[VULNERABILITY] Remote wipe via iframe USSD trigger


jawil

Member
Oct 1, 2007
40
5
This works on my Galaxy S2 4.0.4. It displays the IMEI on stock, Dolphin and chrome-browser. Can't get it to work on S3 though with stock browser at least.
 

DylanReeve

New member
Oct 22, 2011
4
8
The problem - and a solution

The issue has nothing to do with the browser. I've tested on ICS with Chrome, default browser and Dolphin - all behave the same way.

Test here: dylanreeve DOT com/phone.php (uses IMEI display USSD - it's totally safe).

The issue is with the stock dialer. If you can prevent that dialer from handling the tel: URL then you can either prevent or at least intervene in attack attempts. So the solution is... Install another dialer (probably any other dialer).

dylanreeve.posterous DOT com/remote-ussd-attack

(I can't post URLs yet)
 

Lennyuk

Inactive Recognized Developer
Jan 26, 2010
6,327
1,829
Suffolk, England
Looks like other phones including HTC might be vulnerable too, they have a dialer code for a factory format that is similar to the samsung wipe one.
 

devadatta

Senior Member
Dec 15, 2010
116
17
I wonder, even if it opens the dialer, should we be worried.
What if it is dialed automatically and shown a bit later.
The dialer display lag is something playing up.
JB 4.1.1
 

killsforpie

Senior Member
Oct 2, 2010
77
4
So, from what I can tell, this *only* affects certain "TouchWiz" devices.

On standard Android, it will launch the dialler - but the user has to hit the dial key for anything to happen.

And, depending on their device, hitting dial will try to send the code as a USSD rather than processing it internally.

Until Samsung issue an update there's little you can do other than replace the TouchWiz dialler.

I can verify that my dialer was launched with the code in it (*#06#) from FF and Chrome on my HTC Rezound (4.0.3 latest update from Verizon) but it was not auto dialed.

I tried with the HTC code "*#*#4636#*#*" (this used to bring up a hidden radio selection menu) and I was taken to the dialer but the code was not there (FF/Chrome), which is what happens now in ICS when I try the code (making me think it may have been executed).
 

DylanReeve

New member
Oct 22, 2011
4
8
I wonder, even if it opens the dialer, should we be worried.
What if it is dialed automatically and shown a bit later.
The dialer display lag is something playing up.
JB 4.1.1

Some other phones (including Windows Phone) will open the dialer, but don't handle the number as if you'd keyed it in. In the case of Samsung's dialer it treats the linked number exactly the same as if you'd keyed it in. So for a USSD that means as soon as it sees that last # it executes it.

Putting the tel: URL in the SRC of an iframe will cause the browser to load it, and it will in turn push whatever content is in there directly to the dialer. Any USSD will work.
 

Richies113

Member
Jul 10, 2010
14
19
surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


edit:

If you are on an ics rom please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app and what happens.

http://ninpo.qap.la/test/index.html

that link is safe! It triggers a safe ussd code not the wipe one


it is not safe. The link has now been changed to have the wipe code, do not press it unless you are sure
 

Lennyuk

Inactive Recognized Developer
Jan 26, 2010
6,327
1,829
Suffolk, England
HTC's dialer acts the same as Samsung's

Not sure on other (stock android is safe I think?, at least it is safer as it has no code to do a full wipe)
 

toncij

Senior Member
Dec 18, 2010
197
39
NO.

Samsung Galaxy S III - ICS 4.0.4

Does NOT work. Any code put in ONLY displays in the dialer, but does NOT dial as it requires pressing the Call key.

Chrome, Firefox, Opera, StockBrowser ("Internet") - none work. Opera stops even before, requiring a special permission click.

Code in the upper link is: *2767*44927#, not the wipe one.
 

rp518dan

Member
Dec 30, 2011
24
3
Philadelphia
Ben Woods at ZD Net said:

I don't know how to do this but Ben Woods said that turning off the Service Loading feature will prevent the exploit.

Titanium Backup Pro is a welcome app on my phone. I think it's time to make an "update.zip".
 

toncij

Senior Member
Dec 18, 2010
197
39
It seems that there is something different.

My SGS 3 4.0.4 uses this default dialer ("Phone" app):
SSLHTTP dl.dropbox .com/u/2188108/Screenshot_2012-09-25-15-33-29.png

But, someone here posted this article:
dylanreeve.posterous .com/remote-ussd-attack

... where Phone app looks quite a bit different. Huh?

That may explain why it does not work on my device.
 

Lennyuk

Inactive Recognized Developer
Jan 26, 2010
6,327
1,829
Suffolk, England
All current S3 firmware should be patched, samsung were informed of this issue some months ago and actively fixed it.

HTC for that matter is still wide open and maybe other companies too.
 

chrisfu

Senior Member
Aug 30, 2006
64
24
Manchester
It seems that there is something different.

My SGS 3 4.0.4 uses this default dialer ("Phone" app):
SSLHTTP dl.dropbox .com/u/2188108/Screenshot_2012-09-25-15-33-29.png

But, someone here posted this article:
dylanreeve.posterous .com/remote-ussd-attack

... where Phone app looks quite a bit different. Huh?

That may explain why it does not work on my device.

This. The other SGS3 here (4.0.4) using the same dialer as you doesn't fall foul to this attack, by the looks of it.

Titanium Backup has my fixed Phone app at 4.0.4-I9300XXBLG8 on this device.
 

Lennyuk

Inactive Recognized Developer
Jan 26, 2010
6,327
1,829
Suffolk, England
Just so we can put this to bed, is anyone brave enough and in a position to root and restore a nandroid if the code works?

If so join IRC on freenode #villainrom and we will give you a link that is meant to wipe

We need to be 100% sure samsung have patched this - I am at work so cannot rebuild my phone if it wipes.
 

rogierg

Member
Apr 7, 2006
36
3
Fraaaaak! This is bad, really bad... I'm on a Samsung Galaxy Advance S.

Stock browser opens the USSD
Dolphin opens the USSD
Firefox opens the USSD

So then I thought: let's change the dialer. Changed the dialer to EX dialer and... same result! But having 2 dialers installed gives the dialer choice menu when opening the page and you have the ability then to back out of the page. Seems like a reasonable work around?
 

Top Liked Posts

  • 8
    UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom.

    Ok so confirmed, if you are on the latest S3 rom (and maybe other samsung phones) your phone should no longer auto-launch the USSD code to do a factory reset.

    UPDATE: Here is a video of this vulnerability being performed at Ekoparty 2012 over the weekend: http://www.youtube.com/watch?v=Q2-0B04HPhs

    I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

    Apparently the USSD code to wipe a S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

    Code:
    the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />

    MOD EDIT: workaround here
    4
    Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

    Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

    We have also contacted Samsung Finland about this.
    2
    I can confirm this works on my G300 phone (and most likely others too) by using <meta http-equiv="REFRESH" content="0;url=tel:*%2306%23"></HEAD> instead.

    You can test if your phone is vulnerable here : 198.100.157.97/test.html

    edit : can a mod please turn this into a link? since I don't have enough posts to do so. thanks.
    2
    It's looking like this is the case. Do you have a source for that information?

    I spoke with the guy who told samsung to patch it, he told them about 3 months ago.

    he didn't tell anyone else.
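The thread describes three ways a page hands a tel: URI to the dialer with no click: a frame/iframe src (the OP's snippet and DylanReeve's explanation), and a meta refresh with the # percent-encoded as %23. Below is an added detection script, not code from the thread or from any project mentioned in it, that a proxy or mail gateway could run over fetched HTML to flag such auto-dial USSD triggers; the sample page, the USSD pattern regex and the tag list are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# USSD/MMI strings start with * or # and end with #, e.g. *#06# or *2767*3855#
USSD_RE = re.compile(r"^[*#][\d*#]*#$")


class TelUriFinder(HTMLParser):
    """Collect every tel: URI a page could push to the dialer, with the tag that carries it."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, percent-decoded number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names for us
        uri = None
        if tag in ("iframe", "frame", "embed") and attrs.get("src"):
            uri = attrs["src"]  # loads without any user action
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="0;url=tel:..." -> keep whatever follows "url="
            m = re.search(r"url\s*=\s*(.+)", attrs.get("content", ""), re.I)
            uri = m.group(1).strip() if m else None
        elif tag == "a" and attrs.get("href"):
            uri = attrs["href"]  # needs a click, but a USSD link is still worth reporting
        if uri and uri.strip().lower().startswith("tel:"):
            self.found.append((tag, unquote(uri.strip()[4:]).strip()))


def scan_html(html):
    """Return the (tag, code) pairs whose tel: target looks like a USSD/MMI code."""
    parser = TelUriFinder()
    parser.feed(html)
    return [(tag, num) for tag, num in parser.found if USSD_RE.match(num)]


# Constructed sample page (assumption) reproducing the triggers discussed in the thread.
SAMPLE = """<html><head>
<meta http-equiv="REFRESH" content="0;url=tel:*%2306%23"></head>
<body><frame src="tel:*2767*3855%23" />
<iframe src="tel:%2A%2306%23"></iframe>
<a href="tel:+15551234567">call us</a>
</body></html>"""

if __name__ == "__main__":
    for tag, code in scan_html(SAMPLE):
        print(f"USSD trigger via <{tag}>: {code}")
```

A plain phone number in an ordinary link (the last anchor in the sample) is not reported; only percent-decoded targets matching the USSD shape are.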