designsbylareau.com
Multi-discipline Technology Consultants


Our Mission: To reduce your personal and business risks by deriving action items from recent news stories.

Note: Brent LaReau is your point of contact for this blog.

« Previous 10 | Next 10 »

018

A Web Site Can Reset Your Samsung Phone to Factory Defaults

Permalink Brent LaReau, designsbylareau.com
Posted: Oct 12, 2012

The headline shown above seems too extreme to be true, doesn't it? But in fact, if you are reading my blog on a specific type of Android phone made by Samsung, I could have instantly "wiped" your phone RIGHT NOW by simply embedding a specific "USSD" code here. You wouldn't even have had time to read these sentences. Instead, your phone would have begun to reset itself as soon as it loaded this web page. When it was finished you would have found:

Information Security Cartoon
(You can see all of my cartoons here.)

Fortunately, not all Samsung Android phones are vulnerable to this attack. Full details are not yet known, but at least we know the following Samsung phones are vulnerable:

How did this enormous vulnerability creep into Samsung phones? There is a short answer and a longer answer. The short answer is that Samsung's software development teams created a "dialer" app for its Android phones, which will instantly execute any USSD code without asking the user to confirm this action. One of those USSD codes will wipe the phone (reset it to its factory original condition). And if any of those USSD codes is embedded in a web page, the code is immediately executed when the page loads.

That was the short answer. Now for a longer answer that some people won't like: agile software development methodologies permit companies like Samsung to make 10,000 software modifications—new features and bugfixes—each year in a frantic race against their competitors. We have to admit this rapid, incessant march forward is quite an accomplishment, but how can an agile design team consider the consequences of each software modification when their main goal is to do more and do it faster?

How can an agile culture that revolves around optimization of business processes (not security processes) avoid oversights and mistakes that place end users at risk—to the delight of malicious hackers, teenagers, and blog writers like me?

How can the "user stories" embraced by agile methodologies include security considerations when the "user" is just an average consumer instead of a security expert?

And how can the "unit tests" embraced by agile software developers even begin to address system security issues at all? Especially since many lean, agile teams act as if unit tests can replace integration testing and system testing!

[Update: February, 2013—Samsung isn't the only vendor that fails to assess security issues when developing its products and software. The Federal Trade Commission (FTC) has announced a settlement with HTC over complaints about lack of security in its mobile phone software. The FTC stated that HTC made little or no effort to address user security when HTC customized Android and Window Phone software for its smartphones. HTC's software was claimed to be sloppy; HTC didn't train its design teams in secure software development practices; HTC didn't perform any penetration testing on its mobile devices; and HTC's staff used software development methods that are well-known to be poor security practices.]

Let's peruse the facts of this case and generate some action items that we can use to reduce our risks:

You can read an original news article about this topic here. You can contact me here.

Permalink


« Previous 10 | Next 10 »


Home


What We Do


Contact Us

Brent Report
Security
Blog
Bombardier
Security
Cartoon
Our
Success
Stories

Kudos

Page validated by:
Valid HTML 4.01 Transitional