Samsung slaps swift patch over phone-wiping Galaxy S III vuln
Smartmobe owners can bonk without fear again
Samsung has whipped out a fix for an embarrassing flaw in its smartphones that allows miscreants to wipe victims' phones with a simple web link. The South Korean electronics giant is pushing out the patch right now.
The Galaxy S III has a firmware update available that closes the security hole, and it can be picked up from an over-the-air download - and it may already be installed on many handsets.
Fixes for other Samsung phones should be expected soon although the manufacturer is being uncharacteristically taciturn about the details. But a rapid fix is always a good thing, especially as knowledge of the flaw spreads.
The existence of the problem was revealed at the Ekoparty 2012 hacking event over the weekend, and enables mischievous colleagues and vandalistic hackers to hard reset Samsung handsets with ease, wiping all the data and returning the phone to its factory state.
The TouchWiz phone dialling application, it seems, was responsible. The software responds to phone numbers delivered in a URL in the same way as those entered manually, allowing special codes to be entered and executed from a web link picked up by wireless NFC, embedded in a web page or read off a QR code.
Given the nature of the problem the quick fix isn't a surprise: a minor tweak to the dialler was all that's needed although Samsung still deserves credit for getting the patch deployed so quickly.
Users wanting to know if their fix has been applied can drop by Android Central, which has a benign example available, while those who want to live dangerously can follow these instructions and bet their data that Samsung has fixed the problem. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Samsung Galaxy
- Samsung Galaxy Ace
- Trusted Platform Module
- Zero trust