Mobile
News
9/26/2012
11:21 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Samsung Addresses Galaxy Exploit

Exploit that triggers certain Samsung Galaxy smartphones to reset poses fewer risks than initially reported.

Headlines were abuzz Tuesday morning with reports that some Samsung Galaxy smartphones are vulnerable to an exploit that could reset the devices to their factory settings. Initially an all-out alert, the news has since evolved into a wide-reaching but nonetheless modest concern--and with Samsung promising action, the threat should soon be downgraded even further.

Early reports cited Technical University Berlin researcher Ravi Borgaonkar's presentation at the Ekoparty security conference in Argentina. He demonstrated that a line of HTML code can dial USSD codes that trigger Samsung Galaxy SII and SIII smartphones to initiate full data wipes.

[ The number of malicious Android apps is increasing. Read more at Android Warning: 50% Of Devices Need Patching. ]

The exploit--which can be executed via an embedded link, a QR code, or an NFC connection--was initially blamed on Samsung's TouchWiz UI, which the manufacturer layers over the base Android OS. Testing by the blog Android Police revealed, however, that the flaw originates in older versions of Google's mobile OS, meaning that the vulnerability is not Samsung-specific. The site additionally found that the exploit is not new, and that recent patches should effectively disable the threat.

Samsung has since responded, with a tweet promising action and a statement to TechCrunch that confirmed Android Police's assertion that "the security issue … has already been resolved." The statement urged SIII users to update if they have not already done so, but the status of older devices, such as the SII, is not yet clear. Updates can be downloaded using Samsung's Over-The-Air service.

Borgaonkar offered a test site for users to assess whether their phones are vulnerable, and at least one other such tool has appeared online. In addition to the patches, suggested workarounds have included turning off the phone's Service Loading feature, uninstalling barcode scanners, disabling NFC connectivity, and using a third-party dialer app.

Chris Morales, 451 Research's senior security analyst for enterprise security practice, said in an interview that it is "very important" to understand that "the real problem is what permissions Android allows," pointing out that developer APIs don't adequately block such vulnerabilities from surfacing. Nonetheless, Morales said this particular exploit is a relatively minor threat, even to those with unpatched devices.

"Wiping a phone is not as bad as losing data," he said, since the factory reset is only a true risk to users who don't back up their content. He likened the exploit to a denial-of-service attack: "It's annoying and no one likes it, [but it] scares me less than when [attackers] get root access."

Alexandru Catalin Cosoi, chief security research for Bitdefender, said in an interview that the exploit's future will probably involve pranks, if anything, rather than legitimately sinister schemes. Calling the vulnerability a "proof of concept," he stated that once such flaws become public, "they aren't actually implemented by malware writers because everyone expects them."

"Most of the vulnerabilities that get exploited are ones that aren't public yet," he asserted, adding, "[This vulnerability] works in a lab but should be fixed on most devices."

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Moderator
9/27/2012 | 7:22:18 PM
re: Samsung Addresses Galaxy Exploit
"'Wiping a phone is not as bad as losing data,' he said, since the factory reset is only a true risk to users who don't back up their content."

Huh? Last I heard, wiping a phone wipes out the data, so how can that not be as bad?

And does this pass the "Grandmom" test, as in does you grandmother routinely back up the photos and contacts on her phone? These are sold as consumer devices to average people, not as only as high-tech IT machines to computer geeks like us.
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.