If you own a Samsung smartphone from a U.S. cell phone operator, you may want to avoid using the Internet until your carrier patches a pretty simple flaw that would let an attacker reset your phone.
On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD code for a factory reset. USSD codes are commands that are executed by entering them in your keypad—for instance if you dial #*#INFO"*" you can access certain menu settings. For every Samsung phone running Touchwiz, there's a unique set of USSD codes that performs various commands.
The problem appears to lie within both the Samsung dialer and Touchwiz's stock Android browser. Unlike most dialers, Samsung's automatically makes the call while others still require the user to hit "send." Borgaonkar noted that the code can be sent from a website or pushed to the handset by a Charlie Miller-like NFC attack, or through a malicious QR code, in which case absolutely no user interaction is necessary.
But here's the kicker.
Shankar told Security Watch that he'd disclosed the vulnerability to manufacturers and carriers in June, and a patch for the firmware was quickly released. But to date, only Google and certain European carriers have sent an over-the-air update to device owners. Hardware manufacturers, including Samsung, have applied the update to their phones as well. So if you buy an unlocked Samsung Galaxy S III from a Samsung store today, you're safe.
"I decided to go public because everyone has the patch now, they've just been sitting on it for months," Shankar said. "It's the duty of carriers to make sure everyone's devices are safe."
There's no mitigation strategy yet for most carrier-tied Samsung owners, though TeamANDIRC says AT&T Galaxy S III devices were patched last week.
Check If Your Phone's Safe
We've reached out to all the U.S. carriers and will update the article once they respond. Meanwhile, Shankar also created a test that lets you check if your Android device is vulnerable. Click here from your phone. If you can see your IMEI (like on the Verizon GSIII pictured above), Borgaonkar advises, tongue in cheek, to disconnect from the Internet.
For more from Sara, follow her on Twitter @sarapyin.
No hay comentarios:
Publicar un comentario