Feeds

Mobiles forced to send premium-rate texts in new attack

Hacker hijacks SMS error message flaw

The Power of One eBook: Top reasons to choose HP BladeSystem

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user's inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that's likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender's number or to the operator's message centre. This creates two possible attack scenarios.

In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can't control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they've sent a message, but it's easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.

In the second case, an SIM Toolkit error message is sent to the operator's message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user's handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option "Confirm SIM Service Actions" is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports.

The vulnerability was reported by Alecu to the Computer Emergency Response Team and a vulnerability number has been allocated but there are no details on when a fix might be produced. Alecu said that the issue is more easily addressed by filtering by operators than by trying to update millions of handsets anyway. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.