Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Attack Can Disable Phones Via SMS

Posted by timothy on from the actually-don't-txt-me-lol dept.

Trailrunner7 writes "A pair of security researchers from Germany demonstrated several techniques at the CanSecWest conference here Wednesday that enable them to remotely reboot, shut down or even completely disable many popular mobile phones with SMS messages. The technique that Nico Golde and Collin Mulliner discussed relies on setting up a GSM network and sending specially crafted SMS messages to handsets. The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent."

62 comments

  1. /. News Network by Even+on+Slashdot+FOE · · Score: 2

    Today the top story is things we've already reported on. In related news, movie theaters now want to get your cell number when you buy a movie ticket.

  2. GSM Network by Anonymous Coward · · Score: 0

    Does that mean CDMA phones (like Verizon for example) are immune?

  3. Old news by radl · · Score: 1

    This was already demonstrated in December https://events.ccc.de/congress/2010/Fahrplan/events/4060.de.html I think there was even a /. submission at that time. Although I can't find it right now...

    --
    1266953+17
    1. Re:Old news by lart2150 · · Score: 2

      Something like this http://mobile.slashdot.org/story/11/01/07/1513258/SMS-of-Death-Could-Crash-Many-Mobile-Phones

    2. Re:Old news by radl · · Score: 1

      Exactly. But see all the other dupe reports...

      --
      1266953+17
  4. Features Phones But Not Smart Phones? by WrongSizeGlass · · Score: 1

    The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent.

    They don't provide any real details or model numbers. They don't mention Android, iOS or Blackberry so they probably can't hit a smartphone with this attack. But there are enough feature phones out there that they can weak havoc.

    1. Re:Features Phones But Not Smart Phones? by BiggoronSword · · Score: 1

      The pair showed a video demonstration of phones from a wide range of manufacturers...

      Boy it would be nice to actually see said video...

      --
      interactive hologram, or it didn't happen.
    2. Re:Features Phones But Not Smart Phones? by grapeape · · Score: 2

      Why not just have someone send you a message?

    3. Re:Features Phones But Not Smart Phones? by Imabug · · Score: 2

      FTA

      "The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger."

      --
      "For I am a Bear of Very Little Brain, and Long Words Bother Me"
    4. Re:Features Phones But Not Smart Phones? by cpicon92 · · Score: 1

      From TFA:

      The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger.

    5. Re:Features Phones But Not Smart Phones? by RMingin · · Score: 1

      I'm guessing, but I'd imagine that most cell providers would quash or delete the malformed messages, or at least mangle them into a non-crashing form.

      --
      The preceding comment is my own, and in no way construes an opinon of the Emperor of Mankind.
    6. Re:Features Phones But Not Smart Phones? by Anonymous Coward · · Score: 0

      The reason they didn't bother to say is that smart phones handle SMSes in user-space programs and thus are likely to fail, if at all, in a much less spectacular fashion. And you don't make a name for yourself by reporting that certain devices _don't_ die when fed a malformed input.

    7. Re:Features Phones But Not Smart Phones? by elsJake · · Score: 1

      http://ftp.ccc.de/congress/2010/mp4-h264-HQ/

      It should be there :).

    8. Re:Features Phones But Not Smart Phones? by Anonymous Coward · · Score: 0

      They did provide a few model numbers in their presentation (I know because I was at CanSecWest), but they also specifically stated that they were targeting feature phones, not smart phone, because feature phones are still the dominant share holder. Not to mention these are college kids working on their degree. They did have sponsors that purchased many of the phones for them, but that's only because the phone were about $10-$30 a piece. Finding a sponsor for that is much easier than for phones that cost $600 a piece.

  5. Next up twitter? by skids · · Score: 3, Funny

    Seriously, how hard can it be to secure a service that consists of nothing but 180 character text messages and a sending/receiving station address? Were the designers of SMS the morons here, or the phone OS coders?

    --
    Someone had to do it.
    1. Re:Next up twitter? by WrongSizeGlass · · Score: 4, Insightful

      Were the designers of SMS the morons here, or the phone OS coders?

      Probably both.

    2. Re:Next up twitter? by Anonymous Coward · · Score: 0

      It appears that the phone companies usually sanitize SMS messages. So the phone manufactures are at fault for assuming someone else does their job for them.

    3. Re:Next up twitter? by pep939 · · Score: 2

      OOps, saw your comment too late... see my post if you're interested in the subject and want to learn how GSM is (not) protected.

    4. Re:Next up twitter? by Locke2005 · · Score: 1

      Perhaps that's the problem -- they assumed the messages were only 180 characters, thus were susceptible to buffer overruns.

