Friday, 28 September 2012

So, what does that security vulnerability do on a Samsung Galaxy Nexus running stock Android JellyBean 4.1.1?

Thanks to Mikeybear for highlighting this one for me on Facebook, and to Dylan Reeve for a nifty testing tool and an example. It seems that some Samsung Android handsets have a vulnerability that allows invoking USSD codes from a browser with minimal user interaction.

Not seeing anything about my particular handset, the Samsung Galaxy Nexus, I decided to test it out.
Turns out, it half works.

In stock Android 4.1.1 Jellybean (I upgraded from my telco-supplied image, using images available from Google on their website) on the Samsung Galaxy Nexus (with Skype installed alongside the default "Phone" app) I tested loading a page with:
<html>
<body>
<iframe width="4" height ="4" src="tel:%23100%23"></iframe>
</body>
</html>
in it. #100# is the USSD code for account information on my telco.

Putting it to the test...

Chrome 18.0.1025308

It doesn't load initially, but if you go to another page and then go back (or go to the previous page and then forward), it invokes the dialler keypad but does not execute the code. You have to hit dial, and then it offers a choice of diallers (on my phone, the standard one and Skype). If you pick the standard one, it runs the code supplied.

Firefox 15.0.1

Immediate load of the dialler keypad; again, it won't run the code until you hit dial.

Android 4.1.1 Jellybean Browser

Immediate load of the dialler keypad; again, it won't run the code until you hit dial.

Conclusion

The Galaxy Nexus running current firmware isn't fully vulnerable, but there is room for 'mischief'. You have to be careful not to hit dial if you weren't expecting to dial a number, and if you were, to check that the number doesn't contain unusual codes. Not all codes will necessarily be available, but clearly some do work if you let them proceed.
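As an added example (not from the original post), a small scanner for the vector tested above: it flags tel: URIs in elements a browser loads without a click, and percent-decodes them so that tel:%23100%23 is recognised as the USSD code #100#. The element list, the USSD pattern and the sample HTML are my own constructions.

```javascript
// Added example (not from the original post): flag tel: URIs in elements that
// browsers fetch without a click, and recognise USSD/MMI-style codes after
// percent-decoding, so tel:%23100%23 is reported as #100#.
// The element list, the USSD pattern and the sample HTML are constructed here.
const AUTO_LOAD_TAGS = new Set(["iframe", "frame", "img", "script", "object", "embed", "source"]);
// USSD/MMI strings start with * or #, end with #, and use only digits, * and #.
const USSD_PATTERN = /^[*#][0-9*#]*#$/;

function decodeTelTarget(uri) {
  // Drop the scheme and any ;parameters or ?query, then percent-decode
  // (%23 -> #, %2A -> *). Fall back to the raw text on a malformed escape.
  const body = uri.slice("tel:".length).split(/[;?]/)[0];
  try {
    return decodeURIComponent(body);
  } catch {
    return body;
  }
}

function findTelAutoLoads(html) {
  const findings = [];
  // A deliberately simple tag scan; enough for the attribute shapes in this post.
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!AUTO_LOAD_TAGS.has(tag)) continue;
    const s = srcRe.exec(m[2]);
    if (!s) continue;
    const src = (s[1] ?? s[2] ?? s[3]).trim();
    if (!/^tel:/i.test(src)) continue;          // only the dialler scheme matters here
    const target = decodeTelTarget(src);
    findings.push({ tag, src, target, ussd: USSD_PATTERN.test(target) });
  }
  return findings;
}

// Constructed sample: the post's iframe payload, a plain-number tel: image,
// a link (needs a tap, so not flagged) and an ordinary iframe.
const SAMPLE_HTML = `<html><body>
<iframe width="4" height="4" src="tel:%23100%23"></iframe>
<img src="tel:5551234">
<a href="tel:%23100%23">link</a>
<iframe src="https://example.invalid/"></iframe>
</body></html>`;

for (const f of findTelAutoLoads(SAMPLE_HTML)) {
  console.log(`${f.tag} ${f.src} -> ${f.target}${f.ussd ? "  [USSD-style code]" : ""}`);
}
```

The same check fits a proxy or browser-extension content script; anchors are left out because they need the tap the post describes, while the flagged elements fire on page load.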
