Remote resetting a Samsung phone made easy
Security expert Ravi Borgaonkar has demonstrated that an Android-based Samsung smartphone running Samsung's own customised version of Android can be remotely reset to factory settings. The attack, demonstrated at Ekoparty, is possible because of a weak point in the proprietary dialler on various Samsung smartphone models, which acts on USSD (Unstructured Supplementary Service Data) codes without asking the user. These codes can be passed to a device through specially crafted links. The USSD code *2767*3855# immediately starts a factory reset on a range of Samsung phones.
Such a crafted link could be lurking on a web page, behind a QR code or in an NFC tag. According to the security expert, it could also be possible to have the URL opened remotely using WAP push messages. These could be sent, for example, through SMS gateways in the network.
In an initial test by heise Security, The H's associates in Germany, it was not possible to get the attack to run on a European Samsung Galaxy S3 running Android 4.0.4 when calling a supplied demonstration page. The phone only opened the dialler and showed the short code for a brief time. According to other reports (AndroidNext and SmartDroid), the hole is already closed with Android 4.1 (Jelly Bean).
But with a Galaxy S2 and Android 2.3.6, heise Security found that the hole was easily exploited: the phone executed the code when the URL was called, and this triggered a reset. Other reports, for example from Tweakers.net, say they have replicated the problem on earlier Samsung Galaxy models such as the Galaxy Advance. According to Nicola von Thadden, the attack also works on the Galaxy S2 with Android 4.0.3.
Manually typing in the code will, of course, also cause Samsung devices to start the factory reset and deletion, so it is recommended that users avoid doing so unless they have a complete backup of their phone.
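A defensive check for the crafted links described above, added here as an example and not taken from the article or from Samsung: it scans a page's markup for link targets that would hand a USSD-style code to the dialler, so that a filter or link handler can require user confirmation instead. It assumes the links use the standard `tel:` URI scheme, which the article does not name; the function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

MMI_CHARS = set("*#")  # characters that mark a USSD/MMI code rather than a phone number


def classify_dial_target(uri: str) -> str:
    """Return 'not-dial', 'number' or 'ussd-code' for a link target."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":  # assumption: tel: scheme is the carrier
        return "not-dial"
    # Decode percent-escapes first: '#' is usually written as %23 inside a URI.
    number = unquote(rest).split(";", 1)[0]  # drop any tel: parameters
    return "ussd-code" if MMI_CHARS & set(number) else "number"


class DialLinkScanner(HTMLParser):
    """Collect every attribute value that would pass a USSD code to the dialler."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and classify_dial_target(value) == "ussd-code":
                self.findings.append((tag, name, value))


def scan_html(html: str):
    scanner = DialLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; *000# is a placeholder, not a real service code.
SAMPLE = """
<a href="tel:+491234567890">Call us</a>
<a href="TEL:*000%23">Check balance</a>
<a href="https://example.org/#top">Top</a>
<img src="logo.png" alt="price: *special*">
"""

if __name__ == "__main__":
    for tag, attr, value in scan_html(SAMPLE):
        print(f"needs confirmation before dialling: <{tag} {attr}={value!r}>")
```

Ordinary phone-number links pass through unchanged; only targets containing `*` or `#` after decoding are flagged.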