Some Android phones possible to be wiped by a link

[air2004]

A full list of phones is presently being generated but it appears as though most things with Galaxy in the name need to be careful. The exploit itself appears to be quite simple and the result of a mismatch between different security systems (web browser being able to interact with the far reaching USSD codes system) rather than a more elaborate hack although it is still just as potent to that capable of being hit by it.
It is still very early days so there will be more information coming out over the coming hours and days.

Staff edit-
Suffice it to say any sharing of potentially damaging urls will be dealt with severely. If you are curious the source below links to a test page that will see your IMEI number displayed if you are vulnerable, you can visit the test site at http://dylanreeve.com/phone.php


techcrunch.com source

 

[emigre]

What an original title.

 

[Zetta_x]

Would you mind explaining a bit?

 

[Fear Zoa]

Sucks for samsung touchwiz users.
Thread title shouldn't be a link and if your going to post news you actually have to summarize the article and say somethight about it.

 

[Hop2089]

That needs to be fixed soon and although I read the article explain the link induced wipe issue in simple detail.

 

[chris888222]

He is talking about this:

http://m.techcrunch.com/2012/09/25/got-touchwiz-some-samsung-smartphones-can-be-totally-wiped-by-clicking-a-link/?icid=tc_home_art&

Here’s the exploit in a nutshell: a simple line of HTML (which we won’t be reproducing for obvious reasons) goads a vulnerable device into dialing a specific USSD code that triggers a full wipe/reset. According to SlashGear and The Next Web, vulnerable devices include the popular Galaxy S II and S III series, as well as the Galaxy S Advance, Galaxy Beam, and Galaxy Ace.

 

[SifJar]

Fairly poor OP. Anyway, this thread is about a recently publicised "exploit" in Samsung phones using the TouchWiz interface. There is a flaw in the browser of such devices which means that a malicious individual can easily craft a website that will dial any USSD code automatically (these are special codes you enter into your phone, usually followed by a #; one example is *#06# which will display your phone's IMEI code). The code in question here is a factory reset code, which will completely wipe your device.

It is also ridiculously easy to implement in a website. Including the following anywhere in the body of an HTML document will do the trick:

Yes, it's really that easy to completely wipe a Samsung phone. (Also note that this information is easily discoverable online; I happened across it in mere seconds when researching this.)

Anyone with a Samsung Android phone should follow this link (which is completely safe) to check if their phone is vulnerable: http://dylanreeve.com/phone.php If your phone displays the IMEI, it's vulnerable to this "exploit". If it doesn't, you are safe.

Details on prevention are here: http://dylanreeve.po...ote-ussd-attack (basically, install an unofficial dialer app such as Dialer One, but there are more details on that post).

 

[Just Another Gamer]

Interesting, oddly it doesn't affect me that much since I can't access the internet on my phone without access to a free WiFi hotspot.

 

[FAST6191]

I tweaked the opening post and title a bit although there is more to read on the source and eleswhere. An interesting hack, I had wondered if skype's browser phone number autoparser might have had something similar to this (before I nuked it for being annoying) as a potential hack and one I might not have thought to combine the two technologies to produce something like this.

 

[air2004]

Sorry for the fucked up post , was try to post from my phone and I messed up

 

[SifJar]

I just tested it on my phone (an HTC Sense device using the Dolphin browser) and it is also vulnerable. This problem is not exclusive to Samsung phones. I advise everyone tries the http://dylanreeve.com/phone.php test website and check if your IMEI is displayed, regardless of your phone. If your IMEI is displayed, installer Dialer One from the Play Store immediately (it's free). Even if you don't want to use it, having a second dialer installed will cause a prompt to appear when your phone tries to run a USSD code, asking which dialer to use. Either hit "back" at this point if you didn't click a link to dial a number (in which case it's probably malicious) or else set Dialer One to be the default (this will mean that in future, Dialer One will open in these situations, and this app will display the number, but not dial it until you tell it to).

 

[Hyro-Sama]

My phone is vulnerable. I have a Samsung Galaxy SII. Downloading the Dialer One app as I type this.

 

[Deleted-236924]

Define "displays your IMEI"?

When I follow the link, it opens the dialler on *#06#
Then nothing else.

Was it supposed to show my IMEI number in that white box in the page?

In which case I seem to be safe.

 

[Jamstruth]

Your phone is safe.
An unsafe phone would have automatically dialled that *#06# which is a code to display the IMEI on your phone. At least for most Samsung ones. Didn't work on my Galaxy Nexus when I dialled it.

 

[Deleted member 194275]

Someone please explain (in a way that even a dumb like me can understand) why it is dangerous for the user?

 

[SifJar]

Define "displays your IMEI"?

When I follow the link, it opens the dialler on *#06#
Then nothing else.

Was it supposed to show my IMEI number in that white box in the page?

In which case I seem to be safe.

A popup would appear with a longish number in it. What you described means your phone is safe. (If you're curious as to the "vulnerable" result, manually dial *#06# into your phone's dialer; this is perfectly safe and will display the popup, so you can see what a "positive" result looks like) EDIT: For reference on my phone it looks like this:

Someone please explain (in a way that even a dumb like me can understand) why it is dangerous for the user?

It allows someone to (extremely easily) create a website that will completely wipe your phone. Obviously they have to get you to visit the site, but once they do that, they can wipe everything.

 

[Minox]

So it seems I may have made the right choice when I opted not to go for a Samsung phone with Touchwiz.

I still wonder why a website can automatically insert a phone number into the phone number field without any user interaction whatsoever though.

 

[Deleted member 194275]

Someone please explain (in a way that even a dumb like me can understand) why it is dangerous for the user?

It allows someone to (extremely easily) create a website that will completely wipe your phone. Obviously they have to get you to visit the site, but once they do that, they can wipe everything.

One more dumb question. It is easy to make an app launch a website right?

So, it is easy to someone hack a paid app, for example, plants of zombies, and change a link from the popcap site to a hacked site. Then put this hacked app for free on internet. It is easy to do with this security problem?

 

[hatredg0d]

ouch, its seems to be bigger then Samsung. I was able to modify the html a bit and host a page that can launch the hidden menus on my HTC evo 3d without telling me it was going to dial a number. I can't confirm you can launch a feature of the menu's automatically though.

Here are the 3 secret htc menu codes i know about; *#*#4636#*#* *#*#3424#*#* *#*#8255#*#*

 

[Deleted-236924]

Maybe whether or not it works depends on the Android version?

Anyone who is vulnerable right now, what Android version are you on?