to the iPhone 4s and m

  • by Smidge204 (605297) on Tuesday September 25, 2012 @12:50PM (#41451311) Journal

    You'd have thought Samsung would learn their lesson already. Don't they know that Apple patented remote data wipe technology years ago [macworld.com]?

    =Smidge=

  • Link Warning (Score:5, Informative)

    by microcars (708223) on Tuesday September 25, 2012 @12:57PM (#41451395) Homepage
    has dueling auto-play videos that have nothing to do with subject. so turn down yer volume.
    • by gnapster (1401889)
      I immediately opened the video in YouTube and closed the original tab. That is horrible, what they did to us.
    • by Joce640k (829181)

      Flashblock will fix that for you. Videos don't play until you click them.

  • by Lebrun (655496) on Tuesday September 25, 2012 @01:00PM (#41451441)
    Galaxy S2 w/ ICS 4.0.3 here. It doesn't work on my phone.
  • by fluor2 (242824) on Tuesday September 25, 2012 @01:13PM (#41451657)

    Luckily Android can be very customized and thus we can work around this.

    This can be blocked if you use an alternative Dialer App.
    E.g. Exdialer [google.com] (free).

    Read the XDA thread [xda-developers.com] where they investigate.

    "The best solution i see at the moment is to install another dialer - when you navigate to malicious page android will display "choose dialer" dialog before doing anything, and you can cancel the operation by pressing back button. Just don't check "default" checkbox." (Source [xda-developers.com]).

    Of course, a confirmation dialogue should have been shown for *any* USSD codes.

    To be honest, I still find it crazy that anybody can borrow a Samsung-phone and press *2767*3855# on the dialer and it would wipe it. This will probably not be fixed even if Samsung patches the dialer.

    • by Emetophobe (878584) on Tuesday September 25, 2012 @01:47PM (#41452281)

      I mentioned this in another post, but the exploit was already patched a few weeks ago. Source [androidpolice.com].

    • by Asic Eng (193332)
      Dialing *2767*3855# seems slightly more complicated than going through the menus and selecting factory reset, though. So in that sense I think it's not a problem. Apart from that, I recommend NoTelURL - then you can set that as default when the "choose dialer" dialog comes up, and it won't do anything with USSD codes in websites. (It's free, too.)
  • How long until Apple `innovates' this feature? :)
  • by wonkey_monkey (2592601) on Tuesday September 25, 2012 @01:29PM (#41451961) Homepage
    Two autoplaying video streams with audio? Yeah, that was a good idea.
  • //#reset-to-factory_s234!n
  • by Fuzzums (250400)

    The question is what Apple will say about this feature.

  • I am definitely going to back my S2 up now. *shudder*
  • You have no chance to survive make your time?
  • What, if I yank the battery and then put it back and start up, it will resume the process? Granted you'd probably have to be super fast for that to help, but still...

  • by Swampash (1131503) on Tuesday September 25, 2012 @06:54PM (#41457221)

    Exploit works on non-Samsung phones too.

    https://dylanreeve.posterous.com/remote-ussd-attack-its-not-just-samsung [posterous.com]

  • It's hard to watch a video on a page that continually loops a flash add (with sound), and with no way to stop it. For those of you who have trouble paying attention to people talking over each other, here is a link to the video on youtube [youtube.com].
  • take out the battery?

If a listener nods his head when you're explaining your program, wake him up.

Working...