TouchWiz and browser vulnerability can wipe or reset your phone with a single click

September 25, 2012

Samsung smartphone users beware. It seems the custom TouchWiz skin found on most Samsung Galaxy smartphones is vulnerable to an attack that can wipe out the phone’s entire contents, including even the SIM data. And this can be done in only one click.

GigaOM reports how only a single line of HTML can do that much damage. As demonstrated by Ravi Borgaonkar at the Ekoparty security conference, the attack involves tapping a link that executes a data wipe command via the TouchWiz phone dialer.

The report is entitled “Dirty use of USSD Codes in Cellular Network,” and in it Borgaonkar discusses various other means of attacking smartphones and data using USSD commands.

If you’re a Samsung user, you may be familiar with how you can execute all sorts of commands and diagnostics through codes entered in the dialer. The exploit involves directly keying in those commands via a link, and no user intervention is required other than tapping the link, since TouchWiz automatically dials these codes. Check out the video demonstration below for an example.

Borgaonkar says this code can even be executed through an NFC wireless transfer or through a QR code, which makes Sammy phone users vulnerable to social engineering attacks that involve tapping or otherwise loading a link.

As an update to the report, Android Police says the vulnerability is not with Samsung phones per se, but with the stock Android browser itself.

The fact is, this is not a Samsung problem, it’s an old Android problem that has been known about for some time. More recent versions of Android avoid the wipe issue, but unpatched devices (like some Samsung phones) may still be vulnerable.

This means the issue can also be replicated on non-Samsung phones, as long as these use unpatched versions of the Android browser.

So far, the issue can be reproduced on these Samsung phones: Galaxy S Advance, Galaxy S2, Galaxy Beam, and Galaxy Ace, among others. Android Police says smartphones that have already been patched, or those that don’t use TouchWiz, are not vulnerable. For instance, the hack does not work on the Galaxy Nexus, since it runs vanilla Android without custom skins.
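The defensive counterpart to the link-to-dialer mechanism described above, as an added example that is not part of the original article: a check that a link scanner or filtering layer could apply to page markup so that only ordinary phone numbers are handed to the dialer. The function names and the sample markup are assumptions made for illustration.

```javascript
// Added example (not from the article): flag tel: links that carry dialer
// codes rather than an ordinary phone number. Sample markup is constructed.

// Return the percent-decoded text after "tel:", or null if not a tel: URI.
// A malformed escape yields undefined so the caller can fail closed.
function telPayload(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return undefined;
  }
}

// 'not-tel' : not a tel: URI
// 'plain'   : only digits and common separators, optional leading +
// 'code'    : contains * or #, the characters used in USSD and MMI codes
// 'unknown' : anything else, including undecodable input (treated as unsafe)
function classifyTelUri(uri) {
  const payload = telPayload(uri);
  if (payload === null) return 'not-tel';
  if (payload === undefined) return 'unknown';
  if (/[*#]/.test(payload)) return 'code';
  return /^\+?[\d\s().-]+$/.test(payload) ? 'plain' : 'unknown';
}

// Collect every quoted attribute value that is a tel: URI and is not 'plain'.
function findRiskyTelLinks(html) {
  const risky = [];
  const attr = /=\s*(["'])(\s*tel:[^"']*)\1/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const kind = classifyTelUri(m[2]);
    if (kind !== 'plain') risky.push({ uri: m[2].trim(), kind });
  }
  return risky;
}

// Constructed sample page. *#06# is the standard code that only shows the IMEI.
const samplePage = `
  <a href="tel:+1-555-0100">Call support</a>
  <a href="tel:*%2306%23">Tap here</a>
  <iframe src="tel:*#06#"></iframe>
  <a href="tel:%zz">broken</a>`;

console.log(findRiskyTelLinks(samplePage));
```

Percent-decoding before the test matters because `#` normally has to be written as `%23` inside a URI, and anything that is not a plain number is flagged so that unexpected encodings fail closed.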
