During a recent security conference in South America, a Berlin-based researcher revealed that Samsung has a major problem with its iPhone challengers, the Galaxy 3 and Galaxy S2 smartphones.
Both can easily be remotely wiped by code embedded in a web page.
Ravi Borgaonkar found that the Galaxy’s “service loading” feature, its method of communicating with application servers, can be exploited with just one line of code tucked away in a web page’s HTML. If the attack is successful, the malicious code reverts the phones to their factory settings. Worse still, once the attack begins, the phone’s user can’t do a thing about it.
That’s bad enough. There’s also this:
Alongside web pages, the code can also be embedded in malicious text messages, or triggered by a QR code or NFC tag.
Security researchers are pressing Samsung to patch the problem because, as DigitalSpy reports, experts say this is a “major security vulnerability.”
Mr. Borgaonkar, who reportedly wondered aloud what Samsung’s engineers were smoking when they created the vulnerable system, demonstrates how it works in the video below.
Viewers may need headphones to hear Mr. Borgaonkar clearly, but the shocked audience reaction at 2:10, when he uses a link from a tweet to demonstrate how quickly a malicious web page can reset the phone, is unmistakable.