Samsung slaps swift patch over phone-wiping Galaxy S III vuln

Samsung has whipped out a fix for an embarrassing flaw in its smartphones that allows miscreants to wipe victims' phones with a simple web link. The South Korean electronics giant is pushing out the patch right now. The Galaxy S III has a firmware update available that closes the security hole, and it can be picked up from an …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    hrm

    I didn't notice an OTA popping on my stock carrier-free S3, yet it seems not to be vulnerable.. some sort of ninja patch?

  2. Captain Hogwash Silver badge

    Not a (just) Touchwiz problem

    I have a Galaxy S i9000 running Cyanogenmod 7.2 and it's definitely vulnerable to this.

    1. Anonymous Coward

      Re: Not a (just) Touchwiz problem

      Interesting... Best I check my CM7.2 running HTC then! (eeek).

      1. aj87

        Re: Not a (just) Touchwiz problem

        I've tested a HTC One X, an S2, and a Sony Xperia.

        The exploit for running the IMEI code *#06# works on all of them, currently only the Samsung is in danger as none of the others have Factory Reset USSD codes. hopefully.

        1. Badvok

          Re: Not a (just) Touchwiz problem

          "none of the others have Factory Reset USSD codes. hopefully."

          You can hope, but in all likelihood this facility exists in all handsets.

          Don't know why the reporters keep saying it is down to TouchWiz when the basic vuln has been shown to work on other phones. The only thing missing for other phones is the reset USSD code, security through obscurity is not security.

          1. Anonymous Coward

            Re: Not a (just) Touchwiz problem

            Because it is TouchWiz, and possibly Sense that is doing this. Stock behaviour is to show the number before calling it. Which is exactly what is documented in the developer API for the DIAL intent which the browser and other applications use to dial a number.

            Why Samsung, HTC and possibly CyanogenMod have decided to go against what is documented and call the number without user confirmation is beyond me. Especially when there is a separate intent for that which *requires* a permission which will warn the user that the application can cost them money.

            1. Anonymous Coward

              @AC 15:23 Re: Not a (just) Touchwiz problem

              They are not dialling the number, they don't need to dial the number to run these codes, that is why they are vulnerable. If you type this number into your handset it will display the IMEI without pressing Dial.

              Even some old Nokias and other dumbphones would do it.

          2. Soruk

            Re: Not a (just) Touchwiz problem

            >Don't know why the reporters keep saying it is down to TouchWiz when the basic vuln has been shown to work on other phones

            It's TouchWiz that shortcuts special USSD codes into other phone functions like Factory Reset.

            1. aj87

              Re: Not a (just) Touchwiz problem

              It's not just TouchWiz that shortcuts the codes; HTC and Sony phones do too. Many people have come to the conclusion it must be an Android problem.

          3. aj87
            Thumb Up

            Re: Not a (just) Touchwiz problem

            Indeed. What people aren't grasping is that Samsung, HTC, Sony and Motorola didn't all make the same screw-up; stock Android must have done this.

        2. Richard 45
          Facepalm

          Re: Not a (just) Touchwiz problem

          The exploit for running the IMEI code *#06#

          Ditto for HTC Desire HD. Reading the XDA Dev Forum thread, it's widespread. Samsung GS2 as well.

        3. Jamie Kitson

          Re: Not a (just) Touchwiz problem

          Also other phones may need you to click call, as my Xperia Arc S on the *#06# example did.

          1. Anonymous Coward

            Re: Not a (just) Touchwiz problem

            "Also other phones may need you to click call, as my Xperia Arc S on the *#06# example did."

            This is the stock behaviour that everyone is confusing. The problem with HTC/Samsung etc. is two-fold:

            1. Their dialler application is auto-calling the supplied number instead of waiting for user confirmation

            2. They have added magic USSD codes that can factory reset the device

            Neither of these problems exists on stock Android because:

            1. The dialler will want user confirmation when an application supplies a number to dial (not if you enter it yourself in the case of *#06#)

            2. Stock Android doesn't have magic USSD codes to factory reset the device or its PIN numbers

            1. Steve Evans

              Re: Not a (just) Touchwiz problem

              It's not just an HTC/Samsung add-on issue. I just tested on CyanogenMod 7.2, and it brought up my IMEI without me having to press dial.

              I'm on the verge of going back to 7.1 anyway (7.2 seems to eat all the memory and bring the phone to a grinding halt within an hour or two of being turned on). This might be just the push I need to revert to my previously saved CM7.1 nandroid image.

    2. Stu

      Re: Not a (just) Touchwiz problem

      So you're also at the mercy of the CyanogenMod Developers et al, hope they didn't plant a back door, or contacts / web / email snatching malware or anything like that in CyanogenMod!

      I know so many ppl use it, but I wouldn't be so trusting of 3rd party Android images at all.

      I've actually been stung before with an XDA Developers provided image for an old Windows Mobile 6 phone. The phone kept chucking up really weird errors suggesting attempts at dialing numbers! With Android apparently this can be done 'more' silently nowadays, so no, wouldn't touch 3rd party firmware with a barge pole.

  3. dotdavid
    FAIL

    Er, actually Samsung's patch was a while ago - hence why people aren't getting OTA notifications now.

    1. djack

      That seems to be so.

      I have a S3 from Three and have not received an update for a couple of weeks. The IMEI test did not work for me.

  4. Anonymous Coward

    What path?

    If they were doing OTA, it would be on www.sammobile.com/firmware/ - it isn't.

    It was already patched a while back. Though some carriers haven't pushed the patch, go figure.

    Not sure where the source is for this news article.

  5. Anonymous Coward

    1 day response is unheard of.

    Microsoft 0 day exploits at best take 14 days, Apple take months.

    Congrats to Samsung for jumping on this so promptly. It might also stop the Apple brainwashed idiots that claim that Android doesn't get updated in a timely manner. But I somehow doubt it...

    1. Anonymous Coward

      Re: 1 day response is unheard of.

      Samsung have known about this problem for some time (months?) - they didn't just produce this fix over night.

    2. RainForestGuppy

      Re: 1 day response is unheard of.

      Apple don't have security flaws in their products. What you think is a vulnerability is actually a feature, which will be disabled at the next feature enhancement release.

  6. My Alter Ego
    Stop

    Stop skinning Android

    Just a suggestion, stop putting these shitty skins on Android phones. It's why I only buy the Nexus range - so I don't get all these stupid skins and un-removable apps.

    I've seen HTC Sense regularly crash on a colleague's Desire HD; it's never happened to me on stock firmware.

    1. ukgnome
      Headmaster

      Re: Stop skinning Android

      the apps aren't unmoveable as such, as they sit in the system partition, All you need is root and they can be removed.

    2. HMB

      Re: Stop skinning Android

      I agree 100%, this is exactly why I do the same and just go for Nexus Devices.

      I've never looked at a skin and found it more attractive than Android in the post ICS world.

      @ukgnome - I don't think the average user wants to root their phone and as a technical user, I don't fancy running unsigned software not tested by the manufacturer. I have tried Cyanogenmod, but after running into problems with an issue patched in the Galaxy Nexus' official firmware, I switched back to the official stuff.

      1. Anonymous Coward

        Re: Stop skinning Android

        It's funny how Android is seen as open source yet OEMs then go and throw this closed source crap over the top of it.

        Why don't they all contribute to Android and make it better for everyone?

        Can you imagine the state Linux would be in if it wasn't developed by Microsoft, IBM, Oracle and others? they all contribute to Linux.

  7. Timmay
    FAIL

    Facts are all wrong in this story - Samsung fixed this vulnerability ages ago, and in fact most people walking around now with one of these in their pockets are almost certainly already running insusceptible firmware.

    So no, Samsung hasn't just "has whipped out a fix" in response to this. Most incorrect article I've seen on El Reg for years...

    1. Anonymous Coward

      They may well have patched it for the S3, but not other devices. My stock Samsung operator-crapware-free S2 running 4.0.4 suffers from this feature (based on the test using a non-reset code).

  8. Z3d
    Happy

    OK here

    S3 with Orange branded firmware 4.0.4 BVLG1

    interesting that the builtin browser brought up the dialer without the IMEI but Opera suppressed the frame and I had to then manually click on the link to bring the dialer up

  9. MattLoren
    Facepalm

    My galaxy just broke

    After falling from 2ft up. I had spent the previous two weeks fixing all of the problems Samsung had created with their awful overlay, such as their awful keyboard, terrible animations and godawful software. I can confidently state that Samsung have the worst overlay I've ever used and I actually miss HTC's Sense.

    1. Anonymous Coward

      Re: My galaxy just broke

      That's why you buy a case for a mobile phone.

    2. Anonymous Coward

      Re: fixing all of the problems

      If you're having phone problems

      I feel bad for you son

      I got 99 problems but the S3 ain't one

      // so sorry

  10. Wam

    Got Mine Through

    I got an update today - just an unsolicited pop-up message saying do I want to download Samsung Update. Took a few seconds. I'd already tested my S3 yesterday and it seemed ok then TBH

  11. Anonymous Coward

    HTC also shows IMEI

    Just tried the test on my HTC Wildfire and found that, without any other user interaction, it dialled the IMEI number and showed me the results.

    Now I don't know what range of "special" number the HTC phone will respond to, but given its donkey gonad-sucking behaviour elsewhere I am willing to bet it is vulnerable to something

    Did nobody learn the lessons of MS Outlook's "let's run whatever is attached" lesson in stupidity? I mean, how hard would it have been to make sure you are always prompted to dial a number?

  12. Anonymous Coward

    Lots of problems with info in those links

    1) These aren't USSD codes. Displaying your IMEI number has nothing to do with USSD.

    2) Link says this only affects Touchwiz dialers, and only Samsung phones. This is not true, tested on HTC One X, stock dialer, same issue.

    3) Someone said HTC aren't affected because there is no HTC factory reset code. Yes there is. Use Google.

  13. Anonymous Coward
    Thumb Up

    Great bug

    This bug reminds me of the good old days of sending +++ath0 to people on modems.

    Works even better too.

  14. Not_The_Droids
    Mushroom

    Count me in...

    My Sprint Galaxy S2 running ICS popped up with the IMEI number. So I s'pose I ought to surf carefully... though the Sprint network is so slow, surfing is nearly worthless anyway...

  15. Silas

    Weirdly, this seems patched on my Vodafone S3

    I say weirdly, as the firmware they're punting is about six iterations behind Samsung's latest. And because it identifies itself as being from Vodafone, I can't download any other version using the official methods.

    I'm more concerned by my phone being singularly unable to see 2.4Ghz wi-fi connections meaning that if I'm in a building that doesn't get 3G reception but doesn't have a 5Ghz wi-fi, I have a phone that can't really be described as "smart" as its only use is for taking phone calls. This is due to the firmware I'm being forced to use by Vodafone no longer giving me the option to turn 2.4Ghz back on, and me being stupid enough to have set mine up to use the 5Ghz channel I have in my house when I still had the wi-fi option available to me.

    1. Fryerman

      Re: Weirdly, this seems patched on my Vodafone S3

      Make sure you have NFC switched on. If it is disabled this test seems to show everything is ok.

  16. JaitcH
    Thumb Up

    Faster than a speeding bullet, more powerful than a locomotive ...

    How many companies respond that quickly with a patch? Well done, Samsung!

    The other alternative is the Ostrich technique where a company denies it has a problem, such as with Antennagate. Less effective, but cheaper.

  17. Steve 16
    Alert

    Short term solution

    Apparently, as a short-term fix, you can install a third party dialler from Google Play, such as Dialer One.

    If a dial string is detected on a web page, you will be asked to select which dialler app you wish to use, allowing you to intercept the rogue command.

    Haven't tested this myself, but worth a try..

    1. bailey86

      Re: Short term solution

      I can confirm it works.

      Orange branded HTC Desire - the androidcentral test was bringing up the IMEI number before - I've installed Dialer One and it now asks which dialler should be used.

      1. bailey86

        Re: Short term solution

        And as a further tweak - you can set the default for when you hit the main 'Phone' button - and this won't affect the fact that the web page with the 'tel' link will still ask for which dialler to use.
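
A page-side check for the behaviour discussed in this thread, as an added example that is not part of any post above: it scans HTML for `tel:` URIs, separates those that load without a tap (frames, meta refresh) from ordinary links, and flags dial strings containing `*` or `#`. The names `classify_tel`, `TelScanner` and `scan`, the `*`/`#` heuristic, and the sample page with its phone number are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes the browser loads by itself versus ones that need a tap.
AUTO_ATTRS = {("iframe", "src"), ("frame", "src"), ("embed", "src"), ("object", "data")}
CLICK_ATTRS = {("a", "href"), ("area", "href")}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)

def classify_tel(uri):
    """None for non-tel URIs; 'code' if the decoded dial string holds
    * or # (handset-code style, an assumed heuristic); else 'number'."""
    uri = uri.strip()
    if not uri.lower().startswith("tel:"):
        return None
    dial = unquote(uri[4:])  # percent-decoding: %23 -> '#', %2A -> '*'
    return "code" if ("*" in dial or "#" in dial) else "number"

class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (trigger, kind, raw_uri)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(attrs.get("content") or "")
            if m:
                self._record("auto", m.group(1))
        for name, value in attrs.items():
            if (tag, name) in AUTO_ATTRS:
                self._record("auto", value or "")
            elif (tag, name) in CLICK_ATTRS:
                self._record("click", value or "")

    def _record(self, trigger, uri):
        kind = classify_tel(uri)
        if kind:
            self.findings.append((trigger, kind, uri.strip()))

def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; *#06# is the IMEI display code used as the test above.
SAMPLE = """<a href="tel:+441632960000">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<meta http-equiv="refresh" content="0; url=tel:*%2306%23">
<a href="/contact">Contact</a>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An `auto` finding of kind `code` is the combination worth blocking or alerting on; a `click` finding of kind `number` is an ordinary call link.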

  18. bailey86

    hmmm...

    I wonder if Orange will release a fix for my two year old HTC Desire? Probably not.

    This is one of the reasons I'm switching to a sim-only deal and can then have any phone I want.
