Security Bug - LG Optimus 2x

Security Bug Can Wipe Out Your Android Phone By Visiting a Web Page (Update 3)
Important update: It's not only Samsung with TouchWiz. Apparently it's happening with other Android phones too.
Here's how it works: the HTML frame loads a tel: URL. This url tells the telephone that its content is a clickable telephone number. However, instead of a phone number, the URL contains a special USSD code that tells the phone to wipe out itself. USSD means Unstructured Supplementary Service Data, special number sequences used by phone carriers to execute instructions in your phone.

We are vulnerable but...
ensboarder said:
Security Bug Can Wipe Out Your Android Phone By Visiting a Web Page (Update 3)
Important update: It's not only Samsung with TouchWiz. Apparently it's happening with other Android phones too.
Here's how it works: the HTML frame loads a tel: URL. This url tells the telephone that its content is a clickable telephone number. However, instead of a phone number, the URL contains a special USSD code that tells the phone to wipe out itself. USSD means Unstructured Supplementary Service Data, special number sequences used by phone carriers to execute instructions in your phone.
I have tested it and our phone is vulnerable (v20s rooted stock)...
To test if you are affected by this bug in your configuration, try loading this page: goo(dot)gl/7H8CTI
If your IMEI shows up, your phone is vulnerable...
A temporary fix is to install an app called TelStop: play.google(dot)com/store/apps/details?id=org.mulliner.telstop
It works by intercepting the "tel:" link and opening up a warning...
Share the info
(Sorry for the links but I cannot publish links)
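
As an added illustration (not part of the original posts, and not TelStop's actual code): the kind of check a tel: link interceptor can make, decoding the URI and warning instead of dialing when it carries a * or # service code, plus a scan for tel: URIs that a page loads through a frame without any tap. All function names and the sample HTML are constructed for this example.

```javascript
// Added example; names are hypothetical, sample data is constructed.

// Return the decoded number part of a tel: URI, or null if it is not one.
// '#' is often percent-encoded as %23 in links, so decode before inspecting.
function telPayload(uri) {
  const m = /^tel:(.*)$/i.exec(String(uri).trim());
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return m[1]; // malformed escapes: inspect the raw text instead
  }
}

// Decide what a dialer front end should do with a tel: URI.
// '*' or '#' marks an MMI/USSD-style code rather than a plain number.
function classifyTel(uri) {
  const payload = telPayload(uri);
  if (payload === null) return 'not-tel';
  const digits = payload.replace(/[\s().\-]/g, ''); // drop visual separators
  if (/[*#]/.test(digits)) return 'warn';      // service code: ask the user first
  if (/^\+?\d+$/.test(digits)) return 'allow'; // ordinary phone number
  return 'warn';                               // anything unexpected: no auto-dial
}

// List tel: URIs that a page loads by itself via frame/iframe src.
// Links the user must tap (<a href>) are deliberately not reported here.
function autoLoadedTelUris(html) {
  const found = [];
  const frameRe = /<i?frame\b[^>]*\bsrc\s*=\s*["']?(tel:[^"'\s>]+)/gi;
  let m;
  while ((m = frameRe.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Combine both checks into a report for one page.
function reviewPage(html) {
  return autoLoadedTelUris(html).map((uri) => ({ uri, verdict: classifyTel(uri) }));
}

// Constructed sample page: one tappable number and one framed IMEI test code
// (*#06#, the harmless code used by the test pages mentioned in this thread).
const SAMPLE_HTML = [
  '<a href="tel:+1 (555) 010-0199">Call us</a>',
  '<iframe src="tel:*%2306%23"></iframe>',
].join('\n');

console.log(reviewPage(SAMPLE_HTML));
```
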

http://www.isk.kth.se/~rbbo/testussd.html
----------------------------------------------------------------------
arcee: the star, the galaxy R, and the grand X are completely different devices. different components, different resolutions, different radios, different audio amps,different panel manufacturers, different almost everything. The designs have nothing in common other than being T2
tonyp: so it's either LG or nothing?
arcee: yes

CM7.2 is vulnerable too on the O2X.
I just installed "NoTelURL" by Joerg Voss from the Play Store. Safe for now.

Yes, USSD codes are able to be launched from the browser, but that doesn't mean the O2X is vulnerable to the exploit.
Does the USSD that wipes Samsung phones even exist in stock and/or custom roms for the O2X?
Sent from my Optimus 2X using Tapatalk 2

kingvortex said:
Yes, USSD codes are able to be launched from the browser, but that doesn't mean the O2X is vulnerable to the exploit.
Does the USSD that wipes Samsung phones even exist in stock and/or custom roms for the O2X?
Sent from my Optimus 2X using Tapatalk 2
Good question!

Some USSD codes are unique to a manufacturer and some of them are not.
It looks like (I'm a novice) THE code, factory reset, is a Samsung-only code.
As an example, dial *#06# and your IMEI pops up; that's used on every phone on every OS. On Android, dial *#*#4636#*#*
You get the point
-Does that mean that I'm safe?
-No, you're not. Other LG and Android codes can be executed
-Are there any safe ROMs?
-I have only tried the link I posted earlier, with Benee's hackfest (CM10). I'm safe.
If you don't pass the test, try another dialer. And please report back in this thread.
Edit: exDialer is an easy fix (http://feber.se/android/art/252978/ett_klick_p_en_lnk_kan_terstll/)
https://play.google.com/store/apps/details?id=com.modoohut.dialer

I am using Nova HD... Not safe
HerrKuk said:
Some USSD codes are unique to a manufacturer and some of them are not.
It looks like (I'm a novice) THE code, factory reset, is a Samsung-only code.
As an example, dial *#06# and your IMEI pops up; that's used on every phone on every OS. On Android, dial *#*#4636#*#*
You get the point
-Does that mean that I'm safe?
-No, you're not. Other LG and Android codes can be executed
-Are there any safe ROMs?
-I have only tried the link I posted earlier, with Benee's hackfest (CM10). I'm safe.
If you don't pass the test, try another dialer. And please report back in this thread.

kingvortex said:
Yes, USSD codes are able to be launched from the browser, but that doesn't mean the O2X is vulnerable to the exploit.
Does the USSD that wipes Samsung phones even exist in stock and/or custom roms for the O2X?
Sent from my Optimus 2X using Tapatalk 2
Codes I have tested working:
*#06# > IMEI
#*#4636#*#* > Test Menu
1809#*990# > Hidden Menu
*#*#8255#*#* > Gtalk service

iosonogerva said:
Codes I have tested working:
*#06# > IMEI
#*#4636#*#* > Test Menu
1809#*990# > Hidden Menu
*#*#8255#*#* > Gtalk service
But attackers wouldn't benefit from launching those things on our phone as only we can see the results. Hopefully we don't find something triggering a wipe.

I tried that and my phone doesn't show anything??

Does this affect stock LG? Maybe then it will cause them to roll out an update sooner...

Call lg support now

If there are any things you want improved in the software call the support now
My complaints:
Bluetooth does not work with third party software and is unreliable in general.
This has been fixed on other phones with the same broadcom bt chip via custom firmware.
USB host needs software but the hardware is capable.
(same usb controller as motorola xoom)
F-Secure's annoying sound every time it finishes a scan without finding viruses.
(LG is the customer not us so they have to force them)
End your call with asking the case to be elevated.
I've called them with little luck but if we all do they have to fix it.
1. Would be nice if they would give you the option to "repair" your phone in LG update software. Sony Ericsson's Update software allows you to reflash your phone with the newest firmware, even if it's already present on the phone.
2. I would also like support for the mkv container, would save me some time remuxing some videos. And while we are at it, recording in FullHD should be 1920x1080, not 1920x1088.
3. The thing I would like the most would be a pure Android OS, without all the LG stuff (Facebook for LG etc.), F-Secure and such. This way I would be able to choose the applications that should be installed on my phone.
My few "complaints", other than that, best phone I have ever had
Then call the support number on their website. The message they gave me is that they are waiting for feedback before they release a patch
Sent from my LG-P990 using XDA App
KernelCrap said:
3. The thing I would like the most would be a pure Android OS, without all the LG stuff (Facebook for LG etc.), F-Secure and such. This way I would be able to choose the applications that should be installed on my phone.
According to what I have heard, the Android OS that is running on the LG is as "close" to vanilla Android as you will get with a custom UI. So apparently LG is not as deeply rooted in the OS as, say, HTC is.
The public reasoning for the close-to-stock approach is that they want the hard core of the Android development community to program for the device; another example is the unlocked bootloader and easy rooting. Sure, you lose your warranty, but it's easy to do.
Sent from my LG-P990 using XDA App
Great thread, magfal. I hope users here use their voices & inform LG of all the bugs they've encountered. I'm glad LG wants ownership opinion, & now it's up to us to push for change.
MeX_DK said:
According to what I have heard, the Android OS that is running on the LG is as "close" to vanilla Android as you will get with a custom UI. So apparently LG is not as deeply rooted in the OS as, say, HTC is.
It's totally true. There's no framework integration except for:
Music bar in shade
Font engine
Toggle buttons in shade
Graphics
It's completely unlike Sense or Blur, you can simply remove the bits you don't want and replace them with stock Android stuff (except the actual framework).
There are no extra system processes or services running as a result of LG framework mods on the O2X - it's as "raw" as it can get whilst still being an "LG Phone".
The only things that are tightly integrated are the Music controls and font management, and you can hardly blame them for that; they're better than stock Android. My problem is that the music controls only work with the LG Music app, so they're useless to me (PlayerPro). Modding this is what resulted in my temp brick...
Let's keep on track here, but the issue I see as the most important in your post is the ability to use the player controls with third-party music players. Call LG and tell them what you think they should improve
Sent from my LG-P990 using XDA App

Remote Wipe Vulnerability

Hi Guys, the browser hack that wipes Samsung phones is not limited to just those handsets. These guys do a better job of describing the whole thing:
http://www.theverge.com/2012/9/26/3412432/samsung-touchwiz-remote-wipe-vulnerability-android-dialer
Here is a direct link to the exploit test:
http://dylanreeve.com/phone.php
I'm running MavRom4 with the China telco radio image and my device is vulnerable. Just wanted to share the info so people are aware; having two dialers and no default will force the exploit to ask you to actively pick a dialer; this would neutralize most cases but that is a pretty annoying work around.
Maybe people can post D3 Roms that aren't vulnerable.
majatt said:
I'm running MavRom4 with the China telco radio image and my device is vulnerable. Just wanted to share the info so people are aware; having two dialers and no default will force the exploit to ask you to actively pick a dialer; this would neutralize most cases but that is a pretty annoying work around.
Also, installing DialerOne and making it the default will protect you as well - you do not have to leave it without a default dialer set. DialerOne is actually a good dialer - I used to use it with my Droid Eris with CyanogenMod ROMs, in order to have the dial by name function that the Sense dialer supported back. And you can still leave the stock dialer set in a home page or on the launcher dock - it will still work if you call it up. It will not be called up if you launch the dialer from another app, though, if you make DialerOne the default.
The stock dialer is vulnerable - a predictable result, based on the vulnerability of MavRom, but I did want to say that I tested it. I haven't tested any other ROM - at this point, I don't have much time to try some out, and I think I recently deleted my most recent Liberty and Bionic Nandroid backups.
Let's see how long before Moto releases a critical patch update for stock.
Thanks, this is good to know. I thought it was only Samsung phones that had the issue, but since I'm still on stock 2.3.4 it appears I'm vulnerable. I have GrooveIP Lite installed on my phone, an app that allows you to make voice calls using your Google Voice number. With this app installed I get a "complete action using" Dialer or GrooveIP window, so I should be safe; if I get a random popup I'll be sure not to select Dialer.
I heard about this "wipe" problem and when I saw it was just passing dialer codes to the phone I knew it would affect more than just Samsung.
Does anyone know if they have a list started of phones that might be vulnerable?
I read somewhere (though haven't tested it...) that the D3 does not have a dialer code that resets the phone, as the Samsung phones do/did. So, the D3 fails the display-the-IMEI test, but I believe that the reset code does not work with the D3.
FYI: CM10 kexec isn't vulnerable. Probably b/c it's JB (I think they fixed the vulnerability in JB). I go to the site and dialer pops up w/ *#06# No IMEI displayed
Sent from my AOKP JB GT-P3113 using Tapatalk

Test USSD vulnerability on O4X

AFAIK our Optimus 4X is safe because its result only shows the dialer, but you should try it yourself.
If your phone is vulnerable to the recently disclosed tel: URL attack then this website will cause your phone to open the dialler and display the IMEI code. With other USSD codes it could do any number of other things, including wipe all phone data.
You can find some more information and a simple workaround here: http://dylanreeve.posterous.com/remote-ussd-attack
To test vulnerability, open this URL from your phone browser and wait for the effect:
http://dylanreeve.com/phone.php
What does it all mean?!
If visiting this page automatically causes your phone's dialler application to pop up with *#06# displayed then you are not vulnerable. If, however, the dialler pops up and then you immediately see your phone IMEI number (a 14- or 16-digit number) then you are potentially vulnerable to attack.
Sent from my LG-P880 using xda app-developers app

Create own Secret Code

Is it at all possible to create your own secret code to show some text or a picture on WP8, and if it is, how?
You know what I'm talking about, like when you type *#06# your IMEI will show up.
No. Most GSM short codes aren't even controlled by the phone OS at all, as far as I know. The handful of codes that are phone-controlled, such as the ones to install/launch various diagnostics apps, require more permissions to create or edit than we currently have access to.
GoodDayToDie said:
No. Most GSM short codes aren't even controlled by the phone OS at all, as far as I know. The handful of codes that are phone-controlled, such as the ones to install/launch various diagnostics apps, require more permissions to create or edit than we currently have access to.
Thank you.

Nexus 4 & 5 security vulnerability uncovered

A security researcher and hacker, named John Gordon, has found an easy way to bypass the security of locked smartphones running Android 5.0 and 5.1 (Build LMY48M). Many of us use various security locks on our devices like Pattern lock, PIN lock and Password lock in order to protect the privacy of our devices. However, a vulnerability could now allow anyone to take your Android smartphone (5.0 build LMY48I) with locked screen, perform a "MAGIC TRICK" and as a result crash the user interface (UI) for the password screen and gain access to your device.
The vulnerability, assigned CVE-2015-3860, has been dubbed as "Elevation of Privilege Vulnerability in Lockscreen".
How the Attack Works?
The secret behind the researcher's "MAGIC TRICK" is as follows:
Get the device and open the Emergency dialer screen. Type a long string of numbers or special characters in the input field and copy-n-paste a long string continuously till its limit exhausts.
Now, copy that large string. Open up the camera app accessible without a lock. Drag the notification bar and push the settings icon, which will show a prompt for the password.
Now, paste the earlier copied string continuously to the input field of the password, to create an even larger string.
Come back to camera and divert yourself towards clicking pictures or increasing/decreasing the volume button with simultaneously tapping the password input field containing the large string in multiple places.
All this is done to make the camera app crash. Further, you will notice the soft buttons (home and back button) at the bottom of the screen will disappear, which is an indication that will enable the app to crash.
At this time, stop your actions and wait for the camera app to become unresponsive.
After a moment, the app will crash and get you to the Home Screen of the device with all the encrypted and unencrypted data.
Now without wasting time go to Settings > Developer Options > Enable USB Debugging and control the device by installing the Android Debug Bridge (ADB) utility.
In addition to this, if we notice the number of users with Android 5.0 and 5.1 with hardware compatibility as Nexus 4 and software installed as Google factory image - occam 5.1.1 (LMY47V) are less.
Therefore, the risk associated will affect those users only.
Furthermore, for those users we have good news: the patch for the vulnerability has been released and made public by Google.
My question is, will it also affect other L users???
First off:
That text formatting,</thread> also, this will affect anyone running ROMs with pretty much unaltered SystemUI based on 5.1.1_r8 (or lower)
ROMs that heavily alter SystemUI (i.e. Samsung and LG stock ROMs) are unaffected. Hence this issue didn't get widespread coverage across news sites
opssemnik said:
First off:
That text formatting,</thread> also, this will affect anyone running ROMs with pretty much unaltered SystemUI based on 5.1.1_r8 (or lower)
ROMs that heavily alter SystemUI (i.e. Samsung and LG stock ROMs) are unaffected. Hence this issue didn't get widespread coverage across news sites
Thanks for informing me. But sure that WILL affect users of CyanogenMod, Cataclysm and other non-modded AOSP based ROMs.
Sent from my HTC Desire 616 dual sim using Tapatalk
MSF Jarvis said:
Thanks for informing me. But sure that WILL affect users of CyanogenMod, Cataclysm and other non-modded AOSP based ROMs.
Sent from my HTC Desire 616 dual sim using Tapatalk
CM has already merged r14 so it's safe. Cataclysm is based on stock ROMs, so if it has a version for the latest, then it's also safe.
Any ROM with a code base post r8 is safe, which afaik should be a lot of them. RR, rastapop, omni, CM, chroma, D.U. are the ones I remember that have the fix.
If you want a deeper look, see if the ROM has this fix
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6
opssemnik said:
CM has already merged r14 so it's safe. Cataclysm is based on stock ROMs, so if it has a version for the latest, then it's also safe.
Any ROM with a code base post r8 is safe, which afaik should be a lot of them. RR, rastapop, omni, CM, chroma, D.U. are the ones I remember that have the fix.
If you want a deeper look, see if the ROM has this fix
https://android.googlesource.com/platform/frameworks/base/+/8fba7e6
Whew. Now as I think, I remember my cousin's N5 getting a ~100 MB FOTA update, maybe that includes the r14 fix.
Sent from my HTC Desire 616 dual sim using Tapatalk
Mod Edit
Thread Closed at OP request
ronnie498
Senior Moderator
