back to article A single web link will WIPE Samsung Android smartphones

An enterprising hacker has demonstrated how a simple web page can reset various Samsung phones back to the state they left the factory - enabling a click, bump or text to take out a victim's mobe entirely. The devastating flaw lies in Samsung's dialling software, triggered by the tel protocol in a URL. It isn't applicable to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Magic

    Just did to a very deserving git at work. Ha ha ha he's mad now!

    Thanks el Reg.

    1. James O'Brien
      Unhappy

      Re: Magic

      Heh....wish I could do this to someone where I work but seeing as I'm on HTC and everyone here is jesusPhone or dumb phone useers I'm out of luck.

      1. hplasm
        Devil

        Re: Magic

        It MUST work on iPhones- Samsungs are a direct copy, aren't they?

        1. Reading Your E-mail
          Facepalm

          Re: Magic

          Looks like it's not just Samsungs, reports on XDA include HTC sets too. Only Jelly Bean can save us as this problem is on ICS and Gingerbread. The Apple congregation are going to lap this up :)

  2. Anonymous Coward
    Anonymous Coward

    Not funny enough. Embed it onto every reg page please ;)

  3. Anonymous Coward
    Anonymous Coward

    This is why your open source phone should be fully open source, not have some proprietary OEM layer over the top of it.

  4. Interested Party

    Tried it (using a safe code instead of the wipe code) and it just opens the dailer with no number entered. That's on an SGS3, Android 4.0.4, using Chrome.

    1. David Webb

      Chrome isn't affected as it doesn't handle the tel.

    2. Anonymous Coward
      Anonymous Coward

      I've tried and it also doesn't give any problem on the stock browser, it was patched on the S3 some time ago. Seems to affect the S2, though.

    3. Displacement Activity

      It's hard to see who *is* affected. No problem on my stock Nexus, nearly a year old.

      @ElReg:

      and it seems that some operators have tweaked their handsets to prevent that - although probably not deliberately, it's just a side effect of other changes.

      No tweaking here - stock ICS 4.1.1, no operator.

      It's not a browser issue, despite what others are saying in the comments here - it's the dialler, possibly in conjunction with TouchWiz. Unaffected diallers just display the USSD, and don't execute it anyway if you connect.

      1. Anonymous Coward
        Anonymous Coward

        Well

        It isn't hard to see who is affected, it's very easy, you just test on various phones.

        This link on my HTC One X displays my IMEI number, with no input from me

        http://ninpo.qap.la/test/index.html

        HTML code is simply;

        <!DOCTYPE html>

        <html>

        <frameset>

        <frame src="tel:*%2306%23">

        </frameset>

        </html>

        If that was the factory wipe code for a One X (yes, one exists), my phone reboots and wipes itself.

        Stock dialer that ships with the One X, stock browser that ships with the One X.

        It has nothing to do with Touch Wiz, which isn't on this phone.

  5. Octoberon

    Catch me if you can

    IPhone users have to resort to remotely aggravating Samsung Android users. They sure as hell can't find out where we live any more.

    1. BarryUK

      Re: Catch me if you can

      I'm sure iPhone users would love to reset our S3s with the NFC method except, oh no, no NFC.

      1. sabroni Silver badge
        Facepalm

        Re: Catch me if you can

        Yeah Great! My phone can be remotely wiped by a link as well! Still at least it's not an low spec iPhone! Ha Ha iPhone users, even if your phone was wiped by a link you'd still have all your contacts in that stupid iCloud thing! Losers!

        Android 4 life!

  6. Nate Amsden

    *#06# didn't work on my GSM phone

    just tried *#06# on my GSM HP Pre3, did nothing without hitting the dial button. I guess there's some value in using a platform nobody else uses!

  7. Anonymous Coward
    Anonymous Coward

    "fandroid"

    As a journalist, the use of pejorative terms to refer to users of specific devices implies a bias.

    1. flying_walrus

      Re: "fandroid"

      ...unless the journalist uses perjoratives to describe everyone

      1. Anonymous Coward
        Mushroom

        Re: "fandroid"

        Yes, el Reg hates all of us equally!

        Long may it continue....

  8. Anonymous Coward
    Anonymous Coward

    Not Android.

    Doesn't affect non-TouchWiz Samsung devices (ie. Pure Android, like the Galaxy Nexus), so it's purely down to Samsungs launcher and hooks they install with TouchWiz.

    1. OldBiddie

      Re: Not Android.

      Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not Android.

        "Not the case - it affects my original HTC Desire and that's running VillainROM, not a Samsung and no TouchWiz in sight."

        By "affects", you mean it opens the dialler with the number/tries to call it and fails (as it should) - because your phone is not affected - it's not setup to see those numbers and go "ooh, that means wipe everything". If you lost all your data, then I'll believe you.

        I imagine Samsung have put this in to make support easier (resetting pins/devices) but it's still a pretty stupid move.

