Geekzone: technology news, blogs, forums


wellygary

8328 posts

Uber Geek


#109782 26-Sep-2012 16:12

Looks like something peeps should know about...

How the hack works

Manufacturers like Samsung use special USSD codes that can be typed into the dial pad by end-users to make it easy for handset makers and telcos to do support over the phone with their customers. One such code - *#06# - is used to display a phone's IMEI number on the screen. Another code resets the phone.

What Borgaonkar discovered was that a person could craft a website with the reset code embedded - in Samsung's case *2767*3855# (do not type this into your phone!) - and get the code to automatically run when a user visited it.

A hacker could also exploit an affected phone by getting a user to scan a malicious QR code or by sending them a malicious SMS or NFC transmission.


http://www.stuff.co.nz/technology/gadgets/7732438/Security-risk-for-millions-of-Android-users

karit
84 posts

Master Geek


  #691788 26-Sep-2012 16:32

It happens on my Nexus One with 2.3.6.

https://dylanreeve.posterous.com/remote-ussd-attack has a link to http://dylanreeve.com/phone.php which will utilise the same security flaw but show you the IMEI number instead of wiping your phone. This will indicate if you are at risk when you visit that URL on your phone.

Current mitigation is to install an alternate dialer, e.g. https://play.google.com/store/apps/details?id=kz.mek.DialerOne is suggested in the link above and is what I currently have in place as a mitigation strategy.

Now just waiting for the QR codes and dodgy links to be placed around the place and start wiping phones. Hopefully this is exploited heavily and in the media so the Cellcos and Google start doing updates. Even minor patches e.g. 2.3.7 for instance. From what I read the fix/patch was written three months ago.............
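
The idea behind an intercepting dialer, as an added example that is not part of any post in this thread and is not the code of DialerOne or TelStop: decode the tel: URI, pass plain numbers through, and hold anything containing * or # for explicit confirmation. The function names and sample URIs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# RFC 3966 visual separators, plus the space seen in hand-written links.
SEPARATORS = str.maketrans("", "", " -.()")


def normalise_tel(uri):
    """Return the dial string a tel: URI would hand to the dialer, or None
    if the value is not a tel: URI. Percent-escapes are decoded once (so
    %23 becomes '#') and RFC 3966 parameters such as ;ext= are dropped."""
    uri = uri.strip()
    if uri[:4].lower() != "tel:":
        return None
    subscriber = uri[4:].split(";", 1)[0]
    return unquote(subscriber).translate(SEPARATORS)


def review_dial_request(uri):
    """Decide what an intercepting dialer should do with an incoming URI.

    'ignore'  - not a tel: URI, nothing to do
    'dial'    - ordinary phone number, pass through to the stock dialer
    'confirm' - contains * or #, i.e. a USSD/MMI code: show it and wait
    'reject'  - anything else (letters, leftover escapes, empty string)
    """
    dial = normalise_tel(uri)
    if dial is None:
        return "ignore"
    if re.fullmatch(r"\+?[0-9]+", dial):
        return "dial"
    if re.fullmatch(r"[0-9*#]+", dial):
        return "confirm"
    return "reject"


# Constructed samples; the only code used is the IMEI display code *#06#.
SAMPLES = [
    "tel:+64 4 123 4567",      # plain number with separators
    "tel:*%2306%23",           # *#06# with '#' percent-encoded
    "TEL:*#06#",               # same code, unencoded, upper-case scheme
    "tel:0800-123-456;ext=9",  # number with an RFC 3966 parameter
    "https://example.org/",    # not a tel: URI
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:30} -> {review_dial_request(s)}")
```

A double-encoded value such as `tel:*%252306%2523` still contains `%` after one decode pass and is rejected rather than decoded again.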



ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #691795 26-Sep-2012 16:38

Jelly Bean doesn't have the vulnerability from what I can gather; eg. GN with 4.1.1

karit
84 posts

Master Geek


  #691803 26-Sep-2012 16:46

ubergeeknz: Jelly Bean doesn't have the vulnerability from what I can gather; eg. GN with 4.1.1


From what I have read, 4.1.1 no, 4.1.0 yes. Though the test link above is a way to test; better to be safe than sorry, as just opening a web page that has a dodgy ad could trigger it with no user intervention.



DoggNZ
437 posts

Ultimate Geek
Inactive user


  #692014 27-Sep-2012 08:50

Roll on 2 Degrees 4.1.1!

karit
84 posts

Master Geek


  #692022 27-Sep-2012 08:59

DoggNZ: Roll on 2 Degrees 4.1.1!

Unfortunately the risk of the fix damaging the Cellco's network will be greater than having phones wipe themselves, so given experience I will guess you will have to buy a new one in six months or so when some models will have the update.

Though would be incredibly happy for a Cellco to prove me wrong. Hell they even may pick up new customers for actually showing due care around security seeing none currently take the security of their customers seriously.

karit
84 posts

Master Geek


  #692045 27-Sep-2012 09:40

MurrayM: Samsung offers up patch for Galaxy S3 remote wipe vulnerability

Vodafone, 2D and Telecom are you going to offer it though?

SIII update is all great but what about all the other phones that are at risk?

MurrayM
2456 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #692051 27-Sep-2012 09:50

Does anyone know if the telcos need to approve every little update, like this security patch, or if it's just the big updates?

I've just tried a "Check for updates" on my phone and nothing was found.

karit
84 posts

Master Geek


  #692061 27-Sep-2012 09:57

MurrayM: Does anyone know if the telcos need to approve every little update, like this security patch, or if it's just the big updates?

I've just tried a "Check for updates" on my phone and nothing was found.


The Cellcos have to approve every update be it minor or major and individually for each phone.

freitasm
BDFL - Memuneh
79294 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #692063 27-Sep-2012 09:59

"The company says that device owners can download an over-the-air update to fix the flaw."

We know this is available from Samsung, but for it to be applied telcos need to approve those. And for each model they sell. Not a quick process - and not guaranteed it will even happen.

And therein lies the whole problem. Your mobile is not your mobile. You have no control of patches and security updates like we have on a personal computer.






gzt
17140 posts

Uber Geek

Lifetime subscriber

  #692067 27-Sep-2012 10:02

I would guess every little update. The problem is they don't know if any given update will negatively affect some badly thought out kludge included in the distribution a particular phone is using and/or in some cases affect borkware the telco included in the phone when it was sold.

Android phone architecture is nothing like PC architecture where os and bios/hardware functions are neatly divided and segregated. That day will come but cheap is the order of the day and many competitors keeping a patch.

juha
1317 posts

Uber Geek

Trusted

  #692083 27-Sep-2012 10:19

I've got to say given the number of affected devices - and we don't yet know what a creative attacker can do with USSD codes that vary from device to device - the industry response has been remarkably casual. Good on Samsung for stepping up and issuing patches, but what about the rest?

Cutting millions of customers adrift in this manner is really bad.




MurrayM
2456 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #692084 27-Sep-2012 10:20

So if I switched to the international ROM then I'd get updates as soon as Samsung made them available and I wouldn't have to wait for my telco to approve it? Makes a good argument for switching, so far I've resisted switching to a custom ROM because I wanted to keep TouchWiz and all of the other Samsung stuff.

karit
84 posts

Master Geek


  #692093 27-Sep-2012 10:34

MurrayM: So if I switched to the international ROM then I'd get updates as soon as Samsung made them available and I wouldn't have to wait for my telco to approve it? Makes a good argument for switching, so far I've resisted switching to a custom ROM because I wanted to keep TouchWiz and all of the other Samsung stuff.


I doubt you will find the Samsung ROM (with Nexus One you could find the Google ROM which was nice as only Google had to approve it) though you could get a different carrier's version that was updated sooner, but then get their bloatware and default language. Plus say if using 2D and Snapper's touch 2 pay you mightn't get the additional drivers needed for that in the firmware (currently only 2D versions of the firmware have the additional drivers in the NZ market).

Then there are the third party ROMs and that is a different kettle of fish.

DoggNZ
437 posts

Ultimate Geek
Inactive user


  #692126 27-Sep-2012 11:23

karit:
MurrayM: So if I switched to the international ROM then I'd get updates as soon as Samsung made them available and I wouldn't have to wait for my telco to approve it? Makes a good argument for switching, so far I've resisted switching to a custom ROM because I wanted to keep TouchWiz and all of the other Samsung stuff.


I doubt you will find the Samsung ROM (with Nexus One you could find the Google ROM which was nice as only Google had to approve it) though you could get a different carrier's version that was updated sooner, but then get their bloatware and default language. Plus say if using 2D and Snapper's touch 2 pay you mightn't get the additional drivers needed for that in the firmware (currently only 2D versions of the firmware have the additional drivers in the NZ market).

Then there are the third party ROMs and that is a different kettle of fish.


That's the boat I'm in (2D and Touch2Pay)

Installed TelStop in the meantime and it appears to do the trick
