Tuesday 25 September 2012

Staggering security flaw on Samsung Galaxy range

A hacker has found a way to seriously damage your Samsung phone - including the Galaxy S2 and S3. The hacker can:

  • Reformat your phone (destroying all data on it)
  • Destroy your SIM, requiring you to buy a new one from your telco
  • Change your PIN code
  • And a whole lot more.
How can this occur:
  • You visit a web page or view an email message and click a malicious link
  • S/he texts you a malicious link via WAP (and you don't even have to be present and click a link - the damage happens automatically and immediately) 
  • You scan a QR barcode
The common feature is that the link URI - it starts "tel". This is picked up by Samsung and passed to the Messaging client, which interprets the URI as a command, typically by running a device management feature. Samsung in its infinite madness has a whole lot of commands, and no prompts. 

This is frightening.

Luckily you can block this switching off the 'feature' that runs these commands automatically - it's called 'Service Loading'. Follow these instructions:
  1. Open the Messaging client
  2. Bring up the menu
  3. Click on the Settings menu item
  4. In the menu screen that appears, scroll down into the "Push message settings". You will see "Push Messages" and "Service Loading"
  5. Tap the "Service Loading" menu item, a list of options appears: Always, Prompt, Never
  6. Choose Never or Prompt
My advice to Samsung device owners: Do this right now. Very soon people will start placing these links on web sites, spam and even messaging these commands to your phone.

Message to Samsung: I understand why you would want such device management features on a phone. It allows you to optimise your manufacturing and support, decreasing your costs. But allowing these to be run automatically and remotely? What on earth were you thinking? Please place competent security professionals in your OS customization teams and conduct a full review.

UPDATE 27th Sept

Samsung have released an over-the-air patch for the Galaxy SIII with more devices to follow. For those on other devices, Collin Mulliner has released TelStop into the Google Play app store. Download, install, and TelStop will catch those nasty URIs.

No comments:

Post a Comment