Android's "dirty USSD" exploit allows hackers to wipe your entire phone, and all you have to do is click the wrong link. Here's how it works, and how you can protect yourself.
The Android ecosystem got a jolt yesterday with the revelation that simple links — something you might merely open online — could trigger a complete wipe of some Android devices. Researcher Ravi Borgaonkar revealed the exploit, and (of course) the device that got all the attention was the top-selling Samsung Galaxy S III. Samsung has already issued a patch for the vulnerability. But it turns out lots of other Android phones are apparently vulnerable to the same exploit. The root of the problem lies in the standard Android dialer; even though Google patched the problem months ago, that fix may not have made it out to current Android devices, and many will never receive it.
There’s cause for concern, but not outright panic. Here’s how the exploit works, and some tips for how Android users can protect themselves.
What’s USSD?
The new Android exploit relies on a protocol built into most phones called USSD, or Unstructured Supplementary Service Data. Think of USSD a bit like a text-messaging protocol, but instead of being used to transmit short messages between phone users, it’s intended to let both device makers and mobile carriers build add-on services for their phones and networks. Like text messages, USSD messages are short (up to 182 characters), but unlike text messages, they can actually open a two-way network connection between a device and a network endpoint, so they’re more responsive than SMS messages and can be used for real-time interactive services.

Folks who rely on pre-paid phone services have probably used USSD services to check their remaining prepaid balance. For instance, T-Mobile pre-paid users dial #999# to see their balance. That’s USSD. However, USSD can support more sophisticated applications like mobile payment services — in fact, that’s one reason some developing nations are further along with mobile payments than North America and Europe. Other services have built social networking functions for Twitter, Facebook, and other social-networking services, although those are typically only seen on feature phones in emerging markets.

USSD is implemented in GSM phones (the standard used by carriers like AT&T and T-Mobile), but that does not mean you’re off the hook if you use a phone with a CDMA operator like Verizon or Sprint. Many USSD codes trigger actions on the local device and do not require a mobile operator that supports USSD, and many phones built for CDMA networks will respond to those codes.
USSD is, by definition, unstructured, which means phones don’t all support the same sets of USSD codes. Different manufacturers and mobile operators have largely followed their own instincts on how they develop USSD features and services. A USSD code that does one thing on a Nokia phone may do something else entirely on an LG phone — or nothing at all. However, one commonly used code is *#06#, which often displays a device’s unique IMEI (International Mobile Equipment Identity) number.

Tel: me a story
USSD is nothing new, and isn’t some new threat to Android. What Ravi Borgaonkar demonstrated was a stunningly simple combination of USSD codes with the “tel:” URL protocol. You’ve seen URL protocols in things like Web links and email addresses — those are http: and mailto:, respectively. However, there are hundreds of other URL protocols.

The tel: protocol enables users to dial a telephone number from a Web browser: tel:555-1212 should connect most Americans to nationwide directory assistance, for example. Borgaonkar’s demonstration combined the tel: URL scheme with a particular USSD code that — you guessed it — can perform a factory reset of some Android devices. Borgaonkar dubbed this factory reset USSD the “Samsung tragedy,” in part because Samsung’s implementation of its wipe command involves no user interaction. Some other devices have similar factory reset commands, but at least require manual confirmation from the user.

In theory, all an attacker would need to do is embed a malicious URL in a website, and any vulnerable device that loads that page would be reset to factory defaults. (In some cases, this even includes wiping out the SIM card.)
It’s tempting to think this is just a vulnerability with a phone’s built-in browser, but in Android’s case it’s really in the default Android dialer: Borgaonkar also demonstrated ways to execute the USSD reset using QR Codes, WAP Push SMS messages, and (in the case of the Galaxy S III) even via NFC. There’s no need to get a browser involved. Any app that can dial a number on an Android phone can potentially trigger a USSD command.
Not the end of the world?
The vulnerability might seem pretty dire, but Hendrik Pilz and Andreas Marx at independent German security firm AV-TEST note the vulnerability probably isn’t very appealing to cybercriminals.

“We think that the majority of malware writers might not be interested in exploiting the vulnerability, as it won’t make sense to wipe a phone or lock out users,” they said in a statement via email. “Malware tries to stay silent on your system, so your mobile device can be used for some kind of malicious, possibly criminal activities. This will only work with running and working systems.”
Is your phone vulnerable?
So far, only selected Samsung phones have been demonstrated to have a USSD code that performs a factory reset. However, that doesn’t mean phones from other vendors don’t have similar codes that attackers could use to wipe phones, cause data loss, or potentially even sign users up for expensive services. That, after all, is a favorite pastime of Android malware authors.
Unfortunately, there’s no sure-fire way to determine if an Android phone is vulnerable to a USSD-based attack, but users can check if their dialers are vulnerable.
The following devices have been confirmed to be vulnerable to dialing USSD codes from a Web page:
- HTC Desire HD
- HTC Desire Z
- HTC Legend
- HTC One W
- HTC One X
- HTC Sensation (XE) (running Android 4.0.3)
- Huawei Ideos
- Motorola Atrix 4G
- Motorola Milestone
- Motorola Razr (running Android 2.3.6)
- Samsung Galaxy Ace, Beam and S Advance
- Samsung Galaxy S2
- Samsung Galaxy S3 (running Android 4.0.4)
tel: URLs.

Borgaonkar offered a test page that uses an iframe to try to convince a browser to dial a USSD code — in this case, the *#06# code that displays a device’s IMEI number: http://www.isk.kth.se/~rbbo/testussd.html
Self-described geek Dylan Reeve also put together a quick test page that can reveal whether your Android dialer processes USSD codes, using the same *#06# USSD code:
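The article's point is that a tel: link can smuggle a USSD/MMI string into the dialer, and the two test pages above use *#06# to show whether a given dialer acts on such a link. As an added example that is not part of the original article and not Borgaonkar's or Reeve's test page code, the following Python script shows the defensive counterpart: a small filter that inspects tel: URIs (percent-encoded ones included) and flags those carrying an MMI-shaped code rather than a plain phone number, the kind of check a web proxy, mail gateway, or an app's link handler could apply before handing a URI to the dialer. The MMI pattern is a simplified heuristic, and the sample HTML and all function names are constructed assumptions, not the Android dialer's actual rules.

```python
"""Flag tel: URIs that carry USSD/MMI codes instead of plain phone numbers.

Constructed example of a content filter.  The MMI grammar below is a
simplified heuristic modelled on the GSM service-code shape (leading '*' or
'#', trailing '#'); real dialers implement the full 3GPP TS 22.030 rules.
"""
import re
from urllib.parse import unquote

# Heuristic MMI/USSD shape: one or two leading '*'/'#' characters, a numeric
# service code, optional '*'-separated fields, and a closing '#'.
_MMI_RE = re.compile(r"^[*#]{1,2}[0-9]+(?:\*[0-9+]*)*#$")

# Plain phone number: optional '+' followed by digits only.
_NUMBER_RE = re.compile(r"^\+?[0-9]+$")

# href/src attribute values in (constructed) HTML; sufficient for the samples here.
_LINK_ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_dial_string(uri):
    """Return the dial string carried by a tel: URI, or None if it is not a tel: URI.

    The body is percent-decoded first, because '*' and '#' may arrive as %2A
    and %23, and RFC 3966 visual separators (-.() and spaces) are dropped so
    that 'tel:555-1212' and 'tel:5551212' compare equal.
    """
    if not uri.lower().startswith("tel:"):
        return None
    body = uri[4:].split(";", 1)[0]  # drop RFC 3966 parameters such as ;phone-context
    body = unquote(body)
    return re.sub(r"[-.() ]", "", body)


def classify_dial_string(dial):
    """Classify a decoded dial string.

    'ussd'       - matches the MMI/USSD shape (e.g. *#06#, #999#)
    'suspicious' - contains '*' or '#' but not in MMI shape (e.g. a *67 prefix)
    'number'     - digits only, with an optional leading '+'
    'invalid'    - anything else (empty string, letters, ...)
    """
    if _MMI_RE.match(dial):
        return "ussd"
    if "*" in dial or "#" in dial:
        return "suspicious"
    if _NUMBER_RE.match(dial):
        return "number"
    return "invalid"


def classify_tel_uri(uri):
    """Classify a URI: 'not-tel' or one of the classify_dial_string() verdicts."""
    dial = extract_dial_string(uri)
    if dial is None:
        return "not-tel"
    return classify_dial_string(dial)


def find_ussd_links(html):
    """Return (uri, dial_string, verdict) for every href/src value that is a
    tel: URI carrying something other than a plain phone number."""
    flagged = []
    for uri in _LINK_ATTR_RE.findall(html):
        verdict = classify_tel_uri(uri)
        if verdict in ("ussd", "suspicious"):
            flagged.append((uri, extract_dial_string(uri), verdict))
    return flagged


# Constructed sample page: one legitimate tel: link, one hidden iframe that
# percent-encodes the IMEI-display code *#06#, and one link to a balance-check code.
SAMPLE_HTML = """
<a href="tel:555-1212">Directory assistance</a>
<iframe src="tel:*%2306%23" style="display:none"></iframe>
<a href="TEL:%23999%23">Check balance</a>
<a href="mailto:someone@example.com">Mail</a>
"""

if __name__ == "__main__":
    for uri, dial, verdict in find_ussd_links(SAMPLE_HTML):
        print(f"{verdict:10s} {uri!r} -> dials {dial!r}")
```

Decoding before matching is the important design choice: a filter that only looks for a literal `*#` in the raw attribute would miss the `%2A`/`%23` form, while the dialer receives the decoded string either way. The 'suspicious' tier is deliberately conservative, since a dial string with any `*` or `#` in it is not an ordinary phone number and deserves a confirmation prompt rather than an automatic dial.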