[VULNERABILITY] Remote wipe via iframe USSD trigger

By chrisfu, Member on 25th September 2012, 12:22 PM
UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom.

Quote:
Originally Posted by Lennyuk

Ok so confirmed, if you are on the latest S3 rom (and maybe other samsung phones) your phone should no longer auto-launch the USSD code to do a factory reset.

UPDATE: Here is a video of this vulnerability being performed at Ekoparty 2012 over the weekend: http://www.youtube.com/watch?v=Q2-0B04HPhs

I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe a S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:
The USSD code to factory data reset a Galaxy S3 is *2767*3855#; it can be triggered from a browser like this: <frame src="tel:*2767*3855%23" />
MOD EDIT: workaround here
25th September 2012, 12:32 PM |#2 kofiaa (Senior Member, Accra)
Quote:
Originally Posted by chrisfu

I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe a S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:
the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this:

What the... why should this even work?! They need to fix this asap. Does it mean the frames can trigger other s3 codes? And is this only for s3, Samsung phone, or android in general?

Sent from my GT-I9300 using xda app-developers app
25th September 2012, 12:35 PM |#3 chrisfu (OP, Member, Manchester)
Quote:
Originally Posted by kofiaa

What the... why should this even work?! They need to fix this asap. Does it mean the frames can trigger other s3 codes? And is this only for s3, Samsung phone, or android in general?

Sent from my GT-I9300 using xda app-developers app

Yep, you can trigger other USSD codes too. It's just that one that is the game-changer and will make Samsung sit up and take notice. Looking at the simplicity of it, it's a wonder it's not been discovered before. Unconfirmed, but I'd imagine this would affect all Samsung Android devices.

Update: Just to let you know, I'm investigating a way of removing the "tel:" URL handler now on my S3. If others can also investigate, we should have a short-term fix for this soon within the community.
25th September 2012, 12:49 PM |#4 port76 (Senior Member)
Does Samsung know about this? Has anyone informed them? This is serious, guys.

Sent from my GT-I9300 using xda premium
25th September 2012, 12:53 PM |#5 chrisfu (OP, Member, Manchester)
Quote:
Originally Posted by port76

Does Samsung know about this? Has anyone informed them? This is serious, guys.

Sent from my GT-I9300 using xda premium

I've tweeted @SamsungUK. They're as good as any other place to start. I'd suggest as many people bombard them as possible, just to get their attention. They can then let their primary Android devs know about this.

I've also tweeted @ChainfireXDA too, as he'd probably be quicker to react than Samsung. @supercurio is usually really good at helping out in such circumstances as well.
25th September 2012, 12:55 PM |#6 sts_fin (Member)
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.
25th September 2012, 01:00 PM |#7 Senior Member
Quote:
Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Chrome is my default browser.

I normally root, remove apps I won't use like the default browser, then unroot.
25th September 2012, 01:02 PM |#8 chrisfu (OP, Member, Manchester)
Quote:
Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Yep, I can confirm that with Chrome on ICS.

Just to add, there is some information here regarding intents within Android. Revoking CALL_PHONE permissions would serve to block this attack within any HTML-rendering app.

http://developer.android.com/guide/a...p-intents.html

If they don't affect normal calling or text messaging, the CALL and DIAL intents could be temporarily revoked, and this would fix the issue. It should just mean that "tel:" URIs within iframes and "a" tags wouldn't work within any app that renders HTML.
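As an added example (not code from this thread or from any of its posters), the check below is the kind of thing a defender could run over fetched pages or inside a content filter while waiting for the intent-level fix discussed above: it pulls tel: URIs out of href/src attributes, percent-decodes them (so the %23 in the original post becomes #), and flags those that are MMI/USSD codes rather than phone numbers. The regex, the sample page and the harmless IMEI display code *#06# are my own assumptions and constructed inputs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed MMI/USSD shape: starts with * or #, body of digits/*/#, ends with #.
# *2767*3855# (the reset code quoted in the thread) matches; +441612345678 does not.
MMI_CODE = re.compile(r"^[*#]+[0-9*#]*#$")


class TelLinkExtractor(HTMLParser):
    """Collect every tel: URI found in an href or src attribute, with its tag name."""

    def __init__(self):
        super().__init__()
        self.tel_uris = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <frame ... /> also arrive here via handle_startendtag.
        for name, value in attrs:
            if name in ("href", "src") and value and value.strip().lower().startswith("tel:"):
                self.tel_uris.append((tag, value.strip()))


def classify_tel_uri(uri):
    """Return ('ussd', code) for an MMI/USSD code, ('number', target) otherwise.
    Percent-encoding is decoded first, so tel:*2767*3855%23 yields *2767*3855#."""
    target = unquote(uri[len("tel:"):])
    return ("ussd", target) if MMI_CODE.match(target) else ("number", target)


def find_ussd_triggers(html):
    """Return [(tag, decoded_code)] for every tel: URI in html that carries a USSD code."""
    parser = TelLinkExtractor()
    parser.feed(html)
    return [(tag, target) for tag, uri in parser.tel_uris
            for kind, target in [classify_tel_uri(uri)] if kind == "ussd"]


# Constructed sample page: one ordinary click-to-call link, the hidden frame from the
# original post (percent-encoded as posted), and an iframe carrying the IMEI display code.
SAMPLE_HTML = """<html><body>
<a href="tel:+441612345678">Call us</a>
<frame src="tel:*2767*3855%23" />
<iframe src="tel:%2A%2306%23"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, code in find_ussd_triggers(SAMPLE_HTML):
        print(f"<{tag}> would hand USSD/MMI code {code} to the dialer")
```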
25th September 2012, 01:07 PM |#9 Ninfosho (Junior Member)
Hmmm... sorry, but I don't understand what you are talking about..

What's the problem?
25th September 2012, 01:08 PM |#10 chrisfu (OP, Member, Manchester)
Quote:
Originally Posted by Ninfosho

Hmmm... sorry, but I don't understand what you are talking about..

What's the problem?

If you click a link which contains within it a line of malicious code, it can cause your SGS3 reset to factory defaults. Yep, a full wipe.
25th September 2012, 01:12 PM |#11 sts_fin (Member)
Quote:
Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Update: it works also with chrome... So no helping there.

Update to update: chrome parses the TEL: link but does not run the USSD.

Tags
galaxy s3, iframe, samsung, ussd, wipe