
Remote USSD Attack - Prevention




An interesting (and potentially devastating) remote attack against at least some Samsung Android phones (including the Galaxy S3) was disclosed recently.


Update 1: Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue.


Update 1a: While some 4.0.4 versions appear to be secure, others are vulnerable.


Update 1b: The issue has been patched in some firmware builds. It appears that all 4.1-based builds are safe, and possibly some 4.0.4 builds are also.


Update 2: Samsung is not alone in being vulnerable to this issue.


Update 3: Some apps have been created specifically to catch these URL calls: TelStop (by @colimrm) and Auto-reset Blocker


In brief it works like this:

  • Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number) and phone specific ones (including, on some phones, a factory reset code).
  • There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on a tel: URL will initiate the phone's dialer to call that number.
  • In some phones the dialer will automatically process the incoming number. If it's a USSD code then it will be handled exactly as if it had been keyed in manually - requiring no user intervention to execute.
  • A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts I guess). It may then be loaded and acted upon with no user intervention at all.




If your phone is vulnerable to the recently disclosed tel: URL attack then this website will cause your phone to open the dialler and display the IMEI code. With other USSD codes it could do any number of other things, including wipe all phone data.





Currently known vulnerable devices to this attack are some mobile phones from Samsung's Galaxy line. The Galaxy SII and Galaxy Advance are known to be vulnerable at the time of writing. The Galaxy SIII is only vulnerable when using the NFC tag method, not by just visiting a site with the (stock) browser. The vulnerability is found in Samsung's TouchWiz UI, which makes the dialer automatically execute the (USSD) sequence in the malicious page.



This, however, can be disabled pretty easily:

  • Click on Messaging.
  • Go to the Settings.
  • Scroll to the bottom.
  • In Push message settings, set Service Loading to NEVER.
  • (Or turn off push messages altogether, which is the option above the one mentioned before.)
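
The tel: mechanism described in the post above can be checked for on the defensive side. The following is an added example, not code from the original post or from TelStop or Auto-reset Blocker: it scans a page for tel: URLs and flags those that carry a USSD code in an attribute the browser loads without a click. The names `classify_tel`, `scan` and `high_risk`, the sample page, and the rule that any `*` or `#` in the dialed string marks a USSD code are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Tag -> attribute that a browser fetches on page load, without a click.
AUTO_LOAD = {"iframe": "src", "frame": "src", "img": "src", "script": "src",
             "embed": "src", "object": "data", "link": "href"}

def classify_tel(uri):
    """Return 'ussd', 'number', or None when uri is not a tel: URL."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    dialed = unquote(rest)  # %23 decodes to '#', %2A to '*'
    # Assumption: any '*' or '#' marks a USSD/MMI code rather than a number.
    return "ussd" if any(c in "*#" for c in dialed) else "number"

class TelScanner(HTMLParser):
    """Collects (tag, attribute, value, kind, auto_loaded) for every tel: URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = classify_tel(value) if value else None
            if kind:
                self.findings.append(
                    (tag, name, value, kind, AUTO_LOAD.get(tag) == name))

def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def high_risk(html):
    """USSD codes in attributes that load with no user interaction."""
    return [f for f in scan(html) if f[3] == "ussd" and f[4]]

# Constructed sample page; *#06# is the IMEI display code mentioned in the post.
SAMPLE = """<html><body>
<a href="tel:+15555550100">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<img src="logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in high_risk(SAMPLE):
        print("blocked:", finding)
```

The same `classify_tel` check applies to a tel: URL arriving by any other route, since it only looks at the dialed string after percent-decoding.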


