Beware the SMS of Death

Feb 8, 2011   //   by Yahoo! News

One of the more common predictions for 2011 among industry-watchers is that smartphone malware will become more common as smartphones grow more popular. But even feature phones are vulnerable to attacks.

We’ve already seen hacks that purportedly allow people to eavesdrop on GSM voice calls. Now researchers in Germany say feature phones can be shut down and knocked off the network via SMS attacks.

Collin Mulliner and Nico Golde – students in the Security in Telecommunications department at the Technische Universitaet Berlin – have demonstrated a so-called “SMS Of Death” attack on feature phones made by LG, Motorola, India-based Micromax, Nokia, Samsung and Sony Ericsson that exploits the ability of the SMS protocol to send “binaries” (small programs) to the handset.

Cellcos use this function to remotely change phone settings, but attackers can use it to send malicious messages that can shut down the phones. While the attack requires the attacker to know the type of phone someone is using, they can easily send five malicious SMSs targeting the top five handset models in that market and knock large numbers of users off the network, according to Technology Review.

The availability of Web-based bulk SMS services makes this kind of attack both cheap and easy, Mulliner says.

Cellcos have two options to prevent such an attack, according to the TR report: update the firmware of existing phones, or filter SMS traffic for malware, the latter of which is tough because SMS filters are designed to block spam, not binaries.

Updating phone firmware is also a tough haul, Aurélien Francillon, a researcher in the system security group at ETH Zurich, tells TR: “Most of those phones don’t have automated updates, and when they do, patches are not made available quickly.”
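
To make the filtering option above concrete, here is an added example (not from the article or the researchers) of the header inspection a network-side filter would need: it reads the data coding scheme and user data header of an SMS-DELIVER TPDU, following the 3GPP TS 23.040 field layout, and separates text from binary messages. The function names and the sample PDUs are constructed for illustration.

```python
# Added example, not from the article. Field layout follows 3GPP TS 23.040/23.038.

def alphabet(dcs):
    """Map TP-DCS to the user-data alphabet for the common coding groups."""
    if dcs & 0x80 == 0:                       # general data coding groups
        return ("gsm7", "8bit", "ucs2", "reserved")[(dcs >> 2) & 0x03]
    if dcs & 0xF0 == 0xF0:                    # data coding / message class group
        return "8bit" if dcs & 0x04 else "gsm7"
    return "other"                            # message-waiting groups, not handled

def dest_port(ud):
    """Return the application destination port from the user data header, if any."""
    hdr, i = ud[1:1 + ud[0]], 0               # ud[0] is the header length (UDHL)
    while i + 2 <= len(hdr):
        iei, iedl = hdr[i], hdr[i + 1]
        data = hdr[i + 2:i + 2 + iedl]
        if iei == 0x05 and len(data) == 4:    # 16-bit port addressing
            return int.from_bytes(data[:2], "big")
        if iei == 0x04 and len(data) == 2:    # 8-bit port addressing
            return data[0]
        i += 2 + iedl
    return None

def classify_tpdu(hex_pdu):
    """Classify an SMS-DELIVER TPDU (no SMSC prefix) as text, binary or malformed."""
    try:
        b = bytes.fromhex(hex_pdu)
        if b[0] & 0x03 != 0x00:               # TP-MTI must be SMS-DELIVER
            return {"verdict": "not-deliver"}
        udhi = bool(b[0] & 0x40)              # TP-UDHI: user data starts with a header
        pos = 3 + (b[1] + 1) // 2             # skip originating address
        dcs = b[pos + 1]                      # b[pos] is TP-PID
        pos += 2 + 7                          # skip PID, DCS, 7-octet timestamp
        udl, ud = b[pos], b[pos + 1:]
        alpha = alphabet(dcs)
        expected = (udl * 7 + 7) // 8 if alpha == "gsm7" else udl
        if alpha in ("gsm7", "8bit", "ucs2") and expected != len(ud):
            return {"verdict": "malformed"}   # declared length disagrees with payload
        port = dest_port(ud) if udhi else None
    except (ValueError, IndexError):
        return {"verdict": "malformed"}       # truncated or non-hex input
    binary = alpha == "8bit" or port is not None
    return {"verdict": "binary" if binary else "text",
            "alphabet": alpha, "udhi": udhi, "port": port}

# Constructed sample TPDUs (made-up sender and timestamp, harmless payload bytes).
HEAD = "0B911000000000F0"                     # originating address, 11 digits
TEXT = "04" + HEAD + "0000" + "11208000000000" + "0C" + "C8F71D14969741F977FD07"
BINARY = "44" + HEAD + "0004" + "11208000000000" + "0B" + "0605040B8423F0" + "01020304"
```

A set UDHI flag alone is not treated as binary, because ordinary concatenated text messages also carry a user data header; the verdict depends on an 8-bit alphabet or an application port.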
 

Article source: http://www.telecomasia.net/blog/content/beware-sms-death?John%20C.%20Tanner
