In association with heise online

USSD Check

Many mobile phones recognise URLs with the prefix tel: as representing a phone number which should be called upon opening. Some of them also accept Unstructured Supplementary Service Data (USSD) codes embedded in such URLs; these codes invoke control functions on the phone and could, for example, set up a call diversion or even initiate a hardware reset. In the worst case, this action is triggered automatically, with no confirmation, simply by opening a maliciously crafted web page or viewing a WAP Push message. This is the case with certain Samsung smartphones.

This demo page contains the USSD code *#06# (written *%2306%23 with the # characters URL-encoded), which merely asks the phone to display its serial number (the IMEI, a number unique to every phone). Specifically, the URL

    tel:*%2306%23

is embedded in the page as an IFrame.

If your device displays your IMEI number without asking you first, then you may have a problem: at worst, a malicious web page or a crafted message sent to you could manipulate your phone into carrying out actions at the behest of an unknown attacker. Specifically at risk are Samsung models, for which a USSD code that factory resets the device is now well known. Whether HTC or other manufacturers' phones also execute dangerous USSD sequences automatically is currently unclear.

If nothing happens on this demo page, or only the phone (dialler) application appears, showing the number and letting you decide what to do with it, then you need not worry. If you are vulnerable, though, the only way to protect yourself is to install a special application which intercepts tel: URLs and always asks the user what they would like to do with them.
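The check such an intercepting application (or a content filter in front of a phone) has to perform is the one described above: decode the tel: URL, and tell an ordinary phone number apart from a USSD/MMI control sequence such as the *%2306%23 in this page's IFrame, paying particular attention to elements that a browser loads without any tap from the user. The following is an added example, not code from The H or from any particular interceptor app; the function names, the MMI-style pattern used to recognise USSD strings and the sample HTML are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page: one ordinary tel: link, plus the demo page's
# URL-encoded USSD code loaded via an IFrame, plus an unrelated IFrame.
SAMPLE_HTML = """
<html><body>
<a href="tel:+442079460000">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<iframe src="http://example.invalid/"></iframe>
</body></html>
"""

# Assumed approximation of MMI/USSD syntax: starts with * or #, ends with #,
# and contains only digits, * and # in between (e.g. *#06#).
USSD_PATTERN = re.compile(r"^[*#][\d*#]*#$")

# Elements a browser fetches automatically when rendering, i.e. where a
# tel: URL would be opened without the user tapping a link.
AUTO_LOAD_TAGS = {"iframe", "frame", "img", "script", "link", "embed", "object"}


def classify_tel(url):
    """Return 'ussd', 'number' or None (not a tel: URL).

    Percent-encoding is decoded first, because %23 hides the # that makes a
    string a USSD code rather than a dialable number.
    """
    if not url.lower().startswith("tel:"):
        return None
    target = unquote(url[4:]).strip()
    if USSD_PATTERN.match(target):
        return "ussd"
    return "number"


class TelLinkCollector(HTMLParser):
    """Collects every href/src attribute that points at a tel: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, raw url, decoded target, classification)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                kind = classify_tel(value)
                if kind:
                    self.findings.append((tag, value, unquote(value[4:]), kind))


def scan_html(html):
    """Return all tel: references found in an HTML document."""
    parser = TelLinkCollector()
    parser.feed(html)
    return parser.findings


def auto_load_ussd(findings):
    """Filter down to USSD codes that the page would trigger without a tap."""
    return [f for f in findings if f[3] == "ussd" and f[0] in AUTO_LOAD_TAGS]


if __name__ == "__main__":
    found = scan_html(SAMPLE_HTML)
    for tag, raw, decoded, kind in found:
        print(f"<{tag}> {raw!r} -> {decoded!r} [{kind}]")
    for tag, raw, decoded, kind in auto_load_ussd(found):
        print(f"WARNING: USSD code {decoded!r} auto-loaded via <{tag}>; ask the user before dialling")
```

Run on the constructed sample, the scanner reports the plain number under the anchor as "number" and the IFrame's *%2306%23 as the decoded USSD code *#06#; only the latter is flagged, because it sits in an element the browser loads on its own. The same classify_tel() check applies to links carried in a WAP Push message, where there is no HTML to parse and the URL is examined directly.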
