Samsung Galaxy S3 'vulnerable' to remote malicious reset

Summary: A single line of code embedded in a web page can be used to trigger a remote factory reset of some Samsung smartphones, including the Galaxy SIII and SII, a researcher has claimed.

Owners of Samsung Galaxy SII and SIII smartphones may want to take care when opening web links received via QR, NFC or push messages, after a security researcher showed that the handsets are potentially vulnerable to being remotely wiped.

Ravi Borgaonkar, a researcher in the Security in Communications department at Technical University Berlin, demonstrated the weakness at the Ekoparty security conference in Argentina last week.

According to Borgaonkar, the way the Galaxy SIII uses Unstructured Supplementary Service Data leaves it wide open to exploitation via a single line of malicious code embedded in a web page. Unstructured Supplementary Service Data, or USSD, is used to send messages between a phone and an application server.

The code can be used to trigger the reset for a Galaxy SIII, according to Twitter user @pof. Embedding it in a simple frame will automatically trigger a non-user initiated factory reset of the device, he added.

Simply browsing a website with the code embedded will not trigger the reset, but opening a message via QR, NFC or WAP Push SMS will. When the website link opens, it starts the wipe.

In a demonstration video taken during the Ekoparty security conference, Borgaonkar said that the vulnerability can be mitigated by switching off Samsung's 'Service Loading' feature.

Samsung had not responded to a request for comment at the time of writing.


About

With a psychology degree under his belt, Ben set off on a four-year sojourn as a professional online poker player, but as the draw of the gambling life began to wane his attentions turned to more wholesome employment. With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a s...
