Samsung Galaxy S III secret USSD reset code discovered

Security team discovers secret USSD command that completely wipes Samsung devices in under three seconds

A security research team at the Ekoparty Security Conference has demonstrated a single line of USSD code that can be used to completely reset a Samsung S III handset and 'kill' the owners SIM card in under three seconds.

Security expert Ravi Borgaonkar demonstrated the line of code, and how it can be sent from a website, pushed to the handset by NFC, or triggered by a QR code. It then performs a complete wipe of the handset, resetting it to factory condition. Once the line of code is pushed to the Samsung S III there is no way to stop the reset from taking place. There is no warning given to the user, and no means of stopping it.

The USSD (Unstructured Supplementary Service Data) code is a protocol used by GSM telephones to communicate with the service provider's computers for configuring the phone. The security team has also shown a USSD code that can be used to wipe the SIM card from the Samsung S III leaving the user with a very expensive plastic brick for a handset.

It's not just the Samsung S III that is affected, the code also wipes the Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II. Although it does not wipe the Galaxy Nexus tablet.

Samsung has not responded to the discovery, although owners will be hoping they fix this security leak quickly. In the meantime Samsung S III owners should be careful which links they follow (especially in social networks such as Twitter and Facebook), and be sure not to scan any QR codes that they don't trust.

Here is a video demonstration of just how quick it is to wipe all the data on the Samsung S III.

Comments

Alin Vlad

1

Hi there,

Just wanted to let you know that we (Bitdefender) already released a tool on the Play Store that protects against this vulnerability. Now, once you would tap on a exploiting link, Bitdefender will intercept the wipe command and ask you to decide what to do next. You may, if unsure, dismiss the USSD command.

You can download it from: http://bit.ly/BD_USSD_Wipe_Stopper

/Alin Vlad
Global Social Media Coordinator at Bitdefender

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Protect against bugs in USB Storage devices

more »

Submit your own security event

Submit your training courses

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.

Read More
more »