

Samsung Plugs Remote Wipe Flaw, Urges Galaxy SIII Owners To Update - EwanToo
http://techcrunch.com/2012/09/26/samsung-speedily-plugs-remote-wipe-flaw-urges-galaxy-siii-owners-to-update/

======
ryanmacg
The article is kind of misleading, the exploit was part of Android rather than
anything to do with Samsung and was patched in AOSP as of 4.1.1(?). This
meansn it was an issue on any phone that dialled automatically and doesn't run
a build with the patch applied. Also the patch from Samsung was part of an OTA
update from at least a week ago in the US, I know it pinged up just after I
booted the S3 I bought on Saturday in the UK.

~~~
estel
In what way was the exploit a part of Android? I thought it was a touchwiz
dialer issue that it automatically dialled USSD numbers without secondary
confirmation from the user?

~~~
jrabone
No, I've confirmed that a random sample of HTC & Huawei phones around my
office are also vulnerable. Nothing specific to TouchWiz. The thing that MIGHT
be specific to Samsung is the actual remote wipe code, but relying on that is
simply security-by-obscurity. I'd bet ALL phones have got some USSD code you'd
rather not be instantly triggerable by a web page.

~~~
andybak
From what I understand stock Android doesn't have the problem. Multiple
manufacturers seem to have introduced the flaw in the same way with their
customizations.

------
josephlord
Well done to Samsung for getting the update out quickly (although obviously
better not to ship with the vulnerability).

Is this something the carriers get to block or is it direct over the Internet
to everyone? One of my big concerns about Android is about the ability to get
security fixes. The slow major updates are very public but if security fixes
are better distributed much quicker that isn't so much of a worry.

In the absence of reassurance my advice to friends and family if asked would
be to avoid Android (except the Nexus models which I think can always be
updated).

~~~
antidoh
This (updates of any kind) is 25% of why my Galaxy is sitting in my sock
drawer (75% being the cost of the data plan and "being a hotspot" fee).

I discovered that I bought a computer that cannot be updated except by the
whim of an intermediary, the telco. I watched for a year while my phone
languished under its originally installed version of Android, while the update
rolled out around the world and my carrier (Sprint) said "no shit really,
soon, real soon now." That's too much bullshit for too much money.

~~~
mrich
What is your alternative?

~~~
josephlord
Phone OS has direct ability to query the manufacturer for updates and download
them if available/requested by the user.

Works for Apple. (Until iOS 5 download to PC and install with iTunes was
required but now phone can directly download.)

Works for Sony TVs (and probably many others too) that are connected to the
internet. Broadcast (with digital TV at least in Europe) can also be used to
update OTA but may need broadcaster approval. In this scenario using both
approaches makes sense as not every TV is connected to the internet or
broadcast signals.

A better question is how to make it happen. I would suggest that Samsung is
big enough and their phones high profile enough that they should be able to
insist and still have their phones offered by the operators. However they
would need to consider it an important point worth arguing for and may have to
trade something else whether it is price or customization support or something
else.

~~~
mrich
That solves your update problem. But you are still under control of a central
entity that has its own interests and tightly controls their ecosystem and the
apps you can install on the product you bought. You have replaced your carrier
with the hardware manufacturer. A better alternative would be to buy your
smartphone without contract to begin with, which comes down to the same price
very often.

~~~
josephlord
For most users it is the update problem that I'm concerned about, particularly
from a security point of view. The contract is completely irrelevant to this
issue isn't it? An iPhone on contract is completely updatable, I don't know if
it is relevant with Samsung's phones or not. Even if non-contract Samsung's
are updatable that makes advice to friends/family even more complicated.

The freedom problem is an issue with all the mainstream phones on the market
but isn't a problem for most users. The solutions with the current market
products are jailbreaking/rooting or joining developer programmes. In the
Apple case developer programme costs $99 and additional agreements (in
practice you need a Mac too). Or using a web app to get round the limitations.

There real solution will be when there is a real open source open platform on
the market. And personally I wouldn't sacrifice much performance/capability to
get it although the option would be nice.

------
millerm
Wow, that was quite fast. I'm an iPhone fanboy and I have to admit I'm a bit
jealous of that kind of turnaround. I'll be stuck with this for a while I bet:
[http://www.tuaw.com/2012/09/20/safari-exploit-used-to-
gain-c...](http://www.tuaw.com/2012/09/20/safari-exploit-used-to-gain-control-
of-iphone-at-pwn2own/)

