A few months ago, after doing lots of security bug hunting on the websites of MS, Dropbox, Yahoo, etc., I finally decided to try out something new. I looked around for some gadget to fool around with and realized the only option available was my Sony Xperia Sola cell phone. I decided to give it a try just for fun's sake and to satisfy my curiosity. I realized I didn't have any knowledge of mobile security, but decided to give it a try anyway.
Moving forward: I thought, why not start with the lock screen and try some unusual combos to bypass the lock? After a few combos and tries, and lots of time wasted waiting, I was nowhere! Oh, but wait! I saw an emergency dialer option below the passcode keypad.
"Hm!", I said to myself, "What can I possibly find here?"
Suddenly, I remembered the USSD code execution vulnerability in the web browser, triggered via the "tel:" URI scheme, which affected Samsung mobiles.
I thought, why not enter USSD codes here to activate certain paid services? After multiple attempts I was nowhere.
Finally I decided, why not try the IMEI USSD code and see if it executes? So I keyed in *#06# and BAM!
The code executed successfully and gave a pop-up with the IMEI.
After several attempts with different codes I realized that some of these codes don't execute at all, and some of them execute in the background, meaning you run the USSD code in the emergency dialer and then have to unlock the phone to access the result.
After finding nothing useful, other than popping up the IMEI, my reaction was:
Then suddenly a movie (I think it was Trackdown) reminded me of a wild term called "FTM", also known as "FACTORY TEST MODE"...!!!!
So after a few Google searches I found the USSD code to launch the FTM on Xperia cell phones.
The code is: *#*#7378423#*#*
After obtaining the code, I went back to the emergency dialer, keyed in the FTM USSD code and BAM!!!! I got FTM access.
Yup!! GOT the FTM access.
A little more fiddling here and there and I found the Bluetooth option. I took another cell phone which had previously been paired with my Xperia.
On the Xperia I activated Bluetooth via FTM, and simultaneously on the other phone. The Xperia detected the other phone in the vicinity and I was able to transfer a file from the other phone to my locked phone!
Hm! A nice way of sharing malware with a locked phone, isn't it?
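The root cause here is that the lock-screen emergency dialer passed MMI/USSD strings (such as *#06# and the *#*#...#*#* "secret code" form that Android turns into a SECRET_CODE broadcast) through to the telephony stack instead of accepting only emergency numbers. The following is an added defensive illustration written for this post; it is not the original post's code and not Sony's or Android's implementation. It shows the kind of allow-list check an emergency dialer should apply before dialing, and the audit record a defender would want for denied attempts. The emergency-number list and the sample inputs are constructed for the example.

```python
import re

# Constructed allow-list for the example. A real dialer would take emergency
# numbers from the SIM, the network and regional tables, not from a constant.
EMERGENCY_NUMBERS = frozenset({"112", "911", "999"})

# Dialer strings that are not plain phone numbers:
#  - Android "secret codes": *#*#<digits>#*#*  (the FTM code on this page)
#  - USSD / MMI service codes starting with * or # and ending with #  (*#06#)
SECRET_CODE_RE = re.compile(r"^\*#\*#\d+#\*#\*$")
USSD_RE = re.compile(r"^[*#][*#\d]*#$")
NUMBER_RE = re.compile(r"^\+?\d+$")


def normalize(dial_string):
    """Strip the separators a user may type so look-alikes of a code are not missed."""
    return re.sub(r"[\s\-().]", "", dial_string)


def classify_dial_string(dial_string):
    """Classify what the user typed. Order matters: the secret-code pattern is a
    superset-looking form that USSD_RE would also match, so test it first."""
    s = normalize(dial_string)
    if SECRET_CODE_RE.match(s):
        return "secret_code"
    if USSD_RE.match(s):
        return "ussd"
    if s in EMERGENCY_NUMBERS:
        return "emergency"
    if NUMBER_RE.match(s):
        return "number"
    return "invalid"


def emergency_dialer_decision(dial_string):
    """Allow-list decision for a locked-screen dialer: only emergency numbers
    may be dialed; everything else is denied and recorded for audit."""
    kind = classify_dial_string(dial_string)
    allowed = kind == "emergency"
    return {
        "input": dial_string,
        "normalized": normalize(dial_string),
        "kind": kind,
        "allowed": allowed,
    }


def audit_denied(attempts):
    """Return one audit line per denied attempt. MMI/USSD strings typed into a
    locked phone's emergency dialer are worth alerting on, since a legitimate
    emergency call never needs them."""
    lines = []
    for attempt in attempts:
        d = emergency_dialer_decision(attempt)
        if not d["allowed"]:
            lines.append("DENIED kind=%s input=%r" % (d["kind"], d["normalized"]))
    return lines


if __name__ == "__main__":
    # Constructed sample inputs: the two codes from the post, an emergency
    # number with separators, an ordinary number and a generic USSD request.
    sample = ["*#06#", "*#*#7378423#*#*", "1 12", "555-1234", "*123#"]
    for a in sample:
        print(emergency_dialer_decision(a))
    print("\n".join(audit_denied(sample)))
```

The check runs on the normalized string, so inserting spaces or dashes into a code does not slip it past the pattern; anything that is neither an allow-listed emergency number nor recognizable is denied rather than forwarded, which is the safe default for a dialer that is reachable without authentication.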
After sitting on this vulnerability for a while due to college exams and whatnot, I wasn't able to report it to Sony earlier. But now, since it's vacation time, I decided to go ahead and report it. Since Sony doesn't have a responsible disclosure or bug-bounty policy, I had to find a security contact address via the customer-support team.
After reporting the issue with some more details, the Sony security team acknowledged the vulnerability, but also said that it had previously been reported by other researchers!