Security – as if it needs to be said – is one of the most important aspects of any electronic device. With many of us reliant on our smartphones and tablets in order to function from day-to-day, it’s of paramount importance that our sensitive data is secure, safe, and locked away from prying eyes.
When it comes to mobile devices, it’s fair to say Android gets a lot more negative publicity than its main rival – iOS – and although outbreaks of malware and such are more commonplace on Google’s market-leading mobile operating system, one has to expect this in an open-source ecosystem.
The very nature of Android, with its large following and very mod-friendly environment, certainly makes it a more viable target for the unscrupulous and code-savvy, but that doesn’t excuse the way in which one single line of code can supposedly prompt an infallible factory-reset of Samsung’s flagship Galaxy S III. That’s right, security bods have found the hole which, potentially, could allow dodgy websites to wipe out a user’s device with apparent ease.
Ravi Borgaonkar gave an insight into the flaw at the Ekoparty security conference: by means of a basic USSD code, which could be sourced from a website or pushed via NFC or a QR code, a Samsung Galaxy S III – or any Samsung device for that matter – could be factory reset.
Although most of us have the presence of mind to back everything up at least once, this isn’t always the case, and if one hasn’t backed up and loses all data, it can be a living nightmare. Photos, videos, music, contacts and such are very cumbersome to recover if the correct steps have not been taken to regularly safe-keep via a computer or cloud-based infrastructure.
The news will certainly worry those running a Samsung smartphone, and despite the fact the user of a breached smartphone would be able to see the attack taking place, they wouldn’t be able to do anything to stop it.
Before mass panic ensues, it should be noted that it only seems to be affecting Samsung devices running the TouchWiz aftermarket firmware. Those on stock, untouched versions of Android will find the code shown in the dialer screen, but it won’t run automatically.
Borgaonkar also adds that the attack can be worsened still, since another USSD code can also render the SIM attached to the handset defunct. One simple line of code can wipe a smartphone and finish off its SIM for good measure – it’s a scary thought, isn’t it?
If you’re worried about it happening to your device, ensure you deactivate automatic site-loading in all QR and NFC-related software, and if a link looks a bit suspicious, do not click it.
The Samsung Galaxy Beam, S Advance, Galaxy Ace, Galaxy S II and Galaxy S III are all said to be affected, although the Galaxy Nexus is apparently not. TeamAndIRC claims the issue in the Galaxy S III “is patched, and has been for some time,” adding that “Current i747 [AT&T Galaxy S III] and i9300 [European Galaxy S III] firmware are not vulnerable.”
We’ll keep an eye out for any further updates, as well as an official Samsung comment on the matter.