Samsung is facing calls to issue a security update for the Galaxy S3 smartphone after it was discovered that the device can be reset by code hidden in a web page.
German security researchers have demonstrated how an 11-character code can be embedded in the HTML of a web page that will restore factory defaults, wiping all user data.
The vulnerability raises the threat that hackers could trick Samsung smartphone owners into wiping gigabytes of data simply by getting them to click a link, according to the Telegraph.
Researcher Ravi Borgaonkar warned that the code will also trigger a factory reset on the Galaxy S2 and other devices that use the Korean firm’s version of Google’s mobile operating system, Android.
But devices from other Android manufacturers appear to be unaffected. “It’s possible to exploit this attack only on Samsung devices,” Borgaonkar told a security conference in Argentina.
He also warned that he has discovered other codes, built into Samsung devices, that could be used in other attacks, such as a code that would kill the SIM card.
A hacker could also exploit an affected phone by getting a user to scan a malicious QR code or by sending them a malicious text or NFC transmission.
The codes conform to a protocol known as unstructured supplementary service data (USSD), which is used by mobile phone operators to provide basic services such as pre-paid top-up.
Paul Ducklin, Asia-Pacific head of technology for security firm Sophos, said the bottom line is to get into the habit of backing up smartphones.
“Whether you choose to trust the cloud, or synchronise to your laptop, or just copy important files to removable storage, don't take the long-term data integrity of your phone for granted,” he wrote in a blog post.
“You might suffer a hysterically-funny-to-some-childish-haxxor remote factory reset. It could happen. But you might also leave your phone in the pub, have it stolen from your bag, or drop it,” he said. “Assume that all your electronic devices might break at any time, and that at least some of them will.”