Testing Samsung auto-dial shortcode exploit on Galaxy Note

It’s been widely reported today that the Samsung Galaxy S3 and other Samsung Galaxy phones have a glaring vulnerability: a webpage can trigger the Samsung dialer to dial a code which wipes the phone.

Example reports:

Gaping Hole in TouchWiz UI is Wiping Samsung Androids Clean (dailytech.com)


Samsung Galaxy S3 can be wiped and hard-reset with a single line of HTML (reddit.com)

Security Bug Can Wipe Out Your Android Phone By Visiting a Web Page (gizmodo.com)

I wanted to see if this was really true, so I thought I’d knock up a proof of concept using a much safer short-code, *#*#4636#*#*, which, if entered in the dialler, will take you to a testing / control menu where you can change various device settings (it’s useful to know about that hidden trick – but don’t change things unless you know what you’re doing).

So, I created a testmenu.html containing a frame which attempts to load tel:*#*#4636#*#*; it does indeed call up the dialler, but does not appear to actually trigger the test menu. (This debug code doesn’t require you to push send to confirm it – when you type the last “#”, the menu pops up – this is one reason I chose it as a test, as I assume that the problem with the wipe code (which I’m not testing out on my phone!) is that it works the same way (that, or people push to dial it, not knowing what will happen.)

Next, I decided to try a code that does need you to push send – *#100#. which typically returns your phone number. I created ownnumber.html. Loading that page in my Galaxy Note’s stock browser does indeed launch the dialler again – this time, though, the code *#100# is displayed, ready to be “dialled” if the user desires. This is the behaviour I’d expect from anything that links to tel:$number – the user to be asked for confirmation before placing a “call”.

Is it just that the Galaxy Note doesn’t have the same problem, or is there something special about the “wipe device” code?

Is, perhaps, the test menu code “executing”, but invisibly?

I am somewhat disturbed that Samsung modified the stock browser to support tel: URLs; I could see them being mildly useful for actual links to click to bring up the dialler, but using them as the source for a frame / image would never make sense.

(For what it’s worth, this is a Samsung Galaxy Note (GT-N7000) running Android 4.0.4, on UK Vodafone.)

One thought on “Testing Samsung auto-dial shortcode exploit on Galaxy Note”

Comments are closed.