Android models to be reset – and has started by pushing a fix for its Galaxy S3 model.
The vulnerability was discovered by Ravi Borgaonkar, a researcher at Technical University (TU) Berlin, who demonstrated the flaw at the Ekoparty security conference last week in Buenos Aires. He found that an unstructured supplementary service data (USSD) code embedded on a malicious web page could be used to reset, or remotely wipe, Galaxy S3 devices.On Wednesday, the blog Android Central posted a statement from Samsung on the matter. The company told users a fix for Galaxy S3 was available through a software update.
“We would like to assure our customers that the recent security issue concerning the Galaxy S3 has already been resolved through a software update,” the statement said. “We recommend all Galaxy S3 customers to download the latest software update, which can be done quickly and easily via the over-the-air (OTA) service.”
In the blog post, Android Central also said the vulnerability affected other Galaxy models, including Galaxy S2 and Galaxy Note devices.
On Tuesday, TU’s Borgaonkar tweeted a link for users to check to see if their device is was vulnerable.
Samsung did not immediately respond to a request for comment, and has yet to release a statement on the status of patches for its other affected Galaxy devices.
Dylan Reeve, a New Zealand tech blogger, told SCMagazine.com in an email Wednesday that the underlying security issue may be the use of the standard Android dialer.
“Unfortunately, the issue here is that the dialer is taking that [USSD code] and treating it as if it was actually typed in,” Reeve said. “This isn’t how it should behave and it isn’t how other phones behave.”
He detailed the findings in a blog post Tuesday, saying that the USSD vulnerability also affected other smartphone brands, including the HTC One X and Motorola Defy running Android operating systems – meaning the flaw is “not just a Samsung problem,” but one affecting Android users.