UPDATED: 2012-09-26 Updated to clarify research, and add recommendation for users to protect against the vulnerability.
viaForensics analysts Jon Pisani and Tony Collins recently expanded upon a disclosure made by Ravi Borgaonkar at the security conference Ekoparty 2012 (video here). The original findings indicated that the factory reset for the Samsung Galaxy S3 can be triggered via an injected frame, QR code, Near Field Communications, or SMS text message.
Although the remote wipe issue is patched on many Samsung devices, the execution of USSD codes without user intervention may enable other exploits.
Many Samsung devices not vulnerable
As various outlets have pointed out, the issue has been patched on many Samsung devices running 4.0.x or later. However, it is also reported by Ravi to PCMag that carrier-tied Samsung devices may remain vulnerable to this issue if the user is unable to receive the latest update.
Ravi offers a page for users to test their device (without remote wipe) to see if it executes a USSD code without dialing.
Easy means to protect yourself
For Samsung users who are vulnerable or want to protect themselves just in case, viaForensics recommends the installation of a third-party add-on dialer app, free or inexpensive in the Google Play market. After installation, set the new dialer as the default in order to be protected.
Our testing on an otherwise-vulnerable Samsung device found that the third party dialer app prevented automatic dialing of USSD codes.
Other browsers are affected
Earlier today, a report was released by Engadget stating the vulnerability was only apparent in the stock Android Browser.
“The Unstructured Supplementary Service Data (USSD) code (which we won’t reproduce here) apparently only works on Samsung phones running Touchwiz, and only if you are directed to the dodgy destination while inside the stock browser (rather than Chrome, for example).”
Vulnerability of various devices
We tested the USSD auto-dial vulnerability on multiple devices from varying manufacturers, including Samsung, HTC, Motorola, and Apple. The concept was tested on other devices by altering the USSD code in our “malicious” page to “*#06#”, which is a universal code that harmlessly displays the device’s IMEI number.
Our stock Samsung Galaxy Note running Android ICS (4.0.3) was confirmed to be vulnerable: it automatically dials the USSD code for retrieving the IMEI number without confirmation. The Galaxy Nexus running Jelly Bean (4.1) was confirmed to not automatically dial the code.
It should be noted that any USSD code could be pushed to any phone using this method, and other vendor-specific factory resets may be possible and exist on unpatched devices. The key is to check whether the dialing happens automatically or with user interaction. Vendors could filter specific codes from auto-dialing, but this would be less thorough and harder to confirm.
As stated above, users can protect themselves immediately from auto-dialed USSD codes by installing a third-party dialer app and setting it as the default.
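The safer filtering approach hinted at above is to refuse to auto-execute any MMI/USSD-shaped string arriving from an external source (web page, QR code, NFC tag, SMS) rather than blocklisting specific codes. The following is an added example, not code from viaForensics or any dialer app: a small classifier a defending tel: handler could apply. It percent-decodes first, because a '#' inside a URL must be written as '%23' to survive fragment parsing, so a filter that only looks for a literal '#' would miss encoded codes. The only code used is the harmless *#06# from this article; all sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Anything that starts with * or # and ends with # is an MMI/USSD request that
# a stock dialer may hand straight to the modem instead of placing a call.
MMI_PATTERN = re.compile(r"^[*#][*#0-9]*#$")
# An ordinary dialable number: optional leading +, then digits only.
NUMBER_PATTERN = re.compile(r"^\+?[0-9]+$")


def classify_tel_uri(uri: str) -> str:
    """Return 'number', 'ussd' or 'invalid' for a tel: URI from an untrusted source."""
    if not uri.lower().startswith("tel:"):
        return "invalid"
    target = unquote(uri[4:])           # decode %23 -> '#', %2A -> '*', etc.
    target = target.split(";", 1)[0]    # drop RFC 3966 parameters (;phone-context=...)
    target = re.sub(r"[-.() ]", "", target)  # drop visual separators
    if not target:
        return "invalid"
    if MMI_PATTERN.match(target):
        return "ussd"
    if NUMBER_PATTERN.match(target):
        return "number"
    return "invalid"


def handle_tel_intent(uri: str) -> dict:
    """Decision a defending dialer could take for an externally supplied tel: URI.

    Plain numbers are pre-filled and wait for the user to press Call; MMI/USSD
    strings are shown with a warning; anything else is rejected. Nothing is ever
    dialed automatically (hypothetical policy, constructed for this example).
    """
    kind = classify_tel_uri(uri)
    shown = unquote(uri[4:]) if kind != "invalid" else ""
    if kind == "number":
        return {"action": "prefill", "display": shown, "auto_dial": False}
    if kind == "ussd":
        return {"action": "warn", "display": shown, "auto_dial": False}
    return {"action": "reject", "display": "", "auto_dial": False}


if __name__ == "__main__":
    for sample in ("tel:*%2306%23", "tel:*#06#", "tel:+1-555-0100", "tel:"):
        print(sample, "->", handle_tel_intent(sample))
```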
iPhone prompts user before executing
The Apple iPhone we tested (iPhone 4 running iOS 5.1.1) is not directly vulnerable to the attack, in part because USSD codes are vendor-specific and also because no method currently exists to automatically dial the code from a webpage. While the iPhone’s web browser did execute the redirect, when the device attempted to load the webpage a pop-up was displayed asking the user if they would like to dial the USSD code. The end user would have to select “OK” in order for the USSD code to be executed on the device.
Impact and further research
The full impact of this issue depends on the USSD codes available on a given device (i.e. what they do) and whether they execute automatically. These codes are not publicized by the carriers, although they are available in various forums online, and there may be no functions more damaging than a factory reset. Regardless, the automatic execution of such codes is a vulnerability we will monitor and test further.