      In general, this is what happens when you ignore the robustness principle and trust the data you are receiving to be properly formed. Several years ago I was able to crash the login process in Windows NT servers by sending invalid SMB messages, so it's not that uncommon. (This was by accident, I wasn't TRYING to crash the machines, just use them for authentication. And of course Windows NT was designed so that you cannot shut it down gracefully once the login process is gone...)

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    5. Re:Next up twitter? by peragrin · · Score: 1

      Becasue it wasn't designed to send 180 character messages, it was a a random hack a brilliant engineer figured out after the system was built to bring in extra revenue from an existing setup.

      --
      i thought once I was found, but it was only a dream.
    6. Re:Next up twitter? by timeOday · · Score: 2

      That was originally true, but is either A) no longer true or B) should no longer be true. I don't think any analog networks are still in service, and I don't see why SMS would be sent that way on a network designed for digital payloads. Either way, there are no excuses for this in 2011.

    7. Re:Next up twitter? by Anonymous Coward · · Score: 2, Informative

      I don't think you realize exactly what SMS is.

      SMS was originally a control channel designed for sending configuration and command messages. Then someone noticed it could be used to little text messages "out of band", and shortly after people started using it for mostly that.

      The SMS spec defines all sorts of things you wouldn't believe. You can send binary messages that configure all sorts of things on the handset, or pop up messages on the phone, or even get delivered to applications that are running on the phone or sim card. The sim card is actually a small computer, it has storage, ram, and a processor, some sim cards even run a java variant VM (JavaCard), and they can communicate with the handset using AT commands (how cool is that) and the network with SMS.

      There is a complete port-based delivery system, a hugely complicated encoding mechanism, a complete spec for how to encode xml into compact binary form (wbxml), and dozens if not hundreds of different specs for various messages that can be sent. Want to configure the access points on a phone? yep it can. Want to configure the home page of the browser? yes, download a ringtone? yep, send a picture? of course.

      Now consider the number of handset manufactures, the number of different handsets, with different firmware, and the varying range of support for all these things. It's absolutely no surprise you can crash a phone with a well (or badly) crafted message.

    8. Re:Next up twitter? by pclminion · · Score: 1

      Neither. To perform these attacks it's necessary to set up a fake GSM "network" -- you can't do it from another phone over a carrier network. Whether this should have been anticipated and handled depends on how likely we all thought it would be that somebody would actually set up their own GSM station.

      The problem isn't necessarily crappy code, it's trusting that the bits coming over the GSM network have a certain level of sanity -- this is a reasonable assumption as long as people aren't setting up their own rogue base stations. Until last year that hadn't even been demonstrated before. I think you're being overly harsh.

      In other news, if you shoot a phone with a missile it won't function too well after that either.

    9. Re:Next up twitter? by Bob_Who · · Score: 1

      Were the designers of SMS the morons here, or the phone OS coders?

      Probably both.

      Don't forget the management, the boardroom, the bankers, and wall street in general. Its never about optimizing technology, its about optimizing the marketing options and fine print so that the corporate monolith can maximize profits. Getting it right would be counter productive to their strategy. Corporations are just like oligarchs.

    10. Re:Next up twitter? by CheerfulMacFanboy · · Score: 1

      Perhaps that's the problem -- they assumed the messages were only 180 characters, thus were susceptible to buffer overruns. In general, this is what happens when you ignore the robustness principle and trust the data you are receiving to be properly formed. Several years ago I was able to crash the login process in Windows NT servers by sending invalid SMB messages, so it's not that uncommon. (This was by accident, I wasn't TRYING to crash the machines, just use them for authentication. And of course Windows NT was designed so that you cannot shut it down gracefully once the login process is gone...)

      Thanks god nothing like that can happen today - USB driver bug exposed as "Linux plug&pwn"

      Rafael Dominguez Vega of MRW InfoSecurity has reported a bug in the Caiaq USB driver which could be used to gain control of a Linux system via a USB device. The bug is caused by the device name being copied into a memory area with a size of 80 bytes using strcpy() without its length being tested. A crafted device with a long device name could thus write beyond the limits of this buffer, allowing it to inject and execute code. Because the driver is included, and automatically loaded, in most Linux distributions, to execute code in kernel mode an attacker would merely have to connect such a device to a Linux system's USB port.

      --
      Fandroids hate facts.
    11. Re:Next up twitter? by Anonymous Coward · · Score: 0

      Holy shit. Have you used a feature phone lately? They've gone to total shit. I have a Samsung model that for two years has an outstanding bug where recurring calendar appointment reminders don't work. A freakin' calendar reminder isn't programmed right and you want these guys to do security? Don't even get me started on how the entire phone crashes if you receive an SMS while opening another SMS.

    12. Re:Next up twitter? by gl4ss · · Score: 1

      in first phones they were the same guys.

      and then later they added to the spec a number of hacky things on top of it, like chained sms's, wap settings sms's.

