Tuesday, September 25, 2012

Android dialer vulnerability could lead to your device being remotely wiped

Android phones are vulnerable to being wiped without warning, due to a flaw in the way the dialer handles USSD codes. Originally thought to be limited to Samsung phones with the TouchWiz UI, Dylan Reeve notes that the issue exists on other handsets as well.

USSD codes are the codes that you type into your handset and "dial" in order to display certain information (such as *#06#, which is used to display a phone's IMEI number). A USSD code can also be used to wipe a device. That's where the issue on Android comes into play.

In Android's case, a USSD code given with the tel: URL prefix can cause the phone's dialer to dial that code automatically, with no confirmation from the user. If the USSD code is a harmful one, like the one that wipes the device ... well, you get the picture. Such a link can be embedded in a web page or sent as a link.
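For anyone reviewing web content or mail for this kind of link, the following added scanner (not part of the original post) pulls every tel: URI out of an HTML snippet and flags the ones whose target looks like a USSD code rather than a phone number. It uses only the Python standard library, decodes URL-encoded characters (a hidden *#06# can be written as %2A%2306%23), and the sample HTML is constructed for illustration using the harmless IMEI code from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A USSD-style code starts with * or # and ends with #, with only digits,
# * and # in between. Ordinary phone numbers never match this pattern.
USSD_RE = re.compile(r"^[*#][*#0-9]*#$")


def is_ussd(target: str) -> bool:
    """True if a tel: target, after URL-decoding, looks like a USSD code."""
    return bool(USSD_RE.match(unquote(target).strip()))


class TelLinkScanner(HTMLParser):
    """Collects every attribute value that carries a tel: URI (href, src, ...)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and value.strip().lower().startswith("tel:"):
                target = value.strip()[4:]
                self.findings.append({
                    "tag": tag, "attr": name,
                    "target": unquote(target), "ussd": is_ussd(target),
                })


def scan_html(html: str) -> list:
    """Return all tel: URIs found in the markup, each marked as USSD or not."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    return scanner.findings


def flag_ussd_links(html: str) -> list:
    """Return only the tel: URIs whose target is a USSD-style code."""
    return [f for f in scan_html(html) if f["ussd"]]


# Constructed sample: one legitimate phone link, one encoded USSD link in an
# anchor, and the same code in an element that could load without a click.
SAMPLE_HTML = """
<a href="tel:+15551234567">Call support</a>
<a href="tel:%2A%2306%23">Click for a surprise</a>
<iframe src="tel:*%2306%23"></iframe>
"""

if __name__ == "__main__":
    for finding in flag_ussd_links(SAMPLE_HTML):
        print(f"USSD link in <{finding['tag']} {finding['attr']}>: {finding['target']}")
```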

According to Reeve, Samsung has known about the flaw for months and has corrected the issue in its latest 4.0.4 build. It's unclear what the exact build version for that would be. Since others say that Jelly Bean builds don't have the issue, and since the GS3 is starting to get that update rolled out to it, the vulnerability could be patched - at least on those handsets - soon.

Reeve also indicated that the issue is not isolated to Samsung phones.

There's another fix, too. Since Android allows alternative dialers to be installed, an end user could install a different one that doesn't have the vulnerability. Dialer One was cited as an app in Google Play that did not have the issue.

There are probably more, but at the very least users can rely on that one app.

The embedded video shows the vulnerability being demonstrated, at about 9 and a half minutes into the video.
