[VULNERABILITY] Remote wipe via iframe USSD trigger

chrisfu · 03:19 PM

[VULNERABILITY] Remote wipe via iframe USSD trigger

UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom.

Quote:

Originally Posted by Lennyuk

Ok so confirmed, if you are on the latest S3 rom (and maybe other samsung phones) your phone should no longer auto-launch the USSD code to do a factory reset.

UPDATE: Here is a video of this vulnerability being performed at Ekoparty 2012 over the weekend: http://www.youtube.com/watch?v=Q2-0B04HPhs

I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe a S3 can be trigged in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:

the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />

MOD EDIT: workaround here

kofiaa · 25th September 2012, 12:32 PM

Quote:

Originally Posted by chrisfu

I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe a S3 can be trigged in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:

the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this:

What the... why should this even work?! They need to fix this asap. Does it mean the frames can trigger other s3 codes? And is this only for s3, Samsung phone, or android in general?

Sent from my GT-I9300 using xda app-developers app

chrisfu · 12:39 PM

Quote:

Originally Posted by kofiaa

What the... why should this even work?! They need to fix this asap. Does it mean the frames can trigger other s3 codes? And is this only for s3, Samsung phone, or android in general?

Sent from my GT-I9300 using xda app-developers app

Yep, you can trigger other USSD codes too. It's just that one that is the game-changer and will make Samsung sit up and take notice. Looking at the simplicity of it it's a wonder it's not been discovered before. Unconfirmed, but I'd imagine this would affect all Samsung Android devices.

Update: Just to let you know, I'm investigating a way of removing the "tel:" URL handler now on my S3. If others can also investigate, we should have a short-term fix for this soon within the community.

port76 · 25th September 2012, 12:49 PM

does Samsung know about this has anyone informed them ? this is serious guys

Sent from my GT-I9300 using xda premium

chrisfu · 25th September 2012, 12:53 PM

Quote:

Originally Posted by port76

does Samsung know about this has anyone informed them ? this is serious guys

Sent from my GT-I9300 using xda premium

I've tweeted @SamsungUK. They're as good as any other place to start. I'd suggest as many people bombard them as possible, just to get their attention. They can then let their primary Android devs know about this.

I've also tweeted @ChainfireXDA too, as he'd probably be quicker to react than Samsung.

@supercurio is usually really good at helping out in such circumstances as well.

sts_fin · 12:57 PM

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

projectsome · 25th September 2012, 01:00 PM

Quote:

Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Chrome is my default browser.

I normallly root, remove apps I won't use like the default browser, then unroot.

chrisfu · 25th September 2012, 01:02 PM

Quote:

Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Yep, I can confirm that with Chrome on ICS.

Just to add, there is some information here regarding intents within Android. Revoking CALL_PHONE permissions would serve to block this attack within any HTML-rendering app.

http://developer.android.com/guide/a...p-intents.html

If they don't affect normal calling or text messaging, the CALL and DIAL intents could be temporarily revoked, and this would fix the issue. It should just mean that "tel:" URI's within iframes and "a" tags wouldn't work within any app that renders HTML.

Ninfosho · 25th September 2012, 01:07 PM

hmmm... sorry but I dont understand what you are talking about..

whats the problem?

chrisfu · 25th September 2012, 01:08 PM

Quote:

Originally Posted by Ninfosho

hmmm... sorry but I dont understand what you are talking about..

whats the problem?

If you click a link which contains within it a line of malicious code, it can cause your SGS3 reset to factory defaults. Yep, a full wipe.

[VULNERABILITY] Remote wipe via iframe USSD trigger

Most Thanked In This Thread

XDA PORTAL POSTS

Avoid Framework Bootloops on Xperias Running Jelly Bean

Forum Added for the Samsung Galaxy Mega

Voice Control Your Phone with Tasker and AutoVoice – XDA Developer TV

Guide to Take Better Control of Your Volume Levels