
New Attack Can Disable Phones Via SMS

timothy posted more than 3 years ago | from the actually-don't-txt-me-lol dept.

Cellphones 62

Trailrunner7 writes "A pair of security researchers from Germany demonstrated several techniques at the CanSecWest conference here Wednesday that enable them to remotely reboot, shut down or even completely disable many popular mobile phones with SMS messages. The technique that Nico Golde and Collin Mulliner discussed relies on setting up a GSM network and sending specially crafted SMS messages to handsets. The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent."


62 comments

/. News Network (2)

Even on Slashdot FOE (1870208) | more than 3 years ago | (#35447378)

Today the top story is things we've already reported on. In related news, movie theaters now want to get your cell number when you buy a movie ticket.

GSM Network (0)

Anonymous Coward | more than 3 years ago | (#35447382)

Does that mean CDMA phones (like Verizon for example) are immune?

Old news (1)

radl (1266970) | more than 3 years ago | (#35447386)

This was already demonstrated in December https://events.ccc.de/congress/2010/Fahrplan/events/4060.de.html [events.ccc.de] I think there was even a /. submission at that time. Although I can't find it right now...

Features Phones But Not Smart Phones? (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35447392)

The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent.

They don't provide any real details or model numbers. They don't mention Android, iOS or Blackberry so they probably can't hit a smartphone with this attack. But there are enough feature phones out there that they can wreak havoc.

Re:Features Phones But Not Smart Phones? (1)

BiggoronSword (1135013) | more than 3 years ago | (#35447616)

The pair showed a video demonstration of phones from a wide range of manufacturers...

Boy it would be nice to actually see said video...

Re:Features Phones But Not Smart Phones? (2)

grapeape (137008) | more than 3 years ago | (#35447656)

Why not just have someone send you a message?

Re:Features Phones But Not Smart Phones? (1)

RMingin (985478) | more than 3 years ago | (#35449016)

I'm guessing, but I'd imagine that most cell providers would quash or delete the malformed messages, or at least mangle them into a non-crashing form.

Re:Features Phones But Not Smart Phones? (1)

elsJake (1129889) | more than 3 years ago | (#35449494)

http://ftp.ccc.de/congress/2010/mp4-h264-HQ/

It should be there :).

Re:Features Phones But Not Smart Phones? (2)

Imabug (2259) | more than 3 years ago | (#35447754)

FTA

"The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger."

Re:Features Phones But Not Smart Phones? (0)

Anonymous Coward | more than 3 years ago | (#35449168)

The reason they didn't bother to say is that smart phones handle SMSes in user-space programs and thus are likely to fail, if at all, in a much less spectacular fashion. And you don't make a name for yourself by reporting that certain devices _don't_ die when fed a malformed input.

Re:Features Phones But Not Smart Phones? (1)

cpicon92 (1157705) | more than 3 years ago | (#35447780)

From TFA:

The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger.

Re:Features Phones But Not Smart Phones? (0)

Anonymous Coward | more than 3 years ago | (#35464230)

They did provide a few model numbers in their presentation (I know because I was at CanSecWest), but they also specifically stated that they were targeting feature phones, not smart phones, because feature phones are still the dominant share holder. Not to mention these are college kids working on their degree. They did have sponsors that purchased many of the phones for them, but that's only because the phones were about $10-$30 a piece. Finding a sponsor for that is much easier than for phones that cost $600 a piece.

Next up twitter? (3, Funny)

skids (119237) | more than 3 years ago | (#35447402)

Seriously, how hard can it be to secure a service that consists of nothing but 180 character text messages and a sending/receiving station address? Were the designers of SMS the morons here, or the phone OS coders?

Re:Next up twitter? (4, Insightful)

WrongSizeGlass (838941) | more than 3 years ago | (#35447422)

Were the designers of SMS the morons here, or the phone OS coders?

Probably both.

Re:Next up twitter? (1)

Bob_Who (926234) | more than 3 years ago | (#35449970)

Were the designers of SMS the morons here, or the phone OS coders?

Probably both.

Don't forget the management, the boardroom, the bankers, and wall street in general. It's never about optimizing technology, it's about optimizing the marketing options and fine print so that the corporate monolith can maximize profits. Getting it right would be counter productive to their strategy. Corporations are just like oligarchs.

Re:Next up twitter? (1)

gl4ss (559668) | more than 3 years ago | (#35450536)

in first phones they were the same guys.

and then later they added to the spec a number of hacky things on top of it, like chained sms's, wap settings sms's.

Re:Next up twitter? (-1, Flamebait)

tehcyder (746570) | more than 3 years ago | (#35451302)

Were the designers of SMS the morons here, or the phone OS coders?

Probably both.

I think the cunts who spend their lives dreaming up exploits to crash mobile phones by abusing SMS are the fucking morons myself.

I realise this is not a popular opinion here.

Re:Next up twitter? (0)

Anonymous Coward | more than 3 years ago | (#35447474)

It appears that the phone companies usually sanitize SMS messages. So the phone manufacturers are at fault for assuming someone else does their job for them.

Re:Next up twitter? (2)

pep939 (1957678) | more than 3 years ago | (#35447530)

Oops, saw your comment too late... see my post [slashdot.org] if you're interested in the subject and want to learn how GSM is (not) protected.

Re:Next up twitter? (1)

Locke2005 (849178) | more than 3 years ago | (#35447540)

Perhaps that's the problem -- they assumed the messages were only 180 characters, thus were susceptible to buffer overruns.

In general, this is what happens when you ignore the robustness principle and trust the data you are receiving to be properly formed. Several years ago I was able to crash the login process in Windows NT servers by sending invalid SMB messages, so it's not that uncommon. (This was by accident, I wasn't TRYING to crash the machines, just use them for authentication. And of course Windows NT was designed so that you cannot shut it down gracefully once the login process is gone...)

Re:Next up twitter? (1)

CheerfulMacFanboy (1900788) | more than 3 years ago | (#35450056)

Perhaps that's the problem -- they assumed the messages were only 180 characters, thus were susceptible to buffer overruns. In general, this is what happens when you ignore the robustness principle and trust the data you are receiving to be properly formed. Several years ago I was able to crash the login process in Windows NT servers by sending invalid SMB messages, so it's not that uncommon. (This was by accident, I wasn't TRYING to crash the machines, just use them for authentication. And of course Windows NT was designed so that you cannot shut it down gracefully once the login process is gone...)

Thank god nothing like that can happen today - USB driver bug exposed as "Linux plug&pwn" [h-online.com]

Rafael Dominguez Vega of MRW InfoSecurity has reported a bug in the Caiaq USB driver which could be used to gain control of a Linux system via a USB device. The bug is caused by the device name being copied into a memory area with a size of 80 bytes using strcpy() without its length being tested. A crafted device with a long device name could thus write beyond the limits of this buffer, allowing it to inject and execute code. Because the driver is included, and automatically loaded, in most Linux distributions, to execute code in kernel mode an attacker would merely have to connect such a device to a Linux system's USB port.

Re:Next up twitter? (0)

Anonymous Coward | more than 3 years ago | (#35453506)

Will there ever be a time we can remove the stupid strcpy function and force the use of strncpy? This has to be one of the dumbest functions in a section of the C standard that was already idiotic.

Re:Next up twitter? (1)

Locke2005 (849178) | more than 3 years ago | (#35454794)

Can't remove it without breaking backward compatibility. But any competent developer should have already done a global search of their code base for strcpy, strcat, etc. and made sure they either did appropriate up front checks or replaced them with strncpy, strncat etc. -- preferably the latter, to keep the issue from having to be revisited in the future.
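The bug quoted above (a device-supplied name copied with strcpy() into an 80-byte buffer) and the strncpy replacement suggested in this reply, as an added C example that is not part of the thread or of the driver's code. `struct dev_state`, the function names and the 200-byte name are constructed for illustration; the example shows that strncpy alone keeps the write in bounds but can leave the buffer unterminated, so the bounded copy terminates explicitly.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 80            /* buffer size quoted in the thread */

/* Hypothetical stand-in for per-device state; not the real driver's struct. */
struct dev_state {
    char name[NAME_LEN];
    unsigned guard;            /* neighbouring field an overrun of name would hit */
};

/* Pattern described in the thread: the source length is never tested.
 * Correct only when src is shorter than NAME_LEN. */
static void set_name_unchecked(struct dev_state *d, const char *src)
{
    strcpy(d->name, src);
}

/* strncpy bounds the write but adds no terminator when src has NAME_LEN
 * or more bytes. Returns 1 if name ended up NUL-terminated, else 0. */
static int set_name_strncpy(struct dev_state *d, const char *src)
{
    strncpy(d->name, src, sizeof d->name);
    return memchr(d->name, '\0', sizeof d->name) != NULL;
}

/* Bounded copy: reads at most src_max bytes, truncates to fit and always
 * terminates. Returns 1 if the name had to be truncated, else 0. */
static int set_name_bounded(struct dev_state *d, const char *src, size_t src_max)
{
    const char *nul = memchr(src, '\0', src_max);
    size_t len = nul ? (size_t)(nul - src) : src_max;
    int truncated = len >= sizeof d->name;

    if (truncated)
        len = sizeof d->name - 1;
    memcpy(d->name, src, len);
    d->name[len] = '\0';
    return truncated;
}

/* Constructed oversized input: n-1 'A' bytes followed by a terminator. */
static void make_long_name(char *out, size_t n)
{
    memset(out, 'A', n - 1);
    out[n - 1] = '\0';
}

/* Returns 1 when strncpy left the buffer unterminated for a 200-byte name. */
int strncpy_leaves_unterminated(void)
{
    struct dev_state d;
    char long_name[201];
    make_long_name(long_name, sizeof long_name);
    return set_name_strncpy(&d, long_name) == 0;
}

/* Returns strlen(name) after a bounded copy of the 200-byte name, or -1 if
 * truncation was not reported or the neighbouring field changed. */
int bounded_copy_result(void)
{
    struct dev_state d = { .guard = 0xC0FFEEu };
    char long_name[201];
    make_long_name(long_name, sizeof long_name);
    if (!set_name_bounded(&d, long_name, sizeof long_name) || d.guard != 0xC0FFEEu)
        return -1;
    return (int)strlen(d.name);
}

int main(void)
{
    struct dev_state d = { .guard = 0xC0FFEEu };
    set_name_unchecked(&d, "short name");      /* fine only because it fits */
    printf("unchecked, short input: %s\n", d.name);
    printf("strncpy left name unterminated: %d\n", strncpy_leaves_unterminated());
    printf("bounded copy length: %d\n", bounded_copy_result());
    return 0;
}
```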

Re:Next up twitter? (1)

CheerfulMacFanboy (1900788) | more than 3 years ago | (#35455694)

Can't remove it without breaking backward compatibility. But any competent developer should have already done a global search of their code base for strcpy, strcat, etc. and made sure they either did appropriate up front checks or replaced them with strncpy, strncat etc. -- preferably the latter, to keep the issue from having to be revisited in the future.

You'd think so - but did you read the article I linked to? http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git&a=commitdiff&h=eaae55dac6b64c0616046436b294e69fc5311581 [kernel.org] - obviously that change was made less than a month ago.

Re:Next up twitter? (1)

Locke2005 (849178) | more than 3 years ago | (#35455870)

Yes, I am implicitly accusing the original author of that driver of incompetence. Sadly, he's got plenty of company.

Re:Next up twitter? (1)

sjames (1099) | more than 3 years ago | (#35458602)

So you're saying the caiaq is a trap?

Re:Next up twitter? (1)

CheerfulMacFanboy (1900788) | more than 3 years ago | (#35460652)

So you're saying the caiaq is a trap?

By whom? And even if it were - this is about a "this type of error was made fun of 20 years ago" boo-boo inside a major OSS project unnoticed for years. If a trap that mind-numbingly stupid can avoid detection, the whole idea of "it's safe because anyone can check the source code" is destroyed by the fact that actually nobody bothers to do that thinking somebody else already has.

Re:Next up twitter? (1)

peragrin (659227) | more than 3 years ago | (#35447848)

Because it wasn't designed to send 180 character messages, it was a random hack a brilliant engineer figured out after the system was built to bring in extra revenue from an existing setup.

Re:Next up twitter? (2)

timeOday (582209) | more than 3 years ago | (#35448060)

That was originally true, but is either A) no longer true or B) should no longer be true. I don't think any analog networks are still in service, and I don't see why SMS would be sent that way on a network designed for digital payloads. Either way, there are no excuses for this in 2011.

Re:Next up twitter? (2, Informative)

Anonymous Coward | more than 3 years ago | (#35448844)

I don't think you realize exactly what SMS is.

SMS was originally a control channel designed for sending configuration and command messages. Then someone noticed it could be used to send little text messages "out of band", and shortly after people started using it for mostly that.

The SMS spec defines all sorts of things you wouldn't believe. You can send binary messages that configure all sorts of things on the handset, or pop up messages on the phone, or even get delivered to applications that are running on the phone or sim card. The sim card is actually a small computer, it has storage, ram, and a processor, some sim cards even run a java variant VM (JavaCard), and they can communicate with the handset using AT commands (how cool is that) and the network with SMS.

There is a complete port-based delivery system, a hugely complicated encoding mechanism, a complete spec for how to encode xml into compact binary form (wbxml), and dozens if not hundreds of different specs for various messages that can be sent. Want to configure the access points on a phone? yep it can. Want to configure the home page of the browser? yes, download a ringtone? yep, send a picture? of course.

Now consider the number of handset manufacturers, the number of different handsets, with different firmware, and the varying range of support for all these things. It's absolutely no surprise you can crash a phone with a well (or badly) crafted message.

Re:Next up twitter? (1)

pclminion (145572) | more than 3 years ago | (#35449692)

Neither. To perform these attacks it's necessary to set up a fake GSM "network" -- you can't do it from another phone over a carrier network. Whether this should have been anticipated and handled depends on how likely we all thought it would be that somebody would actually set up their own GSM station.

The problem isn't necessarily crappy code, it's trusting that the bits coming over the GSM network have a certain level of sanity -- this is a reasonable assumption as long as people aren't setting up their own rogue base stations. Until last year that hadn't even been demonstrated before. I think you're being overly harsh.

In other news, if you shoot a phone with a missile it won't function too well after that either.

Re:Next up twitter? (1)

sjames (1099) | more than 3 years ago | (#35458734)

Considering the decades long saga of phreaking that all got started because they let random people send arbitrary commands within the network (based on the false belief that nobody would figure it all out), you'd think they would be a bit more sensitive to that sort of thing this time around.

Re:Next up twitter? (0)

Anonymous Coward | more than 3 years ago | (#35450138)

Holy shit. Have you used a feature phone lately? They've gone to total shit. I have a Samsung model that for two years has an outstanding bug where recurring calendar appointment reminders don't work. A freakin' calendar reminder isn't programmed right and you want these guys to do security? Don't even get me started on how the entire phone crashes if you receive an SMS while opening another SMS.

Re:Next up twitter? (0)

Anonymous Coward | more than 3 years ago | (#35451796)

I assume they're using a backdoor called SIM application toolkit that allows SMS to be used to download code that executes on the SIM. I'm amazed that it hasn't been exploited many times before in the 10+ years it has existed.

Oh, No. Carriers and Phone Manufacturers will (2)

www.sorehands.com (142825) | more than 3 years ago | (#35447464)

Now Carriers and Phone Manufacturers will blame dropped calls, phone flakiness, phone failures on malicious messages from hackers. Before, it was, "well you have to expect that with radio signals" or sunspots, or that you abused the phone.

Anything for a cell phone provider to avoid responsibility for their failure to deliver services or features they promised.

Re:Oh, No. Carriers and Phone Manufacturers will (1)

Captain Spam (66120) | more than 3 years ago | (#35448486)

Now Carriers and Phone Manufacturers will blame dropped calls, phone flakiness, phone failures on malicious messages from hackers. Before, it was, "well you have to expect that with radio signals" or sunspots, or that you abused the phone.

Anything for a cell phone provider to avoid responsibility for their failure to deliver services or features they promised.

Worse. They'll start implementing some sort of filtering for this, even for phones that aren't affected. And then they'll claim they're "justified" in charging through the nose and/or teeth for SMS messages (as well as increasing the price regardless, naturally) because of all these wonderful, magical filters they're providing. The fools! Why did they have to report this? They've doomed us all!

Re:Oh, No. Carriers and Phone Manufacturers will (3, Informative)

Linker3000 (626634) | more than 3 years ago | (#35449068)

The Iphone 4 has a special 'safe-mode grip' the user can do with their hand that blocks these dangerous messages. It's a 'feature'.

Re:Oh, No. Carriers and Phone Manufacturers will (0)

Anonymous Coward | more than 3 years ago | (#35451754)

Informative 4? I lose maybe one bar if I cover the whole left side of the phone. An ordinary grip does nothing to the signal power. Seems like they've fixed this issue or it only affects people with big slimy hands. Maybe wankers like you?

Very very old news (0)

Anonymous Coward | more than 3 years ago | (#35447522)

My first experience with SMS DoS was done with flood more than 10 years ago, let alone other basic stuff.

sorry for the anonymous post.


I'd never know... (1)

Anonymous Coward | more than 3 years ago | (#35447574)

My LG likes to turn itself off on a whim (doesn't matter the battery level)... so it acts flaky enough by itself.... I'd never know if it was hit by this.

It may be in the wild (1)

bab72 (302207) | more than 3 years ago | (#35447732)

I received a specially crafted SMS message the other day that caused my phone to power off. The text of the message was "Please turn off your phone."

Re:It may be in the wild (1)

sjames (1099) | more than 3 years ago | (#35458874)

You have received the honor system virus version b. You must now delete 10 random files from your system and forward this message to at least 4 other message boards. On Nov. 11th 2011 you must roll a 6 sided die. If you get an even number, you must wipe out your PC and reinstall from scratch.

Thank you for your cooperation.

Dupe from January (1)

Khopesh (112447) | more than 3 years ago | (#35447832)

From the SMS-o-Death [events.ccc.de] talk from the 27th Chaos Communication Congress last year:

Using only Short Message Service (SMS) communications—messages that can be sent between mobile phones—a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run on a phone.

This was also covered HERE ON SLASHDOT, 'SMS of Death' Could Crash Many Mobile Phones [slashdot.org].

big flash happening now (0)

Anonymous Coward | more than 3 years ago | (#35447880)

you may feel mild vibration you may also (barely) be able to hear it. as far as loading you up on positive energy, that's covered too. the genetically challenged nazi mutants find the photon showers etc... disabling, as it reacts poorly with their altered dna. it is imperative that they be disarmed. the rest of it is what is supposed to happen, starting a while back. be careful. let's not mood it. see you there. thanks.

This is news? (4, Funny)

M3wThr33 (310489) | more than 3 years ago | (#35448378)

My Palm Pre already locks up and sometimes reboots when I get a regular SMS from anybody.

I hate my phone.

Control network (1)

tombeard (126886) | more than 3 years ago | (#35448716)

AFAIK, SMS rides on the cell control network. I assume it works by sending SMS control messages to devices on the network. It shouldn't surprise anybody that you can break things via SMS, it is surprising that it isn't more common. Anyone know if there is an open standard for the control structure?

xkcd... (1)

Smask (665604) | more than 3 years ago | (#35448756)

Re:xkcd... (-1)

Anonymous Coward | more than 3 years ago | (#35449060)

Hee hee that XKCD is absolutely hilarious. It actually suggests that a woman especially a mom would understand SQL statements and database security. LOL! I could believe it as an unlikely edge case if she was fat but that's not how she was drawn placing that firmly within the realm of fiction and wishful thinking.

Fact: women don't understand technology. They don't know how to manipulate anything that doesn't have a sex drive and a bank account. At least women's emotionalism, immaturity, unwillingness to accept personal responsibility, and refusal to use logic unless it supports a conclusion they already made helps them to better relate to their children.

The joke about "little Bobby Tables" was kinda funny too.

SMS/MMS and disconnects (1)

Matheus Villela (784960) | more than 3 years ago | (#35449430)

A lot of phones (including Androids) have issues when receiving SMS and MMS, the other day we had a problem with a certification made by a carrier that failed. Our software was getting disconnected when an MMS arrived (not even downloaded), turns out the phone connection was getting completely locked for more than 1 minute and that only happened with said carrier, with another the issue only happened when the MMS was downloaded. The whole thing is a mess, both from manufacturers and carriers.

Good thing? (1)

petman (619526) | more than 3 years ago | (#35449492)

From TFA:

"The good thing is that there's no user interaction needed and the attacker can be anywhere in the world," said Mulliner. "We don't need proximity to the device."

Are the researchers evil or what?

Old and wrong (1)

RichiH (749257) | more than 3 years ago | (#35451384)

This was demonstrated at 27c3.

Also, you don't need to set up your own network, having a Motorola C123 and a serial cable is enough.

No iPhone? (1)

hesaigo999ca (786966) | more than 3 years ago | (#35452188)

I noticed that the iPhone was not one of these, I guess it is funny, but they just unwittingly added a few more bucks to the price of Apple stocks......unless of course this was the plan all along. I truly wonder, unless you have some proof of concept properly defined and able to be checked by peers, just how much some of these stories are real, and others are faked. Remember that study about the shots and the MS....how the study was faked, I am sure there is a lot of rampant faking going on, at least I know when my GF fakes it, but knowing when a study fakes it is a different thing altogether.

Re:No iPhone? (0)

Anonymous Coward | more than 3 years ago | (#35469848)

FTA: "The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger."