      --
      world was created 5 seconds before this post as it is.
    13. Re:Next up twitter? by Anonymous Coward · · Score: 0

      I assume they're using a backdoor called SIM application toolkit that allows SMS to be used to download code that executes on the SIM. I'm amazed that it hasn't been exploited many times before in the 10+ years it has existed.

    14. Re:Next up twitter? by Anonymous Coward · · Score: 0

      Will there ever be a time we can remove the stupid strcpy function and force the use of strncpy? This has to be one of the dumbest functions in a section of the C standard that was already idiotic.

    15. Re:Next up twitter? by Locke2005 · · Score: 1

      Can't remove it without breaking backward compatibility. But any competent developer should have already done a global search of their code base for strcpy, strcat, etc. and made sure they either did appropriate up front checks or replaced them with strncpy, strncat etc. -- preferably the latter, to keep the issue from having to be revisited in the future.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    16. Re:Next up twitter? by CheerfulMacFanboy · · Score: 1

      Can't remove it without breaking backward compatibility. But any competent developer should have already done a global search of their code base for strcpy, strcat, etc. and made sure they either did appropriate up front checks or replaced them with strncpy, strncat etc. -- preferably the latter, to keep the issue from having to be revisited in the future.

      You'd think so - but did you read the article I linked to? http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git&a=commitdiff&h=eaae55dac6b64c0616046436b294e69fc5311581 - obviously that change was made less than a month ago.

      --
      Fandroids hate facts.
    17. Re:Next up twitter? by Locke2005 · · Score: 1

      Yes, I am implicitly accusing the original author of that driver of incompetence. Sadly, he's got plenty of company.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    18. Re:Next up twitter? by sjames · · Score: 1

      Definitely the OS coders. Much the same way the IETF wasn't to blame for the ping of death.

    19. Re:Next up twitter? by sjames · · Score: 1

      So you're saying the caiaq is a trap?

    20. Re:Next up twitter? by sjames · · Score: 1

      Considering the decades long saga of phreaking that all got started because they let random people send arbirtrary commands within the network (based on the false belief that nobody would figure it all out), you'd think they would be a bit more sensitive to that sort of thing this time around.

    21. Re:Next up twitter? by CheerfulMacFanboy · · Score: 1

      So you're saying the caiaq is a trap?

      By whom? And even if it where - this is about a "this type of error was made fun off 20 years ago" boo-boo inside a major OSS project unnoticed for years. If a trap that mind-numbingly stupid can avoid detection, the whole idea of "it's safe because anyone can check the source code" is destroyed by the fact that actually nobody bothers to do that thinking somebody else already has.

      --
      Fandroids hate facts.
    22. Re:Next up twitter? by sjames · · Score: 1

      Whoosh!

  6. Oh, No. Carriers and Phone Manufacturers will by www.sorehands.com · · Score: 2

    Now Carriers and Phone Manufacturers will blame dropped calls, phone flakiness, phone failures of malicious messages from hackers. Before, it was, "well you have to expect that with radio signals" or sunspots, or that you abused the phone.

    Anything for a cell phone provider to avoid responsibility for their failure to deliver services or features they promised.

    --
    Fight Spammers!
    1. Re:Oh, No. Carriers and Phone Manufacturers will by Captain+Spam · · Score: 1

      Now Carriers and Phone Manufacturers will blame dropped calls, phone flakiness, phone failures of malicious messages from hackers. Before, it was, "well you have to expect that with radio signals" or sunspots, or that you abused the phone.

      Anything for a cell phone provider to avoid responsibility for their failure to deliver services or features they promised.

      Worse. They'll start implementing some sort of filtering for this, even for phones that aren't affected. And then they'll claim they're "justified" in charging through the nose and/or teeth for SMS messages (as well as increasing the price regardless, naturally) because of all these wonderful, magical filters they're providing. The fools! Why did they have to report this? They've doomed us all!

      --
      Demanding constant attention will only lead to attention.
    2. Re:Oh, No. Carriers and Phone Manufacturers will by Linker3000 · · Score: 3, Informative

      The Iphone 4 has a special 'safe-mode grip' the user can do with their hand that blocks these dangerous messages. It's a 'feature'.

      --
      AT&ROFLMAO
    3. Re:Oh, No. Carriers and Phone Manufacturers will by Anonymous Coward · · Score: 0

      Informative 4? I lose maybe one bar if I cover the whole left side of the phone. An ordinary grip does nothing to the signal power. Seems like they've fixed this issue or it only affects people with big slimy hands. Maybe wankers like you?

