
"Feature" was meant to make phone techs' lives easier, but turns out to be gaping security hole

One of the biggest Android vulnerabilities to date was discovered this week, but not in Google Inc.'s (GOOG) Android OS itself. The vulnerability was found in Samsung Electronics Co., Ltd.'s (KSC:005930) TouchWiz UI and allows malicious users to direct unwitting Samsung Android owners to webpages with frames that contain a reset code to wipe their device clean.

Google has long grunted and grumbled about OEMs' desire to "skin" Android with custom UI experiences. It was originally looking to kill off the practice, but it has since relented, allowing TouchWiz UI and other custom Android UIs to persist.

The vulnerability in TouchWiz reportedly affects multiple devices including the best-selling Galaxy S II, plus many lesser-known Samsung handsets like the Galaxy Beam.  The vulnerability involves sending the code *2767*3855# to the phone's dialer, which triggers a factory reset.

Samsung's Android build allows websites to contain the code <frame src="tel:..."> which auto-launches a call to a phone number when you click on the pertinent object.  Using this vulnerability, the clickable wiping item could be hidden in all manner of website images or links.

The vulnerability was first discovered by Android enthusiast Pau Oliva (Note: contrary to his comment, the Galaxy S3 does not autocall the number, though this is the case on the S II). 

Fortunately some newer Galaxy phones (such as the Galaxy S III) have a slightly toned down version of TouchWiz, which will only bring up the number in the dialer app, not automatically initiate the call.  Hence while the reset code indeed works, the danger to the owners of certain Samsung phones is minimal given that they would have to accidentally hit the call button after the reset code came up to complete the wipe on those devices.

For owners of older devices, the call reportedly auto-initiates, leaving the user with no escape.
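
The difference described above between auto-calling and merely pre-filling the dialer comes down to what a tel: handler does with the URI it receives. The following is an added example, not Samsung's or Google's code: a sketch of a handler policy that refuses service codes and never places a call on its own, plus a scanner that flags tel: URIs in frames. The function names, the tag list and the sample codes are assumptions constructed for illustration.

```javascript
// Tags whose src is fetched on page load with no tap (assumption: the article
// names <frame>; <iframe> is included here as its direct sibling).
const AUTO_LOAD_TAGS = new Set(['frame', 'iframe']);

// Return the percent-decoded part after "tel:", or null if not a tel: URI.
function telBody(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (err) {
    return m[1]; // malformed escapes: classify the raw text instead
  }
}

// '*' or '#' marks a service (MMI/USSD-style) code rather than a phone number.
function classifyTel(uri) {
  const body = telBody(uri);
  if (body === null) return 'not-tel';
  return /[*#]/.test(body) ? 'service-code' : 'phone-number';
}

// Handler policy: a URI may at most pre-fill the dialer; it never places the
// call, and service codes are refused outright.
function dialerAction(uri) {
  const kind = classifyTel(uri);
  if (kind === 'not-tel') return 'ignore';
  return kind === 'service-code' ? 'block' : 'prefill';
}

// Scan markup for tel: URIs in src/href attributes and flag the ones that
// would load without a tap.
function findTelUris(html) {
  const findings = [];
  const tagRe = /<\s*([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const attrRe = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const uri = attr[2] ?? attr[3] ?? attr[4];
      const kind = classifyTel(uri);
      if (kind === 'not-tel') continue;
      findings.push({ tag: name, uri, kind, autoLoad: AUTO_LOAD_TAGS.has(name) });
    }
  }
  return findings;
}

// Constructed sample page; the number and the code below are made up.
const SAMPLE = `
<a href="tel:+15550100">Call support</a>
<frame src="tel:*0000*0000%23">
<img src="logo.png">
`;

const report = findTelUris(SAMPLE);
console.log(report);
```

The scanner is regex-based and does not decode HTML entities, so it suits log or crawl triage rather than use as a browser-side filter.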

According to The Verge, Samsung says it's "looking into" these reports. Pau Oliva, a telecom engineer and Android enthusiast, first reported the vulnerability via Twitter.

Sources: Pau Oliva [Twitter], The Verge


By Nortel on 9/25/2012 11:38:21 AM , Rating: 2
Let's see how long Samsung takes to fix this one now that the ever critical eye is on them.

RE: subjunk
By anactoraaron on 9/25/2012 11:46:31 AM , Rating: 2
Here's the fix.

Go to Play Store. Download holo or zeam launcher. Set default launcher. Uninstall TW - It sucks anyway.


RE: subjunk
By Jeffk464 on 9/25/2012 4:43:06 PM , Rating: 2
Better yet wipe and install cm10

RE: subjunk
By Mint on 9/25/2012 12:37:20 PM , Rating: 3
This is brutal, and could slaughter the company's reputation (and with good cause).

My Samsung is rooted with a different launcher, but I could see a lot of people get screwed by this. Let's see if Samsung has any sort of urgent update system.

RE: subjunk
By dark matter on 9/25/2012 12:46:09 PM , Rating: 2
Indeed it is. A well placed Facebook malware attack could see a heck of a lot of wiped phones.

RE: subjunk
By geddarkstorm on 9/25/12, Rating: 0
RE: subjunk
By Reclaimer77 on 9/25/12, Rating: 0
RE: subjunk
By Mint on 9/25/2012 10:42:28 PM , Rating: 2
Yeah, but not like this. Wiping out a phone simply from visiting a web link? Ouch.

Obviously the impact will depend on how many people get affected.

RE: subjunk
By ritualm on 9/25/12, Rating: 0
RE: subjunk
By Tony Swash on 9/25/12, Rating: 0
RE: subjunk
By ritualm on 9/25/2012 1:03:30 PM , Rating: 3

This is Gaping - but don't quote me - that's what you get from Apple's security policy.

RE: subjunk
By ShaolinSoccer on 9/25/2012 1:30:57 PM , Rating: 2
And yet, my SG3 is better. Smartphones are supposed to be PC's that allow you to do things. Not hinder you the way Apple does...

RE: subjunk
By Jeffk464 on 9/25/2012 4:46:06 PM , Rating: 2
Yup, it's kind of like Windows, it's more flexible but having the more open platform sometimes bites you in the butt.

RE: subjunk
By momorere on 9/25/2012 2:02:25 PM , Rating: 1
Here is some food for thought. Just these 2 things alone will bring crApple to a halt or even completely down. Let us see exactly what they can "innovate & invent" once these 2 tools are fully implemented.

First is the PRIOR ART FINDER (as we all know crApple has been using designs from Braun products from the 1950-60s)

Second is the USPO is seeking help to find BOGUS PATENTS (which we all know crApple should never receive to begin with)

RE: subjunk
By nafhan on 9/25/2012 4:13:07 PM , Rating: 2
Android isn't just open - it's gaping - hey don't shout at me - that's Jason talking.
Actually, that's your opinion. You don't seem to understand that when you replace words from someone else's statements with your own words... it's no longer them "talking". Also: Touchwiz is not Android.

Not trying to minimize the situation as this is kind of bad, though, and one more reason to go with a Nexus (or something else easily rootable).

And your other points:
--Drop test: that video has the guy dropping two phones several times each. While I would expect the iPhone to do better (mostly because it's smaller and lighter), that's not anything approaching conclusive or scientific.
--Speed: it's funny how Apple fans are all about minor speed advantages when they have them, but speed's not important when they don't. The iPhone has a slightly faster CPU and it's probably a better game machine.
--Screen: both extremely good. Most people aren't going to notice a difference. My personal preference is for the slightly larger screen with more pixels.

RE: subjunk
By Jeffk464 on 9/25/2012 4:49:27 PM , Rating: 2
I'm pretty sure the snapdragon S4 is the only processor with LTE built in on the 28nm process. Which is a big deal for battery life, so your iphone 5 is not better in this department.

RE: subjunk
By cruisin3style on 9/25/2012 4:59:46 PM , Rating: 2
the thing i keep thinking about the new iphone is "great, have fun running state of the art games on a 4" display lol"

according to display wars, the galaxy nexus' 4.65" display has 35% larger area than the iphone 5's 4" display and the S3 has 44% larger area

i'd take my galaxy nexus, that came out like a year ago, over this brand-spanking new "state of the art" (giggle) iphone 5 any day

RE: subjunk
By ShaolinSoccer on 9/25/2012 1:18:32 PM , Rating: 2
I woke up. Read this article. Went straight to update my SG3 from settings and sure enough, there was an update. Not sure if it fixes this exploit, though...

RE: subjunk
By Cheesew1z69 on 9/25/2012 1:23:16 PM , Rating: 2
Nothing on mine, just checked. I know there was an update a week or 2 ago that I had installed.

RE: subjunk
By Jeffk464 on 9/25/2012 4:47:54 PM , Rating: 2
This is the advantage of nexus branded android phones. You only have to rely on google, not google and then samsung, and then your carrier.

Egregiously broken
By Sivar on 9/25/2012 12:17:19 PM , Rating: 5
The egregiously, blatantly, shockingly broken Samsung Galaxy S which Samsung refused to fix, upgrade, or refund was enough to cross them off my list for good. This adds fuel to the fire.

RE: Egregiously broken
By dark matter on 9/25/2012 12:42:51 PM , Rating: 2
Lucky for you there is plenty of choice.

Well, unless Apple gets their own way.

RE: Egregiously broken
By tayb on 9/25/2012 4:48:15 PM , Rating: 3
I already had Samsung crossed off my list but my fiance wanted to give Android a go and bought a Samsung Captivate. It's hard to say whether her phone is worse than my Droid X but everything about her phone, the OS, and the accessories (charger, charging cable) is crap crap and crap.

RE: Egregiously broken
By Jeffk464 on 9/25/12, Rating: 0
By NellyFromMA on 9/25/2012 12:42:53 PM , Rating: 4
My god, it's getting rowdy in here! This is a stupid exploit, yes. It is definitely worth Android fanatics coming off their perch just a tad, not imploding on themselves in a fit of fan rage.

With that said, it's gonna happen. It's gonna happen in Windows, OS X, iOS, WP X, and yes, EVEN ANDROID

So what? Get out there, fix it, now you're more secure.

Anyone who is a fan of TECHNOLOGY realizes this regardless of device of preference. Ok, resume fan rage fighting now.

RE: lol
By Jeffk464 on 9/25/2012 4:53:39 PM , Rating: 2
Most of us Android fans aren't bragging that it's the most secure OS in the world.

By mocyd on 9/25/2012 12:44:27 PM , Rating: 2
To my knowledge, Android itself doesn't have a keycode that you can punch into the dialer to reset devices.

This likely means that Samsung took the time to build this hook into TouchWiz (I have a hard time believing this was by accident) to reset devices.

This would mean that it's not really a "hole" per se, but a simple series of events that one can take advantage of. I don't agree with the wisdom of making such a function available from the dialer (for this reason), but some Samsung designer decided it was a good idea for a reason unknown to us.

As for practical application- I think we need to measure the likely impact. Given that someone can't take over the device to extract data or commit malicious activities (except resetting the device)- we'll likely not see this impacting very many users.

This is akin to putting a power button on the front of a server. If you can get a user to press the button (through a series of events), you'll take services down. It barely qualifies as an exploit.

RE: Perspective
By geddarkstorm on 9/25/2012 12:57:35 PM , Rating: 3
That's exactly how it seems. It was probably a remote wipe function for tech support, or something similar. However, the autoexecute nature is really the problem here. As with the new TouchWiz versions like on the Galaxy III, if you take out the autoexecute you basically stop this vulnerability unless someone hits the call button when it pops up.

Autoexecutes have been a thorn in the sides of so many security wise since the Windows XP days.

doesn't happen w/ latest Galaxy S3's
By kenyee on 9/25/2012 7:22:42 PM , Rating: 2
Android Central has a poll and test for this vulnerability.

The US Galaxy S3's apparently aren't vulnerable, including my T-mo version...

By Johnmcl7 on 9/25/2012 8:23:12 PM , Rating: 2
Tried it on my German Note running the most up to date Samsung firmware so it doesn't appear to be affected either.


By SkullOne on 9/25/2012 8:35:48 PM , Rating: 4

This has already been fixed. Tony and the rest of the haters can go bite Samsung's ass.

Bad bug
By theapparition on 9/25/2012 11:41:46 AM , Rating: 2
But I'm sure they'll issue a quick update on this. Just another reason to avoid TouchWiz, which I never cared for.

Some HTC phones might also be affected.

By BSquared on 9/25/2012 1:16:18 PM , Rating: 2
How hard would it be to send an OTA patch that just removes that functionality of auto-launching from a browser? I mean, it sounds like it was originally put in so that when a user accesses a Samsung link to say...customer service, it'd just dial it up and connect you. I was also under the impression service numbers were used to launch aliased apps that did the actual work, couldn't they just change the service number in the meantime, or issue a patch on that as well? Seems like a no brainer fix to me.

By kleinma on 9/25/2012 2:17:07 PM , Rating: 2
Does the number sequence need to simply be typed in? Or does one have to actually hit send after to push it through and make the reset happen? Is there no warning at all that it is about to do a factory reset without any sort of confirmation?

Exactly how bad this is (it's bad no matter what, but how bad..) depends on some additional information.

DailyTech, update your article!
By Bateluer on 9/25/2012 4:37:10 PM , Rating: 2
This security hole was patched via OTA updates weeks ago. It's not an issue anymore, unless you failed to update your devices.

Good it's not on Apple
By VoodooChicken on 9/25/2012 12:15:41 PM , Rating: 1
...the danger to the owners of certain Samsung phones is minimal given that they would have to accidentally hit the call button after the reset code came up to complete the wipe on those devices

If such a thing happened on iPhones the damage would be catastrophic

By testerguy on 9/25/12, Rating: -1
Android is open!
By Tony Swash on 9/25/12, Rating: -1
RE: Android is open!
By ritualm on 9/25/2012 12:49:22 PM , Rating: 2
Gaping hole at Android is small fry compared to the Guatemala Sinkhole at iOS.

RE: Android is open!
By Cheesew1z69 on 9/25/2012 12:51:26 PM , Rating: 3
Or the gaping hole that is Tonys ass after Apple has it's way with him...

RE: Android is open!
By ritualm on 9/25/2012 1:08:00 PM , Rating: 2
Sure, after 24 hours of nonstop anal intercourse.

RE: Android is open!
By Cheesew1z69 on 9/25/2012 1:17:21 PM , Rating: 2
That's all it it is for him, 24/7...

RE: Android is open!
By Cheesew1z69 on 9/25/2012 1:18:43 PM , Rating: 2
it is*

can we PLEASE get an EDIT button FFS?

By hexxthalion on 9/25/12, Rating: -1
RE: LOL!!!!
By valkator on 9/25/12, Rating: 0
RE: LOL!!!!
By marvdmartian on 9/25/2012 12:15:19 PM , Rating: 1
Oh, I'm quite certain they've seen the light, and are standing in line for an iPhone 5 (snicker!). [/sarcasm]

RE: LOL!!!!
By dsumanik on 9/25/2012 9:17:07 PM , Rating: 2
Listen up noobs this is old news and has already been patched... please do your research before making clickbait apple vs samsung editorials.

I repeat it's already been patched.

RE: LOL!!!!
By Rukkian on 9/25/2012 12:28:14 PM , Rating: 2
Yeah, because most "fandroids" use touchwiz! I have never used touchwiz (or any other skin) and go plain vanilla (or AOKP JB on my GNEX). Thank god for options!

RE: LOL!!!!
By Old_Fogie_Late_Bloomer on 9/25/2012 12:28:17 PM , Rating: 2
Apple can still suck it, but this is pretty bad. Seriously, Samsung, this is a Picard-facepalm moment.

RE: LOL!!!!
By bill.rookard on 9/25/2012 2:04:47 PM , Rating: 2
I will defend it, because it's (the vulnerability) not part of Android . If you'd taken the time to read the article, it's part of the Touchwiz UI. I have a CM9 (Android 4) system on my LG Optimus S and it runs flawlessly. As noted in the article (again, read it please) it said that Google didn't even want the skins/custom UI's, but couldn't really stop them from doing so. And they apparently had good reason, as evidenced by this particular exploit.

Am I a 'fandroid'? Nope. Just like I don't drink the apple-flavored kool-aid. I believe in using whatever device strikes your fancy - some are better than others, some worse, but if you're paying the phone bill then use whatever the hell you want.

RE: LOL!!!!
By Bateluer on 9/25/2012 4:38:44 PM , Rating: 1
Uh, since it was already fixed weeks ago and news outlets just jumped the gun without checking any facts . . .

RE: LOL!!!!
By espaghetti on 9/25/2012 8:53:26 PM , Rating: 1
Nerd Fight!!!!

RE: LOL!!!!
By aitwith on 9/25/2012 8:54:05 PM , Rating: 1
Well, at least the plastic doesn't come pre-scratched and scuffed up :) - or is that a feature?

And it's Samsung's fault, but TouchWiz is commonly regarded as garbage. Thankfully we don't have to jailbreak our phones to get a new launcher!

Nothing new
By daveinternets on 9/25/12, Rating: -1
RE: Nothing new
By Cheesew1z69 on 9/25/2012 12:25:37 PM , Rating: 3
Android has always been a cesspool of malware. It's almost as bad as a pre-SP1 Windows XP box. Seems like every month there is a new exploit on that P.O.S. OS.

RE: Nothing new
RE: Nothing new
By dark matter on 9/25/12, Rating: 0
RE: Nothing new
By Nortel on 9/25/2012 1:49:24 PM , Rating: 1
When cornered in an argument, either compare someone to Hitler, comment on their sexual preference or their sexual prowess.

RE: Nothing new
By kleinma on 9/25/2012 2:05:17 PM , Rating: 3
"Life is full of risk dude.

You'll never get laid otherwise."

Spoken like a man with herpes...

RE: Nothing new
By Mint on 9/25/2012 1:19:26 PM , Rating: 2
Did you even read any of those? Virtually all of them involve actively installing malware and giving it consent.

You think Windows became the dominant platform and driver of software development by having Microsoft examine every single executable that can be run on the OS and not allow anything else?

Relative to the other OSes, Android is about freedom. You gotta take the good with the bad.

This Samsung-specific issue is far more serious and unrelated to Android.

RE: Nothing new
By Old_Fogie_Late_Bloomer on 9/25/2012 2:15:53 PM , Rating: 2
You think Windows became the dominant platform and driver of software development by having Microsoft examine every single executable that can be run on the OS and not allow anything else?

No, but now that they have the market share, that's what they're gonna do... :-P

RE: Nothing new
By TakinYourPoints on 9/25/2012 10:30:11 PM , Rating: 2
Then there are all the independent studies:

"Android security and manageability are the lowest in the segment."

There is no enforceable encryption of backups and no way of knowing about, responding to, and alerting people to security holes in all Android devices. On top of that, you can put two Samsung devices on the table that look identical, except one is a useless brick running 2.2 and other is semi-functional on 4.0/4.1.

There are very good reasons why enterprise deployment for mission critical personnel are either iOS (which unlike Android fully supports all ActiveSync protocols and vets apps for malware) or Blackberry. Android can't be considered as much more than a casual device given its numerous and fundamental security issues.

RE: Nothing new
By Rukkian on 9/25/2012 12:30:13 PM , Rating: 2
What does this have to do with Android? It is not part of Android, it is closer to a flash vulnerability in your analogy to WinXp. Just for the record, 3rd party apps can have vulnerabilities on any O/S on any platform.

RE: Nothing new
By cashkennedy on 9/25/2012 12:42:54 PM , Rating: 2
Except that Windows Phone doesn't allow any apps to have control over any other processes on the phone. All apps are run in a sandbox that are not allowed to run while the phone is off / not viewing that app.

So the vulnerabilities of 3rd party apps are inconsequential since they have no privileges.

RE: Nothing new
By dark matter on 9/25/2012 12:44:49 PM , Rating: 2
Is anyone even targeting malware for Windows phones?

Even developers writing apps are hard to come by.

RE: Nothing new
By geddarkstorm on 9/25/2012 12:47:36 PM , Rating: 2

Not true. Android sandboxes its applications just the same ( ); but sandboxing can't solve everything. We're not talking about an app that got privileges it shouldn't. As with the Windows Phone 7.5 vulnerability above, and this TouchWiz vulnerability, you have an app with the privileges it should simply misusing those privileges.

RE: Nothing new
By cashkennedy on 9/25/2012 2:41:13 PM , Rating: 2
What good is a sandbox if you allow certain apps to use commands that reset the whole phone? (Perhaps they only allow this to the phone makers' apps, which you can make an argument they should be trustable enough to not make mistakes like this.) But it would be much more secure if they didn't even trust the phone makers' apps to have access to that command.

RE: Nothing new
By cashkennedy on 9/25/2012 2:49:35 PM , Rating: 2
That WP7.5 vulnerability is interesting, as the messaging app logically shouldn't have privileges to do anything that would crash itself. Perhaps they have some sort of way for carriers to transfer something to your phone through messaging, or it scans links / phone numbers or other data in messages and that is able to cause the crash. Either way the error there is the app crashing itself (and perhaps the lack of a method to handle live tiles for apps that have crashed) but not that the vulnerability is affecting other apps on the phone or the OS on the phone.

As I got at in my previous post, the issue to me seems more to be why does any app have the privilege to reset the phone... and not an issue with it misusing its privileges.

RE: Nothing new
By geddarkstorm on 9/26/2012 12:18:23 PM , Rating: 2
I don't think you fully read the link. It didn't simply "crash" the messaging hub of the OS, it completely locked it. Permanently. So it could never be used unless you factory reset and wiped the phone.

Carriers have all sorts of backdoors to access the phone. This is for tech support and OTA purposes. Samsung put this in on purpose, it's just their backdoor here happened to be a little too easy to exploit.

RE: Nothing new
By sprockkets on 9/25/2012 1:05:33 PM , Rating: 2
Android does exactly what you said as well.

RE: Nothing new
By dark matter on 9/25/2012 12:44:01 PM , Rating: 1
Angry man is a blind man.

RE: Nothing new
By geddarkstorm on 9/25/2012 12:40:59 PM , Rating: 2
This is a touchwiz vulnerability, which is Samsung's third party skin. Android is performing exactly as it should. It gets a factory reset command, and it factory resets. Problem is how that command is being inputted -- through touchwiz's autoexecute via that dialer number.

It was probably put in with the best of intentions (tech support, remote wiping, etc); but unintended consequences are the bane of so many "good" ideas.

RE: Nothing new
By Ammohunt on 9/25/2012 1:41:34 PM , Rating: 2
Queue the ignorant incoherent rant!

Copyright 2016 DailyTech LLC.