Feeds

SMS phone crash exploit a risk for older Nokias

Broken message, frozen phone

  • alert
  • submit to reddit

SANS - Survey on application security programs

Nokia has upgraded its phone software to guard against a security glitch that might allow a cracker to render a phone inoperable by sending a text message. However, older phones may still be vulnerable.

Job de Haas, a researcher at security firm ITSX, gave a presentation during a recent Black Hat conference, where he demonstrated how a malformed message crashes a Nokia 6210 phone on its receipt. He did this by adapting a program called sms_client, which sends an SMS message from an Internet-connected PC, in which the User Data Header is broken.

Once the message is received it is impossible to turn on an infected phone again without somehow deleting the offending message.

The vulnerability is tied to the software used by a phone. The flaw affects Nokia 6210, 3310 and 3330 phones, de Haas has discovered, but not a Siemens phone he tried.

Nokia spokesman Pekka Isosomppi told us that the phone manufacturer implemented a fix for the problem after de Haas contacted them about it in August.

He declined to be specific about the nature of the bug but said Nokia has "made the correction and implemented it in our phone programmes, meaning that phones rolling out of the factory have a fix in them."

de Haas said that although phones produced since this summer are immune, older phones might still be vulnerable to the exploit. He has determined the bug to be fixed in release 5.27 for the 6210. Upgrading phone software to guard against the flaw can't be done by users themselves, and would require a trip to a Nokia service centre.

Nokia told us that its users will not have come across the exploit and said the "snag is theoretical" but de Haas disagrees with this low impact assessment.

de Haas said: "Once you figure it out it is quite trivial and there are plenty of people with the knowledge to pull it off. Further we have already determined that there are more problems in the phones even as recent as v5.27."

A network development engineer at a European mobile operator, who asked to remain anonymous, has been in touch to tell us that it first encountered this security issue around 18 months ago. He found the vulnerability to be very much dependent on the version of software used on a Nokia phone, and remembers seeing the security flaw (which he blames on sloppy coding) on the handsets of other manufacturers. ®

Related Stories

How to crash a phone by SMS
Nokia 3330
Nokia 7650: smart phone, shame about the price
Microsoft and Vodafone launch mobile Outlook app
SMS pumps up Vodafone sales
GSM Association launches new standard for next-gen mobiles

External Links

ITSX in SMS security

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.