25C3: SMS "killer application" for many Nokia mobiles
Some of the SMSs expected to be sent to mobile phones in the New Year period are unlikely to contribute to their recipients' holiday joy. The Chaos Computer Club (CCC) is warning, in at least one vulnerability report, of dangerous emails sent as SMSs that block reception of further SMSs or MMSs on many current Nokia mobile phones. Tobias Engel, a member of the CCC, discovered the security hole and named it the "Curse of Silence", because it shuts off the channel for incoming SMSs on the attacked mobile phone. The CCC has also released a demo video.
Engel said on Tuesday at the 25th Chaos Communication Congress (25C3) in Berlin that SMS standards are expressed in broad terms, which means a number of different types of short messages can be sent. Although the relevant functions have rarely, if ever, been used by mobile owners, they are nevertheless in the standards. That makes it possible in principle to send, for example, emails as SMSs. If a short message is identified as an email in accordance with the standards, the sender's email address instead of the phone number is displayed to the addressee.
Engel said Nokia implemented this feature in 2002 or 2003 without pursuing it further or advertising it, and allowed an error to slip in while doing so. The SMS standard says a sender's address must not exceed 32 characters. If an email address is longer than that, the SMS into which the email is converted remains in intermediate memory. Any further SMSs or MMSs can then only be received following a factory reset.
The warning lists all S60 phones in versions 2.6, 2.8, 3.0 and 3.1 as "certainly affected". These include models such as the E90 Communicator, the N95, the N81 and the N70 as well as some older Nokia mobiles. Altogether, the warning lists some 40 vulnerable models. The CCC says it told Nokia and all the big German network operators about the problem seven weeks ago. Little if any help has yet been received from Finland, but Vodafone did pass the alarm on to the global GSM association, so at least 1600 mobile phone companies know of the issue. T-Mobile has now installed a filter that resets the dangerous type of SMS to a normal one. That isn't much use to the recipient, said Engel, as the messages were sent via the sender's SMS centre. He said there are no specific countermeasures against this kind of attack, but Fortinet, a Californian company, is working on software that will clear the SMS memory without the phone having to be sent back to Nokia.
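A minimal model of the operator-side filter described above and of the coverage gap Engel points out, added here as an illustration; it is not taken from the CCC report or from any operator's code. The `Sms` record, the SMS centre names and the sample messages are constructed, and the TP-PID values come from 3GPP TS 23.040, which the article does not cite.

```python
from dataclasses import dataclass, replace

# TP-PID values from 3GPP TS 23.040 (assumption: the article only says
# the message is "identified as an email in accordance with the standards").
PID_NORMAL = 0x00
PID_EMAIL = 0x32          # "Internet Electronic Mail" interworking
MAX_SENDER_LEN = 32       # limit quoted in the article


@dataclass(frozen=True)
class Sms:                # hypothetical, already-decoded message record
    via_smsc: str         # SMS centre that delivers the message
    pid: int              # TP-PID
    text: str             # decoded user data


def email_sender(msg):
    """Return the sender address of an email-type SMS, else None.
    In email interworking the text starts with '<from-address><space>'."""
    if msg.pid != PID_EMAIL:
        return None
    return msg.text.split(" ", 1)[0]


def filter_at_smsc(msg, own_smsc):
    """Model of the operator filter. Returns (message, action)."""
    if msg.via_smsc != own_smsc:
        return msg, "not-seen"            # delivered by the sender's SMSC
    sender = email_sender(msg)
    if sender is not None and len(sender) > MAX_SENDER_LEN:
        # Reset the message type so the handset treats it as a normal SMS.
        return replace(msg, pid=PID_NORMAL), "reset-to-normal"
    return msg, "passed"


LONG = "x" * 33 + "@example.org"          # constructed, over 32 characters
SAMPLES = [                               # constructed sample traffic
    Sms("smsc-home", PID_EMAIL, "bob@example.org see you at 8"),
    Sms("smsc-home", PID_EMAIL, LONG + " hi"),
    Sms("smsc-home", PID_NORMAL, LONG + " hi"),
    Sms("smsc-foreign", PID_EMAIL, LONG + " hi"),
]


def run(own_smsc="smsc-home"):
    return [filter_at_smsc(m, own_smsc)[1] for m in SAMPLES]
```

The last sample is the case Engel describes: the message never passes through the filtering operator's SMS centre, so it reaches the handset unchanged.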
For more reports on the 25C3, see also:
- 25C3: MD5 collisions crack CA certificate
- 25C3: More light shed on "denial of service" vulnerabilities in TCP
- 25C3: Reliable exploits for Cisco routers
- 25C3: Cracks in the iPhone security architecture