
Text message of 'death' threatens smartphone security

Security researchers have shown that many popular phones can be knocked offline by carefully crafted text messages

Security researchers have shown that carefully crafted text messages sent to cell phones via short message service (SMS) can cause them to shut down without the knowledge of the owner. Popular models by Nokia, LG, Samsung, Motorola and Sony Ericsson are said to be affected by what the researchers call 'SMS-o-Death'.

Researchers from the Berlin Institute of Technology used the simple trick of imitating the data messages network providers send to phones. Usually the messages are used for tasks such as configuring the device for a particular provider, but they can easily be subverted.

Perhaps surprisingly, the attack targets regular "feature phones" rather than smartphones. Feature phones are so-called because they typically perform one or two other tasks, such as MP3 playback or web browsing, in addition to making calls.

Feature phones are significantly less expensive than smartphones so, although smartphones get most press attention, out in the real world it is feature phones that find most use amongst the world's population. Therefore, the scale of the hack could be huge.

The researchers made their discoveries by creating their own testbed cell phone tower in a lab shielded from outside signals. They monitored communications from the phone and by doing so were able to create messages that attacked every single model of phone they studied.

To attack an individual's phone, one would need to know the make and model. However, a large-scale random denial of service attack would be easy to carry out: with a little research to find the most popular phone models on the market today, an attacker could send a series of messages targeting each phone to specific or random numbers via the various Internet gateways that allow bulk text message sending. Anybody receiving the dodgy message would have their phone silently switch off, without their knowledge. If the hack didn't work on a user's particular model of phone, it would simply be ignored as gibberish.

Of course, the researchers are keeping their exact methods secret, but now that the cat is out of the bag it won't be long until hackers come up with their own versions.

There's little that can be done to thwart attacks. Phone firmware could be reprogrammed to block such messages, but the majority of non-smartphone owners simply don't update their phones. Many aren't even aware it's possible, and those who are often avoid doing so for fear of updating to buggy software, something that sadly is all too common. Often inexpensive phones come without a USB cable, making updating impossible unless one is purchased.

Service providers could filter out the messages from their network but, although filtering software is often already in place to capture spam, it doesn't presently have the ability to catch data messages, such as those used in the attack.

The good news is that the relative simplicity of feature phones means that the hack is limited to annoying tricks, such as turning off the phone. It'll be almost impossible for attackers to inject their own code into phones in order to steal data, for example, something which is possible with higher-level smartphones such as the Apple iPhone and, potentially, devices running Google Android.

It's been an uneasy time recently in the world of mobile phone security. Last year it was shown how GSM phone communications can be hacked with just $1500 of hardware, allowing attackers to listen in to communications.

To view a video of the presentation by the researchers behind the 'SMS-o-Death' hack, Nico Golde and Collin Mulliner, click here.

Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas.
