Here’s the scary version of the above headline: “One line of HTML code could remotely wipe your Samsung phone, and it could be hidden in the very next link you click.” Eeek! The idea that a small piece of code embedded in a website, QR code or even in an NFC transfer could cause that much damage is unsettling, and worse still, it’s absolutely true.
The all-powerful code was demonstrated at the Ekoparty security conference earlier this week, and was shown to affect many Samsung phones using the company’s TouchWiz user interface including the Galaxy S3. For those interested in seeing the so-called “dirty code” in action, this is the video you need to watch.
It works by forcing the phone to auto-dial a specific Unstructured Supplementary Service Data, or USSD, code to start the remote wipe process and in some cases, permanently disable the SIM card too. You may have used USSD codes before, for example to find your phone number or to add credit to some pay-as-you-go phones. Ravi Borganokar, the researcher who demonstrated the kill code, said the whole process could be over and done in just three seconds.
However, before you fearfully disable the data connection on your phone, Samsung has issued a statement to put your mind at rest: “We would like to assure our customers that the recent security issue concerning the Galaxy S3 has already been resolved through a software update. We recommend all Galaxy S3 customers to download the latest software update, which can be done quickly and easily via the over-the-air service.”
Is your Samsung phone vulnerable?
This is good news, and even better is that many S3 owners have found the patch has already been applied, and that European i9300 Galaxy S3s haven’t been as widely affected, and neither have all i747 AT&T S3s.
While Samsung only mentions the Galaxy S3, Slashgear.com reports that the exploit has been shown to work on the Galaxy S2, the Galaxy Beam, the Galaxy Ace and the S Advance.
If you’re wondering whether your S3, or any TouchWiz Samsung device, is vulnerable to the attack, here’s a way to find out. Visit this safe website, created by Dylan Reeve, on your phone and if your device’s IMEI number is displayed, then your phone hasn’t been patched. If it doesn’t, then you’re safe.
Additionally, a poster on XDA-developers.com’s forums pointed to the Auto-reset Blocker app available through Google Play as an alternative fix while you’re waiting for the official one. Otherwise, it’s best to exercise good sense and not click on links to or from sources you don’t trust.
Ultimately though, it looks like the disaster has been — or at least, can be — averted, so make sure you check for any OTA updates as soon as possible. You never know, Android 4.1 Jelly Bean could be waiting too.