Samsung Galaxy remote wiping flaw

EDIT: the flaw is wider than just Samsung Android phones. I "successfully" ran the test on:
- HTC Desire with Android 2.2
- HTC Desire HD with Android 2.3
- Sony Ericsson Xperia Kino with Android 2.3

Mitigation updated to include TelStop.

When a friend asks me for advice on a smartphone purchase, I point to both the iPhone and the Nexus (vanilla Android). The main reason is that they get security updates faster.

For example, Apple released iOS 6 last week. Within 5 days it was deployed to over 100 million devices, from the iPhone 3GS released in June 2009 to the 5 million iPhone 5 units sold over the launch weekend.

I have a couple of Samsung friends (Galaxy S2 and Galaxy Note) who are stuck on Android 2.3.3, because for an obscure reason Samsung decided to cripple the Over The Air update capability of Android. The only way to update these phones is through Samsung Kies.

The flaw

The default browser in the Samsung TouchWiz interface is able to dial a call on its own. All you have to do is include a special command in a webpage to trigger a phone call on Samsung Galaxy smartphones. The number can be a regular one, an expensive (XXX) premium line, or a command code.

This command code (a USSD/MMI code) can display the phone's IMEI (*#06#), wipe the entire phone memory (*2767*3855#), or more. So it is trivial to add a line to a website that will wipe every visiting Samsung Galaxy smartphone.

The mitigation

The simplest way to mitigate this flaw is to install TelStop. TelStop registers as a "tel:" handler, which means that whenever a webpage tries to trigger your dialer, TelStop intercepts it. If the phone number is non-standard, the TelStop window pops up to warn you.
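As an added illustration (not code from this post or from TelStop), here is a Python check in the spirit of the decision a "tel:" handler has to make: percent-decode the tel: URI and let only a plain dialable number through, flagging anything containing * or # as a USSD/MMI command code that must not reach the dialer unattended. The HTML snippet is constructed for the example.

```python
import re
from urllib.parse import unquote

# A dialable number: optional '+' followed by 3-15 digits (after separators are removed).
PLAIN_NUMBER = re.compile(r"^\+?[0-9]{3,15}$")
# tel: URIs embedded in href= or src= attributes (anchor and iframe vectors).
TEL_ATTR = re.compile(r"""\b(?:href|src)\s*=\s*["']?(tel:[^"'\s>]+)""", re.IGNORECASE)


def classify_tel_uri(uri: str) -> str:
    """Classify a tel: URI as 'number', 'mmi' (USSD/MMI command code) or 'invalid'.

    Percent-encoding is decoded first: '#' has to be written as %23 inside a URI,
    so a check that skips decoding would miss encoded command codes.
    """
    if not uri.lower().startswith("tel:"):
        return "invalid"
    target = unquote(uri[4:]).strip()
    # Drop separators that are legitimate inside a phone number.
    compact = re.sub(r"[\s().\-]", "", target)
    if PLAIN_NUMBER.match(compact):
        return "number"
    if "*" in compact or "#" in compact:
        return "mmi"
    return "invalid"


def find_tel_links(html: str) -> list:
    """Return (uri, classification) for every tel: URI found in href/src attributes."""
    return [(m.group(1), classify_tel_uri(m.group(1))) for m in TEL_ATTR.finditer(html)]


# Constructed sample page: one legitimate call link and one auto-loading MMI code (IMEI display).
SAMPLE_HTML = """
<a href="tel:+1-555-0100">Call support</a>
<iframe src="tel:*%2306%23"></iframe>
"""

if __name__ == "__main__":
    for uri, kind in find_tel_links(SAMPLE_HTML):
        action = "pass to dialer" if kind == "number" else "block and warn the user"
        print(f"{uri}: {kind} -> {action}")
```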

The solution

The only definitive solution is for Samsung to clean up its mess and provide updates for its smartphones. The latest version of the Galaxy S3, running Android 4.0.4, is safe. For the older devices, you'll need to sync and update your phone using Samsung Kies.

Android dialer test

I posted "Android dialer test" on this blog. Opening this post will try to dial *#06# (the USSD code that displays the IMEI).