Sometimes a word or sentence is enough to destroy friendships and relationships. In computing, pressing Y instead of N can create a nightmare for even the most experienced IT Pro. So it would be very frustrating if Samsung allowed a single line of code to be remotely executed, wiping your near full Galaxy S III, wouldn’t it?
Security researchers have discovered that one line of code is all it takes to start an unstoppable factory-reset of the S III, opening the possibilities for malicious websites to completely wipe the handset, restoring it to it’s out of the box experience.
Ravi Borgaonkar showed the hack at the Ekoparty security conference with a simple USSD code. He said that the code could be sent from a website, pushed to the handset by NFC or triggered by a QR code. And it’s not just the Galaxy S III that’s affected; other Samsung handsets are affected too!
The user will see the process taking place, but hitting back won’t stop the reset. The same applies to the QR codes and NFC tags; no warning and no hope of stopping it. And in a double whammy attack, a simple USSD code could be used to kill the SIM, leaving the user with a very expensive PDA.
Samsung devices running TouchWiz devices are all affected; vanilla Android OS installs will not automatically dial the code, leaving the user to intervene at the last moment. But guess what? Samsung’s default setting is to dial the code automatically.
The code has been tested on the Galaxy Beam, S Advance, Galaxy Ace, and Galaxy S II. The Samsung-made Galaxy Nexus, which runs stock Android, has dodged a bullet as is not vulnerable.