"Remote wipe vulnerability" on Android devices

Missing input validation in Android stock dialpad allows initiating special char handling by Intents

 --

This paste is intended to deliver some thoughts about the "remote wipe vulnerability" on Android devices.

The issue is not directly linked to Samsung or TouchWiz UI.
USSD and "phone codes" are not malicious at all.
Manual and intended input of "phone codes" and the resulting effects are no indication of malfunction.
REPEAT: typing "*#06" into your dialer SHOULD display phone's IMEI and "*2767*3855#" is INTENDED to wipe your device.

I mention that because there is a huge confusion about the range of affected devices...
And especially because of this video: http://www.youtube.com/watch?v=yuaFMG6VQCI :)

 --

Description

A user can use the phone dialer to call phone numbers or trigger a varying set of actions by entering special chars or char sequences. Depending on used dialer application the set of possible codes and resulting actions is varying. Some common examples are:

[phone_number]	dial phone number
*#06#		display IMEI
*61#		activate divert if no reply
*#*#232337#*#	show bluetooth device address
*2767*3855#	factory format device

Furthermore the dialpad can be addressed by Intents.

A Intent is an abstract object within Android OS to provide a facility for performing runtime binding between the code in different applications. It's most significant use is in launching of activities. Applications within Android send Intents to other applications to perform specific actions. The data to operate on is expressed by an Uniform Resource Identifier.

The URI "tel:[phone_number]" targets the phone's dialer application and tries to pass a phone number. Sender could be a browser, QR code scanner, NFC handler, ... or something else.

The dialpad receives that Intent and proceeds further depending on implementation, number, code, permissions or source of Intent.

 --

Vulnerability

The stock dialpad or dailers based on stock dialpad application in Android versions prior to Android 4.1.1 release 1.1 (Jul 2012) allow initiating handling by Intents through special chars or sequences without propper validation and rejection. This allows the non intended execution of actions without any input or confirmation by the user.

Possible and already used in the wild attack vectors are tricking users to scan QR codes with "tel:[code]" or including iframes with "tel:[code]" as source on websites. Both will pass an Intent to the phone dialer and through the non exsistent input validation this could initiate actions bound to that code.

Although the dialpad should accept and handle "tel:[phone_number]" inputs, it should not accept arbitrary code which is not a telephone number as defined in the IETF RFC 3966.

Executing USSD codes without confirmation could lead to an unintended device wipe or locking the SIM card by triggering commands in combination with false PINs.

The code "*2767*3855#" has been confirmed working on at least some HTC and Samsung phones.

 --

Prevention and fixes:

To avoid this exploit it is recommended to use a Android firmware >= version 4.1.1 release 1.1 or an equivalent custom ROM. It is also possible to use an alternative phone dialer or tools which prevent passing "tel:" URIs.

Stop NoTelURL, Joerg Voss
https://play.google.com/store/apps/details?id=com.voss.notelurl

Auto-reset blocker, Rusty Burchfield
https://play.google.com/store/apps/details?id=net.gicode.android.autoresetblocker

 --

More details:

http://tools.ietf.org/html/rfc3966
http://developer.android.com/reference/android/content/Intent.html
http://developer.android.com/guide/appendix/g-app-intents.html
https://android.googlesource.com/platform/packages/apps/Contacts/+/39948dc7e34dc2041b801058dada28fedb80c388
https://android.googlesource.com/platform/packages/apps/Contacts/+/1fc1e42b92904472aecc8b99379b1e8c670e5a88
https://android.googlesource.com/platform/packages/apps/Contacts/+/android-4.1.1_r1.1
forum.xda-developers.com/showthread.php?t=1748506