It has been discovered that a single USSD code could be used to force Samsung Touchwiz phones such as the Samsung Galaxy S3 to factory reset, wiping away all the owner’s data.
Unstructured Supplementary Service Data (USSD) codes are used to communicate directly with the computers of network operators – in a similar fashion to sending a payment via SMS – and can, amongst other things, be used to diagnose or update the device. Here though, a code has been found that will cause the device to start its factory reset procedure.
The code is particularly malicious as once the reset is under way there is no way for the user to stop it.
Particularly worrying is that the code could be invoked just by visiting a particular destination with the phone’s standard web browser – something that could be invoked via a nefarious NFC tag or QR code.
However, the code only effects Samsung devices running a standard Touchwiz install – not a customised or default installation of Android – and only if using the default web browser. Nonetheless, a number of sources have replicated the effect on Samsung Galaxy S3, Samsung Galaxy S2 and Samsung Galaxy Advance devices.
Here’s what it looks like happening to a Samsung Galaxy S2:
The security hole was revealed by Ravi Borgaonkar during a presentation at the Ekoparty security conference where he was talking broadly on the subject of USSD codes.
Thankfully, though, there are as yet no reports of anyone using the code maliciously.
Samsung is currently investigating the issue and we’ll report back as soon as we get further information.