Following on from Ravi Borgaonkar’s recent Samsung exploit of using USSD codes (which are acutally MMI codes) embedded within the tel URI, I mulled over other potential uses, and it came to mind that you could also use call redirect and insert a premium rate number as the termination point.

The same method is used with the MMI URI call embedded into an iframe, but instead of calling a factory reset a call redirection code is used.

The syntax for call redirect is:

**21*<number>#

So we would then have:

<frame src="tel:**21*<number>#" /> * Code format thanks to Paul Oliva

Whereby <number> would be an MSISDN (or phone number).

An attacker could then place a premium rate number as the termination point.

Anyone who then calls the victim would automatically be redirected to the premium rate line, without the victim knowing anything about this. With some premium lines generating 1 euro per connection, this could be quite lucrative in the wrong hands.

Here you can see where I use the code to forward to my voice mail. I also tried the same forwarding to my colleagues phone which worked as well, so its open to all number types.

Should anyone play around with this, you can remove the redirect with:

#21#

EDIT: On further reflection this would not work as such as the code requires you to SEND (where as the former code invokes without the SEND / CALL press). Still its a pretty damaging function to have around still. What’s to stop someone picking up your phone and typing in the redirect themselves.