At the recent Ekoparty security conference, it was revealed that several Samsung devices are vulnerable to an exploit that wipes the phone and resets it to factory defaults. The vulnerable devices are the ones that run TouchWiz: popular handsets like the Galaxy S3, Galaxy S2 and Galaxy Ace are all susceptible to this attack. Devices running stock Android, like the Nexus S and Galaxy Nexus, are not vulnerable.

The exploit itself runs through a USSD (Unstructured Supplementary Service Data) code that, on certain Samsung phones, performs a factory reset and wipes the phone. USSD codes tend to be useful, for example for checking your balance or finding your IMEI number easily.

Phones running TouchWiz are vulnerable because of the dialer app that they come with. The Samsung dialer does not need the user to press Dial or Send after a USSD code is entered – it will simply run. This means that when the code is entered, it will execute and the phone will be wiped clean. But how does the code get onto the phone in the first place? There are a variety of ways.

  • Manually entering the code (don’t do that).
  • Visiting a malicious web page with an embedded iframe.
  • Scanning a QR code which takes you to said malicious web page.
  • Scanning an NFC tag which takes you to said malicious web page.

Of all of these, it’s the NFC option that’s potentially the most dangerous. All of the other ones require a somewhat deliberate sequence of actions by the user – perhaps unintentional, yet still deliberate. However, it is perfectly possible for your phone to be in your pocket, brush against a malicious NFC tag and then when you take it out of your pocket next – wiped. Everything. [For those of you who don’t know – NFC stands for Near Field Communication and if your phone has an NFC chip and comes into close proximity with a tag, it’ll run whatever the NFC tag tells it to, usually without a prompt.]

But is this actually possible? Definitely. Whilst we’ve not actually wiped a phone using an NFC tag, the theory is sound and we’ll now detail exactly how easily a hacker could create a malicious NFC tag to carry out this attack. Whilst we know the USSD code to wipe Samsung devices, we’re not going to tell you. If you’re here hoping to find out how to wipe your mate’s phone “fur teh lolz”, then go away.

    1. Create a web page containing an iframe like this: <iframe width="4" height="4" src="tel://USSD CODE//">
    2. Use freely available apps to write the URL for this page onto an NFC tag.
    3. Stick the tag anywhere unsuspecting people are likely to scan it out of curiosity or brush against it.

That really is it. Obviously, to be vulnerable to this attack your phone needs to have an NFC chip (not all that many do), but it’s still an example of why you should be careful when scanning QR codes or NFC-enabled posters. On devices that don’t have NFC, stay safe by not scanning unfamiliar QR codes. Samsung has pushed an update to some phones that fixes this, and again this isn’t something Nexus users have to worry about. Even if you’re fully patched, you should still heed the advice about unfamiliar QR codes and NFC tags. Below is a handy table if you’re not too up to speed with what chips and technology your phone has.
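A defensive check for the delivery method described above, added here as an example and not taken from the original article: this Python scanner flags `tel:` URIs that a page loads automatically (iframe, meta refresh and similar) and that carry `*` or `#` codes rather than a plain number. The function names and the sample page are constructed for illustration; the sample uses `*#06#`, the harmless IMEI-display code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# (tag, attribute) pairs a browser fetches on page load, with no tap needed.
AUTO_LOAD = {("iframe", "src"), ("frame", "src"), ("embed", "src"),
             ("img", "src"), ("object", "data")}
PLAIN_NUMBER = re.compile(r"^\+?[0-9 ().-]+$")  # anything else counts as a code

def classify_tel(uri):
    """'code' for USSD/MMI-style tel: URIs, 'number' for plain ones, else None."""
    if not uri.lower().startswith("tel:"):
        return None
    dialed = unquote(uri[4:]).strip("/")  # "%23" -> "#"; tolerate "tel://...//"
    return "number" if PLAIN_NUMBER.match(dialed) else "code"

class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, uri, kind, auto_loaded)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        is_refresh = tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh"
        for name, value in attrs.items():
            uri, auto = (value or "").strip(), (tag, name) in AUTO_LOAD
            if is_refresh and name == "content":
                # content="0;url=tel:..." redirects without user action
                uri, auto = uri.partition("=")[2].strip(" '\""), True
            kind = classify_tel(uri)
            if kind:
                self.findings.append((tag, uri, kind, auto))

def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    return scanner.findings

def high_risk(findings):
    # Auto-loaded tel: URI carrying a code: the delivery pattern the article describes.
    return [f for f in findings if f[2] == "code" and f[3]]

# Constructed sample page; *#06# is the harmless IMEI-display code, not a reset code.
SAMPLE = """<a href="tel:+442079460000">Call us</a>
<iframe width="4" height="4" src="tel://*%2306%23//"></iframe>
<meta http-equiv="refresh" content="0;url=tel:*%2306%23">
<img src="logo.png">"""

if __name__ == "__main__":
    for tag, uri, kind, auto in scan(SAMPLE):
        print(f"{tag:7} {kind:7} auto_loaded={auto}  {uri}")
```

An ordinary click-to-call link is reported as a plain number that is not auto-loaded, so only the iframe and the meta refresh end up in `high_risk`.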

Vulnerability Comparison