September 26, 2012

Samsung fixed reset flaw in Galaxy S3, other updates pending

Last updated on September 26, 2012 5:11 PM

Samsung is working to address a flaw that could allow a number of Galaxy Android models to be reset – and has started by pushing a fix for its Galaxy S3 model.

The vulnerability was discovered by Ravi Borgaonkar, a researcher at Technical University (TU) Berlin, who demonstrated the flaw at the Ekoparty security conference last week in Buenos Aires. He found that an unstructured supplementary service data (USSD) code embedded on a malicious web page could be used to reset, or remotely wipe, Galaxy S3 devices.

On Wednesday, the blog Android Central posted a statement from Samsung on the matter. The company told users a fix for Galaxy S3 was available through a software update.

“We would like to assure our customers that the recent security issue concerning the Galaxy S3 has already been resolved through a software update,” the statement said. “We recommend all Galaxy S3 customers to download the latest software update, which can be done quickly and easily via the over-the-air (OTA) service.”

In the blog post, Android Central also said the vulnerability affected other Galaxy models, including Galaxy S2 and Galaxy Note devices.

On Tuesday, TU's Borgaonkar tweeted a link for users to check to see if their device is was vulnerable.

Samsung did not immediately respond to a request for comment, and has yet to release a statement on the status of patches for its other affected Galaxy devices.

Dylan Reeve, a New Zealand tech blogger, told SCMagazine.com in an email Wednesday that the underlying security issue may be the use of the standard Android dialer.

“Unfortunately, the issue here is that the dialer is taking that [USSD code] and treating it as if it was actually typed in," Reeve said. "This isn't how it should behave and it isn't how other phones behave.” 

He detailed the findings in a blog post Tuesday, saying that the USSD vulnerability also affected other smartphone brands, including the HTC One X and Motorola Defy running Android operating systems – meaning the flaw is “not just a Samsung problem,” but one affecting Android users.

 
Related Articles
Related Topics

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.