hrm
I didn't notice an OTA popping on my stock carrier-free S3, yet it seems not to be vulnerable.. some sort of ninja patch?
Samsung has whipped out a fix for an embarrassing flaw in its smartphones that allows miscreants to wipe victims' phones with a simple web link. The South Korean electronics giant is pushing out the patch right now. The Galaxy S III has a firmware update available that closes the security hole, and it can be picked up from an …
"none of the others have Factory Reset USSD codes. hopefully."
You can hope, but in all likelihood this facility exists in all handsets.
Don't know why the reporters keep saying it is down to TouchWiz when the basic vuln has been shown to work on other phones. The only thing missing for other phones is the reset USSD code; security through obscurity is not security.
Because it is TouchWiz, and possibly Sense that is doing this. Stock behaviour is to show the number before calling it. Which is exactly what is documented in the developer API for the DIAL intent which the browser and other applications use to dial a number.
Why Samsung, HTC and possibly CyanogenMod have decided to go against what is documented and call the number without user confirmation is beyond me. Especially when there is a separate intent for that which *requires* a permission which will warn the user that the application can cost them money.
They are not dialling the number, they don't need to dial the number to run these codes, that is why they are vulnerable. If you type this number into your handset it will display the IMEI without pressing Dial.
Even some old Nokias and other dumbphones would do it.
"Also other phones may need you to click call, as my Xperia Arc S on the *#06# example did."
This is the stock behaviour that everyone is confusing. The problems with HTC/Samsung etc. are two-fold:
1. Their dialler application is auto-calling the supplied number instead of waiting for user confirmation
2. They have added magic USSD codes that can factory reset the device
Neither of these problems exist on stock Android because:
1. The dialler will want user confirmation when an application supplies a number to dial (not if you enter it yourself in the case of *#06#)
2. Stock Android doesn't have magic USSD codes to factory reset the device or its PIN numbers
It's not just an HTC/Samsung add-on issue. I just tested on CyanogenMod 7.2, and it brought up my IMEI without me having to press dial.
I'm on the verge of going back to 7.1 anyway (7.2 seems to eat all the memory and bring the phone to a grinding halt within an hour or two of being turned on). This might be just the push I need to revert to my previously saved CM7.1 nandroid image.
So you're also at the mercy of the CyanogenMod Developers et al, hope they didn't plant a back door, or contacts / web / email snatching malware or anything like that in CyanogenMod!
I know so many ppl use it, but I wouldn't be so trusting of 3rd party Android images at all.
I've actually been stung before with an XDA Developers provided image for an old Windows Mobile 6 phone. The phone kept chucking up really weird errors suggesting attempts at dialing numbers! With Android apparently this can be done 'more' silently nowadays, so no, wouldn't touch 3rd party firmware with a barge pole.
Just a suggestion, stop putting these shitty skins on Android phones. It's why I only buy the Nexus range - so I don't get all these stupid skins and un-removable apps.
I've seen HTC Sense regularly crash on a colleague's Desire HD; it's never happened to me on stock firmware.
I agree 100%, this is exactly why I do the same and just go for Nexus Devices.
I've never looked at a skin and found it more attractive than Android in the post ICS world.
@ukgnome - I don't think the average user wants to root their phone and as a technical user, I don't fancy running unsigned software not tested by the manufacturer. I have tried Cyanogenmod, but after running into problems with an issue patched in the Galaxy Nexus' official firmware, I switched back to the official stuff.
It's funny how Android is seen as open source yet OEMs then go and throw this closed source crap over the top of it.
Why don't they all contribute to Android and make it better for everyone?
Can you imagine the state Linux would be in if it wasn't developed by Microsoft, IBM, Oracle and others? They all contribute to Linux.
Facts are all wrong in this story - Samsung fixed this vulnerability ages ago, and in fact most people walking around now with one of these in their pockets are almost certainly already running insusceptible firmware.
So no, Samsung hasn't just "has whipped out a fix" in response to this. Most incorrect article I've seen on El Reg for years...
After falling from 2ft up. I had spent the previous two weeks fixing all of the problems Samsung had created with their awful overlay, such as their awful keyboard, terrible animations and godawful software. I can confidently state that Samsung have the worst overlay I've ever used and I actually miss HTC's Sense.
Just tried the test on my HTC Wildfire and found that, without any other user interaction, it dialled the IMEI number and showed me the results.
Now I don't know what range of "special" number the HTC phone will respond to, but given its donkey gonad-sucking behaviour elsewhere I am willing to bet it is vulnerable to something.
Did nobody learn the lessons of MS Outlook's "let's run whatever is attached" lesson in stupidity? I mean, how hard would it have been to make sure you are always prompted to dial a number?
1) These aren't USSD codes. Displaying your IMEI number has nothing to do with USSD.
2) Link says this only affects Touchwiz dialers, and only Samsung phones. This is not true, tested on HTC One X, stock dialer, same issue.
3) Someone said HTC aren't affected because there is no HTC factory reset code. Yes there is. Use Google.
I say weirdly, as the firmware they're punting is about six iterations behind Samsung's latest. And because it identifies itself as being from Vodafone, I can't download any other version using the official methods.
I'm more concerned by my phone being singularly unable to see 2.4GHz wi-fi connections, meaning that if I'm in a building that doesn't get 3G reception but doesn't have a 5GHz wi-fi, I have a phone that can't really be described as "smart" as its only use is for taking phone calls. This is due to the firmware I'm being forced to use by Vodafone no longer giving me the option to turn 2.4GHz back on, and me being stupid enough to have set mine up to use the 5GHz channel I have in my house when I still had the wi-fi option available to me.
Apparently, as a short-term fix, you can install a third party dialler from Google Play, such as Dialer One.
If a dial string is detected on a web page, you will be asked to select which dialler app you wish to use, allowing you to intercept the rogue command.
Haven't tested this myself, but worth a try..
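
An added example, not part of the original thread or written by any commenter: a small Python scanner that a proxy, mail filter or test harness could use to find `tel:` URIs in a page and flag any whose dial string decodes to a handset code (contains `*` or `#`) rather than a plain number. The function and class names and the sample HTML are constructed for illustration; `*#06#` is the IMEI display code quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A tel: URI anywhere inside an attribute value ("hotel:" must not match).
TEL_RE = re.compile(r"(?<![a-z0-9+.\-])tel:([^\s\"'<>]*)", re.IGNORECASE)


def classify_dial_string(raw):
    """Decode the part after 'tel:' and decide whether it is a plain number
    or a handset code (contains * or #), which a web page has no reason to send."""
    dial = unquote(raw)                      # %2A -> '*', %23 -> '#'
    kind = "code" if ("*" in dial or "#" in dial) else "number"
    return dial, kind


class TelLinkScanner(HTMLParser):
    """Collects (tag, attribute, dial string, kind) for every tel: URI found."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already resolved entities such as &#35; in values.
        for name, value in attrs:
            for match in TEL_RE.finditer(value or ""):
                dial, kind = classify_dial_string(match.group(1))
                self.findings.append((tag, name, dial, kind))


def scan_html(html):
    scanner = TelLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for the demonstration.
SAMPLE = """
<a href="tel:+441632960123">Call the office</a>
<a href="tel:*%2306%23">Special offer</a>
<a href="TEL:*&#35;06&#35;">Entity-encoded variant</a>
<a href="https://example.com/hotel:rooms">Not a dial string</a>
"""

if __name__ == "__main__":
    for tag, attr, dial, kind in scan_html(SAMPLE):
        flag = "BLOCK" if kind == "code" else "ok"
        print(f"{flag:5} <{tag} {attr}> {dial}")
```

Decoding before classifying matters: both the percent-encoded and the entity-encoded links resolve to the same `*#06#` string, so a filter that only looks for a literal `#` in the raw markup would miss them.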