27C3 presentation claims many mobiles vulnerable to SMS attacks
According to security experts, an 'SMS of death' threatens to disable many current Sony Ericsson, Samsung, Motorola, Micromax and LG mobiles. In a presentation given at the 27th Chaos Communication Congress (27C3) in Berlin on Monday, Collin Mulliner and Nico Golde, security researchers at TU Berlin, claimed that sending malicious text or MMS messages represents a relatively simple means of crashing current mobile phones. Some of the bugs discovered have the potential to cause problems for entire mobile networks.
In recent months, the tendency has been for hackers and security testers to focus their efforts on smartphones such as the iPhone or Android-based phones. However, according to Mulliner, only 16 per cent of mobile phone users possess sophisticated handsets of this type. By contrast, worldwide, more than 4.6 billion people use simpler 'feature phones'. These often have just a single processor and cannot run external native applications, but can often run Java apps.
Vendors also often use the same software on most of their handsets. Texting is always supported, as are, usually, additional functions such as the ability to have messages displayed immediately by means of flash texts, to attach a digital business card, to address various ports and to send texts in more than one part. All of these functions are prone to bugs, and when an application crashes, it tends to affect the phone as a whole.
In view of the promising outlook for hackers, the researchers set to work in a shielded test environment with their own base station and tested the susceptibility of a range of phones to unwanted killer texts. They sent around 120,000 texts to each test phone and evaluated the effects. They took a close look at any crashes which caused a phone to disconnect from the mobile network or to restart.
Golde reports that the researchers' bug hunt turned up plenty of hits. The Nokia 540, for example, was quick to display a white screen of death, disconnect from the network and restart. The malicious text itself was invisible to the user. On the third attempt, the handset's control software took over and turned it off completely. The Sony Ericsson mobiles tested produced similar results, in some cases resulting in the screen freezing completely, with no response to user interaction.
According to Golde, Samsung mobiles were primarily vulnerable to multi-part texts, which caused them to restart. A 'silent text' was able to completely disable the application for reading text and MMS messages. LG devices permitted memory overflows to be provoked in a number of MMS information fields. After restarting, some mobiles subsequently requested the PIN, and one then permanently switched to offline status. Opening the message in question starts the whole process over again. Motorola phones frequently responded with a flashing white screen and by disconnecting from the network. On Micromax devices, the screen simply went blank.
Particularly problematic, according to Mulliner, is the habit Nokia and Sony Ericsson phones have of crashing before they have confirmed receipt of a rogue text. The result is that the network keeps trying to resend the malicious text. In this case, the only remedy is to insert the SIM card into a non-vulnerable handset. By increasing the frequency with which malicious texts are sent, an attacker would also be able to ensure that a phone user could not be contacted at all.
Mulliner also suggests the possibility of targeted attacks on the entire mobile network infrastructure by, for example, causing "ten thousand mobiles to try to reconnect simultaneously". An attack could also be concentrated on users of a specific brand of mobile. To prevent such occurrences, he called for phone manufacturers to provide more security updates and to simplify the dissemination of updates. He believes that installing patches is currently far too complicated. The researchers were unable to identify a contact person for security issues at Samsung, LG or Micromax. This was not a problem at Nokia and Sony Ericsson due to the researchers' personal contacts. At Motorola, their email regarding the bugs appears to have landed in an unread inbox.
(Stefan Krempl / ehe)