  7. GSM = long overdue. by pep939 · · Score: 1

    It's old news really... I remember karsten nohl talking about this end of 2009. Check out this ccc talk, gave me lots of ideas for a USRP I had access to at the time: http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html

  8. Already presented at 27C3 in Berlin in December by mxs · · Score: 3, Informative

    The presentation from the 27th Chaos Communication Congress in Berlin last December (http://events.ccc.de/congress/2010/Fahrplan/events/4060.en.html) is available at http://www.youtube.com/watch?v=8bkg3AjY6fs or http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-4060-en-attacking_mobile_phones.mp4 .

  9. Very very old news by Anonymous Coward · · Score: 0

    My first experience with SMS DoS was done with flood more than 10 years ago, let alone other basic stuff.

    sorry for the anonymous post.

    7

  10. I'd never know... by Anonymous Coward · · Score: 1

    My LG likes to turn itself off on a whim (doesn't matter the battery level)... so it acts flaky enough by itself.... I'd never know if it was hit by this.

  11. It may be in the wild by bab72 · · Score: 1

    I received a specially crafted SMS message the other day that caused my phone to power off. The text of the message was "Please turn off your phone."

    --
    Bab72 (Not my real name)
    1. Re:It may be in the wild by swanzilla · · Score: 5, Insightful

      Please turn off your computer.

      --
      0 = 1 + e^(Alt something)
    2. Re:It may be in the wild by Anonymous Coward · · Score: 0

      Somebody set up me the bomb !

      It's you !!

    3. Re:It may be in the wild by sjames · · Score: 1

      You have received the honor system virus version b. You must now delete 10 random files from your system and forward this message to at least 4 other message boards. On Nov. 11th 2011 you must roll a 6 sided die. If you get an even number, you must wipe out your PC and reinstall from scratch.

      Thank you for your cooperation.

  12. Dupe from January by Khopesh · · Score: 1
    From the SMS-o-Death talk from the 27th Chaos Communication Congress last year:

    Using only Short Message Service (SMS) communications—messages that can be sent between mobile phones—a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run on a phone.

    This was also covered HERE ON SLASHDOT, 'SMS of Death' Could Crash Many Mobile Phones.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  13. big flash happening now by Anonymous Coward · · Score: 0

    you may feel mild vibration you may also (barely) be able to hear it. as far as loading you up on positive energy, that's covered too. the genetically challenged nazi mutants find the photon showers etc... disabling, as it reacts poorly with their altered dna. it is imperative that they be disarmed. the rest of it is what is supposed to happen, starting a while back. be careful. let's not mood it. see you there. thanks.

  14. This is news? by M3wThr33 · · Score: 4, Funny

    My Palm Pre already locks up and sometimes reboots when I get a regular SMS from anybody.

    I hate my phone.

  15. Control network by tombeard · · Score: 1

    AFAIK, SMS rides on the cell control network. I assume it works by sending SMS control messages to devices on the network. It shouldn't surprise anybody that you can break things via SMS, it is surprising that it isn't more common. Anyone know if there is an open standard for the control structure?

    --
    The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
  16. xkcd... by Smask · · Score: 1

    Bobby Tables, anyone?

  17. SMS/MMS and disconnects by Matheus+Villela · · Score: 1

    A lot of phones(including Androids) have issues when receiving SMS and MMS, the other day we had a problem with a certification made by a carrier that failed. Our software was getting disconnected when a MMS arrived(not even downloaded), turns out the phone connection was getting completely locked for more than 1 minute and that only happened with said carrier, with another the issue only happened when the MMS was downloaded. The whole thing is a a mess, both from manufacturers and carriers.

  18. Good thing? by petman · · Score: 1
    From TFA:

    "The good thing is that there's no user interaction needed and the attacker can be anywhere in the world," said Mulliner. "We don't need proximity to the device."

    Are the researchers evil or what?

    --
    Dropbox drops it like it's hot.
  19. Thanks! by Anonymous Coward · · Score: 0

    Excellent article! Delivering maximum value is something you are an expert at. Thanks..

    steve barbarich, directtohomeappliances

  20. Old and wrong by RichiH · · Score: 1

    This was demonstrated at 27c3.

    Also, you don't need to set up your own network, having a Motorola C123 and a serial cable is enough.

  21. No iPhone? by hesaigo999ca · · Score: 1

    I noticed that the iPhone was not one of these, I guess it is funny, but they just unwittingly added a few more bucks to the price of Apple stocks......unless of course this was the plan all along. I truly wonder, unless you have some proof of concept properly defined and able to be checked by peers, just how much some of these stories are real, and others are faked. Remember that study about the shots and the MS....how the study was faked, I am sure there is a lot of rampant faking going on, at least I know when my GF fakes it, but knowing when a study fakes it is a different thing all together.

    1. Re:No iPhone? by Anonymous Coward · · Score: 0

      FTA: "The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger."