A single line of code can apparently trigger an unstoppable factory-reset of the Samsung Galaxy S III, security researchers have discovered, with the potential for malicious websites to wipe out users’ phones, SlashGear reports.
The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, with a simple USSD code – that could be sent from a website, or pushed to the handset by NFC or triggered by a QR code – that can reset the Galaxy S III or indeed other Samsung handsets.
Although the phone user is able to see the process taking place, hitting back on the device will not stop the reset. For QR code readers that automatically load whatever website has been stored to each code, or indeed NFC readers that do the same with NFC tags, the user would have no warning – and no hope of stopping – their handset from running the malicious code.
Only Samsung devices running TouchWiz appear to be affected, with basic Android only showing the code in the dialer screen but not running it automatically, Pau Oliva reports. Samsung’s default, though, is to dial the code automatically.
Perhaps most concerning, it’s possible to double up on the attack, including a USSD code that also kills the SIM card currently in the handset. That way, a single message could be used to wipe a Samsung phone and leave the user with a broken SIM too, SlashGear says.
It’s also possible to push Samsung handsets straight to a website running the bad code using a WAP-push SMS message.