USSD Code dialling exploits

28 September 2012

It has recently been disclosed and demonstrated that many phones respond to USSD dial strings embedded in tel: HTML markup without requiring any user input.

The issue comes from the tel: HTML markup: the phone will automatically execute a USSD command embedded in a tel link.

The Samsung S series has some powerful hidden codes, including one that will reset the phone to factory default: *2767*3855#

The HTML string <iframe src="tel:*%2306%23"/> will display the IMEI, but if the code above is used instead this resets the phone. My experience suggests that most phones have secret codes that perform these sorts of actions. It only remains for these to be discovered for much wider exploitation.

Normally, when a tel: link is encountered, this just populates the dial number field and the user would then need to hit Call to initiate the call. Some USSD codes do not require this; all phones should respond to the *#06# string with the IMEI of the phone.
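As an added example (not code from the original post), the following Python scanner shows how a defender might flag the pattern described above in page content, for instance in a web proxy, a mail gateway or a site audit: it collects tel: URIs from href and src attributes (anchors, iframes and similar), percent-decodes the dial string so that *%2306%23 is seen as *#06#, and reports any that contain the * or # control characters that turn a plain number into an MMI/USSD code. The sample HTML is constructed for the example and uses only the *#06# IMEI string from the post; the function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A plain phone number contains only digits, "+" and separators.
# "*" and "#" are the MMI/USSD control characters; a tel: URI carrying
# them is a dialler command rather than a number to be called.
USSD_CONTROL = re.compile(r"[*#]")


class TelLinkCollector(HTMLParser):
    """Collect every tel: URI found in href or src attributes.

    HTMLParser also routes self-closing tags such as <iframe .../> through
    handle_starttag, so iframes are covered as well as anchors.
    """

    def __init__(self):
        super().__init__()
        self.tel_uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                value = value.strip()
                if value.lower().startswith("tel:"):
                    self.tel_uris.append(value)


def dial_string(tel_uri):
    """Return the percent-decoded dial string (the part after 'tel:')."""
    # Percent-decoding is what reveals the real string: *%2306%23 -> *#06#
    return unquote(tel_uri[len("tel:"):])


def is_ussd(tel_uri):
    """True when the decoded dial string contains MMI/USSD control characters."""
    return bool(USSD_CONTROL.search(dial_string(tel_uri)))


def find_ussd_links(html):
    """Return the decoded dial strings of all tel: links in an HTML document
    that carry USSD/MMI codes rather than ordinary phone numbers."""
    parser = TelLinkCollector()
    parser.feed(html)
    return [dial_string(uri) for uri in parser.tel_uris if is_ussd(uri)]


# Constructed sample page: one ordinary call link, one iframe and one anchor
# carrying the IMEI display code in two different percent-encodings.
SAMPLE_HTML = """
<html><body>
<a href="tel:+441234567890">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<a href="tel:%2A%2306%23">imei</a>
</body></html>
"""

if __name__ == "__main__":
    for code in find_ussd_links(SAMPLE_HTML):
        print("USSD/MMI code in tel: link:", code)
```

Because the decision is made on the decoded string, alternative encodings of the same code are caught uniformly; an ordinary tel: number with digits and a leading "+" is left alone, so the check can be applied broadly without breaking click-to-call links.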

Video of the presentation: http://www.youtube.com/watch?v=Q2-0B04HPhs

There is a test page: http://mobilephonesecurity.org/tel/ It is safe to visit as it only contains the code to display your IMEI. If you visit this page in a phone browser, it should open the dialler and pre-fill the dial string with *#06#, ready for you to hit Send. If your phone is vulnerable you will just see the IMEI displayed; that is, the phone has immediately dialled this string.
