Hackers can push the exploit via QR codes, websites, NFC, and WAP Push SMS

Sep 25, 2012 12:16 GMT  ·  By
Ravi Borgaonkar shows how USSD codes can be used to reset a Samsung Galaxy S3 phone

Presenting at the 8th edition of the ekoparty Security Conference, Ravi Borgaonkar – researcher at the Technical University of Berlin – revealed in a talk entitled “Dirty use of USSD Codes in Cellular Network” how Unstructured Supplementary Service Data (USSD) codes can be turned into a weapon against mobile phones.

USSD is a session-based GSM protocol used to exchange short messages between a mobile phone and a network application server. Common USSD-based services include social networking, mobile software updates, and even mobile banking.

Borgaonkar showed that USSD codes can be used to cause serious damage. According to the researcher, if an attacker manages to push a specially crafted USSD code to certain Samsung smartphones, the device performs a factory reset, wiping the user's data. The worst part is that no user interaction is needed: the code executes as soon as it reaches the dialer.

The attacker has a number of delivery channels for the code: WAP Push SMS, QR codes, malicious websites, and even near-field communication (NFC) tags read by NFC-enabled devices.

Expert Pau Oliva explains that the method can rely on a “WAP Push SMS which opens a website with tel://url handler.”

“Yes, you can remotely wipe any friend's Galaxy S3 now, just by sending him a WAP Push SMS,” Oliva said.

The factory-reset attack does not affect devices running a “stock” version of the Android operating system. Samsung phones are exposed because the company's firmware maps a USSD code to a factory data reset.

In the case of the Samsung Galaxy S3, the factory data reset code is *2767*3855#. A web page can trigger it with a single frame whose source is a tel: URI; the browser hands the URI to the dialer, which runs the code immediately: <frame src="tel:*2767*3855#" />

On phones whose firmware does not map a USSD code to a factory reset, the attack only works if the potential victim can be persuaded to trigger the reset themselves.
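The fix on the receiving side is for the dialer (or the browser's tel: handler) to refuse to auto-execute anything that is not a plain phone number. The following check is an added example written for this article, not code from Borgaonkar, Oliva or Samsung; the function name classifyTelUri and the sample URIs are assumptions made for illustration. It treats any tel: URI containing '*' or '#' as a USSD/MMI code, and it percent-decodes first, since tel:%2A2767%2A3855%23 is the same code as tel:*2767*3855# and a naive string match would miss it.

```javascript
// Added example (not from the article or the researchers): a guard a dialer or
// browser could apply before auto-dialling a tel: URI that arrived from an
// untrusted source (web page, WAP Push, QR code, NFC tag).
//
// GSM "special" codes (USSD and MMI) are distinguished from phone numbers by
// the characters '*' and '#'. A number handed to the dialer from outside the
// app must not be auto-executed if it contains them, and percent-encoding has
// to be undone before the check so that %2A / %23 cannot be used to hide them.

const TEL_SCHEME = /^tel:(\/\/)?/i;

// RFC 3966 "visual separators": no meaning in a dialled number, commonly
// inserted for readability.
const VISUAL_SEPARATORS = /[-.() ]/g;

/**
 * Classify a tel: URI. Returns an object with:
 *   ok      - true if the URI is a plain phone number safe to hand to the dialer
 *   number  - the normalised number (only when ok)
 *   reason  - why it was rejected (only when !ok)
 */
function classifyTelUri(uri) {
  if (typeof uri !== 'string' || !TEL_SCHEME.test(uri)) {
    return { ok: false, reason: 'not a tel: URI' };
  }
  let raw = uri.replace(TEL_SCHEME, '');
  // tel: URIs may carry parameters after ';' (e.g. ;phone-context=...); the
  // dialled part is everything before the first ';'.
  raw = raw.split(';')[0];

  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    // Malformed escapes are rejected rather than passed through un-decoded.
    return { ok: false, reason: 'malformed percent-encoding' };
  }

  const digits = decoded.replace(VISUAL_SEPARATORS, '');
  if (digits.length === 0) {
    return { ok: false, reason: 'empty number' };
  }
  // A USSD string (*...#) or MMI code (e.g. *#06#) always carries '*' or '#'.
  // Refuse to auto-dial anything that does; a legitimate number is an
  // optional '+' followed by digits only.
  if (/[*#]/.test(digits)) {
    return { ok: false, reason: 'USSD/MMI code, must not be auto-dialled' };
  }
  if (!/^\+?[0-9]+$/.test(digits)) {
    return { ok: false, reason: 'unexpected characters in number' };
  }
  return { ok: true, number: digits };
}

// Constructed sample inputs (assumed for this example). The first is the
// factory reset code quoted in the article; the rest are variants an attacker
// or an ordinary web page might present.
const SAMPLES = {
  resetCode:        'tel:*2767*3855#',
  resetCodeEncoded: 'tel:%2A2767%2A3855%23',
  resetCodeSlashes: 'tel://*2767*3855#',
  imeiCode:         'tel:*%2306%23',
  normalNumber:     'tel:+1-415-555-0100',
  badEncoding:      'tel:%E0%A4%A',
};

// Run every sample through the classifier and return the verdicts by name.
function auditSamples() {
  const out = {};
  for (const [name, uri] of Object.entries(SAMPLES)) {
    out[name] = classifyTelUri(uri);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditSamples());
}
```

Only normalNumber comes back with ok: true; every form of the reset code, including the percent-encoded and tel:// spellings, is rejected before it reaches the dialer. A real dialer would show the decoded string and wait for the user to press call rather than silently dropping it, but the classification step is the same.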

Here is the ekoparty video in which Ravi Borgaonkar demonstrates his findings: