
Remote USSD Code Execution on Android Devices

Posted by Kevin Swartz


UPDATED: 2012-09-26. Updated to clarify the research and to add a recommendation for users to protect against the vulnerability.

viaForensics analysts Jon Pisani and Tony Collins recently expanded upon a disclosure made by Ravi Borgaonkar at the security conference Ekoparty 2012 (video: Borgaonkar at Ekoparty 2012, https://www.youtube.com/embed/Q2-0B04HPhs). The original findings indicated that the factory reset for the Samsung Galaxy S3 can be triggered via an injected frame, QR code, Near Field Communications, or SMS text message.

Further investigation revealed that redirects within web pages, either hard-coded or written in JavaScript, could also be used to push an arbitrary USSD code to the phone’s dialer. The feature being abused to trigger the reset is normally used to make placing phone calls easier while operating in the web browser. The disclosure shows that some unpatched devices could trigger the factory reset without human interaction.

Although the remote wipe issue is patched on many Samsung devices, the execution of USSD codes without user intervention may prove to be exploitable in other ways.

Many Samsung devices not vulnerable

As various outlets have pointed out, the issue has been patched on many Samsung devices running 4.0.x or later. However, Ravi also told PCMag that carrier-tied Samsung devices may remain vulnerable to this issue if the user is unable to receive the latest update.

Ravi offers a page for users to test their device (without remote wipe) to see if it executes a USSD code without dialing.

Easy means to protect yourself

For Samsung users who are vulnerable or want to protect themselves just in case, viaForensics recommends installing a third-party add-on dialer app, available free or inexpensively in the Google Play market. After installation, set the new dialer as the default in order to be protected.

Our testing on an otherwise-vulnerable Samsung device found that the third party dialer app prevented automatic dialing of USSD codes.

Other browsers are affected

Earlier today, a report was released by Engadget stating the vulnerability was only apparent in the stock Android Browser.

“The Unstructured Supplementary Service Data (USSD) code (which we won’t reproduce here) apparently only works on Samsung phones running Touchwiz, and only if you are directed to the dodgy destination while inside the stock browser (rather than Chrome, for example).”

However, viaForensics’ testing revealed that any browser that could execute JavaScript or accept server-side redirects could trigger the USSD codes to be loaded into the dialer, across all browsers and Android devices. Some devices required no human interaction after navigating to a maliciously crafted page, whereas other devices required the user to press the dial button.

Vulnerability of various devices

We tested the USSD auto-dial vulnerability on multiple devices from varying manufacturers, including Samsung, HTC, Motorola, and Apple. The concept was tested on other devices by altering the USSD code in our “malicious” page to “*#06#”, which is a universal code that harmlessly displays the device’s IMEI number.

Our stock Samsung Galaxy Note running Android ICS (4.0.3) was confirmed to be vulnerable, as it will automatically dial the USSD code for retrieving the IMEI number without confirmation, whereas the Galaxy Nexus running Jellybean (4.1) was confirmed not to dial the code automatically.

It should be noted that any USSD code could be pushed to any phone using this method, and other vendor-specific factory resets may be possible and exist on unpatched devices. The key is to check whether the dialing happens automatically or with user interaction. Vendors could filter specific codes from auto-dialing, but this would be less thorough and harder to confirm.
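The check described above can also be applied to page content before it reaches a device. The following is an added example, not viaForensics code: it assumes the calling feature is the tel: URI scheme (which the article does not name), uses hypothetical function names, and flags any auto-loaded tel: target containing "*" or "#" rather than matching specific codes.

```javascript
// Added example, not viaForensics code; all function names are hypothetical.

// Return the string a dialer would receive from a tel: URI, or null.
function telTarget(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return null;
  let raw = m[1];
  try { raw = decodeURIComponent(raw); } catch (e) { /* malformed escape: keep raw */ }
  return raw.replace(/[\s().-]/g, ""); // drop visual separators
}

// '*' or '#' anywhere marks a USSD/MMI sequence rather than a plain number.
// Testing the character class covers vendor-specific codes without a blocklist.
// The same check applies to the Location header of a server-side redirect.
function isServiceCode(uri) {
  const t = telTarget(uri);
  return t !== null && /[*#]/.test(t);
}

// Places where a page can load a URI with no tap from the user.
const AUTO_LOAD = [
  /<i?frame\b[^>]*\bsrc\s*=\s*["']?(tel:[^"'\s>]+)/gi,
  /<meta\b[^>]*http-equiv\s*=\s*["']?refresh[^>]*url\s*=\s*(tel:[^"'\s>]+)/gi,
  /location(?:\.(?:href|assign|replace))?\s*[=(]\s*["'](tel:[^"']+)["']/gi,
];

// Return every service code the page would push to the dialer on load.
function findAutoDialedCodes(html) {
  const hits = [];
  for (const re of AUTO_LOAD) {
    re.lastIndex = 0;
    for (let m; (m = re.exec(html)) !== null; ) {
      if (isServiceCode(m[1])) hits.push(telTarget(m[1]));
    }
  }
  return hits;
}

// Constructed sample page; *#06# is the harmless IMEI code used in the tests above.
const samplePage = `
<a href="tel:+1-555-0100">Call support</a>
<iframe src="tel:+15550100"></iframe>
<iframe src="tel:*%2306%23"></iframe>
<script>window.location = "tel:*#06#";</script>`;

console.log(findAutoDialedCodes(samplePage));
```

The ordinary click-to-call link and the auto-loaded plain number are not reported; only the two auto-loaded service codes are.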

As stated above, users can protect themselves immediately from auto-dialed USSD codes by installing a third-party dialer app and setting it as the default.

iPhone prompts user before executing

The Apple iPhone we tested (iPhone 4 running iOS 5.1.1) is not directly vulnerable to the attack, in part because USSD codes are vendor-specific and also because no method currently exists to automatically dial the code from a webpage. While the iPhone’s web browser did execute the redirect, when the device attempted to load the webpage, a pop-up was displayed asking the user if they would like to dial the USSD code. The end user would have to select “OK” in order for the USSD code to be executed on the device.

Impact and further research

The full impact of this issue depends on the USSD codes available on a given device (i.e. what they do) and whether they execute automatically. These codes are not publicized by the carriers, although they are available in various forums online, and functions more damaging than factory reset might not exist. Regardless, the automatic execution of such codes is a vulnerability we will monitor and test further.