Samsung Reset

Update, 09/26: Samsung has told us that the latest Galaxy S3 firmware fixes this exploit. Our own testing has shown other phones, particularly Galaxy S2 models, may still be at risk, however. If you're still concerned, you can check our USSD vulnerability test to see if your phone is vulnerable.

A major security vulnerability has been discovered in some TouchWiz-based Samsung smartphones, including the Galaxy S2 and certain Galaxy S3 models on older firmware. The bug was first demonstrated days ago by security researcher Ravi Borgaonkar at the Ekoparty security conference. It involves the use of a single line of code in a malicious web page to immediately trigger a factory reset without prompting the user, or allowing them to cancel the process. Even more serious is the possibility that this could be paired with a similar glitch to render the user's SIM card inoperable. And as the malicious code is in URI form, it can also be delivered via NFC or QR code.

Our Verizon Galaxy S3 was not reset by the malicious code embedded in a web page, though we were able to trigger a reset using similar code tied to a hyperlink. Mobile dev Justin Case tells us the issue is fixed in the latest AT&T and international Galaxy S3 firmwares, though devices that have not been updated may remain vulnerable. Others have reported that devices like the Galaxy Ace and Galaxy Beam are also affected. As far as we can tell, though, the bug does not affect Samsung phones running stock Android, like the Galaxy Nexus.

The vulnerability is the result of the way the native Samsung dialer app handles USSD codes and telephone (tel:) links. USSD codes are special combinations of characters that can be entered on the keypad to perform certain functions, like enabling call forwarding or accessing hidden menus on the device. On Samsung phones, there's also a USSD code for factory resetting the phone (and presumably another for nuking your SIM). This, combined with the fact that the dialer automatically runs telephone links passed to it by other apps (such as the browser) without asking for confirmation, results in a particularly nasty issue for anyone unfortunate enough to land on a malicious web page.

There are, of course, other applications of this glitch -- for example, the ability to automatically run numbers through the dialer could be used to call premium-rate phone numbers. But the fact that just visiting a web site could factory reset your phone, wipe your internal storage and nuke your SIM is a very serious issue. So we'd advise you to update your software if you're running an S3, and if you're not, we'd recommend using a third-party dialer like Dialer One until all this has blown over.
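As an added example (not from the article, Samsung or the researcher), here is a small Python check of the kind a web filter or a "is my phone vulnerable" test page would run on the defender's side: it pulls tel: URIs out of page markup and flags the ones carrying an MMI/USSD-style string instead of a plain phone number. The sample page is constructed; the only dialer code in it is *#06#, the harmless IMEI-display string (assumed to be what the reader test in the comments triggered).

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes through which page markup can hand a tel: URI to the dialer.
URI_ATTRS = {"href", "src", "content", "action", "data"}


class TelLinkCollector(HTMLParser):
    """Collects every attribute value that starts with the tel: scheme."""

    def __init__(self):
        super().__init__()
        self.tel_uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in URI_ATTRS:
                continue
            # A meta refresh hides the target behind "url=", so strip that prefix.
            m = re.search(r"(?i)\burl\s*=\s*", value)
            candidate = (value[m.end():] if m else value).strip()
            if candidate.lower().startswith("tel:"):
                self.tel_uris.append(candidate)


def is_ussd_like(tel_uri):
    """True when the dialable part contains * or #, i.e. an MMI/USSD string."""
    number = unquote(tel_uri[4:])      # percent-decode so %23 is seen as '#'
    number = number.split(";", 1)[0]   # drop tel: parameters such as ;phone-context=
    return "*" in number or "#" in number


def find_ussd_links(html):
    """Return the tel: URIs in html that carry a USSD/MMI-style code."""
    collector = TelLinkCollector()
    collector.feed(html)
    return [uri for uri in collector.tel_uris if is_ussd_like(uri)]


# Constructed sample: two ordinary phone links and one carrying *#06#
# (IMEI display), with '#' percent-encoded as %23 as it must be in a URI.
SAMPLE_HTML = """
<a href="tel:+1-555-0100">call us</a>
<a href="TEL:(555) 0199">support</a>
<a href="tel:*%2306%23">check</a>
"""

if __name__ == "__main__":
    for uri in find_ussd_links(SAMPLE_HTML):
        print("USSD-style tel: URI:", uri)
```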

We've reached out to Samsung for comment on this issue, and we'll keep you updated with any information they provide.

Source: @Paul Olvia; via SlashGear, @backlon, @teamandirc


Reader comments

Major security vulnerability in some Samsung phones could trigger factory reset via web page


Relax people... let's just wait to hear from Samsung first. In any case, my Galaxy Nexus is not affected...

You can talk easily because your Nexus doesn't have this vulnerability. You don't fit in, so who are you to tell people to relax, when this could virtually erase our data or screw up our SIM cards?

Not to sound like an ass, but that's why I stick with stock Android. Not that it will never have issues, but that issues will be fixed faster and fixes will be pushed out faster.

You want a secure, reliable, consistent experience on Android? Get a Nexus device.

What does Chrome browser have to do with this? I saw a couple other comments that they use Chrome instead of stock, and therefore they are safe. The article says nothing about using Chrome to be safe. What am I missing?

Wow. The reaction to this will be the measure of Samsung and Android as a platform. How fast can they get a patch worked up and through the carriers to users to fix this?

Now come on, why would Google campaign against the phone manufacturers just so they can use Chrome instead? Makes no sense our talk in ka ka

Apple would roll out an update at break-neck pace. So will Samsung. The difference is that the carriers, especially Verizon, will slow down the OTA update. That's why I harp so much on the problem of Android phones getting slow updates. It's more than just getting new features; it's a legitimate security problem. I hope we get this fixed.

The slow-OTA hype has been really overplayed. Google can (as they did before) roll out app-specific updates swiftly and silently to address security concerns like this. Full OS OTAs are slow and painful, but security concerns are given a far far far faster track. Don't eat the FUD the Apple trolls are trying to spread around.

I was going to mention the same thing. The Internet app is not something you can disable on the Sprint S3 running stock.

Actually Google didn't fail, Samsung did. Since you can negate this vulnerability by switching to the Google Chrome browser, Google is actually the fix. Also, it plainly states that devices running stock Android are NOT affected...

You could not factory reset any iOS device by clicking a link in the browser. Not even the same. How do you think Android devices are rooted? Even WP7 devices were rooted first on Samsung devices with security holes in Samsung components installed on the phone.

The sooner they get this update out, the sooner they can fix the things they broke with their crappy ICS update on my phone :-P

I can't disable the app. Does the flaw bypass the option pop-up as to which browser to use to complete the action?

So is this only an issue with the default browser? I'm using Chrome and/or Dolphin HD (depending on my mood).

Man, the tech blogs and Apple fans are going to have a field day today. I think I'll stay away from any further comments sections in articles related to this.

And…. waiting for the inevitable Phil or Jerry editorial on why this, like any potential security issue on Android, isn't a big deal (despite the fact that most of the 20 million who bought the GSIII will likely just use the stock browser and never download an alternative).

I'm not going to argue that it's not a "big deal" because it's a pretty big flaw.

But in all honesty, you have to be a malicious web developer who purposely adds the code to the page, then somehow get people to come to your site on their GS3 (and I'm willing to bet there are legal ramifications for adding malicious code like this, so they'd have to be willing to take that chance too).

So yeah, it'll probably affect a few people. But it's not like major/popular sites will be doing this to you. There's always the possibility some pro-Apple fanboy who happens to work at some popular website will put this in the code just to be a jerk though.

I'd be surprised if a fix isn't pushed out within 24-48 hours. This is going to spread like wildfire through the interwebz. Can't wait for all the gloating from fanboys.

This one's more than FUD. End of the world? Nah. But it's a big one. The ability to push a USSD and have it reset your phone without so much as a confirmation? That's bad.

OTOH, so is blindly clicking short links (and double that if it's from someone you don't know). Don't get me started on short links though. :)

^^ This. The people that get affected by this are the same people that open e-mail attachments from unknown senders. Or people that click "You just won!!" links.

Or perhaps people that visit some of the not-so-trustworthy sites "Android After Dark" has mentioned in the past :)

Unlike a PC it's not really all that possible to hover over a link and have a tooltip pop up to show you that it's a USSD code embedded under that element. You'd have to hold and press and copy the link out, then paste it somewhere else just to see. Do you seriously think people want to have to do this for every non-mainstream link they visit on their smartphone?

Well, considering Samsung rushed out an update to dumb down search on all the S3s, I imagine this will be the same way.

This is rich, particularly given that the story immediately before this one is titled, "Samsung reportedly developing its own mobile browser, just as it always has done."

I would think that most GS3 owners are actually tech educated unlike iSheep and thus probably don't use stock but instead use Chrome or Dolphin. Thus this isn't as big an issue as it seems.

Probably not. Most people that buy android phones just buy whatever the salesperson in the carrier store tells them to buy. They are no more tech educated than iPhone buyers. Remember, these are just phones to most people, they have more important things to care about in their lives.

You would definitely be wrong. The S III is a massive seller to 'normal' people, not people like you and me. This is a problem.

Most but not all. My wife wanted a GS3 and I got it for her even though she doesn't know crap about phones lol.

I'm a little confused. It says TouchWiz-based phones are affected but phones running stock Android are not. Does this mean I could switch to stock Android via Sprint ID on my E4GT and be safe, or is that just the launcher? I see either way I could just use Chrome, but it sucks on the S2. NFC is not an issue and I haven't scanned a QR code in months, so I'm sure I could avoid that too.

The Sprint ID stuff is just user interface themes. Regardless of what they happen to call one of the Sprint ID themes, it has nothing to do with actual Stock Android. So changing a Sprint ID won't save you. If your phone runs older firmware that is vulnerable to the exploit, then you're vulnerable. Newer phones with updated versions of Android are not affected.

Stock Android is the "straight from Google" version of Android before the manufacturers and carriers modify it. The only phones running stock Android out of the box are Nexus devices (like the Galaxy Nexus) purchased directly from Google. Even the Nexus devices purchased from Verizon or Sprint have carrier-based modifications on them, so they're technically not "stock" Android (although they're very close to it).

Great reason to avoid carrier-based bottlenecks when it comes to getting the latest versions of Android: bug & security fixes.

Androidpolice reports:

This issue is, unsurprisingly, a lot more nuanced than the video here lets on. The bug is based in the stock Android browser, is in fact quite old, and has been patched in more recent builds of Android - this is probably why Nexus devices running the most recent OTAs are unaffected. The fact is, this is not a Samsung problem, it's an old Android problem that has been known about for some time. More recent versions of Android avoid the wipe issue, but unpatched devices (like some Samsung phones) may still be vulnerable.

There are reports from users on other sites that phones from HTC and LG are also vulnerable. We are looking at an Android security issue, not a Samsung-exclusive issue.

As others have posted, I checked my settings on my S3 on O2 and you can't disable Internet Explorer, and albeit that I am using Chrome, it would be nice to be able to have a solution to the problem.

Not really a new thing from Samsung; they had this on their feature phones... just one more thing that should have never transferred over from the legacy devices. I think had Apple been in the game as long as Samsung they may have brought it over from their older phones. It's a great feature for legacy devices prior to selling it, but really not that great for "smart devices".

I have an LG VM670 that I flashed with a ported SIII CM7-based ROM that has been "fully themed" with the TouchWiz UI. I'm not using it now (can't remember why I removed it). I'm ASSUMING that makes it "un-stock"... or has anybody here seen any updates about "hybrids"?

Yo guys, take a chill man, some dude on a Danish forum posted a comment that contained the solution for this problem. Now I recently ordered my S3 but haven't received it yet, but fixing the problem will be the first thing Imma do when I get it.
I tried translating his Danish comment into English.. Sooo, dude says:

1. Enter "Messages"
2. Click on the "Menu"-button and click "settings".
3. Scroll down to the "Push-messages settings/Settings for push-messages".
4. Click "Load Service", and choose "Never".

Gimme a reply if it works or doesn't....

My Galaxy S2 X on Telus was vulnerable via the stock browser. Installed Opera browser and it didn't bring up the pop up so it appears to be safe now. A little disappointed though since I really like the stock ICS browser. Hopefully Sammy rolls out an update for S2 owners soon.

When will this be fixed? I hope they can also work out the DRM issue so we can finally get 1080P netflix app. For those who don't have Netflix in your country, you can use UnoDNS to unlock geo-block contents and get US Netflix and Hulu and others.

I have a Galaxy Apollo and was affected. Thanks to a friend have downloaded Dialer One, so hopefully will be okay now :)

Like you said, a phone dialer code can hard reset a Galaxy S2 & S3 and some other minor Samsung TouchWiz devices, but there are also other and easy ways to hard reset or hard format Samsung Galaxy S2 and S3 mobiles. I found three ways for that at http://howmobile.net/samsung/2150-how-hard-reset-samsung-galaxy-s2.html when I was just frustrated with my phone & helpless to get any solution for my Galaxy S2. It just helped me like a charm. Hope it would also work for you guys.
Thanks

AT&T i777 GS2 on most current ICS:

When I try the link from the mobile site (stock browser), nothing happens. But when I go to the full site and click the link, the dialer with IMEI is displayed.

So, I have conflicting results. What does that mean?