The Android ecosystem got a jolt yesterday with the revelation that simple links — something you might merely open online — could trigger a complete wipe of some Android devices. Researcher Ravi Borgaonkar revealed the exploit, and (of course) the device that got all the attention was the top-selling Samsung Galaxy S III. Samsung has already issued a patch for the vulnerability. But it turns out lots of other Android phones are apparently vulnerable to the same exploit. The root of the problem lies in the standard Android dialer; even though Google patched the problem months ago, that fix may not have made it out to current Android devices, and many will never will receive it.
There’s cause for concern, but not outright panic. Here’s how the exploit works, and some tips for how Android users can protect themselves.
What’s USSD?
The new Android exploit relies on a protocol built into most phones called USSD, or Unstructured Supplementary Service Data. Think of USSD a bit like a text-messaging protocol, but instead of being used to transmit short messages between phone users, it’s intended to let both device makers and mobile carriers build add-on services for their phones and network. Like text messages, USSD messages are short (up to 182 characters), but unlike text messages, they can actually open a two-way network connection between a device and a network endpoint, so they’re more responsive than SMS messages and can be used for real-time interactive services.
Folks who rely on pre-paid phone services have probably used USSD services to check their remaining prepaid balance. For instance, T-Mobile pre-paid users dial #999# to see their balance. That’s USSD. However, USSD can support more sophisticated applications like mobile payment services — in fact, that’s one reason some developing nations are further along with mobile payments than North America and Europe. Other services have built social networking functions for Twitter, Facebook, and other social-networking services, although those are typically only seen on feature phones in emerging markets.
USSD is implemented in GSM phones (the standard users by carriers like AT&T and T-Mobile), but that does not mean you’re off the hook if you use a phone with a CDMA operator like Verizon or Sprint. Many USSD codes trigger actions on the local device and do not require a mobile operator that supports USSD. Many phones built for CDMA networks will respond to those codes.
USSD is, by definition, unstructured, which means phones don’t support the same sets of USSD codes. Different manufacturers and mobile operators have largely followed their own instincts on how they develop USSD features and services. A USSD code that does one thing on a Nokia phone may do something else entirely on an LG phone — or nothing at all. However, one commonly-used code is *#06#, which often displays a device’s unique IMEI (International Mobile Equipment Identity) number.
Tel: me a story
USSD is nothing new, and isn’t some new threat to Android. What Ravi Borgaonkar demonstrated was a stunningly simple combination of USSD codes with the “tel:” URL protocol. You’ve seen URL protocols in things like Web links and email addresses — those are http: and mailto:, respectively. However, there are hundreds of other URL protocols.
The tel: protocol enables users to dial a telephone number from a Web browser: tel:555-1212 should connect most Americans to nationwide directory assistance, for example. Borgaonkar’s demonstration combined the tel: URL scheme with a particular USSD code that — you guessed it — can perform a factory reset of some Android devices. Borgaonkar dubbed this factory reset USSD the “Samsung tragedy,” in part because Samsung’s implementation of its wipe command involves no user interaction. Some other devices have similar factory reset commands, but at least require manual confirmation from the user.
In theory, all an attacker would need to do is embed a malicious URL in a website, and any vulnerable device that loads that page would be reset to factory defaults. (In some cases, this even includes wiping out the SIM card.)
It’s tempting to think this is just a vulnerability with a phone’s built-in browser, but in Android’s case it’s really in the default Android dialer: Borgaonkar also demonstrated ways to execute the USSD reset using QR Codes, WAP Push SMS messages, and (in the case of the Galaxy S III) even via NFC. There’s no need to get a browser involved. Any app that can dial a number on an Android phone can potentially trigger a USSD command.
Not the end of the world?
The vulnerability might seem pretty dire, but Hendrik Pilz and Andreas Marx at independent German security firm firm AV-TEST note the vulnerability probably isn’t very appealing to cybercriminals.
“We think that the majority of malware writers might not be interested in exploiting the vulnerability, as it won’t make sense to wipe a phone or lock out users,” they said in a statement via email. “Malware tries to stay silent on your system, so your mobile device can be used for some kind of malicious, possibly criminal activities. This will only work with running and working systems.”
Is your phone vulnerable?
So far, only selected Samsung phones have been demonstrated to have a USSD code that performs a factory reset. However, that doesn’t mean phones from other vendors don’t have similar codes that attackers could use to wipe phones, cause data loss, or potentially even sign users up for expensive services. That, after all, is a favorite pastime of Android malware authors.
Unfortunately, there’s no sure-fire way to determine if an Android phone is vulnerable to a USSD-based attack, but users can check if their dialers are vulnerable.
The following devices have been confirmed to be vulnerable to dialing USSD codes from a Web page:
- HTC Desire HD
- HTC Desire Z
- HTC Legend
- HTC One W
- HTC One X
- HTC Sensation (XE) (running Android 4.0.3)
- Huawei Ideos
- Motorola Atrix 4G
- Motorola Milestone
- Motorola Razr (running Android 2.3.6)
- Samsung Galaxy Ace, Beam and S Advance
- Samsung Galaxy S2
- Samsung Galaxy S3 (running Android 4.0.4)
Again, this does not mean all these devices can be wiped via USSD. So far, only selected Samsung phones have been confirmed to be wipeable via a USSD command. Many other devices may dial USSD commands — and there are even reports some devices running Symbian and Samsung’s bada operating system will dial USSD commands using tel: URLs.
Borgaonkar offered a test page that uses an iframe to try to convince a browser to dial a USSD code — in this case, the *#06# that displays a device’s IMEI number:
http://www.isk.kth.se/~rbbo/testussd.html
Self-described geek Dylan Reeve also put together a quick test page that can reveal whether your Android dialer processes USSD codes, using the same *#06# USSD code:
http://dylanreeve.com/phone.php
However, Mr. Reeve is not a mobile security expert and, if one were an attacker looking to exploit this vulnerability, hacking either of these test pages would be a great way to cause some mayhem.
How to protect yourself
If you have a Samsung phone — Samsung has already released a firmware update that patches the vulnerability. Given that selected Samsung phones are currently the only devices known be susceptible to a wipe, we strongly recommend Samsung owners apply the update.
Update Android — So far, there are no indications devices running Android 4.1 Jelly Bean are susceptible to the USSD vulnerability. If Jelly Bean has been made available for your device and you’ve been putting off your update, now would be a good time. Unfortunately, availability of Jelly Bean on supported devices is largely at carriers’ discretion, and mobile operators are notoriously slow about certifying new software for their networks. Many devices vulnerable to possible USSD attacks will never be upgradable to Jelly Bean.
Use an alternative dialer — Android’s open platform may offer a workaround: Instead of relying on Android’s built-in dialer, Android users can install a third-party dialer that doesn’t let USSD commands pass. A favorite is the free DialerOne, which works with Android 2.0 and newer.
Block tel: URLs — Another approach is to block processing of tel: URLs. Joerg Voss is offering the free NoTelURL which essentially poses as a dialer: if users encounter a tel: URL (whether via a browser or scanning a code) they’ll be offered a choice of dialers instead of having it processed immediately.
Back up your phone — It should go without saying, but you are backing up your Android phone (and all your contacts, photos, media, and data) regularly, aren’t you? Whether you back up to a local PC, to a cloud-based service, or using some other scheme, regularly saving your data to a secure location is the best protection in the event your phone gets wiped — not to mention lost or stolen.
