'Dirty USSD' code could automatically wipe your Samsung TouchWiz device (updated)

Mat Smith, @thatmatsmith
September 25, 2012

The Factory Reset. One of those last-ditch efforts that many of us have a fair bit of experience with. However, a malicious embed code could potentially do the exact same thing to your Galaxy S III. The Unstructured Supplementary Service Data (USSD) code (which we won't reproduce here) apparently only works on Samsung phones running TouchWiz, and only if you are directed to the dodgy destination while inside the stock browser (rather than Chrome, for example). This means the Galaxy Nexus is unaffected, but it can work the same dark magic on the likes of the Galaxy S II.

We've been trying to murder a (UK-based) GS III here at Engadget, but with no luck as yet -- we can cause the malicious digits to appear in the dialer, but we can't force the stock browser to visit them as a URL, even when trying a bit of URL forwarding and QR code trickery. However, this particular GS III has been rooted in the past, even though it's now running an official TouchWiz ROM, and that may be interfering with the process.

Aside from our own experiences, the evidence for the vulnerability is certainly strong. It was demonstrated at the Ekoparty security conference last weekend, during which time presenter Ravi Borgaonkar also showed how a different code could even wipe your SIM card. See the video after the break for the evidence.

Update: Tweakers.net has been able to replicate the security hole on a Galaxy S Advance, while The Verge has confirmed that it works on both the Galaxy S II and the AT&T Galaxy S III. Samsung has told us it's looking into the issue.
