Samsung Addresses Galaxy Exploit - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

11:21 AM
Connect Directly

Samsung Addresses Galaxy Exploit

Exploit that triggers certain Samsung Galaxy smartphones to reset poses fewer risks than initially reported.

Headlines were abuzz Tuesday morning with reports that some Samsung Galaxy smartphones are vulnerable to an exploit that could reset the devices to their factory settings. Initially an all-out alert, the news has since evolved into a wide-reaching but nonetheless modest concern--and with Samsung promising action, the threat should soon be downgraded even further.

Early reports cited Technical University Berlin researcher Ravi Borgaonkar's presentation at the Ekoparty security conference in Argentina. He demonstrated that a line of HTML code can dial USSD codes that trigger Samsung Galaxy SII and SIII smartphones to initiate full data wipes.

[ The number of malicious Android apps is increasing. Read more at Android Warning: 50% Of Devices Need Patching. ]

The exploit--which can be executed via an embedded link, a QR code, or an NFC connection--was initially blamed on Samsung's TouchWiz UI, which the manufacturer layers over the base Android OS. Testing by the blog Android Police revealed, however, that the flaw originates in older versions of Google's mobile OS, meaning that the vulnerability is not Samsung-specific. The site additionally found that the exploit is not new, and that recent patches should effectively disable the threat.

Samsung has since responded, with a tweet promising action and a statement to TechCrunch that confirmed Android Police's assertion that "the security issue … has already been resolved." The statement urged SIII users to update if they have not already done so, but the status of older devices, such as the SII, is not yet clear. Updates can be downloaded using Samsung's Over-The-Air service.

Borgaonkar offered a test site for users to assess whether their phones are vulnerable, and at least one other such tool has appeared online. In addition to the patches, suggested workarounds have included turning off the phone's Service Loading feature, uninstalling barcode scanners, disabling NFC connectivity, and using a third-party dialer app.

Chris Morales, 451 Research's senior security analyst for enterprise security practice, said in an interview that it is "very important" to understand that "the real problem is what permissions Android allows," pointing out that developer APIs don't adequately block such vulnerabilities from surfacing. Nonetheless, Morales said this particular exploit is a relatively minor threat, even to those with unpatched devices.

"Wiping a phone is not as bad as losing data," he said, since the factory reset is only a true risk to users who don't back up their content. He likened the exploit to a denial-of-service attack: "It's annoying and no one likes it, [but it] scares me less than when [attackers] get root access."

Alexandru Catalin Cosoi, chief security research for Bitdefender, said in an interview that the exploit's future will probably involve pranks, if anything, rather than legitimately sinister schemes. Calling the vulnerability a "proof of concept," he stated that once such flaws become public, "they aren't actually implemented by malware writers because everyone expects them."

"Most of the vulnerabilities that get exploited are ones that aren't public yet," he asserted, adding, "[This vulnerability] works in a lab but should be fixed on most devices."

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll