Android vulnerability explained

Not really USSD

Hi,

Technically, the original article is incorrect to refer to the star/hash-codes as USSD (e.g. *#06# to get your IMEI). USSD makes use of a signalling channel between the phone and the network and is initiated by dialing a service code such as *100# (on Vodacom, for example). The exploits do not use USSD, but they do use locally enabled star/hash-codes on the phone.

As Jan Vermeulen correctly points out, real USSD still requires you to hit the dial button and does not immediately execute when the code is entered.

I've confirmed that the exploit also does not work on the Motorola DROID3, and a few other Moto devices are also immune. But it's still a nasty hole indeed for unpatched S3s.

--deckert
 
As Jan Vermeulen correctly points out, real USSD still requires you to hit the dial button and does not immediately execute when the code is entered.

What's interesting is that the Samsung wipe code has the form of a USSD code (*2767*3855# - don't type this into your Samsung phone; the XDA guys say it factory _formats_ the device - you'll lose all the data on the device and not just the installed apps and settings) and there are reports of it running anyway.

I've confirmed that the exploit also does not work on the Motorola DROID3, and a few other Moto devices are also immune. But it's still a nasty hole indeed for unpatched S3s.

Thanks for the feedback.

Various guys have written various tests for this, and I've set up a few pages on my own webserver to run tests, but it seems to me that these tests aren't too reliable unless you're testing the actual factory format code.

Unfortunately I don't have a non-Nexus Samsung device to test with, but if anyone wants to run the tests anyway I'll publish links to the pages I've written. They basically test for remote execution of the *#*#nnnn#*#* type codes, and then I've also written one that tests for remote execution of a MTN contract USSD code (*162#).
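An added illustration of the distinction drawn in this thread between locally handled star/hash codes and real network USSD. This is not code from the thread or from any of the test pages the posters mention; the regular expressions are approximations of the Android secret-code and GSM MMI/USSD string shapes, and the `safe_to_autodial` policy is a suggested hardening for a dialer that receives a number from outside (a link or intent), not a description of the actual July patch. The only vendor-local code listed is the Samsung factory-format code quoted above, and it must never be dialed.

```python
import re

# Android "secret codes": *#*#<digits>#*#*. The stock dialer turns these into a
# local broadcast on the handset and never sends them to the network.
SECRET_CODE = re.compile(r"^\*#\*#(\d+)#\*#\*$")

# GSM MMI codes the handset answers itself, e.g. *#06# (show IMEI).
MMI_LOCAL = {"*#06#": "show IMEI"}

# Vendor codes that have USSD form but are executed locally by the firmware.
# Only the Samsung factory-format code from the thread is listed. Never dial it.
VENDOR_LOCAL = {"*2767*3855#": "Samsung factory format (destructive)"}

# Anything else shaped like *NNN# or *NNN*field*field# is treated as network
# USSD: the string reaches the network only after the user presses SEND.
# (Approximation of the 3GPP string format, assumed here for illustration.)
USSD_FORM = re.compile(r"^[*#]{1,3}\d+(?:\*[^*#]*)*#$")

# An ordinary phone number: optional +, digits only, no * or # at all.
PLAIN_NUMBER = re.compile(r"^\+?\d{1,15}$")


def classify(dial_string):
    """Return (kind, executes_locally, description) for a dial string.

    Order matters: the local MMI and vendor codes also match USSD_FORM, so they
    are recognised before the generic USSD check.
    """
    s = dial_string.strip()
    m = SECRET_CODE.match(s)
    if m:
        return ("secret_code", True, f"local broadcast of secret code {m.group(1)}")
    if s in MMI_LOCAL:
        return ("mmi_local", True, MMI_LOCAL[s])
    if s in VENDOR_LOCAL:
        return ("vendor_local", True, VENDOR_LOCAL[s])
    if USSD_FORM.match(s):
        return ("ussd", False, "network USSD; requires SEND")
    if PLAIN_NUMBER.match(s):
        return ("number", False, "ordinary call")
    return ("unknown", False, "not a recognised dial string")


def safe_to_autodial(dial_string):
    """Suggested policy for numbers that arrive from outside the dialer (web
    links, intents): only a plain phone number may be placed without the user
    pressing SEND. Every star/hash string, whether it would run locally or go
    to the network as USSD, is displayed in the dial field but not executed."""
    return classify(dial_string)[0] == "number"


if __name__ == "__main__":
    # *#*#4636#*#* is the stock Android testing-menu code; the others are from
    # the thread above. None of these strings is dialed here, only classified.
    for code in ["*#*#4636#*#*", "*#06#", "*2767*3855#", "*162#", "*100#", "+27821234567"]:
        kind, local, what = classify(code)
        print(f"{code:14} {kind:12} local={local!s:5} autodial={safe_to_autodial(code)!s:5} {what}")
```

The point the table makes when run is the one deckert raises: the codes that cause damage without a SEND press are exactly the ones marked `local=True`, and a dialer that refuses to auto-execute anything containing `*` or `#` closes the hole regardless of whether the string is an Android secret code, a GSM MMI code, or a vendor code dressed up in USSD form.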
 
It's to do with the TouchWiz launcher.
I think the only people it will affect are Vodacom-branded handsets, as they still only have the May 4.0.4 firmware without the brightness slider on the notification shade.

Vodacom leading the pack once again!
 
It's to do with the TouchWiz launcher.
I think the only people it will affect are Vodacom-branded handsets, as they still only have the May 4.0.4 firmware without the brightness slider on the notification shade.

Vodacom leading the pack once again!

Not everyone is convinced that it's to do with the TouchWiz launcher, which is why I did this article. Based on the Android patch linked to in the article, it looks like the vulnerability was only fixed in the stock dialler in July.

However, other device manufacturers don't seem to support the factory format code I posted above (not going to post it again for fear of someone trying it out and blaming me).

So the vulnerability in the diallers is there, but there's no secret code for a script kiddie to use to wipe your phone with unless you're on a Samsung.
 

Also mentioned in the article: The Verge reported they could still remote-wipe an AT&T SGS3. One assumes that SA's less carrier-customised devices would already have received the update, but Samsung haven't responded to my queries and I don't have an SGS3 to test with.

I have the exploit code hosted on my webserver, so if anyone wants to volunteer their Samsung device, I'm willing to volunteer a link. By PM, to protect the less savvy, of course.

Samsung also doesn't mention any other Galaxy device, a number of which were reported as vulnerable in the original demonstration: http://www.youtube.com/watch?v=Q2-0B04HPhs
 
"Samsung haven't responded" Typical, but not as bad as LG.

I don't understand, is my Galaxy S II (running ICS 4.0.3) and my Galaxy Tab P1000 (2.3.?) affected?
 
I don't understand, is my Galaxy S II (running ICS 4.0.3) and my Galaxy Tab P1000 (2.3.?) affected?

Probably, and most likely respectively. Would you like to submit your devices for testing? :D

I have non-destructive tests we can run as a first-order check if you want...
 
Meh, I tried it manually on my S3 and via the HTML code on a quick site I made, and it doesn't do anything.
 
Probably, and most likely respectively.

I have non-destructive tests we can run as a first-order check if you want...

S II was bought from 8ta and Galaxy Tab from MTN. Does that make a difference, since people are posting about Vodacom ...


Would you like to submit your devices for testing? :D
My head is spinning so much right now (flu), if you were in front of me I might agree to whatever, without knowing what you're talking about.

/ off to bed :whistle:
 
So how does a Samsung-only exploit get classified as a general Android vulnerability?
 