This is exactly what can happen with some Samsung Galaxy smartphones according to a demonstration given by Ravi Borgaonkar at the recent Ekoparty security conference in Argentina. Borgaonkar said that a Samsung Galaxy SIII could have its SIM card deactivated and the phone wiped in just three seconds, without the user being able to prevent it.
The attack uses Unstructured Supplementary Service Data (USSD) codes, a protocol that allows GSM phones to communicate with Telcos for a range of services. But they can also be used to activate features on the phone – such as a factory reset. If this code is sent to the phone by Android on behalf of the owner, all well and good. But if the code can be sent by a hacker, then things are not so good. The problem is that on some - not all – Android phones this code can be pushed to the phone without user intervention via a special web page, a scanned QR code or even NFC.
It’s not a difficult problem for the phone manufacturers to solve – but until they do, it could be devastating. New Zealander Dylan Reeve has crafted a test page that Android users can visit to check the vulnerability of their phones. It doesn’t go through with the attack, but does tell visitors whether their phone is vulnerable. Until Samsung and any other relevant manufacturer produce and distribute a patch, it might be worth a visit.
Other short term advice includes turning off the Service Loading feature to prevent USSD codes from executing via SMS, uninstalling any barcode scanners, and switching off the NFC functionality.
Paul Ducklin of Sophos adds this advice. “The bottom line here is this: get into the habit of backing up your phone. Whether you choose to trust the cloud, or synchronise to your laptop, or just copy important files to removable storage, don't take the long-term data integrity of your phone for granted. You might suffer a hysterically-funny-to-some-childish-haxxor remote factory reset.”