Critical Vulnerability Allows Malicious Links to Wipe Samsung Phones
Ruh roh, Raggy; researcher Ravi Borgaonkar has discovered a serious security flaw in certain Samsung phones that allows baddies to factory reset a handset using a simple Unstructured Supplementary Service Data (USSD) command passed along from a website, QR code or even an NFC connection. Factory resets wipe all the data off your phone -- and there's no way to stop this wipe once it's begun.
Borgaonkar first demoed the flaw at the Ekoparty security conference, SlashGear reports, and follow-up testing by numerous people confirm that the Galaxy S III, Galaxy S II, Galaxy Beam, Galaxy Ace and Galaxy S Advance can all fall prey to the command. Dev Pau Oliva reports that the USSD code won't work on the Galaxy Nexus, however; it runs stock Android rather than Samsung's TouchWiz and phone dialer. You also have to be using the default web browser to activate the kill command.
Engadget had trouble reproducing the wipe on a U.K-based Galaxy S III that had been rooted in the past, though The Verge was able to wipe an AT&T Galaxy S III with the code. Samsung told both publications that it's already looking into the vulnerability.
You can see Borgaonkar displaying the "Dirty Use" USSD command at the Ekoparty conference in the Youtube video below. Not scary enough? The researcher also demoed how another code could be used to maliciously wipe your SIM card.
Suddenly, iOS 6's questionable Maps app doesn't seem so critical any more.
- Top 10 Smartphones
- Mobile Security: The Risks and How to Protect Your Smartphone
- Five Signs Your PC is Infected