Recently security researcher Ravi Borgaonkar discussed a vulnerability that caused a Samsung Galaxy SIII to return to a factory reset just by visiting a special website. Mobile phones have a number of useful codes (USSD/MMI) that can be typed on the dialer screen to bring up system information (IMEI, firmware version, etc.). Usually they are used by a phone technician to verify settings on your phone. In this case, a special code that you can type into your phone to wipe all the information off your device can also be entered by a malicious web site. Visit it with your Android phone and you end up with a factory reset.
There are really two parts to the remote wipe vulnerability: one is the existence of USSD codes that can erase all data on a phone; the other is the ability to enter those codes with a tel: URL, rather than typing them on the phone. This is not much more complicated than using the format command on Windows to erase the entire C: drive. We don’t normally call the existence of the format command a vulnerability. However, if a digital vandal comes along and remotely executes the same format command, it’s a different story.
Abusing the Protocol
Misuse of the tel: URL protocol isn’t new. An older variation of the attack–known as the DoCoMo 110 Dialer–appeared in the spring of 2000. When NTT DoCoMo customers visited an i-mode website, they were confronted with an image of a bomb and challenged to click it to prove their courage. Once they clicked, the phone immediately dialed the number 110. In Japan, the 110 number is the emergency number for the police. It was reported that due to this attack, real calls to the police were delayed by 3 seconds. Fortunately, most of these inadvertent callers immediately hung up. Eventually, a 20-year-old vocational school student was arrested in August of that year for setting up the malicious i-mode site.
There are a few other attacks possible with the USSD/Android Dialer vulnerability, some destructive and some just costly. Depending on the phone model, attackers can use a code that redirects all phone calls to a toll number or to themselves. On the destructive side, the factory reset will give your phone that fresh out-of-the-box feeling minus all your contacts, email, text messages, and apps. An attacker can also lock your SIM card by entering a wrong password 10 times. Borgaonkar demoed an attack that combines the locking of your SIM card with the factory reset–giving the victim two headaches for the price of one.
Is Your Phone Vulnerable?
Determining if you’re vulnerable isn’t always easy. You would not want to enter a factory reset code yourself just to see if it worked. Losing all your personal information is a rather high cost. On the other hand, because the vulnerability is really enabled by the Android dialer, McAfee offers a test page where you can try out a nonmalicious code. If the page tells you your phone is vulnerable, download and install McAfee’s Dialer Protection app from Google Play.