Yesterday, Ravi Borgaonkar (@raviborgaonkar) publicly disclosed an issue that could be one of the most serious to hit the mobile industry in a very long time.
Ravi, who is based at the Technical University of Berlin’s SecT lab and has previously been in the news for his research into hacking femtocells, had discovered that there are proprietary codes for wiping devices entirely (these are not USSD codes as defined by the spec, as has incorrectly been reported). Ironically for the mobile industry, SecT is sponsored by Deutsche Telekom.
These commands can be entered via the user interface, but can also be sent remotely, by visiting a rigged web page that calls the dialler function. Normally the user would have to physically confirm the number to dial by pressing the green receiver button, but not in this case.
Reports are currently coming in that a number of Android devices may be affected, including not only Samsung devices (the Galaxy SIII among them) but also the HTC One X. It seems that devices in the UK may not be affected as they are not using Samsung’s TouchWiz user interface, but details are still emerging.
Ravi apparently made a responsible disclosure to a number of affected manufacturers and operators, but after apparently getting frustrated with months of delays from certain operators, decided to go public. My take is that there appears to have been a failing on both sides here. Without knowing all the details it is difficult to make a judgement; however, I feel that making this public when the vulnerability is so easy to reproduce and has such massive destructive implications for users is bordering on criminal. Equally, if an operator has been sitting on this fix for months for no good reason (and I don’t know if that is the case), then that is just as bad.
Just imagine how you would feel if you lost all of your pictures on your phone just because you visited a website.
How to test if you’re vulnerable and how to fix it temporarily
German mobile security researcher Collin Mulliner has released a temporary fix to Google Play called ‘telstop’, which people can download if they’re concerned.
A test page set up by Ravi is available which sends the user-interface command to display the IMEI number (*#06#). Just navigate to this link on your phone: http://www.isk.kth.se/~rbbo/testussd.html – if your IMEI number is displayed automatically, then you are vulnerable.
17:00 26/09/12 Update: Ravi’s test page was using Google Analytics to track who is testing. I have set up a separate test page that does not use analytics. Just point your mobile browser at: http://mobilephonesecurity.org/tel
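To show what the missing confirmation step looks like in code, here is an added example (my own illustration, not Collin Mulliner’s telstop and not code from the original post) of a small Android Activity that registers itself as a handler for tel: URIs, refuses to pass MMI-style codes such as *#06# on to the dialler, and hands plain numbers to ACTION_DIAL so the user still has to press the call button. It assumes a hypothetical manifest entry with an intent filter for ACTION_VIEW, categories DEFAULT and BROWSABLE, and scheme "tel".

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.Toast;

// Hypothetical interceptor (illustration only, not TelStop's code). It is assumed
// to be declared in the manifest with an intent filter for ACTION_VIEW, categories
// DEFAULT and BROWSABLE, and scheme "tel", so a web page's tel: URI reaches it.
public class TelGuardActivity extends Activity {

    // Returns true when a dial string looks like an MMI/USSD-style code rather than
    // a plain phone number: it starts with '*' or '#' and ends with '#'. These are
    // the strings the post says some diallers execute without confirmation.
    static boolean isMmiStyleCode(String dialString) {
        if (dialString == null) return false;
        String s = dialString.trim();
        if (s.length() < 2) return false;
        char first = s.charAt(0);
        return (first == '*' || first == '#') && s.endsWith("#");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri data = getIntent().getData();
        // getSchemeSpecificPart() decodes percent-escapes, so a page that used
        // "tel:*%2306%23" delivers "*#06#" here.
        String number = (data == null) ? null : data.getSchemeSpecificPart();

        if (isMmiStyleCode(number)) {
            // Do not pass the code on at all: this is the silent execution the
            // post warns about. Tell the user what was blocked instead.
            Toast.makeText(this, "Blocked MMI code from web page: " + number,
                    Toast.LENGTH_LONG).show();
        } else if (number != null && !number.isEmpty()) {
            // Plain number: ACTION_DIAL only pre-fills the dialler, so the user
            // must still press the green button, restoring the confirmation step.
            startActivity(new Intent(Intent.ACTION_DIAL, Uri.fromParts("tel", number, null)));
        }
        finish();
    }
}
```

If the stock dialler is also registered for tel: URIs, Android will offer a chooser, so this only helps once the user has selected it as the default handler.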
More detail can be found in this article and a video of Ravi’s presentation is below: