Phone numbers in links - a security risk?

A few weeks ago I reported on how you can enable your visitors to open the phone app on mobile devices by tapping a phone number. Now a possibility has emerged to irrevocably block the SIM card or to reset the device to factory settings without the user having to do anything.


Via special links that lurk almost everywhere and can also be called up automatically (forums, mails, SMS, QR codes), for example, an incorrect PIN or PUK is entered several times in a fraction of a second. This irrevocably blocks the SIM card. This is achieved by control codes that would normally have to be entered manually via the numeric keypad of the dialler.

The vulnerability affects Google's Android operating system up to and including Ice Cream Sandwich (version 4.0.x) - a software-based solution to the problem in the form of an operating system update is almost impossible for many mobile phones (thanks to the update policy of the manufacturers!) Instead, you should use programs such as G Data USSD Filter, which you can get for free in the Android market.

Back