Samsung Galaxy S3 remote data-wipe vulnerability

Adunaphel

KLAUWD
STAFF MEMBER
Joined
Jan 18, 2006
Messages
11,568
Location
Fermany
Car(s)
'18 Clio; '13 Cube Hyde
http://www.slashgear.com/samsung-galaxy-s-iii-remote-data-wipe-hack-discovered-25249061/

Article says it all basically. A simple bit of javascript code will irrecoverably wipe a Galaxy S3 handset when the page is loaded. Apparently it is based upon using javascript to let the dialer enter a factory reset code. When telling it to dial a number it will ask you if you really want to dial it, but somehow the dialer goes straight to wipe mode as soon as the last digit of the code is entered, and behaves likewise when that code is fed to it via javascript.
 

Dr_Grip

Made from concentrate
Joined
Jul 8, 2008
Messages
14,294
Location
Germany
Car(s)
1979 Opel Kadett | 1972 Ford Country Sedan
Fuck Touchwiz. I can only recommend everyone to use an aftermarket ROM.
 

prizrak

Forum Addict
Joined
Apr 2, 2007
Messages
21,601
Location
No, sleep, till, BROOKLYN
Car(s)
11 Xterra Pro-4x, 12 'stang GT
From my experience with Androids there is never a reason NOT to use an aftermarket ROM, aside from maybe the Nexus devices.
 

Dr_Grip

Made from concentrate
Joined
Jul 8, 2008
Messages
14,294
Location
Germany
Car(s)
1979 Opel Kadett | 1972 Ford Country Sedan
From my experience with Androids there is never a reason NOT to use an aftermarket ROM, aside from maybe the Nexus devices.
Stock Android comes without unicorns.
 

Redliner

Y'all got any lamps?
Joined
May 19, 2005
Messages
23,072
Location
Lamp
Car(s)
I don't drive, I fly.
I believe this unicorn discussion will only make sense to hardcore Android fans. :lol:
 

rickhamilton620

has a fetish for terrible cars
Joined
Nov 28, 2009
Messages
16,814
Location
Yoe, PA
Car(s)
2012 Kia Forte EX
Re: Samsung Galaxy S3 remote data-wipe vulnerability

This is a surprising fuckup. Granted AT&T branded s3's and a few others are protected already but still....unacceptable. Honestly i'm kinda shocked Verizon's S3 isn't protected given their notoriously lengthy testing process...

If you dont want to give up TW, you can use a third party dialer according to Android Central.

Things like device reset should never be able to be accomplished through the secret codes available via the dialer. that was just a bad idea period. I wonder who else does this?

Personally I like and prefer UI skins (sense 4 and TouchWiz UX being my favorites) for the small enhancements they add to Android...that and they tend to eradicate the (imo shitty) "inspired from Tron" looks that permeate ICS, and to a admittedly far lesser extent, JB.
 

prizrak

Forum Addict
Joined
Apr 2, 2007
Messages
21,601
Location
No, sleep, till, BROOKLYN
Car(s)
11 Xterra Pro-4x, 12 'stang GT
Dude even iOS has security holes and it runs on very limited hardware and both it and the 3rd party apps are tested up the wazoo. Shit happens you know what I mean?
 

rickhamilton620

has a fetish for terrible cars
Joined
Nov 28, 2009
Messages
16,814
Location
Yoe, PA
Car(s)
2012 Kia Forte EX
Dude even iOS has security holes and it runs on very limited hardware and both it and the 3rd party apps are tested up the wazoo. Shit happens you know what I mean?

Never said that security holes don't happen, they indeed do. I still think this is bad though, especially because of how easy it can be exploited.
 

prizrak

Forum Addict
Joined
Apr 2, 2007
Messages
21,601
Location
No, sleep, till, BROOKLYN
Car(s)
11 Xterra Pro-4x, 12 'stang GT
Well... you gotta keep in mind the difference between relative ease of exploiting and actual probability of it happening in the wild. From the former standpoint this is a big issue and a silly one at that but from the latter it's relatively easy to avoid.
 

