Samsung Addresses Galaxy Exploit - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

11:21 AM
Connect Directly

Samsung Addresses Galaxy Exploit

Exploit that triggers certain Samsung Galaxy smartphones to reset poses fewer risks than initially reported.

Headlines were abuzz Tuesday morning with reports that some Samsung Galaxy smartphones are vulnerable to an exploit that could reset the devices to their factory settings. Initially an all-out alert, the news has since evolved into a wide-reaching but nonetheless modest concern--and with Samsung promising action, the threat should soon be downgraded even further.

Early reports cited Technical University Berlin researcher Ravi Borgaonkar's presentation at the Ekoparty security conference in Argentina. He demonstrated that a line of HTML code can dial USSD codes that trigger Samsung Galaxy SII and SIII smartphones to initiate full data wipes.

[ The number of malicious Android apps is increasing. Read more at Android Warning: 50% Of Devices Need Patching. ]

The exploit--which can be executed via an embedded link, a QR code, or an NFC connection--was initially blamed on Samsung's TouchWiz UI, which the manufacturer layers over the base Android OS. Testing by the blog Android Police revealed, however, that the flaw originates in older versions of Google's mobile OS, meaning that the vulnerability is not Samsung-specific. The site additionally found that the exploit is not new, and that recent patches should effectively disable the threat.

Samsung has since responded, with a tweet promising action and a statement to TechCrunch that confirmed Android Police's assertion that "the security issue … has already been resolved." The statement urged SIII users to update if they have not already done so, but the status of older devices, such as the SII, is not yet clear. Updates can be downloaded using Samsung's Over-The-Air service.

Borgaonkar offered a test site for users to assess whether their phones are vulnerable, and at least one other such tool has appeared online. In addition to the patches, suggested workarounds have included turning off the phone's Service Loading feature, uninstalling barcode scanners, disabling NFC connectivity, and using a third-party dialer app.

Chris Morales, 451 Research's senior security analyst for enterprise security practice, said in an interview that it is "very important" to understand that "the real problem is what permissions Android allows," pointing out that developer APIs don't adequately block such vulnerabilities from surfacing. Nonetheless, Morales said this particular exploit is a relatively minor threat, even to those with unpatched devices.

"Wiping a phone is not as bad as losing data," he said, since the factory reset is only a true risk to users who don't back up their content. He likened the exploit to a denial-of-service attack: "It's annoying and no one likes it, [but it] scares me less than when [attackers] get root access."

Alexandru Catalin Cosoi, chief security research for Bitdefender, said in an interview that the exploit's future will probably involve pranks, if anything, rather than legitimately sinister schemes. Calling the vulnerability a "proof of concept," he stated that once such flaws become public, "they aren't actually implemented by malware writers because everyone expects them."

"Most of the vulnerabilities that get exploited are ones that aren't public yet," he asserted, adding, "[This vulnerability] works in a lab but should be fixed on most devices."

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Number 6
Number 6,
User Rank: Moderator
9/27/2012 | 7:22:18 PM
re: Samsung Addresses Galaxy Exploit
"'Wiping a phone is not as bad as losing data,' he said, since the factory reset is only a true risk to users who don't back up their content."

Huh? Last I heard, wiping a phone wipes out the data, so how can that not be as bad?

And does this pass the "Grandmom" test, as in does you grandmother routinely back up the photos and contacts on her phone? These are sold as consumer devices to average people, not as only as high-tech IT machines to computer geeks like us.
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll