Sunday, July 23 2017

Samsung: Galaxy S III immune to USSD vulnerability (with OTA)

Updates
Sep-27 10.30am: Telstra’s current CrowdSupport Handset Updates page says a “bugfix” update for the Galaxy S III was approved on September 25 and is awaiting vendor deployment. This update has an ETA of today and may address this issue.
1.30pm: We’ve started adding responses from Australian carriers regarding the issue.
4.10pm: A new app to protect you from this exploit has been added to the list.
7.00pm: Today’s Telstra Galaxy S III update (mentioned above) appears to resolve this issue, as reported by @cswarris_27.

Multiple sources are reporting tonight that Samsung has confirmed the Galaxy S III is immune to the USSD wipe exploit vulnerability that’s taken the media by storm in the last 24 hours. We are receiving reports from readers that some local devices are still vulnerable to this exploit.

Samsung issued the following statement to Slashgear:

We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.

Samsung hasn’t specified exactly which OS version or OTA update contained the fix for the exploit, nor whether the update was released before or after the recent panic. It’s also been difficult to narrow down precisely which variants of the device are vulnerable, with conflicting reports received from the community.

You should ensure your phone is running the latest available software.

Local Information

In the time since this post went live, Mike has already stated in the comments that a Telstra Galaxy S III is vulnerable to the exploit.

Ben Grubb at the Sydney Morning Herald posted a detailed explanation of the flaw and has begun assembling a list of vulnerable devices. Ben has also kindly reconfirmed his findings tonight on a Telstra Galaxy S III.

It appears the most recent OTA update to the device resolved this issue. This update went out to unlocked phones first and received approval from Vodafone and Optus, with Telstra the last to approve its rollout. This approval was given on September 25, for a September 27 rollout.

As of late afternoon September 27, Galaxy S III phones from Vodafone, Optus and Telstra running the latest available firmware on each carrier have been confirmed immune to this flaw, matching Samsung’s statement yesterday.

Australian Carrier Statements

We’re reaching out to Australian carriers regarding the issue and will update this post with statements as they’re received.

Vodafone contacted us directly:

(Users) who have installed the most recent MR rolled out to our customers late last month are not affected by this vulnerability.

We are yet to receive statements regarding the issue from Telstra and Optus.

Older Devices

Of course, if you’re not using a Galaxy S III, this news will be of little comfort to you. Samsung Belgium responded to an enquiry about the Galaxy S II from Twitter user @Stinodd with the following statement (Google translated):

security issue is taken seriously. Firmware update is now being tested. Which you can install via OTA or KIES.

This still leaves updates for other phones like the Galaxy Beam and Galaxy Ace open to question.

Still Concerned?

Android Central created a USSD Test Page which uses a different USSD code to display your phone’s IMEI number. If you’re concerned that your phone may be at risk, you should head over there and run the test before taking further action.

If you’re unable to update a vulnerable device, consider installing a third-party dialer like Dialer One, which is known to not be vulnerable to this problem. As long as you’ve set it as your default Dialer, you should be OK.

A couple of apps designed to protect users from this exploit are now available on Google Play. These apps generally work by installing a handler for the tel protocol, causing your phone to open a Dialog instead of going straight to the Dialer when a tel URL is activated. This allows you to stop any such requests going through to your Dialer. Apps:
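The screening step a tel handler of this kind could apply before handing a URL to the Dialer, as an added Python example (not code from the article or from any of the apps it mentions). It assumes a narrower policy than described above: plain phone numbers pass through, while anything containing `*` or `#` (the characters that make a dial string a USSD/MMI command) or anything unparseable prompts the user. The function names and sample URIs are constructed for illustration, and the only code used is the harmless IMEI display code `*#06#`.

```python
from urllib.parse import unquote

# Characters that turn a dial string into a USSD/MMI command.
MMI_CHARS = set("*#")
# Visual separators that may appear in a phone number and carry no meaning.
SEPARATORS = set("-.() ")


def classify_tel_uri(uri: str) -> str:
    """Return 'not_tel', 'number', 'mmi' or 'malformed' for a URI string."""
    scheme, colon, rest = uri.strip().partition(":")
    if not colon or scheme.lower() != "tel":
        return "not_tel"
    # Decode percent-escapes first: "%2A" and "%23" hide '*' and '#'.
    decoded = unquote(rest)
    # Check the whole decoded string, including any ";param" suffix.
    if MMI_CHARS & set(decoded):
        return "mmi"
    # Keep only the subscriber part, dropping ";ext=..." style parameters.
    dial = "".join(c for c in decoded.split(";", 1)[0] if c not in SEPARATORS)
    body = dial[1:] if dial.startswith("+") else dial
    # Leftover '%' (double encoding), letters or emptiness are not a number.
    if body and body.isascii() and body.isdigit():
        return "number"
    return "malformed"


def handler_action(uri: str) -> str:
    """Decide what the handler does with a URI (assumed policy)."""
    kind = classify_tel_uri(uri)
    if kind == "not_tel":
        return "ignore"
    if kind == "number":
        return "forward_to_dialer"
    return "ask_user"  # show a dialog instead of dialing


# Constructed sample URIs.
SAMPLES = [
    "tel:+61 2 5550 0100",
    "tel:0255500100;ext=12",
    "tel:*%2306%23",
    "TEL:%2A%2306%23",
    "tel:%252A%252306%2523",
    "https://example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:30} {classify_tel_uri(sample):10} {handler_action(sample)}")
```
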

Sources: SammyMobile, SlashGear, Android Central, The Verge, Sydney Morning Herald, Samsung Belgium (Twitter), Telstra, Vodafone

Thanks: Ben Grubb, @cswarris_27 (Twitter), @mi7k (Twitter)

If you have any information to add regarding vulnerable phones, or you’ve wiped your phone inadvertently as a result of this issue, let us know in the comments.

 

Jason Murray   Deputy Editor


Join the Ausdroid Conversation

10 Comments on "Samsung: Galaxy S III immune to USSD vulnerability (with OTA)"

Mike
Valued Guest

Telstra Samsung Galaxy S2 4G is confirmed still vulnerable to attack. No update yet…
Come on Telstra, you did well with the SGS3, why not the SGS2-4g?

Mike
Valued Guest

Just updated to Telstra OTA update IMM76D.I9300TDUBLH1 build.
Confirmed that Telstra SGS3 is immune to attack, and has nice brightness adjustment in notification menu.

sgs
Valued Guest

I updated my Telstra sgs 3 this evening and when I go to the dialer link it shows my imei??? Is that normal??

Monoclonal
Valued Guest

Maybe we need more dramas like this – it might force the Telcos to pull their finger out and release the updates faster. One could only hope.
Welcome to the party Telstra - sorry all we have left to drink is the goon.

Matt M
Valued Guest

Virgin GS3 with latest OTA updates shows dialler but doesn’t show code or IMEI number from test link above (Android 4.0.4 – Build IMM76D.I9300XXBLH3)

froggyperson
Valued Guest

Vodafone GS III is not vulnerable, no update required I guess.

Stephen Reeves
Valued Guest

Confirmed that my Telstra SGSII (4.0.3) is vulnerable. (GT-I9100T) no update is available OTA, haven’t checked Kies.

Jason Murray
Valued Guest

Could you check Kies when possible and let us know?

Mike
Valued Guest

Confirmed that Telstra SGSIII is vulnerable to this hack.

Member

Have you checked for an OTA update?
