Security Flaw Leaves Samsung Galaxy S III Vulnerable To Remote Wiping

A potential flaw in Samsung’s TouchWiz user interface has left a number of the Korean manufacturer’s smartphones, including the massively popular Samsung Galaxy S III, vulnerable to remote wiping.

The flaw relates to the way the phone reads specially-crafted USSD (Unstructured Supplementary Service Data) code that could cause the phone to perform a factory reset, lock the SIM card so that the device cannot be used or a variety of other malicious acts.

The vulnerability was discovered by Ravi Borgaonkar, who successfully wiped a Samsung Galaxy S III at the Ekoparty security conference.

Samsung Galaxy S III

Exploiting the flaw is as easy as pasting a simple piece of code with the correct dialler instructions onto a website and getting a user to click through to it. The exploit could even be loaded through Near Field Communication (NFC) or a QR code.

The devices affected are the Samsung Galaxy S Advance, Galaxy S II, Galaxy S III, Galaxy Ace and Galaxy Beam.  The Samsung Galaxy Nexus is not affected.

The Next Web was unable to wipe a Samsung Galaxy S running the latest version of Android, 4.1 Jelly Bean, but noted the device wiped by Borgaonkar appeared to be running Ice Cream Sandwich.

This has raised the possibility that it could only affect smartphones running Ice Cream Sandwich, while it has also been suggested that Chrome doesn’t allow the code to be executed, meaning it is only an issue for other browsers.

At the time of publication, Samsung had not responded to TechWeekEurope’s requests for comment.

Are you a security expert? Try our quiz and find out!