X

Samsung smartphones vulnerable to remote data wipe

Code that's making the rounds on the Internet could trigger a factory reset on the handsets without warning, a security researcher discovers.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
See full bio
Steven Musil
2 min read
Samsung's Galaxy S3.
Samsung's Galaxy S3. Samsung

Owners of the Samsung Galaxy S2 and S3 may be vulnerable to a flaw that could allow their personal data to be deleted from their device, a security researcher has discovered.

The malicious code, which is now circulating on the Internet, could trigger a factory reset of the popular handsets, according to Ravi Borgaonkar, a researcher in the Security in Communications department at Technical University Berlin, who demonstrated the vulnerability at the Ekoparty security conference in Argentina last week (see video below).

The flaw lies in the way Samsung's TouchWiz UI interacts with unstructured supplementary service data (USSD) codes, which execute commands on the handset's keypad. While most dialers require the user to hit the "send" button to complete the code, Samsung's does not, Borgaonkar said.

He showed how the flaw could be exploited on a Samsung Galaxy S3 via a single code embedded in a Web link, QR code, NFC connection, or SMS, supplying the correct factory reset code to wipe the device without warning the owner or asking for permission.

Borgaonkar also said it was possible to lock the SIM card, preventing owners from using many of the device's features. However, attacks can be prevented by turning off "service loading" in settings and disabling QR code and NFC apps, he said.

Samsung appears to be the only Android smartphone maker affected by the flaw, Borgaonkar said.

"It's possible to exploit this attack only on Samsung devices," he said.

Samsung said it has issued a software update to address the issue on the Galaxy S3 and is evaluating whether other models were affected.

"We believe this issue was isolated to early production devices, and devices currently available are not affected by this issue," the company said in a statement. "To ensure customers are fully protected, Samsung advises checking for software updates through the 'Settings: About device: Software update' menu. We are in the process of evaluating other Galaxy models."

Updated 9/26 at 9:35 a.m. PT with Samsung comment.