31 December 2008
Mobile Virology:
Curse of Silence, a Symbian S60 SMS Exploit?
Now that the platform has been hacked, and just when we thought we knew practically everything there was to know about the 3rd Edition of the S60 platform and its new security system, I stumbled upon something really interesting.
F-Secure has just warned mobile phone users of a new worm which, unusually, is not exclusive to S60 2nd Edition but affects 3rd Edition devices as well.
It sounds bad, but to be really honest with you, I'm not scared of it. At the risk of repeating myself, I'll say again that there is no real danger if you are careful enough; in fact, smartphone users have to do a lot wrong to get infected, and the latest exploit is no exception to this rule.
Anyway, this easily reproducible SMS exploit was disclosed and demonstrated today at the 25th Chaos Communication Congress by Tobias Engel. What is most interesting about the exploit is that it is effective against most Symbian S60 smartphones and will effectively prevent victims from receiving SMS messages.
The 25th Chaos Communication Congress (25C3) is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany.
First held in 1984, it has since established itself as “the European Hacker Conference”, attracting a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world.
According to Engel's research, the exploit affects the messaging components of Nokia S60 2nd Edition and 3rd Edition FP1 devices, and F-Secure's labs determined that Sony Ericsson UIQ devices are vulnerable as well.
VIDEO DEMO
Versions 2.6, 2.8, 3.0, and 3.1 are also better known as S60 2nd Edition, Feature Pack 2; S60 2nd Edition, Feature Pack 3; S60 3rd Edition (initial release); and S60 3rd Edition, Feature Pack 1 respectively.
The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)
What happens when a vulnerable phone receives the exploit message?
Example 1 — on the older 6680 nothing happens. Nothing at all… The first exploit message is enough to crash the SMS messaging service. It is a completely silent attack and there are no hints of trouble presented to the victim. The phone will simply stop receiving SMS (as well as MMS) messages.
Example 2 — on the newer N95, nothing will happen until several messages have been sent by the attacker. Then, once the critical limit has been reached, the phone will prompt an alert: "Not enough memory to receive message(s). Delete some data first."
The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.
There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.
Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.