

USSD code to factory data reset a Galaxy S3 can be triggered from an HTML page - EwanToo
http://www.exquisitetweets.com/collection/tomscott/1762

======
tomscott
Hello. I'm the guy who put this collection together. I've since tried to
update it, and to hit 'delete' on it to avoid spreading misinformation, but
Exquisite Tweets is still caching the original version. Mea culpa: I didn't do
the research before passing it on.

There's been a lot of back-and-forth over whether it's true or not (check
@pof's timeline for such), and a hell of a lot of people sending it on without
double-checking. Myself included.

There is clearly a big security bug here (see the video linked), but it's
extremely questionable as to whether it can be activated from a web page or
whether it requires a bit of social engineering too!

[Edited to add: and just as I write this, @jwheare has cleared the cache and
fixed the bug in Exquisite Tweets. Hopefully that should nip this in the bud.]

~~~
forgotusername
I tried reproducing it using a "USSD" that works on my venerable Nexus One
(radio debug - * # * # 4636 # * # *), but on entering the dialler app the input
box is empty. This might simply mean the debug activity was started and got
focus before the dialler app had its focus set, so if another such code
triggered a factory reset, it might definitely still work.

------
GICodeWarrior
I created an Android app to intercept these requests and prevent them.
[https://dl.dropbox.com/s/28lk6rn09x84qqg/AutoResetBlocker.ap...](https://dl.dropbox.com/s/28lk6rn09x84qqg/AutoResetBlocker.apk?dl=1)

Please test it and make sure it works for you.

    
    
  1. Open the above link on your phone
  2. Install the application (it requires no special permissions)
  3. Try this IMEI test: http://jsfiddle.net/kKFn8/
  4. Check the box to make "Auto-Reset Blocker" the default action
  5. Auto-Reset Blocker will show you the malicious number
  6. Open this safe telephone number test: http://jsfiddle.net/tLHpw/
  7. Auto-Reset Blocker will show the safe number and you will be asked which dialer to use
  8. Select your normal dialer
  9. Your normal dialer will open with the safe number
    

Again, please give it a try. If people like it, I will see about setting up an
Android Market account to distribute it.

~~~
nl
This seems to work, but I couldn't get the JSFiddles to make it trigger.

May I suggest pointing people to a simple webpage (like
<http://kristofferr.com/samsung.html>) maybe more user-friendly?

~~~
GICodeWarrior
Yeah, I am not sure why the JSFiddle would work on one phone and not another,
but it is definitely an issue.

I might try putting tel: links (for people to tap on) directly into the
marketplace description.

------
forgotusername
Page text was:

    
    
    the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be
    triggered from browser like this: <frame src="tel:*2767*3855%23" />

~~~
andrewcooke
does that mean premium rate numbers can also be triggered?

~~~
forgotusername
The special feature of these "pseudo USSD" codes on Android is that you don't
have to press the call button. Simply typing the digits is enough. Note I have
no idea if this particular attack actually works.

~~~
ajross
This predates Android by years. Special "phone number" codes have been used to
control firmware since the very first computer went into a phone. The reason is
fairly clear: in the early devices, dialing a number was the only UI metaphor
available. USSD itself is actually a standard, such as it is:
[http://en.wikipedia.org/wiki/Unstructured_Supplementary_Serv...](http://en.wikipedia.org/wiki/Unstructured_Supplementary_Service_Data)

Now, of course, it's just a bit of legacy nonsense that gets left enabled
simply because it's part of an existing workflow and serves mostly as a hidden
gotcha for people doing security analysis.

~~~
spauka
In this case, the USSD is not the bug. The fact that it can be triggered from
HTML and cause a factory reset without user interaction is the bug. At least
with older phones, after entry, it was necessary to hit dial before any effect
was taken.

~~~
ajross
That's true, but sort of missing my point. Security bugs are very rarely
"security bugs" in isolation. They're far more often unexpected interactions
between subsystems. Here, the expectation of the browser is that it can fire a
"phone number" Intent securely, because the dialer app will handle it. But the
phone number intent also happens to hook to the USSD layer. It's not USSD's
"fault", as the check needs to be in the browser according to the
architecture. But USSD remains a booby trap because it's an unexpected legacy
feature with surprising security behavior.
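
The mechanism discussed above (a tel: URI in a frame's src reaching the dialer's URL handler, with %23 decoding to '#') and the interception approach GICodeWarrior's app takes, as an added example that is not code from the thread, from Samsung, or from the AutoResetBlocker app: a scanner that percent- and entity-decodes tel: URIs found in HTML attributes and separates ordinary numbers from MMI/USSD-style codes (anything containing '*' or '#'). The sample HTML is constructed; the two codes it contains are the ones quoted in the thread. The "prompt for plain numbers, block MMI strings" policy is an assumption of mine, modelled on the prompt-before-calling approach the thread discusses, not a description of what any browser or dialer actually does.

```javascript
// Added example; not code from the thread, from Samsung, or from the
// AutoResetBlocker app. Finds tel: URIs in HTML attributes, decodes them
// the way a URL handler would (%23 -> '#', &#42; -> '*'), and separates
// ordinary numbers from MMI/USSD-style codes, which the affected dialers
// run as soon as the last character is entered.

const FACTORY_RESET_CODE = '*2767*3855#'; // destructive code quoted in the thread
const IMEI_CODE = '*#06#';                // non-destructive code quoted in the thread

// Elements whose src is fetched on page load. A tel: URI in one of these
// reaches the URL handler with no tap; in an <a href> the user must tap it.
const AUTOLOAD_TAGS = new Set([
  'frame', 'iframe', 'embed', 'object', 'img', 'script', 'video', 'audio', 'source',
]);

// Decode numeric character references (&#NN; and &#xHH;) so that an
// entity-encoded '*' or '#' cannot slip past the tel: check below.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Return the dial string of a tel: URI (scheme stripped, percent-decoded,
// visual separators removed), or null if the value is not a tel: URI.
function telTarget(value) {
  const m = /^\s*tel:(.*)$/i.exec(decodeEntities(value));
  if (!m) return null;
  let dial;
  try {
    dial = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-escape; nothing a dialer would accept
  }
  return dial.replace(/[\s().-]/g, '');
}

// 'plain': optional '+' and digits only. 'mmi': anything containing '*' or '#'
// (the MMI/USSD syntax both the reset code and the *#06# IMEI query use).
function classifyDial(dial) {
  if (/^\+?\d+$/.test(dial)) return 'plain';
  if (/[*#]/.test(dial)) return 'mmi';
  return 'invalid';
}

// Assumed policy for a browser or an intercepting dialer activity: show an
// ordinary number to the user and ask before dialling; refuse MMI/USSD strings.
function decide(dial) {
  return classifyDial(dial) === 'plain' ? 'prompt' : 'block';
}

// Scan HTML for tel: URIs in src/href/data/action attributes. Uses regexes
// on tag text rather than a DOM so it runs in plain Node.
function scanHtml(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /\b(src|href|data|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const t of html.matchAll(tagRe)) {
    const tag = t[1].toLowerCase();
    for (const a of t[2].matchAll(attrRe)) {
      const raw = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      const dial = telTarget(raw);
      if (dial === null) continue;
      findings.push({
        tag,
        attr: a[1].toLowerCase(),
        dial,
        kind: classifyDial(dial),
        autoload: AUTOLOAD_TAGS.has(tag),
        decision: decide(dial),
        knownReset: dial === FACTORY_RESET_CODE,
      });
    }
  }
  return findings;
}

// Constructed sample page. Line 1 is the exploit line quoted in the thread;
// the rest are encodings and element types a tester would want caught.
const SAMPLE_HTML = [
  '<frame src="tel:*2767*3855%23" />',
  '<a href="tel:*%2306%23">show IMEI</a>',
  '<iframe src="TEL:&#42;%231234%23"></iframe>',
  '<a href="tel:+1 (555) 010-0100">call us</a>',
  '<img src="/logo.png" alt="tel:*2767*3855#">',
].join('\n');

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`${f.tag}[${f.attr}] ${f.dial} kind=${f.kind} autoload=${f.autoload} -> ${f.decision}`);
}
```

The autoload flag is the part worth keeping: the thread's point is not that *2767*3855# exists but that a frame src delivers it with no tap and no call button, so a scanner that only looks at anchors misses the dangerous case. The scanner reads attribute text, not a rendered DOM, so it will not see tel: URIs that script assembles at runtime; for those, the check belongs in the URL handler or the dialer activity, where decide() would run on the final dial string.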

------
aw3c2
If I was really bored and feeling malicious, printing QR codes to point to
this "exploit" and then pasting them over QR codes on random advertisements in
the streets seems like a terrible idea.

~~~
asmithmd1
It wouldn't affect anyone because no one has ever scanned a QR code in an ad

~~~
klausa
<http://picturesofpeoplescanningqrcodes.tumblr.com/>

~~~
rootedbox
This needs a QR code sticker.
[http://qr.kaywa.com/?s=8&d=http%3A%2F%2Fpicturesofpeople...](http://qr.kaywa.com/?s=8&d=http%3A%2F%2Fpicturesofpeoplescanningqrcodes.tumblr.com%2F)

------
kristofferR
Here's a safe version of the exploit that displays your IMEI:
<http://kristofferR.com/samsung.html>

Check the html in your desktop browser first, for all you know I might as well
be a malicious douchebag.

The exploit seems to require a stock Samsung Galaxy dialer, works fine on my
cheap Samsung Galaxy Y but not on my friend's modded S3 with a vanilla Android
dialer.

~~~
JoeCortopassi
Can anyone confirm that this is not only a safe USSD, but that it triggers the
exploit? I am not an owner of a S3, but would love to be able to help show
some of my non-tech friends whether they are vulnerable to this or not

~~~
julianz
It is safe, and on my stock international S3 with Chrome as the browser it
opens the dialer and displays my IMEI number, as advertised.

It seems to me that there's no reason at all to allow URIs beginning with
tel: as the source of a frame. Surely that's a fair limitation?

~~~
adr_
The approach of prompting the user "Do you want to call this number?" is far
simpler and safer. After all, you could probably use tel: links or tel:
redirects or something if the frame didn't work.

------
nicholassmith
That's a pretty big flaw, there's plenty of companies with QR Codes printed on
posters etc, only takes one malicious reprint or sticker overlay. I imagine
Samsung will probably take fast action on it. Well, hopefully fast action.

~~~
antidoh
And then the Telcos will take a year or more to roll it out incrementally
around the world as they argue with Samsung over who pays for it.

------
jitbit
Correct link: <https://twitter.com/pof/status/250540790491787264>

------
hpaavola
[http://m.youtube.com/#/watch?feature=youtu.be&v=Q2-0B04H...](http://m.youtube.com/#/watch?feature=youtu.be&v=Q2-0B04HPhs&desktop_uri=%2Fwatch%3Fv%3DQ2-0B04HPhs%26feature%3Dyoutu.be)

demo on the issue

~~~
estel
A clearer video showing the lack of prompt:
[http://tweakers.net/video/6292/html-code-laat-galaxy-s-ii-re...](http://tweakers.net/video/6292/html-code-laat-galaxy-s-ii-resetten.html)

~~~
molmalo
I have an S2, And I'm reading this from it. I was like "woow", then clicked
the link that says "the code" instinctively and a sec later realized the
stupid thing I just did (not smart reading that code from a vulnerable
device). luckily, I pressed the back button before the page loaded.

That was close

~~~
jcitme
It's a .png file of the code...

------
lwhi
As far as I can tell, the problem is with the Samsung Dialler application
that's part of TouchWiz.

If you install a second dialler application via the Play Store, you'll
initially be asked which dialler app you want to use _before_ the code is
executed - which can prevent execution.

There's a strong possibility that other dialler applications aren't affected
(i.e. stock / 3rd party).

~~~
jrabone
Also works on my colleague's HTC & Huawei phones - it's not just TouchWiz.

------
lwhi
Looks like this thread may have been a source for the code initially [1]

[1] <http://forum.xda-developers.com/showthread.php?t=1687249>

~~~
kristofferR
Well, the number and similar ones like that have been known for years. The new
issue here is that they can be auto-called using a <frame>-tag in HTML.

------
FreshCode
Can anyone on HN confirm this exploit?

~~~
henriklied
I just tested it on a Samsung Galaxy S3, in several forms (as src in link,
script, img, video and object elements, as well as the href in an a element).
Nothing happened here.

~~~
camiller
Android Central reported that the (verizon) S3 was not vulnerable to this
attack.

[http://www.androidcentral.com/major-security-vulnerability-s...](http://www.androidcentral.com/major-security-vulnerability-samsung-phones-could-trigger-factory-reset-web-browser)

Edit: Found some postings on xda-dev that the GS3 is vulnerable. Could depend
on firmware version, I know a system update came out recently on Sprint.

------
semenko
I'm 95% sure this bug was fixed between ICS and Jelly Bean.

I'd been using the app Hidden Menus
([https://play.google.com/store/apps/details?id=com.lorenx.and...](https://play.google.com/store/apps/details?id=com.lorenx.android.hiddenmenus&hl=en))
which stopped working at the ICS -> JB transition. You now need to type
USSD/star codes manually.

Perhaps this puts a new face on the Android OS update/fragmentation problem.

~~~
jrabone
The only JB device I have to hand is a Nexus 7, which of course just prompts
to add the number as a contact...

------
sssparkkk
This is for real. Just confirmed the auto-execution of a USSD code on a
Samsung Galaxy Mini II. Try the link below to see whether your device is
vulnerable:

<http://www.tinyurl.com/samsungexploit>

It will show your firmware version by executing *#1234#.

------
EwanToo
Seems to require that the web page is triggered by an external source, e.g. a QR
code, NFC, etc., but still scary stuff.

------
oofabz
+++ATH0

~~~
gulbrandr
Can you explain this please?

~~~
mikezupan
That is the modem hangup string. You could send an ICMP packet to a person
containing just that and their modem would drop the connection. So it was
common in IRC for people to ping a whole channel with that and have a bunch of
people quit right after.

~~~
quesera
IRC pings don't use ICMP, but that could work if IRC clients would repeat data
received without escaping first. Or if unaware users saw it come over the
channel and tried to type it themselves.

~~~
rachelbythebay
Considering a CTCP request is just a PRIVMSG with ^A wrapped around the
"command word", and a CTCP reply is just a NOTICE with the same ^A thing, you
can make them "say" just about anything. It's unclear why an IRC client would
need to worry about "escaping" +++, except if it's specifically been designed
for people with bad modems.

Those of us with good modems back in the dialup days just laughed at this
insanity. Hayes used to put "+++AT" in their press releases after a certain
point just to trip up any noncompliant systems which may have passed it along.

[http://en.wikipedia.org/wiki/Time_Independent_Escape_Sequenc...](http://en.wikipedia.org/wiki/Time_Independent_Escape_Sequence)

~~~
quesera
Sorry, I should have been more clear. The modem could also guard the sequence
by requiring interstitial pauses, but I believe this was patented by Hayes in
the 80s.

~~~
jasomill
Indeed it was, as the referenced Wikipedia article notes; Hayes charged
$1/unit for a patent license. As soon as the primary application of modems
became Internet access, IP encapsulation protocols like PPP _could have_
worked around the problem, but, AFAIK, never did.

------
martingordon
That explains this tweet from Stephen Elop:
[https://twitter.com/ceoStephenElop/statuses/2505601530138460...](https://twitter.com/ceoStephenElop/statuses/250560153013846017)

~~~
Geee
That's not real Stephen Elop, you know? :)

------
Geee
Original presentation of the vulnerability with demo:
<http://youtu.be/Q2-0B04HPhs>

------
potkor
Works with my HTC Desire if I use the info code: the dialog for showing
battery status etc. pops up.

Raises interesting consumer protection questions, this is a 2010 phone with no
updates recently. The law says the dealer has to fix or make up for
manufacturing defects that show up years later.

~~~
camiller
Are software defects considered manufacturing defects?

BTW, read elsewhere that if you are using the Chrome browser instead of the
Samsung browser this doesn't affect you. Haven't had the guts to test it
myself.

~~~
joeblau
Where did you see that? Someone else said the same thing.

------
timrogers
I've just implemented this as a Rack middleware, meaning it can be added to
every page in a Rails/Rack app with 3 lines of code. A bit of hacker fun,
albeit scary hacker fun.

<http://news.ycombinator.com/item?id=4573320>

~~~
esrauch
Isn't this just 1 line of code without middleware?

------
emehrkay
Classic case of a developer putting a backdoor in (for testing) and forgetting
to take it out. I'm curious as to how long it will take to patch it and if
there will be any fallout over this (they are the number 1 phone producer in
the world).

~~~
dubcanada
No they're not lol... Apple & HTC sell more phones than they do.

~~~
emehrkay
Are you sure about that? A simple google search for "samsung sells most
phones" says otherwise.

~~~
corin_
Which company sells the most isn't really relevant (to this particular topic)
- check out what Wikipedia has to say on specifically S3 sales, with plenty of
citations:
[http://en.wikipedia.org/wiki/Samsung_Galaxy_S_III#Commercial...](http://en.wikipedia.org/wiki/Samsung_Galaxy_S_III#Commercial_reception)

------
lwhi
A pretty major bug; but I'm guessing you'd need to hit dial to actually run
this?

~~~
darkstalker
No, as soon as you enter the last digit the code activates.

~~~
lwhi
Is that the case if the code is entered via a URL handler?

EDIT: Can anyone confirm this?

~~~
estel
That would seem to be the case, yes.

------
siaukia
<http://manmeng.net/fun/androidreset/> Would be great if someone can compile a
list of affected phones (tested via the safe version).

------
smcl
The page no longer works (I clicked it about 30 seconds ago, it loaded
successfully then I accidentally hit ctrl-w and then tried to reopen it: and
now I get "404 Page Not Found")

------
darkstalker
Does this trigger a confirmation dialog before typing the number? if not,
installing another app that hooks up the dialer intent should work as a
workaround.

------
level09
I deployed this code on this page :

<http://flasharabia.com>

however the code doesn't seem to work ..

~~~
lwhi
If you want to check the functionality - it would be far more responsible to
use a non-destructive USSD code.

e.g. *#06# displays the phone's IMEI number

~~~
preds
Testing this myself, any USSD code that begins with * # launches the device's
dialler with no characters dialled. Looking at the list of codes:
[http://umitem.blogspot.com.au/2010/10/samsung-galaxy-s-i9000...](http://umitem.blogspot.com.au/2010/10/samsung-galaxy-s-i9000-ussd-codes.html)

The factory reset appears to be the only USSD "auto dialled" code that doesn't
begin with *#. Which is rather unfortunate.

Edit: Actually, the IMEI code works on the Galaxy S2 running 2.3 (just tested)
but not the Galaxy S3 running 4.0. My above comment refers to the S3.

~~~
armis
You need to replace # with %23

~~~
preds
I did replace the # with %23 in my testing, it works on the S2 but not the S3.
You can view for yourself at: <http://kristofferr.com/samsung.html>

------
marksuman
You can point your S3 friends to this website if they want to try it out:
<http://wipemys3.com>

~~~
marksuman
Sounds like it works for S2 users as well.

------
verroq
So has anyone confirmed it working yet?

------
eloisant
Is there any way to protect a phone against that? (Other than installing
CM...)

------
k4rulez
How can I send a WAP push?

