Feeds

back to article Nexus phones carry SMS crash bug vuln

A Romanian security researcher has published a vulnerability that allows someone to crash a remote Nexus 4 or Nexus 5 phone – by sending them a crafted “Class 0” text message. Instead of falling into a user's inbox and waiting for someone to read the message, a Class 0 or “flash message” pops up immediately as a message window …

COMMENTS

This topic is closed for new posts.
Silver badge

Flash SMS

Why would you want messages that immediately appear on your main screen and don't obey the settings you have for SMS? Seems one good way to fix this would be to disable flash SMS capability in the Nexus.

4
1
Anonymous Coward

Re: Flash SMS

According to Wikipedia, Flash SMS is used for emergency broadcasts, i.e. "you're about to be wiped out by a tornado, good luck!".

Looking in Settings > More... under Wireless and Networks > Mobile broadcasts, there is options to choose which to display and a global option to disable them all. It also has an audio option so not sure if this is the same thing.

The screenshot also shows the Messaging app snuffing it. This has been replaced with Hangouts on the N5, is that too affected? Hangouts can optionally replace the Messaging app on the N4 too.

More info please Reg.

5
0
Anonymous Coward

Re: Flash SMS

Two-factor authentication is a good one: With one time codes triggered when you logon, it's nice to just have it as a flash sms, then you don't have the chore of deleting them after.

0
0
Anonymous Coward

Re: Flash SMS@anotherandroidfailure

Come on, surely not another buggy bug. Is this an Android fail or a Nexus fail?

I thought the new operating system was supposed to be more secure?

1
8
Holmes

Re: Flash SMS

As well as 2FA, they're often used for prepay to flash up your balance after a call. Nothing particularly nasty about them.

it'd be nice to know if this is an Android bug or a Nexus bug.

1
0
Anonymous Coward

What's the point?

This sounds like it would just cause inconvenience for a user rather than allow code injection?

If so what attacker is going to spend money sending out large amounts of SMS to random users just for laughs?

6
0
Anonymous Coward

I know from experience that the bug doesn't affect CyanogenMod. This is because they enabled flash messages in nightly builds earlier this year, and it caused phones in Europe and perhaps elsewhere to be swamped by network messages - but without crashing or losing connectivity. It turns out that these messages are used for things other than emergency notifications outside of the US, and were previously ignored. My phone was getting somewhere in the region of 120 flash messages a day, about three of four each time I moved from one broadcast cell to another, and some numpty developer had removed the option to globally ignore the annoying buggers.

0
0
Bronze badge

Not playing an audio sound is hardly the problem, personally I wouldn't want an audio alert every time some random person decides to send a class 0 SMS to me because they think its important. What is the issue here is that the applications that handle SMS need to handle large volumes correctly without crashing, im astounded really that the primary function of the application, receiving an SMS can not handle load, i mean, was no load testing done on the application at all to ensure that it can cope with any number of SMS being fired at it? Total idiocy.

1
0

Shouldn't that subhead read you have been "DOSed" rather than "pOwned"?

AFAICS this bug doesn't allow any code injection, it just crashes the phone. Nuisance, yes, disaster, no.

3
0
This topic is closed for new posts.