Feeds

Mobiles forced to send premium-rate texts in new attack

Hacker hijacks SMS error message flaw

Next gen security for virtualised datacentres

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user's inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that's likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender's number or to the operator's message centre. This creates two possible attack scenarios.

In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can't control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they've sent a message, but it's easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.

In the second case, an SIM Toolkit error message is sent to the operator's message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user's handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option "Confirm SIM Service Actions" is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports.

The vulnerability was reported by Alecu to the Computer Emergency Response Team and a vulnerability number has been allocated but there are no details on when a fix might be produced. Alecu said that the issue is more easily addressed by filtering by operators than by trying to update millions of handsets anyway. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.