
Dialer vulnerability in some Android phones could lead to data damage

Release Date: 28 Sep 2012

At the security conference "Ekoparty 2012", Ravi Borgaonkar demonstrated a security flaw in Android smartphones. This flaw could lead to remote wiping of the device or data damage to the SIM card.

 

Ravi demonstrated a vulnerability in the default Dialer application, which received and automatically executed USSD codes passed from other applications. In the demonstration, Ravi sent a "remote wipe" USSD code to the Android phone and successfully reset the phone to factory default condition.

What is USSD?

 

Unstructured Supplementary Service Data (USSD) is a set of executable codes that service providers give to phone users so that they can input commands via the dialer to configure the settings of telecommunications services.

 

Example of common USSD codes:

  • **21*<phone number># : call forward setting to a specified phone number
  • *#06# : show the IMEI of cellphone

 

Different brands have their own specific USSD codes. For example, a Samsung phone enters an internal testing mode when you input *#0*# in the dialer. Samsung also has a specific USSD code that wipes the phone to the factory default condition.

Exploiting the vulnerability of the Dialer application by USSD attack

 

Some apps, such as the Android browser, can pass a URI containing "tel:" to the dialer application. If the URI is "tel:" followed by a phone number, the dialer receives the phone number and shows it to the user. If the URI contains a USSD code instead, a patched dialer should ignore or refuse the USSD code passed by other apps. A vulnerable dialer, however, executes the USSD code directly without prompting. Attackers could exploit this flaw to perform remote attacks.

 

The dialer flaw could be exploited in many ways to perform a USSD attack, such as:

  1. Through the phone browser: a web page contains a link with "tel:<USSD code>".
  2. Through a QR code reader: a QR code contains a URI of "tel:<USSD code>" or a link to the malicious web page above.
  3. Through an NFC reader: an NFC tag contains a URI of "tel:<USSD code>" or a link to the malicious web page above.
  4. Through a WAP Push SMS sent to a specified device, containing a URI of "tel:<USSD code>" or a link to the malicious web page above.
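
The check that a patched dialer applies to a "tel:" URI from another app, and that a QR or NFC reader can apply before opening a link, can be sketched as follows. This is an added example, not HKCERT's or any vendor's code; the function names, the action labels and the sample page are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

CODE_CHARS = set("*#")                    # appear in USSD codes, never in a plain number
NUMBER_CHARS = set("0123456789+-.() ")    # digits, leading +, visual separators
TEL_URI = re.compile(r"\btel:[^\s\"'<>]+", re.IGNORECASE)


def classify_tel_uri(uri: str) -> str:
    """Classify a URI handed over by another app: 'not-tel', 'number', 'code' or 'malformed'."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-tel"
    # '#' usually arrives as %23 (a raw '#' would start the URI fragment), so
    # decode before checking, and repeat so double encoding (%2523) is caught too.
    decoded = rest.lstrip("/")
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if CODE_CHARS & set(decoded):
        return "code"
    if set(decoded) <= NUMBER_CHARS and any(c.isdigit() for c in decoded):
        return "number"
    return "malformed"


def dialer_action(uri: str) -> str:
    """Policy for externally supplied URIs: prefill plain numbers, never run codes."""
    return {"number": "show-in-dialer", "code": "refuse"}.get(classify_tel_uri(uri), "ignore")


def find_code_uris(text: str) -> list[str]:
    """Return every tel: URI in a page or decoded QR/NFC payload that carries a code."""
    return [u for u in TEL_URI.findall(text) if classify_tel_uri(u) == "code"]


# Constructed sample page; *#06# is the harmless IMEI display code from the text.
SAMPLE_PAGE = """
<a href="tel:+1-202-555-0123">Call the front desk</a>
<a href="tel:*%2306%23">Show IMEI</a>
<a href="https://example.org/">Home</a>
"""

if __name__ == "__main__":
    for uri in TEL_URI.findall(SAMPLE_PAGE):
        print(uri, "->", dialer_action(uri))
    print("flagged:", find_code_uris(SAMPLE_PAGE))
```

Anything that is neither a plain number nor a recognisable code, including input still percent-encoded after three decoding rounds, falls through to "ignore" rather than being dialled.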

 

Which devices have the dialer vulnerability?

 

HKCERT has tested several devices. The dialer vulnerability was found in both the Samsung Galaxy W (Android 2.3.6) and the Galaxy Y (Android 2.3.6). We also discovered that another device (Android 2.3.7) using the custom firmware CM7 has the same dialer vulnerability. We believe that some devices of other brands with Android 4.0 or Android 2.3 or below have the dialer flaw.

 

How to test whether a phone has the dialer vulnerability?

 

HKCERT provides a testing QR code. It contains a harmless testing USSD code that instructs the phone to display its IMEI. You may test your phone dialer by following the steps below.

  1. Open a QR code reader (see Note 1).
  2. Read the QR code below and retrieve the string of text. Click the link with dial action to test your device. (If the QR reader already has the "auto open webpage" feature enabled, you do not need to click the link.)
  3. The dialer app will open automatically. If an IMEI code pops up and is shown, the phone has the dialer vulnerability.

    

 

Solution:

  1. Upgrade your phone to the latest firmware version
     
  2. Use a third-party dialer that ignores USSD codes, such as "Dialer One", and set the app as default.
    Steps:
    • Download an app called "Dialer One" by Yermek Zhumagulov from Play Store.
    • Read the QR code below and retrieve the string of text. Click the link with dial action.
    • The phone will pop up an option for choosing the default action. Check "Use by default for this action", and then choose "Dialer One".
    • Finish.

    (Remark: After choosing "Dialer One" as the default dialer, you can still use the original phone dialer. To avoid the USSD attack, "Dialer One" is only set as the default action for receiving URIs with "tel:".)
     
  3. Turn off the auto-execute options in other apps
    • QR code scanner: turn off the auto open web page and auto dial features
    • NFC: keep NFC turned off by default; turn off the auto open web page and auto dial features
    • If the phone supports the WAP Push SMS feature, set the service to "prompt" or "never".

 

Note 1: For downloading a QR code reader, please refer to "Mobile security tools" on the HKCERT website.
https://www.hkcert.org/mobile-security-tools