The article is kind of misleading, the exploit was part of Android rather than anything to do with Samsung and was patched in AOSP as of 4.1.1(?). This meansn it was an issue on any phone that dialled automatically and doesn't run a build with the patch applied. Also the patch from Samsung was part of an OTA update from at least a week ago in the US, I know it pinged up just after I booted the S3 I bought on Saturday in the UK.
In what way was the exploit a part of Android? I thought it was a touchwiz dialer issue that it automatically dialled USSD numbers without secondary confirmation from the user?
No, I've confirmed that a random sample of HTC & Huawei phones around my office are also vulnerable. Nothing specific to TouchWiz. The thing that MIGHT be specific to Samsung is the actual remote wipe code, but relying on that is simply security-by-obscurity. I'd bet ALL phones have got some USSD code you'd rather not be instantly triggerable by a web page.
From what I understand stock Android doesn't have the problem. Multiple manufacturers seem to have introduced the flaw in the same way with their customizations.
it was an issue in any Android variant that featured autodial, I saw someone reporting it worked on CyanogenMod 7 for example and it also worked on some HTC devices
CM7 user here. Can confirm that it is vulnerable. Easily fixed by installing a second dialer so that you'll always get a prompt.
Also I can't find any info on whether cm7 supports USSD factory reset. Anybody aware?
Apparently the bug is fixed in 4.1 (I'm still on 4.0.4). I installed a temporary fix - TelStop. It just handles telephone Intents so that you get a popup asking you to choose an application.
Well done to Samsung for getting the update out quickly (although obviously better not to ship with the vulnerability).
Is this something the carriers get to block or is it direct over the Internet to everyone? One of my big concerns about Android is about the ability to get security fixes. The slow major updates are very public but if security fixes are better distributed much quicker that isn't so much of a worry.
In the absence of reassurance my advice to friends and family if asked would be to avoid Android (except the Nexus models which I think can always be updated).
This (updates of any kind) is 25% of why my Galaxy is sitting in my sock drawer (75% being the cost of the data plan and "being a hotspot" fee).
I discovered that I bought a computer that cannot be updated except by the whim of an intermediary, the telco. I watched for a year while my phone languished under its originally installed version of Android, while the update rolled out around the world and my carrier (Sprint) said "no shit really, soon, real soon now." That's too much bullshit for too much money.
Yes, it is pretty bad. But it is quite easy to update your phone using Odin. It is no excuse, obviously the right way would be to receive it on a timely manner, but if you can update yourself in like 30 minutes I see no reason to wait for a year.
Phone OS has direct ability to query the manufacturer for updates and download them if available/requested by the user.
Works for Apple. (Until iOS 5 download to PC and install with iTunes was required but now phone can directly download.)
Works for Sony TVs (and probably many others too) that are connected to the internet. Broadcast (with digital TV at least in Europe) can also be used to update OTA but may need broadcaster approval. In this scenario using both approaches makes sense as not every TV is connected to the internet or broadcast signals.
A better question is how to make it happen. I would suggest that Samsung is big enough and their phones high profile enough that they should be able to insist and still have their phones offered by the operators. However they would need to consider it an important point worth arguing for and may have to trade something else whether it is price or customization support or something else.
That solves your update problem. But you are still under control of a central entity that has its own interests and tightly controls their ecosystem and the apps you can install on the product you bought. You have replaced your carrier with the hardware manufacturer. A better alternative would be to buy your smartphone without contract to begin with, which comes down to the same price very often.
For most users it is the update problem that I'm concerned about, particularly from a security point of view. The contract is completely irrelevant to this issue isn't it? An iPhone on contract is completely updatable, I don't know if it is relevant with Samsung's phones or not. Even if non-contract Samsung's are updatable that makes advice to friends/family even more complicated.
The freedom problem is an issue with all the mainstream phones on the market but isn't a problem for most users. The solutions with the current market products are jailbreaking/rooting or joining developer programmes. In the Apple case developer programme costs $99 and additional agreements (in practice you need a Mac too). Or using a web app to get round the limitations.
There real solution will be when there is a real open source open platform on the market. And personally I wouldn't sacrifice much performance/capability to get it although the option would be nice.
