Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Cellphones Communications Security

New Attack Can Disable Phones Via SMS 62

Posted by timothy
from the actually-don't-txt-me-lol dept.
Trailrunner7 writes "A pair of security researchers from Germany demonstrated several techniques at the CanSecWest conference here Wednesday that enable them to remotely reboot, shut down or even completely disable many popular mobile phones with SMS messages. The technique that Nico Golde and Collin Mulliner discussed relies on setting up a GSM network and sending specially crafted SMS messages to handsets. The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent."
This discussion has been archived. No new comments can be posted.

New Attack Can Disable Phones Via SMS

Comments Filter:
  • by Even on Slashdot FOE (1870208) on Thursday March 10, 2011 @04:17PM (#35447378)

    Today the top story is things we've already reported on. In related news, movie theaters now want to get your cell number when you buy a movie ticket.

  • This was already demonstrated in December https://events.ccc.de/congress/2010/Fahrplan/events/4060.de.html [events.ccc.de] I think there was even a /. submission at that time. Although I can't find it right now...
  • The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent.

    They don't provide any real details or model numbers. They don't mention Android, iOS or Blackberry so they probably can't hit a smartphone with this attack. But there are enough feature phones out there that they can weak havoc.

    • The pair showed a video demonstration of phones from a wide range of manufacturers...

      Boy it would be nice to actually see said video...

      • by grapeape (137008)

        Why not just have someone send you a message?

        • by RMingin (985478)
          I'm guessing, but I'd imagine that most cell providers would quash or delete the malformed messages, or at least mangle them into a non-crashing form.
      • by elsJake (1129889)
        http://ftp.ccc.de/congress/2010/mp4-h264-HQ/

        It should be there :).
    • by Imabug (2259)

      FTA

      "The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger."

    • by cpicon92 (1157705)

      From TFA:

      The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger.

  • by skids (119237) on Thursday March 10, 2011 @04:19PM (#35447402) Homepage

    Seriously, how hard can it be to secure a service that consists of nothing but 180 character text messages and a sending/receiving station address? Were the designers of SMS the morons here, or the phone OS coders?

    • by WrongSizeGlass (838941) on Thursday March 10, 2011 @04:20PM (#35447422)

      Were the designers of SMS the morons here, or the phone OS coders?

      Probably both.

      • by Bob_Who (926234)

        Were the designers of SMS the morons here, or the phone OS coders?

        Probably both.

        Don't forget the management, the boardroom, the bankers, and wall street in general. Its never about optimizing technology, its about optimizing the marketing options and fine print so that the corporate monolith can maximize profits. Getting it right would be counter productive to their strategy. Corporations are just like oligarchs.

      • by gl4ss (559668)

        in first phones they were the same guys.

        and then later they added to the spec a number of hacky things on top of it, like chained sms's, wap settings sms's.

    • by pep939 (1957678)
      OOps, saw your comment too late... see my post [slashdot.org] if you're interested in the subject and want to learn how GSM is (not) protected.
    • by Locke2005 (849178)
      Perhaps that's the problem -- they assumed the messages were only 180 characters, thus were susceptible to buffer overruns.

      In general, this is what happens when you ignore the robustness principle and trust the data you are receiving to be properly formed. Several years ago I was able to crash the login process in Windows NT servers by sending invalid SMB messages, so it's not that uncommon. (This was by accident, I wasn't TRYING to crash the machines, just use them for authentication. And of course Wind
      • Perhaps that's the problem -- they assumed the messages were only 180 characters, thus were susceptible to buffer overruns. In general, this is what happens when you ignore the robustness principle and trust the data you are receiving to be properly formed. Several years ago I was able to crash the login process in Windows NT servers by sending invalid SMB messages, so it's not that uncommon. (This was by accident, I wasn't TRYING to crash the machines, just use them for authentication. And of course Windows NT was designed so that you cannot shut it down gracefully once the login process is gone...)

        Thanks god nothing like that can happen today - USB driver bug exposed as "Linux plug&pwn" [h-online.com]

        Rafael Dominguez Vega of MRW InfoSecurity has reported a bug in the Caiaq USB driver which could be used to gain control of a Linux system via a USB device. The bug is caused by the device name being copied into a memory area with a size of 80 bytes using strcpy() without its length being tested. A crafted device with a long device name could thus write beyond the limits of this buffer, allowing it to inject and execute code. Because the driver is included, and automatically loaded, in most Linux distributions, to execute code in kernel mode an attacker would merely have to connect such a device to a Linux system's USB port.

        • by sjames (1099)

          So you're saying the caiaq is a trap?

          • So you're saying the caiaq is a trap?

            By whom? And even if it where - this is about a "this type of error was made fun off 20 years ago" boo-boo inside a major OSS project unnoticed for years. If a trap that mind-numbingly stupid can avoid detection, the whole idea of "it's safe because anyone can check the source code" is destroyed by the fact that actually nobody bothers to do that thinking somebody else already has.

    • by peragrin (659227)

      Becasue it wasn't designed to send 180 character messages, it was a a random hack a brilliant engineer figured out after the system was built to bring in extra revenue from an existing setup.

