NEWS FROM THE LAB - Wednesday, September 26, 2012

Samsung TouchWiz Devices Vulnerable to Mischief Posted by Sean @ 11:58 GMT

Saw this tweet yesterday on Twitter:


The account is a parody… but the "tel:*2767*3855%23" is quite serious.

It's a reference to a "vulnerability" which exists on some versions of Samsung Android phones, those running Samsung's TouchWiz UI. (So, not Nexus.) And by vulnerability, we mean that some "genius" developed a feature to factory hard reset TouchWiz devices using an Unstructured Supplementary Service Data (USSD) code — without requiring a prompt from the user!

Because the stock dialer executes the code as soon as it is handed the tel: URI, there are numerous ways in which a device could be remotely targeted: anything that gets the phone to open a tel: link (a hidden frame in a web page, for example) is enough to run the service command.

The vulnerability was demonstrated by Ravi Borgaonkar last weekend at the Ekoparty security conference, which you can see here.

The good news is that Borgaonkar informed Samsung in June. Current versions of Galaxy S III firmware should not be vulnerable.

Remote wipe via iframe USSD trigger

Also good news: remote factory hard resets don't exactly have a profit motive. So this isn't something anybody will likely ever see in the wild. But still, if you have a Samsung running TouchWiz, make sure you update to the latest firmware.

Also, other vendors' phones could be subject to similar issues. One workaround to consider is a third-party dialer app, so that a tel: link handed over by the browser lands in a dialer that asks before dialing rather than one that runs the code immediately.

Updated to add: The Verge reports that the remote wipe flaw is not limited to Samsung phones.

We have also found in our own tests that successful exploitation is browser dependent.

For example, our Mobile Security includes a Safe Browser which doesn't support the "tel:" URI scheme at all.

F-Secure Mobile Security, Safe Browser

So, a malicious tel: frame fails, rather than launching the phone's dialer.

Also, tel: appears to be unsupported by Chrome for Android.
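The Safe Browser's blanket refusal of tel: is one end of the spectrum; a browser or dialer can also be selective. The following is an added example, not code from the original post or from F-Secure: it scans an HTML fragment for tel: triggers in href/src attributes (the iframe vector described above) and classifies each the way a hardened dialer might, letting plain dial strings through and refusing anything that percent-decodes to an MMI/USSD service code (anything containing `*` or `#`). The function names, the attribute regex and the sample HTML are assumptions made for this example; the only value taken from the post is the `*2767*3855%23` code itself.

```javascript
// Added example (not from the F-Secure post): classify tel: URIs the way a
// hardened dialer or browser might, refusing USSD/MMI service codes while
// still allowing ordinary click-to-call links.

// Strip the scheme, percent-decode, and drop visual separators so that
// "tel:+358-9-123456" and "tel:%2B3589123456" compare equal.
// Returns null if the string is not a tel: URI or is badly percent-encoded.
function decodeTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(uri.trim());
  if (!m) return null;
  let number;
  try {
    number = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed %-escape: refuse rather than guess
  }
  return number.replace(/[\s().-]/g, '');
}

// Policy: plain digits (optionally with a leading +) may be dialed;
// anything containing '*' or '#' is an MMI/USSD code and is refused.
function classifyTel(uri) {
  const number = decodeTelUri(uri);
  if (number === null) return { allowed: false, reason: 'not a tel: URI' };
  if (/[*#]/.test(number)) return { allowed: false, reason: 'MMI/USSD code', number };
  if (!/^\+?\d{3,15}$/.test(number)) return { allowed: false, reason: 'not a plain dial string', number };
  return { allowed: true, reason: 'plain number', number };
}

// Find every href= or src= attribute carrying a tel: URI in an HTML fragment
// (hypothetical helper; a real browser would hook its URI handler instead).
function findTelTriggers(html) {
  const re = /\b(href|src)\s*=\s*(["'])(tel:[^"']*)\2/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ attr: m[1].toLowerCase(), uri: m[3], ...classifyTel(m[3]) });
  }
  return found;
}

// Constructed sample of the attack pattern from the post: a benign
// click-to-call link next to a hidden iframe whose src is the reset code.
const SAMPLE_HTML = `
<a href="tel:+358-9-123456">Call us</a>
<iframe src="tel:*2767*3855%23" style="display:none"></iframe>
`;

function demo() {
  const results = findTelTriggers(SAMPLE_HTML);
  for (const r of results) {
    console.log(`${r.attr}=${r.uri} -> ${r.allowed ? 'DIAL' : 'BLOCK'} (${r.reason})`);
  }
  return results;
}

demo();
```

Note that the check runs on the decoded string: `tel:%2A2767%2A3855%23` is refused just like the literal form, which is the case a filter on the raw URL text would miss.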