In association with heise online

27 September 2012, 16:43

Android smartphones: USSD calls can kill SIM cards

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

PUK lock screenshot
Zoom heise Security's SIM card was locked after they opened the page. The dialog reads "Your SIM card has been locked with a PUK code. To unlock it enter the PUK code."
The fact that Android smartphones automatically use injected USSD codes is becoming a bigger problem. Samsung devices are not the only ones affected, with attackers also being able to disable SIM cards in certain HTC mobile phones.

The H's associates at heise Security managed to set up a test page that sends a particular USSD command, along with an incorrect PIN, to a smartphone's telephone module multiple times. The SIM card in an HTC One XL was locked immediately after the test page had been opened. To unlock it, a user is supposed to enter the PUK code – theoretically, though, they could have taken it even further and prepared the page in such a way that it also entered an incorrect PUK ten times, which would have locked the card completely. They were also able to replicate the problem with a Motorola RAZR XT910; the SIM card was locked immediately after opening the test page.

Most users ending up on this kind of page would no longer be reachable on their current SIM card and would have to order a new one, usually for a fee, from their mobile provider. So far, Android smartphones appear to be the only victims of this problem – iPhones seem to not pass the codes on to the system, even if the user presses "Call" on the dialog window that pops up.

You can find out whether your device is affected without compromising it by using our USSD check at If your phone automatically displays its 15-digit IMEI number when it opens the page, it's most likely vulnerable.

QR Code
This QR Code leads to The H's USSD Check
The malicious code can hide in QR codes as well as web sites, and there are even rumours – so far unconfirmed – that attackers can target certain victims by sending them a WAP push message or an HTML email. Users can protect themselves by installing TelStop or NoTelURL from Google Play. These are apps that prevent devices from calling up the TEL: URLs, which are used to inject the USSD codes.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit