Walker News

Over Worry About USSD Attack That Perform Remote Wiping?

As a HTC One X owner, I’ve the same question to ask – Is HTC One X vulnerable to “remote wipe” attack via USSD code?.

Background of the story

The stock Android OS endeavors to process USSD code embedded in website (in form of tel: URL), QR Code, WAP Push SMS, NFC, etc. If your Android smartphone supports factory reset USSD code, then there is a chance your smartphone can be remotely wiped (all data gone/removed from the phone storage)!

The latest Samsung Galaxy S3 is said to have inherited this vulnerability but does promptly respond to the reported threat by releasing firmware update.
What about HTC One X?

Bad news
I’ve tested my HTC One X and confirmed that the latest HTC firmware update (Android 4.0.4 with HTC Sense 4.1) is also inherit the same vulnerability!

Good news
HTC One X doesn’t support hard reset using USSD code, as confirmed by HTC via The Guardian. But what about other harmful USSD codes?

Verdict
As long as the Android OS automatically responds to USSD code or any other Android secret keycode (i.e. without letting user to choose how it should react), then it’s a bad design that exposes the smartphone to certain risks!

A YouTube video shows HTC One X (firmware version unknown) doesn’t respond to *#*#7780#*#* (the so-called Android secret code used to perform hard reset):



How to tell your Android smartphone is vulnerable to USSD attack?

Dylan Revee who first discovered and shared the finding has created a simple webpage to test this vulnerability – please find Dylan’ webpage URL in The Guardian post (at last paragraph) that I’ve shared in “Good news” section (above).
Use your Android smartphone to open Dylan’s test webpage:

1. If the phone shows you its IMEI code, then it’s positive (vulnerable)!

2. If your Android phone also supports hard reset by secret keycode, then your Android phone is at risk (double positive)!!!

How to fix the USSD attack (double positive)?

Best if the handset marker will release firmware update to fix it, like what Samsung did. The latest Android 4.1 (Jelly Bean) also works, as this release has fixed the design flaw.

If you’re not using Android 4.1 and there is no firmware update from handset marker, then think about using an alternate dialer from Google Play Store (e.g. Dialer One suggested by Dylan) that ignore or not process USSD code.
When there are two or more dialer apps installed, Android will prompt user to choose one of them to process the secret code. As long as there is NO default dialer setup, and you choose the dialer that silently ignores USSD code, then you’re safe!

I hope HTC will consider fixing the flaw asap, despite their Android smartphones do not support factory reset via secret code (what about other “dangerous” secret codes that work and expose user privacy to attacker?)!

Custom Search

2014  •  Privacy Policy