Mobiles forced to send premium-rate texts in new attack
Hacker hijacks SMS error message flaw
Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.
The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.
SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user's inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that's likely to happen.
The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender's number or to the operator's message centre. This creates two possible attack scenarios.
In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.
Attackers can't control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they've sent a message, but it's easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.
In the second case, an SIM Toolkit error message is sent to the operator's message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user's handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.
Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.
Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option "Confirm SIM Service Actions" is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports.
The vulnerability was reported by Alecu to the Computer Emergency Response Team and a vulnerability number has been allocated but there are no details on when a fix might be produced. Alecu said that the issue is more easily addressed by filtering by operators than by trying to update millions of handsets anyway. ®