Samsung fixed reset flaw in Galaxy S3, other updates pending

Last updated on September 26, 2012 5:11 PM

Samsung is working to address a flaw that could allow a number of Galaxy Android models to be reset – and has started by pushing a fix for its Galaxy S3 model.

The vulnerability was discovered by Ravi Borgaonkar, a researcher at Technical University (TU) Berlin, who demonstrated the flaw at the Ekoparty security conference last week in Buenos Aires. He found that an unstructured supplementary service data (USSD) code embedded on a malicious web page could be used to reset, or remotely wipe, Galaxy S3 devices.

On Wednesday, the blog Android Central posted a statement from Samsung on the matter. The company told users a fix for Galaxy S3 was available through a software update.

“We would like to assure our customers that the recent security issue concerning the Galaxy S3 has already been resolved through a software update,” the statement said. “We recommend all Galaxy S3 customers to download the latest software update, which can be done quickly and easily via the over-the-air (OTA) service.”

In the blog post, Android Central also said the vulnerability affected other Galaxy models, including Galaxy S2 and Galaxy Note devices.

On Tuesday, TU's Borgaonkar tweeted a link that users can visit to check whether their device is vulnerable.

Samsung did not immediately respond to a request for comment, and has yet to release a statement on the status of patches for its other affected Galaxy devices.

Dylan Reeve, a New Zealand tech blogger, told SCMagazine.com in an email Wednesday that the underlying security issue may be the use of the standard Android dialer.

“Unfortunately, the issue here is that the dialer is taking that [USSD code] and treating it as if it was actually typed in," Reeve said. "This isn't how it should behave and it isn't how other phones behave.” 

He detailed the findings in a blog post Tuesday, saying that the USSD vulnerability also affected other smartphone brands, including the HTC One X and Motorola Defy running Android operating systems – meaning the flaw is “not just a Samsung problem,” but one affecting Android users.
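The failure Reeve describes is a dialer executing a USSD/MMI string handed to it by a web page as if the user had typed it. The following is an added defensive example, not code from the article, Samsung or Android: a small classifier for `tel:` URIs that lets plain numbers through to the dialer, forces USSD-style strings to require explicit confirmation, and a scanner that audits a constructed HTML snippet for such links. All function names and the sample HTML are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed example (not Samsung's or Android's dialer code).
# RFC 3966-style global number: optional "+", digits and visual separators.
PLAIN_NUMBER_RE = re.compile(r"^\+?[0-9][0-9\-\.\(\) ]*$")
# MMI/USSD strings start with "*" or "#" and end with "#", e.g. "*123#".
USSD_RE = re.compile(r"^[\*#][\*#0-9]*#$")
# Attributes on a page that a browser hands to the phone's tel: handler.
TEL_ATTR_RE = re.compile(r'''(?:href|src)\s*=\s*["']?(tel:[^"'\s>]+)''', re.IGNORECASE)


def classify_tel_uri(uri: str) -> str:
    """Return 'dial', 'confirm' or 'reject' for a tel: URI.

    'dial'    - plain phone number: safe to show pre-filled in the dialer.
    'confirm' - USSD/MMI string: must never run without an explicit user action.
    'reject'  - not a tel: URI, empty, or contains characters we do not model
                (URI parameters after ';' are rejected rather than guessed at).
    """
    if not uri.lower().startswith("tel:"):
        return "reject"
    # Percent-decode first: a page can hide "*" and "#" as %2A and %23.
    target = unquote(uri[4:]).strip()
    if not target:
        return "reject"
    if PLAIN_NUMBER_RE.match(target):
        return "dial"
    if USSD_RE.match(target):
        return "confirm"
    return "reject"


def audit_page(html: str) -> list:
    """Find tel: links in HTML and return (uri, verdict) pairs for review."""
    return [(uri, classify_tel_uri(uri)) for uri in TEL_ATTR_RE.findall(html)]


# Constructed sample page: one legitimate link, two USSD-style payloads
# (one of them percent-encoded and placed in an iframe so it loads without a click).
SAMPLE_HTML = """
<a href="tel:+1-555-0100">call support</a>
<iframe src="tel:%2A123%23"></iframe>
<a href='TEL:*#99#'>status</a>
"""

if __name__ == "__main__":
    for uri, verdict in audit_page(SAMPLE_HTML):
        print(f"{verdict:8} {uri}")
```

A dialer that applies `classify_tel_uri` would still display a `confirm` string but never send it to the network until the user presses call, which is the behaviour Reeve says other phones already have.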
