Dirty use of USSD Codes in Cellular Network

By Ravishankar Borgaonkar on 20 Sep 2012 @ Ekoparty
#red-teaming #android-security #endpoint-protection #nfc
Focus Areas: 🛡️ Security Operations & Defense , 🔧 Hardware Security , 💻 Endpoint Security , 📱 Mobile Security , 🎯 Penetration Testing

Presentation Material

📄 Whitepaper 📹 Video 🔗 Link
Abstract

USSD stands for Unstructured Supplementary Service Data and is a session-based GSM protocol, unlike SMS or MMS, which are store-and-forward. Typically it is used to send messages between a mobile phone and an application server in the network. Nowadays there are multiple services based on USSD, such as mobile banking, social networking (Facebook, Twitter), updating mobile software over-the-air, and prepaid recharge/account balance information. In this talk, I will discuss how to play with USSD codes using different tools and exploit different services based on it. In addition, critical security issues in USSD-based services such as virtual money transfer/mobile banking and social networking will be discussed. Finally, I will discuss what exactly "dirty use of" means.

AI Generated Summary

This presentation details a vulnerability in Samsung Android devices (Galaxy S, S II, S III and others) stemming from a misconfigured WAP Push "service loading" (SL) feature in their firmware. The feature, intended for operator pushes such as firmware updates, can be (and by default is) set to "always": incoming service-loading messages are accepted and executed automatically, with no user interaction.

The core attack vector is a service-loading message carrying a URL, delivered as a binary SMS the user never sees, or the same URL delivered through a QR code or NFC tag. On receipt the device opens the link in the browser without prompting, and the page's JavaScript (or an iframe pointing at a tel: URI) hands a USSD code to the dialer, which executes it immediately. Demonstrated payloads include a page that repeatedly issues a USSD command until the SIM card is blocked, and one that issues Samsung's factory-reset code, wiping all user data including the SD card.

The vulnerability is not specific to SMS: any channel that makes the device open a URL without confirmation, including malicious QR codes scanned by reader apps that open links automatically, or NFC tags, triggers the same destructive sequence. The researcher notes that many popular QR-reader and NFC tag-reader applications open URLs without a confirmation prompt, which is what makes these channels usable.

Key findings include hidden, destructive USSD codes found in Samsung's firmware by reverse engineering, and the observation that one misconfiguration exposes several input channels at once. The practical impact is severe: an attacker who can send an SMS to the victim, or who can place an NFC tag or QR code where the victim will scan it, can permanently deny service by blocking the SIM card and erasing all device data. Mitigation: do not leave service-loading messages on the default "always accept" setting, use QR/NFC reader applications that confirm before opening a URL, and apply the vendor firmware fix, because the flaw lives in the device's base firmware (a dialer that executes USSD codes handed to it through tel: URIs), not in individual apps.
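The check below is an added example, written for this page and not code from the talk or from any vendor. It shows what a QR/NFC reader, or a dialer receiving tel: URIs from an untrusted source such as the browser, should do before acting on a string: normalise it, percent-decode it (repeatedly, so double encoding does not hide anything), and refuse to auto-dial any dial string containing * or #, the characters that mark an MMI/USSD string under 3GPP TS 22.030. The "prompt"/"block" policy and every sample input are this example's own assumptions; the PIN-change sample uses the standard MMI format with placeholder digits, and *#06# is the standard IMEI-display code, neither of them a code from the talk.

```javascript
// Added example (editor's own code, not from the talk): classify a scanned or
// received string before a reader app opens it or a dialer acts on it.
//
// Policy (an assumption of this example, not a vendor's):
//   - http/https URLs and plain phone numbers are never acted on silently: "prompt"
//   - a tel: URI whose dial string contains * or # is an MMI/USSD string
//     (3GPP TS 22.030): "block", never auto-dial, at most display it
//   - any other scheme: "block"

const USSD_CHARS = /[*#]/;

// Strip whitespace and control characters (used to disguise the scheme) and
// percent-decode until stable, so "tel:%252A" and "tel:%2A" classify the same.
function normaliseUri(raw) {
  let uri = String(raw).replace(/[\s\u0000-\u001f]+/g, "");
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(uri);
    } catch (e) {
      break; // malformed percent-encoding: classify what we have
    }
    if (decoded === uri) break;
    uri = decoded;
  }
  return uri;
}

// RFC 3986 scheme, lower-cased; null if the string carries no scheme at all
function parseScheme(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Dial string of a tel: URI. RFC 3966 visual separators "-", ".", "(", ")" are
// removed and ";" starts parameters such as phone-context, which are dropped.
function dialString(uri) {
  const afterScheme = uri.slice(uri.indexOf(":") + 1);
  return afterScheme.split(";")[0].replace(/[().\-]/g, "");
}

function classifyScannedUri(raw) {
  const uri = normaliseUri(raw);
  const scheme = parseScheme(uri);
  if (scheme === null) {
    return { scheme: null, action: "prompt", reason: "no scheme, treat as text" };
  }
  if (scheme === "tel") {
    const dial = dialString(uri);
    if (USSD_CHARS.test(dial)) {
      return { scheme, action: "block", reason: "MMI/USSD string: " + dial };
    }
    return { scheme, action: "prompt", reason: "phone number: " + dial };
  }
  if (scheme === "http" || scheme === "https") {
    return { scheme, action: "prompt", reason: "web URL, confirm before opening" };
  }
  return { scheme, action: "block", reason: "unhandled scheme " + scheme };
}

// Constructed sample inputs. The PIN-change string is the standard MMI format
// "**04*OLD*NEW*NEW#" (3GPP TS 22.030) with placeholder digits.
const SAMPLES = [
  "https://example.com/update",
  "tel:+1-555-0100",                            // plain number -> prompt
  "tel:(555) 0100",                             // separators stripped -> 5550100
  "tel:*%2306%23",                              // *#06#, IMEI display -> block
  " TEL:%2A%2A04%2A0000%2A1234%2A1234%23 ",     // **04*0000*1234*1234# -> block
  "tel:%252A%2523",                             // double-encoded *# -> block
  "intent://scan/#Intent;scheme=zxing;end",     // unhandled scheme -> block
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", classifyScannedUri(s));
  }
}
```

The point of classifying on the decoded dial string rather than on the raw text is that the browser and dialer both decode before acting, so a filter that looks for a literal `*` or `#` in the QR payload is bypassed by `%2A` and `%23`. Blocking rather than prompting for MMI strings is deliberate: a confirmation dialog that shows an opaque code gives the user nothing to decide on.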

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.