back to article How to slay a cellphone with a single text

Attacks that crash most older cellphones are frequently compounded by carrier networks that send booby-trapped text messages to the target handset over and over. In other cases, they're aided by a “watchdog” feature embedded in the phone, which takes it offline after receiving just three of the malformed messages. The so-called …

COMMENTS

This topic is closed for new posts.
  1. Version 1.0 Silver badge
    Flame

    "Just upgrade"

    because the phone manufacturers will never bother fixing the bug ... why should they? This works to their advantage because most people in the US will just buy a new phone and "renew" their plan for two more years ... so bugs like this work to the networks advantage.

    It fact, if I was running a network I'd require that bugs like this are included in the phone.

  2. Anonymous Coward
    Joke

    Blackmailing for fun and profit

    right now, some evil cad is working out how to monetise this.

    It's not me, honest.

    1. Anonymous Coward
      Joke

      Alredy benn done...

      ... it's called Twitter I believe

      1. Ben 42

        Don't be silly...

        ...Twitter doesn't make any money. ;-)

  3. Anonymous Coward
    Megaphone

    fixed by the network?

    Why can't malformed messages be filtered out by the network automatically? Surely this would be the best way to do it.

    1. Charles Manning
      Megaphone

      Er...

      How do you tell them apart?

      The message was clearly sufficiently formed to be transmitted and transfered through the network.

      It is only "malformed" in the eyes of the receiver.

  4. Nigel R Silver badge

    erm... so the carries don't perform even the most rudimentary checks first?

    no clean-up done then by the carriers, prior to relaying SMS messages?

  5. Nigel R Silver badge

    erm... so the carriers don't perform even the most rudimentary checks first?

    no clean-up done then by he carriers, prior to relaying SMS messages?

  6. Andrew Jones 2

    Older phones....

    The older Sony Ericsson and Siemens phones were a doddle to crash - they used to allow you to insert pictures and sounds into normal text messages which were in reality simple placeholders like: "%SND04" which the receiving phone would simply substitute with whatever soundfile was sitting at index 04.

    Unfortunately for some strange reason the phone didn't seem to check if it actually had a picture or soundfile at the index specified and went off to fetch it anyway, but in the event the file did not exist - it never returned from it's fetching routine. The slightly better phones would allow you to recover from the situation by restarting the phone and deleting the offending message. Unfortunately the earlier models used to only offer the option to delete the message AFTER opening and scrolling down the bottom of the message.

    The funny thing about it all was though - when you inserted the built in picture or sound into your message it didn't actually add it to the message - just it's placeholder - which ANYONE could change, and as the range for sounds was something like 1-9 and pictures 1-20 then anyone who was just the tiniest bit curious could crash someones phone without even intending to.

  7. Anonymous Coward
    Anonymous Coward

    yes

    send 160 full stops to a nokia 3210, instant crash!!!!!!

  8. Fred Flintstone Gold badge

    One little problem here

    SMS attacks cost money, so they will not be used as widely and indiscriminately as trojan emails.

    1. The Alpha Klutz

      well yes

      a few pennies.

      No one was suggesting that attackers would have any desire to indiscriminately crash thousands of phones. An attacker would need to have a specific victim, their mobile number, and the knowledge that their phone is vulnerable in the first place.

      You'd almost be better off running up and grabbing the phone off them, but if you are particularly passive-aggressive, you can now do it via SMS.

    2. justkyle
      WTF?

      But what about..

      Internet email/text gateways?

    3. Nauip
      FAIL

      Really?

      because I can send an email to show up as a text to most phones. example AT&T = <cel#>@txt.att.net

      And last time I checked most carriers have a web site to do something similar as long as you have the cell #.

      1. Alastair 7

        But...

        "because I can send an email to show up as a text to most phones. example AT&T = <cel#>@txt.att.net"

        Yes, but you can't send special binary characters and overflowed headers in that e-mail. You need a slightly deeper level of access to send these messages.

  9. Gangsta
    Unhappy

    No Fix

    the sad thing is: Feature phones can't be or hardly ever can be updated by the user.

    It seems the only fix is for the Network Operator to implement - and that could be quite difficult (although I am not a Telecommunications Engineer)

  10. Michael Kean
    Happy

    Aah...

    The +++ATH of the Cellphone World eh :)

  11. David Gosnell

    Filtering

    At the risk of stating the bleeding obvious, this is simply solved by sanity filtering at the network, no? Or is it better business for them to not fix it, and tell us to upgrade our phones instead?

  12. John Smith 19 Gold badge
    FAIL

    "others have header information that is longer than specifications allow"

    IOW

    Buffer overflow.

    Note that re-boot *might* be the best approach for an *industrial* system but a *consumer* product?

    Not *even* an error message or some note who to call?

  13. Chronos
    FAIL

    Again, taking control from the user

    Advertising, yet again, is at the root of this problem. I've long thought that GSM should have had a means to disable the sending of SMS to the handset. To those of us who don't use SMS, this would be a killer feature. That it doesn't tells you all you really need to know.

