While giving a presentation at a security conference in Argentina, a German researcher showed how Samsung smartphones running Google Android, and only those, could be forced to perform a factory reset, wiping the handsets’ contents, just by visiting a malicious site. This is more than a smartphone security issue, though: it’s a story that shows how BYOD security can be brought to a screeching halt by slow-moving parties.
Samsung Touchwiz at Heart of Problem
It should be noted that the hack only affects Samsung smartphones, but not all Samsung smartphones. At the core of the problem is Samsung’s Touchwiz user interface. Apparently, it’s been set up so that it automatically runs a USSD code for a factory reset. As far as I can tell, pcmag.com has the best description of what’s going on:
On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD [Unstructured Supplementary Service Data] code for a factory reset. USSD codes are commands that are executed by entering them in your keypad—for instance if you dial #*#INFO”*” you can access certain menu settings. For every Samsung phone running Touchwiz, there’s a unique set of USSD codes that performs various commands.
The problem appears to lie within both the Samsung dialer and Touchwiz’s stock Android browser. Unlike most dialers, Samsung’s automatically makes the call while others still require the user to hit “send.”
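A defender can check pages for the pattern described above before they reach a handset. The following is an added example, not code from pcmag.com or the researcher: it flags any tel: URI in HTML whose number, once percent-decoded, contains the * or # characters that USSD codes are built from. The function name scan_html and the sample page are constructed for illustration, and the sample uses *#06# (the standard code that displays a phone's IMEI) as a harmless stand-in.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# "tel:" as a URI scheme, not as the tail of another word such as "hotel:".
TEL_URI = re.compile(r"(?<![A-Za-z0-9+.-])tel:([^\s\"'>]*)", re.IGNORECASE)
# USSD/MMI strings are built from '*' and '#'; ordinary phone numbers are not.
MMI_CHARS = re.compile(r"[*#]")


class TelUriScanner(HTMLParser):
    """Collect tel: URIs whose decoded number contains '*' or '#'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Check every attribute value, not only href.
        for name, value in attrs:
            match = TEL_URI.search(value or "")
            if not match:
                continue
            number = unquote(match.group(1))  # %23 -> '#', %2A -> '*'
            if MMI_CHARS.search(number):
                line, _ = self.getpos()
                self.findings.append((line, tag, name, number))


def scan_html(markup):
    """Return (line, tag, attribute, decoded number) for each suspicious URI."""
    scanner = TelUriScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary number, two USSD-style values
# (one percent-encoded, one with an upper-case scheme), one look-alike URL.
SAMPLE = """<html><body>
<a href="tel:+15555550100">Call support</a>
<a href="tel:*%2306%23">Check device</a>
<a href="TEL:*#06#">Check device</a>
<a href="https://example.com/hotel:rooms#suite">Rooms</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, number in scan_html(SAMPLE):
        print(f"line {line}: <{tag} {attr}> dials {number!r}")
```

A check like this only sees static markup, so it complements the firmware patch and does not replace it.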
The Fix: Already Here
A quick “fix,” according to a comment I’ve read, is to have two dialers on the phone. This way, Android will always prompt which one to use, interfering with the autodial aspect. However, a hack to the hack should not be necessary because the vulnerability was disclosed “to manufacturers and carriers in June, and a patch for the firmware was quickly released,” according to pcmag.com.
So, technically, the screw-up is not with Samsung. In fact, it was confirmed by TeamAndIRC via Twitter that “the USSD code issue in the SGS3 is patched, and has been for some time. Current i747 and i9300 firmware are not vulnerable.” This means that the Galaxy S III on AT&T and the European Galaxy S III are not vulnerable at the time the news is making its way around the internet, and confirms the presence of a fix.
What’s keeping the other carriers? It might be Samsung’s vulnerability, but it feels like the carriers’ screw-up.
I don’t get it. BYOD promises to be the next big trend in business, which means that it will push more people towards adopting smartphones. Hardware manufacturers are obviously salivating over the possibilities, but so, too, must be the carriers. Why are they working arduously to hamstring themselves by letting easily fixable things like this fester?