Samsung has fixed the Unstructured Supplementary Service Data (USSD) exploit that could remotely wipe data from a Galaxy S III smartphone, but that doesn't mean the USSD threat is over: far from it in fact. According to some security researchers, 400 million Android device users are at risk from having their hardware bricked.
It's not just owners of the Samsung Galaxy S III that are vulnerable to this particular attack, or indeed just Samsung handsets at all as first thought. As is often the case, the discovery of a vulnerability leads to several new ways to exploit it and that's what has happened here. According to several IT security researchers, a new USSD attack variant is out there which works on a huge number of smartphones running the Android OS.
The new variant of the USSD exploit no longer worries about remotely wiping data from specific handsets, but instead now concentrates on killing your SIM card and bricking your expensive smartphone. The original exploit worked by tricking the owner into visiting a web page where a factory reset code inside an iframe was loaded via a 'tel:' uniform resource identifier. The dialer application on the handset will automatically execute the code, and perform a factory reset. Tricking, in this context, isn't just restricted to luring the unwary to click a rogue link but can actually also involve touching a rogue NFC tag (if the handset is NFC-enabled) or scanning a rogue QR code.
The new variant leverages a code which can change the PIN of a SIM card using the Personal Unblocking Key (PUK). By simply executing the code multiple times, with the wrong PUK, the SIM will automatically and permanently lock down. The only recourse being for the user to approach their network operator to get a new code. Until they do, their smartphone remains dumb and dead. Because the PUK approach is a standard SIM card feature, the exploit can impact upon just about any handset running the Android OS.
Unpatched Android devices are at risk, as the Android dialer doesn't differentiate between USSD codes and phone numbers. Unpatched devices ranging from Android version 2.3.x to Android version 4.1.x are all vulnerable to this new variant USSD SIM PUK attack.
At the moment, considering that very few Android devices will be patched against this exploit, the best defence would appear to come in the form of a couple of free tools from security vendors which will block the PUK changing attempts. Bitdefender USSD Wipe Stopper and ESET USSD Control are available free of charge from Google Play.
