Nokia: SMS vulnerability is not a serious risk to customers
Nokia's current recommendation for guarding against crafted messages is that users of Nokia phones based on S60/Symbian OS should only open SMS and MMS messages if they are from a trusted sender. At its annual conference in late December, the Chaos Computer Club (CCC) reported a vulnerability in many recent Nokia mobile phones: sending a specially crafted SMS blocks the phone from receiving any further SMS and MMS messages.
The vulnerability, which has been dubbed the 'Curse of Silence', has so far only been demonstrated in practice in a CCC video. According to Nokia, they have not as yet received any customer reports of actual problems relating to this issue with S60-based phones. Nokia is also reported as saying that it does not believe this represents a serious risk to customer phones.
Nevertheless, Nokia states that it takes such warnings very seriously. They are currently checking whether the problem described really can occur with the products cited. In comments to heise Security, Nokia has confirmed that initial test results indicate that S60-based phones with Symbian OS may contain a vulnerability. They are reportedly working with the Symbian team on locating and remedying the problem.
Mobile network operators are apparently already filtering out nefarious messages in order to alleviate any consequences, so that those messages will not be forwarded to mobile devices. Vendors of anti-virus software for the mobile sector such as F-Secure and Fortinet have added new functions to their products to protect against this type of attack. Nokia and some mobile network operators were reportedly informed of the vulnerability back in November.
According to the CCC, the problem occurs in Nokia S60 2.6, 2.8, 3.0 and 3.1. For S60 2.6 and 3.0, a single crafted message is enough to trigger the problem; for 2.8 and 3.1, the blockade is activated after a total of eleven messages. According to reports, mobiles with S60 3rd Edition, Feature Pack 2 are not affected. According to tests carried out by F-Secure, however, the Sony Ericsson UIQ is also prone to this attack.
- 25C3: SMS "killer application" for many Nokia mobiles, report from heise Security UK