
September 26, 2012

Hidden web code means hackers 'can wipe Samsung Galaxy S3'

Malicious hackers can hide a code in a web page that will trigger a full factory reset of Samsung’s best-selling Galaxy S3 smartphone, deleting contacts, photographs, music, apps and other valuable data, security researchers have discovered.


The code, now circulating freely online and comprising just 11 digits and symbols, was revealed at a computer security conference in Argentina.

Ravi Borgaonkar, a researcher based at the Technische Universität Berlin, demonstrated how the code can be embedded in the HTML code of a web page.

If an unsuspecting Samsung Galaxy S3 owner visits such a page, their smartphone will be restored to its factory settings without permission or any input from them.

The whole attack takes just two or three seconds and once launched there is nothing a Samsung owner can do to stop it, Mr Borgaonkar said.

Samsung faced calls to issue an immediate software update to address what experts described as a "major security vulnerability".

The Galaxy S3, introduced in May, is Samsung's flagship and the main rival to Apple's iPhone, with global sales of more than 20 million.

The demonstration drew gasps and applause from assembled security experts. It raises the threat that malicious hackers could trick Samsung smartphone owners into wiping gigabytes of data, simply by clicking a link.

The code can also be embedded in a malicious text message, or called up in the web browser by a QR code or NFC tag, according to Mr Borgaonkar’s presentation.

As well as on the Galaxy S3, the code will also trigger a factory reset on the Galaxy S2 and other devices that use the Korean firm’s version of Google’s mobile operating system, Android. All use Samsung's "TouchWiz" interface.

Devices from other Android manufacturers appear to be unaffected, Mr Borgaonkar explained. “It’s possible to exploit this attack only on Samsung devices,” he said.

Galaxy S3 owners who tested the code confirmed on Twitter that it wiped their handset, though some who use Google's Chrome browser said it would not automatically run the code, unlike the browser packaged with the device.

Pau Oliva, a Spanish telecoms engineer and security blogger who tested the attack, demanded to know “what were Samsung engineers smoking when they set a code to do a factory reset?”

“This will hard reset the phone, no user confirmation needed,” he said.

"Yes, you can remotely wipe any friend's Galaxy S3 now."

Mr Borgaonkar said he had uncovered more codes built into Samsung devices that could be used in other attacks but said he did not want to reveal them because they could be useful to criminals.

One code will “kill the SIM card”, he said, adding that the only way to guard against the attacks is to switch off "service loading" in settings, and disable QR code and NFC apps.

The codes conform to a protocol known as USSD, which is normally used by mobile phone operators to provide basic services such as pre-pay top-up.

Rik Ferguson, director of research at Trend Micro, a computer security firm, said the disclosure of the vulnerability would be "painful" for Samsung.

"If I were in Samsung's shoes, I would absolutely want my engineers looking at this and coming up with a patch as soon as possible," he said.

"At the very least it represents a remote 'way in' to the device, and who's to say it couldn't lead to further code execution, at which point it becomes very criminally interesting.

"Most phones have vulnerabilities and are open to attack but criminal interest right now is focussed on the Android platform, as it offers criminals the majority market-share in terms of devices and crucially the avenue of least resistance when it comes to attacks."

Samsung representatives did not respond to requests for comment.

telegraph.co.uk
