Samsung remote reset exploit fixed for the Galaxy S III

Yesterday we reported that the Samsung Galaxy S III, alongside a number of other TouchWiz devices, is vulnerable to an exploit that can remotely factory reset a user's smartphone through a USSD TEL code. This USSD TEL code could be triggered through malicious code in a website or WAP push SMS, wiping your phone without any prompts to intervene.

Today Samsung confirmed that the remote reset exploit has "already been resolved" in the latest software update, suggesting that if you currently have the latest software version you are safe from a malicious wipe. Here's the full statement:

We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.

This statement doesn't mention the other devices affected such as the Galaxy S II, Galaxy Beam or Galaxy Ace, suggesting that the vulnerability is still active in the most up-to-date OS versions on these devices. Samsung Belgium has stated via Twitter that a firmware fix is in the works for the Galaxy S II, although there is no mention of a time frame other than it will be an OTA update. We assume something is in the works for the other affected devices as well.

If you do have an affected device that hasn't been patched yet through a software update, there is an app currently available on the Google Play Store that claims to solve the problem. TelStop adds a second option for the phone whenever a USSD TEL code is used, allowing you to select the application rather than the Phone app by default, meaning you can intervene before it's too late. If you have an unpatched TouchWiz device, it's probably best to install it as a precaution.
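Any layer that wants to step in before the dialer acts first has to tell a service code from an ordinary phone number inside a `tel:` link. The sketch below is an added example, not TelStop's code or anything from the article; it assumes that a `*` or `#` in the decoded dial string marks a USSD/MMI code, and the sample markup is constructed for illustration.

```javascript
// Added example: flag tel: URIs that carry a USSD/MMI code instead of a phone number.
// Assumption: any '*' or '#' in the decoded dial string marks a service code.

// Decode percent-escapes without throwing on malformed input.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    // Malformed escapes: still decode the two characters that matter here.
    return s.replace(/%2a/gi, '*').replace(/%23/gi, '#');
  }
}

// Returns 'not-tel', 'phone-number' or 'ussd-code'.
function classifyTelUri(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return 'not-tel';
  // Drop visual separators, then look for service-code characters.
  const dialed = safeDecode(m[1]).replace(/[\s().-]/g, '');
  return /[*#]/.test(dialed) ? 'ussd-code' : 'phone-number';
}

// Collect every tel: URI in a quoted attribute value that carries a service code.
function findUssdLinks(html) {
  const hits = [];
  const attr = /=\s*(["'])\s*(tel:[^"']*)\1/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    if (classifyTelUri(m[2]) === 'ussd-code') hits.push(m[2]);
  }
  return hits;
}

// Constructed sample page: one ordinary number, two encodings of the
// harmless IMEI-display code *#06# mentioned in the comments, one web link.
const SAMPLE_HTML = `
<a href="tel:+44 20 7946 0000">Call us</a>
<a href="tel:*%2306%23">Check</a>
<a href="TEL:%2A%2306%23">Check</a>
<a href="https://example.com/">Home</a>
`;

console.log(findUssdLinks(SAMPLE_HTML));
```

A content filter or link scanner could treat every `ussd-code` result as something that needs explicit user confirmation before it reaches the dialer.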

Source: Android Central | TelStop

28 Comments

lol i just tried it on my htc legend with cm 7.2 and boom up comes my imei, so the title is a bit misleading seeing it affects more than just samsung phones?

DKAngel said,
lol i just tried it on my htc legend with cm 7.2 and boom up comes my imei, so the title is a bit misleading seeing it affects more than just samsung phones?

Well the problem is the code that it's used, triggers a full Wipe, I don't know if HTC has one, but if the IMEI is shown, they could exploit it, if they find a remote code to wipe.

GatorV said,

Well the problem is the code that it's used, triggers a full Wipe, I don't know if HTC has one, but if the IMEI is shown, they could exploit it, if they find a remote code to wipe.

almost every cellphone has a USSD code, including Windows Phone and Iphone.

yeah the fact you had to press the call button shows its not exploitable

been confirmed on one Windows phone 7 that it tried to auto dial on Naked Security

also i dont think USSD is supported on WP7.5

Haggis said,
yeah the fact you had to press the call button shows its not exploitable

been confirmed on one Windows phone 7 that it tried to auto dial on Naked Security

also i dont think USSD is supported on WP7.5

I tried it on my GALAXY W (Firmware: DXLM3, which is the latest) and it immediately displayed the IMEI when I ran the link on the stock Android browser as well as on the Dolphin Browser.

Haggis said,
also uploaded a test page to my webspace as the one above is very slow

Does exactly the same thing will display the IMEI number if exploitable

http://haggistech.co.uk/USSDtest/


On Windows Phone 7.5, visiting that webpage would display a popup containing an input field with the pre-input value *#06#; the user can click on the "call" button to show the IMEI, or the "cancel" button to dismiss the message. Not sure if this means that current WP devices are affected...

edit:

I just tried again. If you press on the "call" button, an error message saying "please enter service code directly from phone's keypad" would appear (i.e. it is not possible to open the dial and show the IMEI directly by visiting the webpage).

Haggis said,
also uploaded a test page to my webspace as the one above is very slow

Does exactly the same thing will display the IMEI number if exploitable

http://haggistech.co.uk/USSDtest/

For those wondering the site is "clean" (eg doesn't attempt to wipe phone)

Also on my i9100 AOKP Preview 5.1 ROM is also "clean" and unaffected

tanjiajun_34 said,
It just open my dialer and nothing is keyed in.... So its safe?

Yes, you're safe. If you were open to this attack then the dialer would have keyed in the code and dialled it for you, presenting you with your phone's IMEI number.

Asrokhel said,
I have the Galaxy Nexus with JB, tried the site, and it pops up the dialer, with *#06#, so exactly what does that mean?

It means it's not exploitable as it did not automatically dial the number, you would still have to press call for it to be actioned

Haggis said,
also uploaded a test page to my webspace as the one above is very slow

Does exactly the same thing will display the IMEI number if exploitable

http://haggistech.co.uk/USSDtest/

puts *#06# into my dialler but does not dial it.
BUT, if at that point I lock my phone and then unlock it it does run the code, as upon unlock it instantly shows a black screen with the IMEI in a toast message.

If I edit the number before pressing the power button to lock, it does not run anything at all when I unlock the phone (this is with pattern to unlock btw).

If it runs at the point of unlock, rather than lock
SGS3 with build IMM76D.I9300XXBLFB (latest on o2 uk) is vulnerable if the USSD was received while the phone was locked.

tanjiajun_34 said,
It just open my dialer and nothing is keyed in.... So its safe?

right! I checked my SGS3, and it's fine... it pops up the dialer but doesn't do any commands, so i guess that update a couple of weeks ago fixed it. (or it was fixed before that maybe)

Killer_Z said,
Thanks. My Galaxy S2 with the stock 4.0.4 I9100XWLPX (NEE Country) is vulnerable.

Galaxy S2 here with CM10 and it's not vulnerable :-), only shows *#06# in the dialer

Intrinsica said,
For those wondering if their device is affected or not, use your mobile browser and go to the following site: http://dylanreeve.com/phone.php

If your phone shows you your IMEI number then your phone is vulnerable to the attack. Haggis posted the article here: http://www.neowin.net/forum/to...mote-wipe-hacking-pandemic/


FYI, all Android handsets I've tested that use CM7 are vulnerable, as well.

Why am I on CM7, you ask? Because the hardware is two years old and just because CM9/10 is available doesn't mean I want to feel like I'm running Windows 98 on a 386.

GatorV said,

Galaxy S2 here with CM10 and it's not vulnerable :-), only shows *#06# in the dialer

I installed TelStop and I feel a little better now. :-)

not just Touchwiz thats affected

i have Custom sense rom and its affected

also some have reported on ios6 that the code will auto dial as well obviously same ussd wont do anything on them but still exploitable

Haggis said,
not just Touchwiz thats affected

i have Custom sense rom and its affected

also some have reported on ios6 that the code will auto dial as well obviously same ussd wont do anything on them but still exploitable

Are you talking about the web test? Yes, some custom sense and CM roms show the IMEI and MEID, but they don't do the *remote wipe*. That is the difference in the exploit.