    1. Anonymous Coward
      Paris Hilton

      if you don't use SMS

      why do you care?

      1. Richard 31
        Paris Hilton

        duh!

        You not using SMS doesn't stop someone sending a DOS message to your phone.

        1. PacketPusher
          Happy

          True, but ...

          If you don't use SMS, you can ask your carrier to block them,

    2. joejack
      Coffee/keyboard

      @Chronos

      Huh. Maybe a custom build of Android could do it. You get an SMS, it's stored in a junk mail folder or deleted, and disable sending the response back to the carrier. The carrier can't charge you for msgs not received, yes?

  14. Anonymous Coward
    Joke

    It reminds me...

    ... of another platform that allowed chat straight in the console, so anyone sending "quit" or "rm -r" or "format c:" or anything in that range would cause the device to somersault from a 20-story building head-first onto a concrete slab.

    Yes, forcing the network to do packet filtering would be the Right Thing, but could it be possibly be done, on, lets say the interwebs itself, regarding every single malformed IP packet? Just a comparison for Inquiring Minds...

    1. The Original Steve

      Yes it could

      "Yes, forcing the network to do packet filtering would be the Right Thing, but could it be possibly be done, on, lets say the interwebs itself, regarding every single malformed IP packet?"

      Yes. Any sysadmin worth his salt in the corporate market does this at least at the gateway level. A mid-ranged Juniper SSG firewall is little more than £2k, has packet screening, can do network level AV and a real sys admin will be blocking all traffic other than what's authorised in BOTH directions.

      Think those, and most SME boxes upwards can also do IDS ONTOP of basic packet screening.

      It's not expensive, and it's not hard to implement.

  15. Richard 31
    Paris Hilton

    Why bother crashing?

    1) Crash someone's phone

    2) ?????

    3) Profit!!!!

    Why would a criminal want to crash your phone other than being annoying? Would this be done en-mass by rival manufacturers to boost sales of their devices. If i were a criminal looking to use this for fun and profit I would want some way of rooting the target phone, so i can use it as a relay for spam or any of the other reasons the botnets exist.

    1. Anonymous Coward
      Happy

      2)

      sell new handset to borked customer

    2. Jon 52

      acounts bidding

      Two sales execs bidding for contact;

      1) On crucial day of bidding process bork rivals phone

      2) Have your line clear to recieve call, the other exec obvoulsy doesn't want buisness as their phone is always off

      3)Get contract and profit.

  16. pullenuk
    Flame

    Fail for certain "Special Customers"

    For those people still manage to keep a hold of "Rolling over minutes/texts" on very old contracts who still kept their phones won't be happy then.....

  17. Henry Wertz 1 Gold badge

    why sms doesn't crash a smartphone

    At those who question if the carriers filter these, who knows? The researchers ran their own private SMSC and cell site inside a farrady cage for their tests. I could see equipment dropping the ones that crashed the phone by for instance claiming 10 segments when there are really 7 (since a cursory inspection indicates they are corrupted).. On the other hand, if the "outer envelope" of the text is structurally sound I wouldn't expect the equipment to look at content.

    As a bad analogy, I expect most ISPs will drop corrupted packets, and drop "bogons" (packets that "got out" to begin wtih due to misconfiguration, like 127.0.0.1 or 192.168.0.x or the like) and drop corrupted packets (bad checksum). I *wouldn't* expect them as a matter of course to inspect packets for virus or malware payloads.

    As for smartphones being less susceptible -- I don't think it's because they use both a baseband and service CPU (as opposed to simpler phones using the "baseband" CPU to run the whole show.) I think it's because smartphone OSes have memory protection and multitasking (instead of cooperative task switching*). So the text handler can never overwrite another area of the phone, and if it locks up it doesn't lock the phone. A daemon could watch for hung things like the text handler, and automatically kill the hung one and restart a clean copy. The watchdog counts down from (for instance) 10 seconds; a healthy phone resets the watchdog back to 10 seconds frequently, a hung phone the watchdog resets the phone when the countdown reaches 0.

    *With multitasking, the OS runs an app for one timeslice (often 1/100th of a second), and when that 1/100th of a second is up the system stops that app dead in it's tracks and goes to the next one. Cooperative task switching was improperly called multitasking by both Microsoft (pre-Win95) and Apple (pre-OSX), an app runs until it says it's done running. Yes, that means if an app gets stuck in a loop or locks up for any reason, the entire system locks up.

  18. Anonymous Coward
    Anonymous Coward

    better crash than cash

    If someone is attacking my mobile I'd rather it crash (basic phone) than they gain access without me knowing (smart phone).

  19. Shane Kent
    WTF?

    special binary characters?

    There are two, 1 and 0, that is binary.

    1. pitagora
      Thumb Down

      base 2 != binary characters

      Actually us programmers refer to any character other the letters, numbers and a few other characters you would use to write a message, as binary.

      To make it short, for us programmers there are two types "messages": text and binary.

This topic is closed for new posts.

Other stories you might like