Feeds

How to slay a cellphone with a single text

SMS of Death explained

Securing Web Applications Made Simple and Scalable

Attacks that crash most older cellphones are frequently compounded by carrier networks that send booby-trapped text messages to the target handset over and over. In other cases, they're aided by a “watchdog” feature embedded in the phone, which takes it offline after receiving just three of the malformed messages.

The so-called SMS of death attacks were unveiled late last year at a hacker conference in Berlin. They use special binary characters and overflowed headers to temporarily crash most older models made by manufacturers including Nokia, Samsung, Sony Ericsson, LG, Motorola, and Micromax. Carrier networks often aggravate the attacks by bombarding the target with the same malicious message, making them an inexpensive way to take a phone completely offline.

“With this bug, you can basically shut down a phone with one SMS and let the network do the retransmission all the time,” Collin Mulliner, a Ph.D. candidate at the Berlin Institute of Technology, told The Reg recently. “For very cheap, you can have the network attack the phone for you.”

The retransmission happens as a result of the way most carrier networks are designed. When they send SMS, or short message service, texts, they cache the message until the phone responds with an acknowledgment indicating it has been properly received. If the answer isn't transmitted, the network will resend the message for hours or days at a time, disabling the phone in the process.

Even in cases when the messages aren't resent, Nokia phones come equipped with a feature dubbed the Watchdog, which is designed to protect a phone by shutting it down after receiving three malformed messages. The SMS causes the Nokia screen to go white and then reboots the phone, causing it to disconnect from the network. Sending the message while a call is in progress will terminate the conversation.

Sending the message three times in close succession invokes the Watchdog to shut down the device. The bug affects virtually all feature phones shipped by Nokia prior to 2010, said Mulliner, who presented updated findings earlier this month at the CanSecWest security conference along with Nico Golde, a Berlin Institute of Technology student who worked on the project for his Master's thesis.

The SMS used to crash Nokia phones was described as an 8-bit class 0 (Flash SMS) with certain TP-UD payload. Messages with different specifications can be used to take out handsets made by other manufacturers.

Feature phones may have lost much of their cachet to smartphones over the past few years, but they are still relied upon by almost 80 percent of the world's mobile phone users, the researchers said.

The attacks could be used in targeted attacks against social enemies and business rivals, but the researchers say there's also the potential for the vulnerabilities to be exploited in a more widespread fashion by using bulk SMS services, smartphone-based botnets, or SS7, a series of telephony signaling protocols the researchers said are becoming increasingly accessible to companies and individuals.

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.