Samsung fixed reset flaw in Galaxy S3, other updates pending

Share this article:

Last updated on September 26, 2012 5:11 PM

Samsung is working to address a flaw that could allow a number of Galaxy Android models to be reset – and has started by pushing a fix for its Galaxy S3 model.

The vulnerability was discovered by Ravi Borgaonkar, a researcher at Technical University (TU) Berlin, who demonstrated the flaw at the Ekoparty security conference last week in Buenos Aires. He found that an unstructured supplementary service data (USSD) code embedded on a malicious web page could be used to reset, or remotely wipe, Galaxy S3 devices.

On Wednesday, the blog Android Central posted a statement from Samsung on the matter. The company told users a fix for Galaxy S3 was available through a software update.

“We would like to assure our customers that the recent security issue concerning the Galaxy S3 has already been resolved through a software update,” the statement said. “We recommend all Galaxy S3 customers to download the latest software update, which can be done quickly and easily via the over-the-air (OTA) service.”

In the blog post, Android Central also said the vulnerability affected other Galaxy models, including Galaxy S2 and Galaxy Note devices.

On Tuesday, TU's Borgaonkar tweeted a link for users to check to see if their device is was vulnerable.

Samsung did not immediately respond to a request for comment, and has yet to release a statement on the status of patches for its other affected Galaxy devices.

Dylan Reeve, a New Zealand tech blogger, told in an email Wednesday that the underlying security issue may be the use of the standard Android dialer.

“Unfortunately, the issue here is that the dialer is taking that [USSD code] and treating it as if it was actually typed in," Reeve said. "This isn't how it should behave and it isn't how other phones behave.” 

He detailed the findings in a blog post Tuesday, saying that the USSD vulnerability also affected other smartphone brands, including the HTC One X and Motorola Defy running Android operating systems – meaning the flaw is “not just a Samsung problem,” but one affecting Android users.

Share this article:

Sign up to our newsletters

More in News

Instagram iOS and Android apps vulnerable to session hijacking

Two researchers wrote about the Instagram app for iOS and Android is vulnerable to session hijacking because both send unsecured information through HTTP.

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.