Samsung Fixes Remote Wipe Flaw in Galaxy S III Smartphones

ID THREATPOST:D8CD11134AF65A33855EA816078F9167
Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:31:28


Smartphone developer Samsung has reportedly fixed a flaw in one of its newest phones, the Galaxy S III, that allows attackers to remotely wipe the phone’s contents.

The patch addresses a flaw presented at the Ekoparty Security Conference in Argentina late last week that showed how easy it was to remotely reset an S III phone and apparently kill the phone’s SIM card. Ravi Borgaonkar, a researcher in the Security in Telecommunications department at the Technical University Berlin, demonstrated an attack that exploited Unstructured Supplementary Service Data (USSD). USSD code is essentially a series of numbers used by mobile service providers to relay messages to GSM phones.

In his talk, which can be seen online here, Borgaonkar showed how a line of USSD code that resets the device to its factory condition could be sent to a phone via NFC, QR code, SMS, or web link. According to reports, the problem lies in the way the phone’s TouchWiz touch interface handles the codes and may affect more phones than the Galaxy S III. Borgaonkar also claims a separate set of code can be sent to wipe out a phone’s SIM card. Both attacks take less than three seconds.

A post on Samsung’s Belgian Twitter account yesterday says the issue is being taken seriously and that concerned users can install a firmware update. Meanwhile, an official statement Samsung gave AOL’s Engadget claims the issue “has already been resolved.”