Adunaphel

KLAUWD
STAFF MEMBER
Joined
Jan 18, 2006
Messages
11,568
Location
Fermany
Car(s)
'18 Clio; '13 Cube Hyde
Dude even iOS has security holes and it runs on very limited hardware and both it and the 3rd party apps are tested up the wazoo. Shit happens you know what I mean?

As far as security holes go, this does kinda fall into the "in what universe was this ever a good idea?" category.
 

prizrak

Forum Addict
Joined
Apr 2, 2007
Messages
21,601
Location
No, sleep, till, BROOKLYN
Car(s)
11 Xterra Pro-4x, 12 'stang GT
As far as security holes go, this does kinda fall into the "in what universe was this ever a good idea?" category.

I kind of doubt it was put in there on purpose ;) Clearly its some strange bug that wasn't caught in testing. I see something like that quite a bit working application support and all :) It should be a relatively easy fix for Samsung to make tho.
 

Viper007Bond

Chicken Nugget Connoisseur
STAFF MEMBER
Joined
Sep 21, 2003
Messages
31,046
Location
Portland, Oregon
Car(s)
2008 Dodge Viper, 2006 MB CLS55 AMG
I kind of doubt it was put in there on purpose ;) Clearly its some strange bug that wasn't caught in testing. I see something like that quite a bit working application support and all :) It should be a relatively easy fix for Samsung to make tho.

Being able to type a reset code into the dialer is not something that happens accidentally.

Having it happen without confirmation was also probably intentional but it didn't occur to them that this could be done via a browser and that's what is being exploited.

In short, this isn't a bug per se rather a proper exploit.


As someone who spends his days writing code and even more time reading code to try and prevent this kind of stuff, that must suck for the developers.
 

brydie76

Viva Las Clarksonistas!
Joined
Oct 28, 2008
Messages
3,052
Location
Australia
Car(s)
2012 Suzuki Swift Sport/Aprilia Sportcity 200
Sent the exploit test code to 5 people I knew who have android phones without saying what it is, all of them opened it. Android may have an issue on their hands with the vast majority of non-tech savvy people, especially since those people are the type that don't regularly update their software.

(Note- code I sent was to show imei no, not wipe. Wouldn't wipe people's phones on purpose, and hopefully 5 less technophobes will not be exploited by this)
 

Dr_Grip

Made from concentrate
Joined
Jul 8, 2008
Messages
14,294
Location
Germany
Car(s)
1979 Opel Kadett | 1972 Ford Country Sedan
Sent the exploit test code to 5 people I knew who have android phones without saying what it is, all of them opened it. Android may have an issue on their hands with the vast majority of non-tech savvy people, especially since those people are the type that don't regularly update their software.
The problem is TouchWiz-specific. Helluva difference.
 

Hartkor

Member
Joined
Jan 5, 2007
Messages
46
Location
Open road
Car(s)
Peugeot 405 Mi16, Alfa 156 SW
I`ll just leave this here:
 

rickhamilton620

has a fetish for terrible cars
Joined
Nov 28, 2009
Messages
16,814
Location
Yoe, PA
Car(s)
2012 Kia Forte EX
Re: Samsung Galaxy S3 remote data-wipe vulnerability

I`ll just leave this here:

:lmao: +rep


but seriously, this is the kind of shit that makes people beeline straight to the Apple store for a iPhone...to a lot of the masses it IS the reliable smartphone.
 

prizrak

Forum Addict
Joined
Apr 2, 2007
Messages
21,601
Location
No, sleep, till, BROOKLYN
Car(s)
11 Xterra Pro-4x, 12 'stang GT
Being able to type a reset code into the dialer is not something that happens accidentally.

Having it happen without confirmation was also probably intentional but it didn't occur to them that this could be done via a browser and that's what is being exploited.

In short, this isn't a bug per se rather a proper exploit.


As someone who spends his days writing code and even more time reading code to try and prevent this kind of stuff, that must suck for the developers.
Fair point, it is strange they left it in there I would think this was something set up for testing.

- - - Updated - - -

Tested on my review S3 with newest update. Doesn't work.

As per Samsung they fixed it in a patch.
 
Top