Feeds

SMS phone crash exploit a risk for older Nokias

Broken message, frozen phone

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Nokia has upgraded its phone software to guard against a security glitch that might allow a cracker to render a phone inoperable by sending a text message. However, older phones may still be vulnerable.

Job de Haas, a researcher at security firm ITSX, gave a presentation during a recent Black Hat conference, where he demonstrated how a malformed message crashes a Nokia 6210 phone on its receipt. He did this by adapting a program called sms_client, which sends an SMS message from an Internet-connected PC, in which the User Data Header is broken.

Once the message is received it is impossible to turn on an infected phone again without somehow deleting the offending message.

The vulnerability is tied to the software used by a phone. The flaw affects Nokia 6210, 3310 and 3330 phones, de Haas has discovered, but not a Siemens phone he tried.

Nokia spokesman Pekka Isosomppi told us that the phone manufacturer implemented a fix for the problem after de Haas contacted them about it in August.

He declined to be specific about the nature of the bug but said Nokia has "made the correction and implemented it in our phone programmes, meaning that phones rolling out of the factory have a fix in them."

de Haas said that although phones produced since this summer are immune, older phones might still be vulnerable to the exploit. He has determined the bug to be fixed in release 5.27 for the 6210. Upgrading phone software to guard against the flaw can't be done by users themselves, and would require a trip to a Nokia service centre.

Nokia told us that its users will not have come across the exploit and said the "snag is theoretical" but de Haas disagrees with this low impact assessment.

de Haas said: "Once you figure it out it is quite trivial and there are plenty of people with the knowledge to pull it off. Further we have already determined that there are more problems in the phones even as recent as v5.27."

A network development engineer at a European mobile operator, who asked to remain anonymous, has been in touch to tell us that it first encountered this security issue around 18 months ago. He found the vulnerability to be very much dependent on the version of software used on a Nokia phone, and remembers seeing the security flaw (which he blames on sloppy coding) on the handsets of other manufacturers. ®

Related Stories

How to crash a phone by SMS
Nokia 3330
Nokia 7650: smart phone, shame about the price
Microsoft and Vodafone launch mobile Outlook app
SMS pumps up Vodafone sales
GSM Association launches new standard for next-gen mobiles

External Links

ITSX in SMS security

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.