        1. Badvok

          Re: Not Android.

          @AC 19:28

          "- it's not setup to see those numbers and go "ooh, that means wipe everything" "

          I suspect that there are equivalent codes for most other phones, they'll be different codes but the same mechanism would work for activating them.

          1. Anonymous Coward
            Anonymous Coward

            Re: Not Android.

            There are equivalent codes for HTC phones. Try Google.

  9. Anonymous Coward
    Anonymous Coward

    I have an LG Optimus on Republic Wireless in the US and I just tested the non-destructive samples using Opera and the default Browser. The default browser displayed the IMEA as soon as the page loaded. This is not jsut a Samsung problem.

  10. Anonymous Coward
    Anonymous Coward

    Killer feature

    Fandroids were right about NFC being the Galaxy S III killer feature

    "but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a web page or snapping a bad QR code, or even bonking up against the wrong wireless NFC tag."

    1. HMB

      Re: Killer feature

      Latest update for it fixes the issue. So unless the reporting is old it sounds like it's been fixed before it's got into the wild.

      1. An(other) Droid

        Re: Killer feature

        @HMB: Which fix, please?

        1. HMB

          Re: Killer feature

          Good question, I'm not entirely sure. XDA reports that 4.0.4 is ok, but then you could have multiple updates on that one version number. Only way to be sure would be to run the safe tests on your phone.

          http://forum.xda-developers.com/showthread.php?p=31994542

          "UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom."

          "Lennyuk" - "All current S3 firmware should be patched, samsung were informed of this issue some months ago and actively fixed it."

          I could do more, but if you're interested, go read the thread! :P

          1. Anonymous Coward
            Anonymous Coward

            Re: Killer feature

            In other words, you've not tried this on a Samsung phone. Come back when you know what you're talking about.

            1. Anonymous Coward
              Anonymous Coward

              Re: Killer feature

              Update fixes it! Great! I'll just hold my breath while I wait for that....

      2. Armando 123
        Coat

        Re: Killer feature

        But will the owners be allowed to upgrade the fix? We are talking Android, afterall.

        Mine's the one with the rotary phone hooked to the Hayes modem in the pocket

  11. Ben Tasker

    Simple workaround

    At least until a proper fix comes out (as the workaround is annoying) is install a different dialer, but don't set the default (hell install Skype it'll have the same effect). System will then ask which one you want to use, giving you opportunity to go "ooo shit" before wiping.

    Someone did mention removing system/app/keystringxxx.apk files but they didn't exist when I ssh'd into my SG2 so couldn't try that.

    Bit of a major fuck up eh?

  12. cyberdemon Silver badge
    Coat

    Ouch.

    I feel sorry for Samsung, but seriously, WTF.

    TBH, this almost sounds like one of those deliberate backdoors requested by spooks/spies.

    I wonder how many more phones have them lurking as-yet undetected.

    Mine's the one with the N900 in the pocket.

    1. Khaptain Silver badge

      Re: Ouch.

      Most of the codes have already been published on XDA but this is the first time that I have of them being integrated into a URL.

      Must admit that it would piss me off. I suppose its an advantage that at least we know that it can be done.

  13. HMB

    Vanilla Android FTW

    My vanilla android Jelly Bean Galaxy Nexus isn't affected. I tried the reset code first because I was cocky.

    Phew!... lol.

  14. Anonymous Coward
    Anonymous Coward

    Wahoo, my first Facebook post has been decided!

  15. Anonymous Coward
    Anonymous Coward

    To make things worse, if you have FoxToPhone installed, it automatically forwards tel: links to your phone meaning your desktop Firefox could kill your phone.

    If this fits you, you may want to change Chrome to Phone's settings on your device to manually open links.

  16. J. Cook Silver badge
    Boffin

    Apparently, it's a bug in the stock Android dialer...

    One of the original reporting folks posted an update:

    http://dylanreeve.posterous.com/remote-ussd-attack-its-not-just-samsung

    He also states a good work around if you can't get a patched dialer is to install a different one to force the phone to prompt with an action. :)

  17. Goat Jam
    FAIL

    "the attacker gains nothing from destroying all the data on a phone"

    What? Other than the lulz you mean.

  18. JimPMM

    Confirmed not just Samsung

    Just tried the URL from a previous post on my HTC Desire HD bog-standard and yes, it shows the IMEI immediately on opening the page.

  19. Anonymous Coward
    Anonymous Coward

    Not USSD

    USSD is a protocol for communicating between the handset and the network. It's used for things like finding out your prepay balance, or what your phone number is - the SIM doesn't know the phone number. An example would be *#100# <dial> on Vodafone, which will give your phone number.

    What you're describing is not USSD - it's executed locally by the handset. Granted, it looks similar, but it's not the same thing at all.

This topic is closed for new posts.

Other stories you might like