Updates
Sep-27 10.30am: Telstra’s current CrowdSupport Handset Updates page says a “bugfix” update for the Galaxy S III was approved on September 25 and is awaiting vendor deployment. This update has an ETA of today and may address this issue.
1.30pm: We’ve started adding responses from Australian carriers regarding the issue.
4.10pm: A new app to protect you from this exploit has been added to the list.
7.00pm: Today’s Telstra Galaxy S III update (mentioned above) appears to resolve this issue, as reported by @cswarris_27.
Multiple sources are reporting tonight that Samsung has confirmed the Galaxy S III is immune to the USSD wipe exploit vulnerability that’s taken the media by storm in the last 24 hours. We are receiving reports from readers that some local devices are still vulnerable to this exploit.
Samsung issued the following statement to Slashgear:
We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.
Samsung hasn’t specified exactly which OS version or OTA update contained the fix for the exploit, nor whether the update was released before or after the recent panic. It’s also been difficult to narrow down precisely which variants of the device are vulnerable, with conflicting reports received from the community.
You should ensure your phone is running the latest available software.
Local Information
In the time since this post went live, Mike has already stated in the comments that a Telstra Galaxy S III is vulnerable to the exploit.
Ben Grubb at the Sydney Morning Herald posted a detailed explanation of the flaw and has begun assembling a list of vulnerable devices. Ben has also kindly reconfirmed his findings tonight on a Telstra Galaxy S III.
It appears the most recent OTA update to the device resolved this issue. This update went out to unlocked phones first, and received approval from Vodafone and Optus but Telstra was the last to approve its rollout. This approval was given on September 25, for a September 27 rollout.
As of late afternoon September 27, Galaxy S III phones from Vodafone, Optus and Telstra running the latest available firmware on each carrier have been confirmed immune to this flaw, matching Samsung’s statement yesterday.
Australian Carrier Statements
We’re reaching out to Australian carriers regarding the issue and will update this post with statements as they’re received.
Vodafone contacted us directly:
(Users) who have installed the most recent MR rolled out to our customers late last month are not affected by this vulnerability.
We are yet to receive statements regarding the issue from Telstra and Optus.
Older Devices
Of course, if you’re not using a Galaxy S III, this news will be of little comfort to you. Samsung Belgium responded to an enquiry about the Galaxy S II from Twitter user @Stinodd with the following statement (Google translated):
security issue is taken seriously. Firmware update is now being tested. Which you can install via OTA or KIES.
This still leaves updates for other phones like the Galaxy Beam and Galaxy Ace open to question.
Still Concerned?
Android Central created a USSD Test Page which uses a different USSD code to displays your phone’s IMEI number. If you’re concerned that your phone may be at risk, you should head over there and run the test before taking futher action.
If you’re unable to update a vulnerable device, consider installing a third-party dialer like Dialer One, which is known to not be vulnerable to this problem. As long as you’ve set it as your default Dialer, you should be OK.
A couple of apps designed to protect users from this exploit are now available on Google Play. These apps generally work by installing a handler for the tel protocol, causing your phone to open a Dialog instead of going straight to the Dialer when a tel URL is activated. This allows you to stop any such requests going through to your Dialer. Apps:
Sources: SammyMobile, SlashGear, Android Central, The Verge, Sydney Morning Herald, Samsung Belgium (Twitter), Telstra, Vodafone
Thanks: Ben Grubb, @cswarris_27 (Twitter), @mi7k (Twitter)
If you have any information to add regarding vulnerable phones, or you’ve wiped your phone inadvertantly as a result of this issue, let us know in the comments.
Telstra Samsung Galaxy S2 4G is confirmed still vulnerable to attack. No update yet…
Come on Telstra, you did well with the SGS3, why not the SGS2-4g?
Just updated to Telstra OTA update IMM76D.I9300TDUBLH1 build.
Confirmed that Telstra SGS3 is immune to attack, and has nice brightness adjustment in notification menu.
I updated my Telstra sgs 3 this evening and when I go to the dialer link it shows my imei??? Is that normal??
Maybe we need more dramas like this – it might force the Telco’s to pull their finger out and rlease the updates faster. One could only hope.
Welcome to the party Telstra -sorry all we have left to drink is the goon.
Virgin GS3 with latest OTA updates shows dialler but doesn’t show code or IMEI number from test link above (Android 4.0.4 – Build IMM76D.I9300XXBLH3)
Vodafone GS III is not vulnerable, no update required I guess.
Confirmed that my Telstra SGSII (4.0.3) is vulnerable. (GT-I9100T) no update is available OTA, haven’t checked Kies.
Could you check Kies when possible and let us know?
Confirmed that Telstra SGSIII is vulnerable to this hack.
Have you checked for an OTA update?