A security research team at the Ekoparty Security Conference has demonstrated a single line of USSD code that can be used to completely reset a Samsung S III handset and ‘kill’ the owner’s SIM card in under three seconds.
Security expert Ravi Borgaonkar demonstrated the line of code and showed how it can be sent from a website, pushed to the handset by NFC, or triggered by a QR code. It then performs a complete wipe of the handset, resetting it to factory condition. Once the line of code is pushed to the Samsung S III, the user is given no warning and has no means of stopping the reset.
USSD (Unstructured Supplementary Service Data) is a protocol used by GSM telephones to communicate with the service provider’s computers for configuring the phone. The security team has also shown a USSD code that can be used to wipe the SIM card in the Samsung S III, leaving the user with a very expensive plastic brick for a handset.
It’s not just the Samsung S III that is affected: the code also wipes the Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II, although it does not wipe the Galaxy Nexus tablet.
Samsung has not responded to the discovery, although owners will be hoping it fixes this security leak quickly. In the meantime, Samsung S III owners should be careful which links they follow (especially on social networks such as Twitter and Facebook), and be sure not to scan any QR codes that they don’t trust.