A serious security flaw has been discovered on some Samsung Android smartphones which allows hackers to remotely wipe them just by sending an SMS or getting a user to visit a URL.

The security flaw was exposed at the Ekoparty security conference in Argentina overnight by Ravi Borgaonkar, a researcher with the telecommunications department at the Technical University of Berlin, and Fairfax Media has confirmed it affects some Australian Samsung Android smartphones.

Samsung Electronics Australia said in a statement on Wednesday evening that its Australian arm was aware of the security issues on "some" of its devices and was working to provide a software update "as soon as possible" for local customers. Concerned customers could contact Samsung's customer service number, 1300 362 603, the statement said.

Telstra said it was aware of the issue and working closely with its handset partners to understand if any of its devices were affected. "If we think that our customers will be impacted in any way, we will contact them directly," the telco said.

An Australian security expert, Paul Ducklin, from the security firm Sophos, said the flaw served as a "wake up call" to users who didn't back up their smartphones.

"This just emphasises the importance of regular and current back-ups doesn't it?" he said. "Whether you do them into the cloud ... or to a USB drive."

Dylan Reeve, who works as a TV editor in New Zealand and has worked in IT in the past, said millions of Samsung devices would be affected by the flaw and recommended users running Android on Samsung devices check whether they were affected by using a test website he has developed.

The website does not run the code to reset a Samsung device to its factory default settings but instead runs code to see whether the phone will automatically display its International Mobile Equipment Identity number, Reeve said.

This allowed a user to find out whether a factory reset code could also be run on their Samsung smartphone without user intervention. If a user was vulnerable, Reeve recommended they download a new dialler to their phone that was not vulnerable to the attack.

A dialler Reeve recommended on the Google Play store was "Dialler One".

An app called TelStop has also been created specifically to catch the wipe code.

It is important to note that not all handsets allow a factory reset code to be sent to them.

At present, only Samsung devices have been found to be vulnerable to the remote wipe. There may, however, be codes other than reset codes that can be run on other Android devices.

How the hack works

Manufacturers like Samsung use special USSD codes that can be typed into the dial pad by end-users to make it easy for handset makers and telcos to do support over the phone with their customers. One such code - *#06# - is used to display a phone's IMEI number on the screen. Another code resets the phone.

What Borgaonkar discovered was that a person could craft a website with the reset code embedded - in Samsung's case *2767*3855# (do not type this into your phone!) - and get the code to automatically run when a user visited it.

A hacker could also exploit an affected phone by getting a user to scan a malicious QR code or by sending them a malicious SMS or NFC transmission.
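
The check a replacement dialler or an interceptor has to make, sketched as an added example (it is not code from this article, from TelStop or from Dialler One). It assumes the code reaches the dialler as a `tel:` link; the function names and the four outcomes are hypothetical, and the sample inputs in the test use only the harmless IMEI code mentioned above.

```python
import re
from urllib.parse import unquote

# '*' and '#' mark a service code (such as *#06#) rather than a phone number.
SERVICE_CHARS = set("*#")
# Conservative whitelist: optional leading '+', then digits, '*' or '#'.
DIALABLE = re.compile(r"^\+?[0-9*#]+$")


def normalise(dial_request: str) -> str:
    """Reduce a dial request from a link to the bare string the dialler sees."""
    s = dial_request.strip()
    if s.lower().startswith("tel:"):
        s = s[4:]
    # Decode a few times so a double-encoded '#' (%2523) is still recognised.
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # Drop the visual separators people put in phone numbers.
    return re.sub(r"[\s\-().]", "", s)


def classify(dial_request: str, user_typed: bool = False) -> str:
    """Decide what the dialler may do with a dial request.

    'reject'  : empty or contains characters outside the whitelist
    'prefill' : ordinary number, shown on the dial pad until the user presses call
    'confirm' : service code from an outside source, shown but never run
                without the user explicitly agreeing
    'execute' : service code the user typed on the dial pad themselves
    """
    number = normalise(dial_request)
    if not DIALABLE.match(number):
        return "reject"
    if not SERVICE_CHARS & set(number):
        return "prefill"
    return "execute" if user_typed else "confirm"
```

A handset on which the IMEI appears without any prompt when Reeve's test page is opened is behaving as if every request were "execute"; the fix is that anything arriving from a page, SMS, QR code or NFC tag stops at "confirm".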

Devices identified as being able to be wiped using a special reset code without user intervention:

Samsung Galaxy S3 (3G) running Android 4.0.4 (tested by Fairfax)

Samsung Galaxy S2 (3G) running Android 4.0.3 (tested by Fairfax)

Devices identified as not being able to be wiped automatically using special reset code:

Samsung Galaxy S3 (4G) running Android 4.1.1 (tested by Fairfax)

Samsung Galaxy Tab 10.1 (tested by iTnews.com.au)

Devices vulnerable to running special codes automatically but not tested if they can run a reset code:

HTC Velocity (tested by iTnews.com.au)

HTC One S running Sense 4.0 on Android 4.0.3 (tested by Buzz Moody of Ausdroid)

HTC One X running HTC Sense 4.0 on Android 4.0.3 (tested by Dylan Reeve)

HTC Desire S running Sense 4.1 on Android 4.0.4 (tested by Jodie M of Melbourne)

HTC Sensation XL running Android 4.0.1 (tested by Fairfax reader who provided screenshot)

HTC Sensation running HTC Sense 3.6 on Android 4.0.3 (tested by Fairfax reader Stuart Littler)

HTC Desire HD running HTC Sense version 3.0 on Android 2.3.5 (tested by Fairfax reader Richard Palmer)

HTC HD2 on Android 2.3.5 (tested by Fairfax reader Janette Fairleigh)

Sony Ericsson Xperia Arc S running 4.0.2 (tested by a Fairfax reader)

Devices vulnerable to running special codes automatically but not factory reset codes:

HTC One S running Sense 4.0 on Android 4.0.3 (tested by Buzz Moody of Ausdroid)

Motorola Defy running Cyanogen Mod 7 on Android 2.3.5 (tested by Dylan Reeve)

Motorola RAZR running Android 4.0.4 (tested by Fairfax reader Luke Walker)

(In response to the above two Motorola devices being listed, Motorola said in a statement: "Motorola does not support a USSD code on any of its smartphones to factory reset the handset hence it is not possible to reset the device via a website or URL unless the device has been modified or rooted.")

To add to the above list, email bgrubb@smh.com.au with screenshots listing Android version, build and phone model.

-Fairfax Australia

