Android Dialer Flaw Extends Beyond Samsung Phones
|Image manipulation by SecurityNewsDaily|
A security flaw uncovered last week, initially thought to affect only some Samsung Android phones, actually affects Android devices made by other companies as well.
The problem is caused by an oversight in a smartphone's dialer software that makes it execute an automatically loaded code, including the code that triggers a factory reset, without getting the user's go-ahead.
QR codes, text messages, websites and NFC communications sometimes contain Unstructured Supplementary Service Data (USSD) code that causes many phones to load special number sequences into the dialer. Instead of connecting to outside lines, USSD codes access a smartphone's software to program phones or look up internal information. Carriers use them to help remotely diagnose and fix problems.
If a user types a USSD code into the keypad directly, the code will execute. But if the code is loaded via another method, such as by a Web page or text message, the dialer is supposed to wait until the user presses the "send" button.
In a demonstration last week at the Ekoparty security conference in Buenos Aires, a reseacher forced a Samsung Galaxy S III running Android 4.0. Ice Cream Sandwich to go to a Web page containing a USSD code — in this case, the code to force a "hard" factory reset, erasing all user data.
On the Galaxy S III, the code loaded from the Webpage, the phone "dialed" the code and the phone performed a factory reset, all in one fluid motion. It didn't wait for the user to hit "send."
The problem affects all Samsung phones running the proprietary TouchWiz user interface up through the Ice Cream Sandwich version of Android — and, it now turns out, some Motorola and HTC phones as well. (Phones running Google's latest OS, Android 4.1 Jelly Bean, do not appear to be affected.)
Samsung told several tech sites that Galaxy S III phones running the latest firmware update were already protected against the flaw, and that any Galaxy S III user who hadn't installed the firmware should do so.
As for older models using TouchWiz, such as the Galaxy S II or the Galaxy Advance, Samsung told AndroidCentral it was "currently in the process of conducting an internal review." A Dutch-language tweet from Samsung's Belgian Twitter account, cited by some tech blogs as news of a patch for older phones, instead said that a firmware update was in the process of being tested.
For unpatched phones, security researcher Collin Mulliner has created an app called TelStop that forces the user to respond to a prompt before loading a USSD code into the dialer. Alternatively, all Android users have the option of going to Google Play to download third-party dialers, which will also prompt the user before loading a USSD code.
On his website, Dylan Reeve, a New Zealander who describes himself as "not a security expert," has posted a page for Android users to see if they're at risk. If a visit to his page from an Android device causes the dialer to display "*#06#," or nothing at all, the device is safe from the flaw.
If, however, a trigger-happy dialer executes the code and displays the phone's IMEI or MEID — the handset's unique ID number — then the phone may be at risk.
On his blog, Reeve said he'd verified that the exploit worked on the HTC One X and Motorola Defy.
"It is very poor design to allow a passed value to execute as if it were keyed in interactively," he concluded.
Follow Ben on Twitter @benkwx.