      • by timeOday (582209)
        That was originally true, but is either A) no longer true or B) should no longer be true. I don't think any analog networks are still in service, and I don't see why SMS would be sent that way on a network designed for digital payloads. Either way, there are no excuses for this in 2011.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      I don't think you realize exactly what SMS is.

      SMS was originally a control channel designed for sending configuration and command messages. Then someone noticed it could be used to little text messages "out of band", and shortly after people started using it for mostly that.

      The SMS spec defines all sorts of things you wouldn't believe. You can send binary messages that configure all sorts of things on the handset, or pop up messages on the phone, or even get delivered to applications that are running on t

    • by pclminion (145572)

      Neither. To perform these attacks it's necessary to set up a fake GSM "network" -- you can't do it from another phone over a carrier network. Whether this should have been anticipated and handled depends on how likely we all thought it would be that somebody would actually set up their own GSM station.

      The problem isn't necessarily crappy code, it's trusting that the bits coming over the GSM network have a certain level of sanity -- this is a reasonable assumption as long as people aren't setting up their ow

      • by sjames (1099)

        Considering the decades long saga of phreaking that all got started because they let random people send arbirtrary commands within the network (based on the false belief that nobody would figure it all out), you'd think they would be a bit more sensitive to that sort of thing this time around.

    • by sjames (1099)

      Definitely the OS coders. Much the same way the IETF wasn't to blame for the ping of death [wikipedia.org].

  • Now Carriers and Phone Manufacturers will blame dropped calls, phone flakiness, phone failures of malicious messages from hackers. Before, it was, "well you have to expect that with radio signals" or sunspots, or that you abused the phone.

    Anything for a cell phone provider to avoid responsibility for their failure to deliver services or features they promised.

    • Now Carriers and Phone Manufacturers will blame dropped calls, phone flakiness, phone failures of malicious messages from hackers. Before, it was, "well you have to expect that with radio signals" or sunspots, or that you abused the phone.

      Anything for a cell phone provider to avoid responsibility for their failure to deliver services or features they promised.

      Worse. They'll start implementing some sort of filtering for this, even for phones that aren't affected. And then they'll claim they're "justified" in charging through the nose and/or teeth for SMS messages (as well as increasing the price regardless, naturally) because of all these wonderful, magical filters they're providing. The fools! Why did they have to report this? They've doomed us all!

    • by Linker3000 (626634) on Thursday March 10, 2011 @07:47PM (#35449068) Journal
      The Iphone 4 has a special 'safe-mode grip' the user can do with their hand that blocks these dangerous messages. It's a 'feature'.
  • It's old news really... I remember karsten nohl talking about this end of 2009. Check out this ccc talk, gave me lots of ideas for a USRP I had access to at the time: http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html [events.ccc.de]
  • by mxs (42717) on Thursday March 10, 2011 @04:30PM (#35447518)

    The presentation from the 27th Chaos Communication Congress in Berlin last December (http://events.ccc.de/congress/2010/Fahrplan/events/4060.en.html) is available at http://www.youtube.com/watch?v=8bkg3AjY6fs [youtube.com] or http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-4060-en-attacking_mobile_phones.mp4 [fem-net.de] .

  • by Anonymous Coward
    My LG likes to turn itself off on a whim (doesn't matter the battery level)... so it acts flaky enough by itself.... I'd never know if it was hit by this.
  • I received a specially crafted SMS message the other day that caused my phone to power off. The text of the message was "Please turn off your phone."

  • From the SMS-o-Death [events.ccc.de] talk from the 27th Chaos Communication Congress last year:

    Using only Short Message Service (SMS) communications—messages that can be sent between mobile phones—a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run on a phone.

    This was also covered HERE ON SLASHDOT, 'SMS of Death' Could Crash Many Mobile Phones [slashdot.org].

  • by M3wThr33 (310489) on Thursday March 10, 2011 @05:59PM (#35448378) Homepage

    My Palm Pre already locks up and sometimes reboots when I get a regular SMS from anybody.

    I hate my phone.

  • AFAIK, SMS rides on the cell control network. I assume it works by sending SMS control messages to devices on the network. It shouldn't surprise anybody that you can break things via SMS, it is surprising that it isn't more common. Anyone know if there is an open standard for the control structure?

  • A lot of phones(including Androids) have issues when receiving SMS and MMS, the other day we had a problem with a certification made by a carrier that failed. Our software was getting disconnected when a MMS arrived(not even downloaded), turns out the phone connection was getting completely locked for more than 1 minute and that only happened with said carrier, with another the issue only happened when the MMS was downloaded. The whole thing is a a mess, both from manufacturers and carriers.
  • From TFA:

    "The good thing is that there's no user interaction needed and the attacker can be anywhere in the world," said Mulliner. "We don't need proximity to the device."

    Are the researchers evil or what?

  • This was demonstrated at 27c3.

    Also, you don't need to set up your own network, having a Motorola C123 and a serial cable is enough.

  • I noticed that the iPhone was not one of these, I guess it is funny, but they just unwittingly added a few more bucks to the price of Apple stocks......unless of course this was the plan all along. I truly wonder, unless you have some proof of concept properly defined and able to be checked by peers, just how much some of these stories are real, and others are faked. Remember that study about the shots and the MS....how the study was faked, I am sure there is a lot of rampant faking going on, at least I kno

Bus error -- please leave by the rear door.

Working...