DoS Vulnerability On Nokia Phones
Matt_Bennett writes "According to this report from CNN, it is possible to send an SMS (Short Message Service) message to certain Nokia GSM phones, in particular the Nokia 7110, which will cause it to lock up. At this point, they are unsure if it is possible from an email-to-SMS gateway. The phone has to have its battery removed and replaced to return to normal operation." "Sorry I couldn't call you back, my phone was haxx0r3d." We laugh, but as personal electronics get better, we rely on them more... and at the same time, they become more complex: the potential security holes grow. It's kinda creepy.
On Norwegian TV yesterday, they interviewed some Nokia techies finishing up their research on the matter. It seems that this bug can only be recreated with some sort of Nokia development software and equipment. These things are not readily available.
The next version of this software should solve the issue. A recall of the exploitable phones is not considered.
It's amazing how unclued that company can remain.
It's not really just Nokia, it's the general short-sightedness of corporations still unable to get the clue from their own work-force geeks.
We're moving to information age not because of funny gadgets, but because of real, hard-to-use, hard-to-beat endlessly-programmable-information-processing-cap
</rant>
Vision:
I want a necklace of batteries and PCMCIA cards wired to my earplugs and sights, so that I can secure myself against hazardous SMSes and other forthcoming hacks.
I think, therefore thoughts exist. Ego is just an impression.
how mission-critical is a cell phone? must it be online at all times? must it have zero down time?
for a DoS attack to be successful, the point is to flood a server that is required to be online at all times and that denial successfully takes them offline for an extended length of time.
this isn't a true DoS attack because the person sending it would have to send out a continual stream of these malformed messages that would get bounced back to them as soon as one brings down the phone. Also, the SMS provider software would shut down the point of entry if their load from a point becomes too large.
I would call this a simple software glitch that has the unfortunate problem of causing the phone's OS to crash.
call it a runtime error. call it a macintosh system error. it's just not a DoS
so this should be called a triggered runtime error instead of a DoS
Who are the geniuses that think these things up?
My guess would be Hanna-Barbera. We're all just bit players in a big Jetsons episode.
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
Not really, a DoS attack is anything that Denies Service; it just so happens that what you describe (I believe it's called a smurf attack) is one common way to do that on the net.
Also, cell phones are mission critical, for some people anyway. Emergency workers (firefighters, cops, ambulance drivers, etc.) are beginning to rely more & more on cell phones for communication. The fact that someone can send my phone a message that forces me to manually reset the phone is pretty pitiful. If something like this occurred in, say, Pine or Elm, it would be considered a pretty big flaw.
---- I made the Kessel Run in under 11 parsecs.
A friend at work was able to construct an SMS message that crashed every GSM phone available at the company (and understandably, an SMS messaging services oriented company has practically all models to test with), not only when sent to the phone, but just by being on the SIM card. (Obviously, this crash triggered when parsing the message from memory.) On the bright side, you need an SMSC to construct and send such a message.
Just to state that this is hardly a Nokia-specific problem, but of course, Nokia is the most visible target, just like Microsoft.
And the thing is, for reconfiguration messages, you have to confirm whether you want them or not. If the user chooses to do so, it's their fault... How clueless could you be to get a reconfiguration message out of the blue and go "Ooh, better accept this!"?
Open Source. Closed Minds. We are Slashdot.
- How mission-critical the cell phone is depends on who is using it. If it's your average SUV-driving latte-drinking yuppie, then no -- it isn't mission critical at all. But if it's a medical worker on call, it better be considered mission-critical.
- The downtime depends on how soon the person notices that the cellphone has crashed.
- I simply hate the way people are so used to Windows that they expect instability from an operating system. What happens when silicon becomes even more common? I would hate the day my refrigerator had a GPF...
> for a DoS attack to be successful, the point is to flood a server that is required to be online at all times and that denial successfully takes them offline for an extended length of time.
DoS stands for Denial of Service, in case you were wondering. A DoS attack is anything that denies anyone service. It does not have to be against a server, nor does it have to be a flood. For example, the Winnuke attack was neither a flood nor against a server (assuming that people aren't running servers on Windows).
> I would call this a simple software glitch that has the unfortunate problem of causing the phone's OS to crash.
Oh sure, let me just reboot my cellphone. That's no problem, right? I mean software was meant to crash. And if my refrigerator (just wait a few years) suddenly decides to crash in the middle of the night, I'll just run down and reboot it as well. No problem!
> call it a runtime error. call it a macintosh system error. it's just not a DoS
See above.
--
Some Qualcomm QCP phones will let you spy on other people's SMS messages if you send an SMS to yourself full of high-bit characters. This was working with Bell Titanic's email-to-SMS gateway a few months back, not sure about now. It was kind of weird to get people's backup failure notices, NOCOL errors, and Oracle alerts though.
when trying to make it easier to use (Microsoft all over). I'm fairly confident that this can't be caused by a normal SMS message with "normal" text (unless those Nokia engineers pulled it off -again-). Nokia phones can be configured using SMS messages. Take Nokia WAP phones for example. They can be configured for WAP operation by receiving an SMS message from your operator. Non-WAP Nokia phones also have similar functionality. Sending a malformed "config" message might be what is causing this. Anyway, big deal. Nokia is a "designer" phone. Nice looks. Geeks in Scandinavia go for Ericsson (yes, I know they've fucked up in the past, but at least not as bad as Nokia this time :)
What it means is that in North America there is not the infrastructure for digital phones to be always on the digital service. Dual band phones in North America might mean Digital and Analogue, but Dual Band phones in the rest of the world mean two different carrier band frequencies. I think this answers points (1) and (2) as well.
Analogue works because the infrastructure is there. Once the infrastructure is there, digital is MUCH preferable to Analogue, and I say this having been on a digital service for four years now in Europe, and when having to deal with the hiss and crackle of an analogue service both when in Canada and the States, it really annoyed me.
As for the hacking, no it cannot happen on AMPS, but then of course with a cheap scanner, anyone can listen in on your calls.
All this new-fangled technology, it will never last!! End sarcasm.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How many people outside of Japan know about the guy who set up a WAP home page that redirected the viewer's phone to 110 (the Japanese phone number for emergency services)? They got 5500 false calls in three months around the country from idiots viewing the page. The guy who made it was arrested the other day for interfering with official services.
Now imagine that as a phone virus...
SMS is hardly the only way to lock up your GSM
Indeed not. You can permanently destroy many GSM mobiles (including the SIM card) just by repeatedly hitting them with a sledgehammer.
Yes, that was a joke.
Michael
...another comment from Michael Tandy.
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
> (I believe its called a smurf attack)
No, a smurf attack consists of sending an ICMP Echo packet to the broadcast address of a subnet that still allows that sort of thing, but the trick is, you spoof the source IP in the IP header, so every host on that subnet sends an ICMP Echo Response packet to the spoofed source IP (your target). This has the benefit of multiplying your outgoing datastream by the number of hosts on the subnet you are bouncing from. It allows you to flood the target with much more bandwidth than you have available to you.
That is a smurf attack; emailing a cell phone does not count.
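As an added example (not code from this thread or from any of the posters), here is the check a border router or IDS applies to the packet described above: an ICMP Echo Request addressed to a subnet's directed-broadcast address whose source lies outside that subnet, which is exactly the spoofed trigger that turns the subnet into an amplifier. The packet layout is a constructed minimal IPv4 + ICMP header built inline, and the amplifier network 192.168.1.0/24 and the addresses used are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread.  Recognises the trigger packet
 * of a smurf attack as it arrives at the amplifier network: an ICMP echo
 * request sent to the directed-broadcast address of net/mask whose source
 * address is not inside net/mask (the spoofed victim).  Offsets follow the
 * IPv4 and ICMP header layouts; IP options are skipped via IHL. */

enum { IP_PROTO_ICMP = 1, ICMP_ECHO_REQUEST = 8 };

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* 1 = smurf trigger (echo request to our broadcast from an off-net source),
 * 0 = anything else (including a local host pinging the broadcast),
 * -1 = too short to parse. */
int is_smurf_trigger(const uint8_t *pkt, size_t len, uint32_t net, uint32_t mask)
{
    if (pkt == NULL || len < 20) return -1;
    if ((pkt[0] >> 4) != 4) return 0;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return -1;  /* header or ICMP part truncated */
    if (pkt[9] != IP_PROTO_ICMP) return 0;
    if (pkt[ihl] != ICMP_ECHO_REQUEST) return 0;

    uint32_t src = rd32(pkt + 12);
    uint32_t dst = rd32(pkt + 16);
    uint32_t bcast = (net & mask) | ~mask;     /* directed-broadcast address */
    if (dst != bcast) return 0;

    /* A source on the subnet is an ordinary local broadcast ping; a source
     * off the subnet is the address the attacker wants every host to reply to. */
    return ((src & mask) != (net & mask)) ? 1 : 0;
}

/* Builds a constructed 28-byte packet: 20-byte IPv4 header without options
 * followed by an 8-byte ICMP header.  Checksums are left zero because the
 * check above never looks at them. */
size_t build_icmp(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst, uint8_t icmp_type)
{
    if (cap < 28) return 0;
    memset(buf, 0, 28);
    buf[0] = 0x45;               /* version 4, IHL 5 */
    buf[3] = 28;                 /* total length */
    buf[8] = 64;                 /* TTL */
    buf[9] = IP_PROTO_ICMP;
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    buf[20] = icmp_type;
    return 28;
}

/* Assumed amplifier network for the demo: 192.168.1.0/24. */
static const uint32_t NET  = IP4(192, 168, 1, 0);
static const uint32_t MASK = 0xffffff00u;

static int run(uint32_t src, uint32_t dst, uint8_t type, size_t len)
{
    uint8_t pkt[28];
    size_t n = build_icmp(pkt, sizeof pkt, src, dst, type);
    return is_smurf_trigger(pkt, len < n ? len : n, NET, MASK);
}

/* Constructed scenarios: off-net spoofed source, local host, unicast ping,
 * an echo reply, and a packet cut short before the ICMP header ends. */
int scenario_spoofed(void)   { return run(IP4(10, 9, 8, 7),    IP4(192, 168, 1, 255), ICMP_ECHO_REQUEST, 28); }
int scenario_local(void)     { return run(IP4(192, 168, 1, 7), IP4(192, 168, 1, 255), ICMP_ECHO_REQUEST, 28); }
int scenario_unicast(void)   { return run(IP4(10, 9, 8, 7),    IP4(192, 168, 1, 20),  ICMP_ECHO_REQUEST, 28); }
int scenario_reply(void)     { return run(IP4(10, 9, 8, 7),    IP4(192, 168, 1, 255), 0,                 28); }
int scenario_truncated(void) { return run(IP4(10, 9, 8, 7),    IP4(192, 168, 1, 255), ICMP_ECHO_REQUEST, 24); }

int main(void)
{
    printf("spoofed=%d local=%d unicast=%d reply=%d truncated=%d\n",
           scenario_spoofed(), scenario_local(), scenario_unicast(),
           scenario_reply(), scenario_truncated());
    return 0;
}
```

The two conditions together are what "no ip directed-broadcast" style filtering enforces on the amplifier side, and what source-address ingress filtering enforces on the attacker's side: a broadcast ping from a host on the subnet is allowed through, one from anywhere else is the attack.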
I have a 7110 and occasionally use it for WAP - I would use it more, but about 1/3 of all pages I browse, including some portal sites, just can't be displayed. So calling this a good browser is rather an exaggeration, though it may well be better than the others you tested.
But that reminds me of a funny story. A very long time ago, I was working with an engineer who'd come out of the auto industry. I asked him when we would see ABS brakes in actual consumer cars. He told me he would never drive a car that relied on (possibly buggy) software to stop. "It brings a whole new meaning to the halting problem!"
This is already the second time this has happened to Nokia. My roommate's Nokia 5110 originally had buggy firmware (which he later upgraded for obvious reasons...) which locked the phone if someone sent him an SMS message with 160 dots. The phone locked up completely; only removing the battery brought it back to life.
Jacco /var/log
---
# cd
-------
Warning: Slashdot may contain traces of nuts.
Must your desktop computer be online at all times? Must it have zero down time? If not, please give me your IP address, and a vulnerability which causes you to do a full reset on your computer. I'll write an appropriate exploit.
Here's how to turn it into a true DoS.
while (1) {
    crashPhone();
    sleep(120);
}
Now as you were noting about this not being a DoS attack, could you please give me your Nokia phone's SMS e-mail gateway address?
----------------------------
Fortunately though, most people with the skills to cause such hassles also realize that it's just plain dumb to do such things.
----------------------------
Finland-based Nokia said that it was already in contact with Web2Wap, but that Nokia, the world's largest mobile phone maker, had itself never experienced such problems in the past.
That is not true.
Sending a message with 160 chars of '.' in it to older 5110 models caused them to lock up too. I've heard that this was an easter egg deliberately made by some coder (though I'm not sure whether this is true or just another urban legend). The newer models don't have the bug (e.g. mine doesn't - version 05.07 20-11-98 (you can see the version by typing *#0000#)).
Furthermore, this article (only Finnish, sorry) says that in some cases the SMS also destroyed the SIM-card (no specifics mentioned).
The article also mentions that Web2Wap has contacted Nokia and Nokia experts will meet with them Wednesday, but Nokia denies getting any contact requests. Typical.
I doubt, therefore I may be.
Many of the early crackers were phone phreaks. Looks like we've come full circle.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
This is how that thing called 'progress' works. Someone comes up with a cool new technology. People come up with hundreds of nifty new gadgets and applications for that technology. Those gadgets and applications that people want to use become household items. Those gadgets that people don't want to use show up in fifty years time as jokes in TV shows.
Go back and look at all the stupid ideas people had when they first came up with that "electricity" thing. Think of the wacky ideas people had about how radio and television could be used. Think of the fact that only about one in twenty high-tech startups survive.
The trick, however, is that it's nearly impossible to tell before the fact which gadgets will be wanted, and which will not. Some things that are really good ideas will tank because it was released in the wrong place at the wrong time. Some things that we all think are stupid will turn into the next big craze in consumer electronics. So the only logical thing to do is to produce all of them, and let Darwin sort them out.
We prosper as a society when we allow people to think as wildly as possible, give them enough rope^H^H^Hesources to try their ideas out, take the best, and let the rest drop out.
Charles Miller
--
The more I learn about the Internet, the more amazed I am that it works at all.
Nokia 7110 has WAP. I think it was the first public phone with WAP... at least here in Sweden.
Ring brother, ring for me | Ring the bells of hope and faith
Ring for my damnation | I am at the gallows end
Imagine, soon we'll have computers in CARS! Now if someone would to DoS them ;-) *CRASH*
What about fridges? Now if someone would h4xx0r my fridge and all my coke would be warm someone would be DEAD! ;-)
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Also, I've often wondered if a cel.tel could be activated - on the sly - as a surveillance device... i.e. open the microphone in response to a (silent) incoming call/message... it doesn't ring, light up , vibrate or talk... but listens and sends what it hears to an unknown operator.
If not now, then it's just a matter of time...
This isn't a WAP thing, it's just dodgy software in Nokia phones (they aren't even WAP phones).
Ewan
I'm willing to bet that today's Nokias are more powerful than the PCs of 15 years ago. What kind of security problems will we be seeing from phones in 5 years' time?
--- Hot Shot City is particularly good.
so it's a malformed message that causes the computer to freeze up. big deal. they're already fixing the problem on the server side so that a malformed message can't be routed through the server. and if it happens to you, you simply pop out the battery and pop it back in. oh darn. that's really difficult. it's not a hack. it's not even a DoS attack. it's simply a fuckup. it wouldn't be all that hard for the companies that make the SMS server software to fix the problem. (that's more than I can say for today's companies that get DoS attacks and can't do a damn thing to prevent them)
The 7110 had problems in the early versions of the firmware, but the one shipping the last few months is pretty good. It has the best protocol stack and best browser of the competing Ericsson R320 and Motorola Talkabout. I had to test them all, part of my job. I hope you get your hands on these models so you can compare. Try with several WAP sites, browse around, and decide for yourself.
Check the firmware version of the 7110, 4.80 is already rather good (even though about 6 months old). Type *#0000# to check the version.
BTW, IMHO the Motorola Talkabout has an outright ugly and unfriendly screen. Where on earth has Motorola found such cheap, contrastless LCD screens!?
Sigged!
SMS is hardly the only way to lock up your GSM, although it is certainly the most accessible. The WAP-capable phones appear to open a whole new can (no, make that a barrel) of worms.
:).
Earlier in the year we were working on a WAP application for a major automobile company. We actually had to put special effort in to ensure that the application *did not* lock up the phones. We tested the app with a number of phones from different manufacturers, including Nokia (I think the model used was 7110). The shocking part was that _almost all_ could be locked up, usually in different ways (which made things all the more frustrating, of course), and the problems occurred even when using the most basic WML. (The design of WML is another interesting discussion topic, but I guess I would have to leave that rant for another time.)
A particularly interesting side of all that was that a lot of the ways in which the problems occurred pointed to possible buffer overflow problems, something that would explain the lockups (one of the most obvious ones was lockups on some phones when the encoded and compressed WML pages, together with the POST data, were above a certain size). Given this observation, I have been pondering since then whether those problems are actually exploitable. If they are, that would be majorly cool, or majorly scary, depending on what side of the fence you are on. Pity I don't have the zeal to delve into phone hacking at this point.
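As an added example (not code from Nokia, from the WAP project above, or from anyone in this thread), the C below shows the parsing pattern that both the SMSC-constructed message that crashed every phone on the bench and the "lockups above a certain size" observation point at: a parser that believes a length field carried in the message, beside one that checks that length against both the destination buffer and the bytes actually received. The message layout (one length byte followed by that many bytes of text), the 160-byte field used as a one-byte-per-character stand-in for the real 7-bit user-data encoding, and the three scenario inputs (including the "160 dots" message reported for the 5110) are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Nokia code or code from the thread.  The message layout
 * is a deliberately simplified stand-in for the real SMS user-data field (an
 * assumption): one length byte, UDL, followed by UDL bytes of text.  The real
 * 7-bit encoding packs 160 characters into 140 octets; here one byte per
 * character is used so the length checks are easy to follow. */

#define UD_MAX 160

struct sms_text {
    uint8_t len;
    char    data[UD_MAX + 1];
};

/* The pattern the thread's lockups point at: the parser believes the length
 * byte and copies that many bytes into a fixed buffer.  A UDL above 160
 * overruns out->data; a UDL larger than the bytes actually received reads
 * past the end of the message.  Kept only for contrast; never feed it
 * untrusted input. */
int parse_ud_unsafe(const uint8_t *pdu, size_t pdu_len, struct sms_text *out)
{
    (void)pdu_len;                       /* received size is ignored: the bug */
    uint8_t udl = pdu[0];
    memcpy(out->data, pdu + 1, udl);     /* no check against UD_MAX */
    out->data[udl] = '\0';
    out->len = udl;
    return udl;
}

/* Hardened parser: every claim in the message is checked against both the
 * buffer it is copied into and the number of bytes that actually arrived.
 * Returns the text length, or a negative code saying which check failed. */
int parse_ud_safe(const uint8_t *pdu, size_t pdu_len, struct sms_text *out)
{
    if (pdu == NULL || out == NULL || pdu_len < 1) return -1;
    uint8_t udl = pdu[0];
    if (udl > UD_MAX) return -2;              /* more than the field can hold */
    if ((size_t)udl > pdu_len - 1) return -3; /* more than was received */
    memcpy(out->data, pdu + 1, udl);
    out->data[udl] = '\0';
    out->len = udl;
    return (int)udl;
}

/* Scenarios built inline (constructed input, not captured messages). */

/* The "160 dots" message from the 5110 reports: legal, and must parse. */
int scenario_dots160(void)
{
    uint8_t pdu[1 + UD_MAX];
    struct sms_text t;
    pdu[0] = UD_MAX;
    memset(pdu + 1, '.', UD_MAX);
    return parse_ud_safe(pdu, sizeof pdu, &t);
}

/* UDL claims 255 bytes: the copy would overrun a 160-byte field. */
int scenario_overclaim(void)
{
    uint8_t pdu[256];
    struct sms_text t;
    pdu[0] = 255;
    memset(pdu + 1, 'A', 255);
    return parse_ud_safe(pdu, sizeof pdu, &t);
}

/* UDL claims 100 bytes but only 10 follow: the copy would read past the
 * end of what arrived. */
int scenario_short(void)
{
    uint8_t pdu[11];
    struct sms_text t;
    pdu[0] = 100;
    memset(pdu + 1, 'A', 10);
    return parse_ud_safe(pdu, sizeof pdu, &t);
}

int main(void)
{
    printf("dots160=%d overclaim=%d short=%d\n",
           scenario_dots160(), scenario_overclaim(), scenario_short());
    return 0;
}
```

The second check is the one that matters for the "crashes just by being on the SIM card" case: a message is re-parsed every time it is read back from storage, so a stored record whose length byte disagrees with its actual size will keep tripping a parser that only validated it once, or never.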
I get fed up with people who want to web-enable everything in your entire house. They want to put barcode readers in your fridge to tell you when your milk is bad, internet access so the fridge can order more milk for you, heaters/airconditioners that can access the weather forecasts to more efficiently maintain your thermostat, web-enabled robots to feed your pets, even lightbulbs that have built-in TCP/IP support so you can turn them off via the web! Why in the hell would we ever need such silliness? Is it too much trouble to flip a god damn switch!? Who are the geniuses that think these things up?
"Hey, I got an idea! Why don't we make people so lazy that they don't ever have to get out of bed to do anything, and at the same time forget about how totally insecure the technology we are creating is, and thus give all those kiddie h4xxors the ability to spoil peoples' food, freeze them to death, starve their animals to death, and submit them to torturous light shows, all via the anonymity and distance of the internet!"
120 characters isn't enough to explain it.
We have become used to taking software as no-warranty (EULAs, ...), but we think we have some rights when we buy physical items.
Since phones are more and more software, can we finally make claims for faulty software?
__
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
No big deal. I have a Siemens S10, also known as "the brick", and if a message arrives from www.quios.com on this phone, the moment you try to read it, the phone shuts down. The same happens if you want to view a saved message from Quios. The only way to read the message is to EDIT it instead of VIEWing it.