A Romanian security researcher has published a vulnerability that allows someone to crash a remote Nexus 4 or Nexus 5 phone – by sending them a crafted “Class 0” text message. Instead of falling into a user's inbox and waiting for someone to read the message, a Class 0 or “flash message” pops up immediately as a message window …
Why would you want messages that immediately appear on your main screen and don't obey the settings you have for SMS? Seems one good way to fix this would be to disable flash SMS capability in the Nexus.
Re: Flash SMS
According to Wikipedia, Flash SMS is used for emergency broadcasts, i.e. "you're about to be wiped out by a tornado, good luck!".
Looking in Settings > More... under Wireless and Networks > Mobile broadcasts, there are options to choose which to display and a global option to disable them all. It also has an audio option, so not sure if this is the same thing.
The screenshot also shows the Messaging app snuffing it. This has been replaced with Hangouts on the N5, is that too affected? Hangouts can optionally replace the Messaging app on the N4 too.
More info please Reg.
Re: Flash SMS
Two-factor authentication is a good one: with one-time codes triggered when you log on, it's nice to just have it as a flash SMS, then you don't have the chore of deleting them after.
Re: Flash SMS@anotherandroidfailure
Come on, surely not another buggy bug. Is this an Android fail or a Nexus fail?
I thought the new operating system was supposed to be more secure?
Re: Flash SMS
As well as 2FA, they're often used for prepay to flash up your balance after a call. Nothing particularly nasty about them.
It'd be nice to know if this is an Android bug or a Nexus bug.
What's the point?
This sounds like it would just cause inconvenience for a user rather than allow code injection?
If so what attacker is going to spend money sending out large amounts of SMS to random users just for laughs?
I know from experience that the bug doesn't affect CyanogenMod. This is because they enabled flash messages in nightly builds earlier this year, and it caused phones in Europe and perhaps elsewhere to be swamped by network messages - but without crashing or losing connectivity. It turns out that these messages are used for things other than emergency notifications outside of the US, and were previously ignored. My phone was getting somewhere in the region of 120 flash messages a day, about three or four each time I moved from one broadcast cell to another, and some numpty developer had removed the option to globally ignore the annoying buggers.
Not playing an audio sound is hardly the problem; personally I wouldn't want an audio alert every time some random person decides to send a class 0 SMS to me because they think it's important. What is the issue here is that the applications that handle SMS need to handle large volumes correctly without crashing. I'm astounded really that the primary function of the application, receiving an SMS, cannot handle load. I mean, was no load testing done on the application at all to ensure that it can cope with any number of SMS being fired at it? Total idiocy.
Shouldn't that subhead read you have been "DOSed" rather than "pOwned"?
AFAICS this bug doesn't allow any code injection, it just crashes the phone. Nuisance, yes, disaster, no.